Microsoft June 2026 Patch Tuesday: Record 200 Vulnerabilities, 3 Zero-Days, RoguePlanet Drops Hours Later — The Most Critical Patch Event of 2026

PATCH NOW — June 10, 2026: Largest Patch Tuesday in history. 200 CVEs. 33 Critical. Wormable CVSS 9.8 in HTTP.sys. MiniPlasma finally patched. Within hours, Nightmare Eclipse dropped new unpatched zero-day “RoguePlanet” — Windows Defender race condition, SYSTEM shell, public PoC confirmed. Secure Boot certificate expires June 26 — 17 days away.
200 CVEs. 83 RCE vulnerabilities. A new zero-day within hours. 17 days to Secure Boot expiry. | DataWater Threat Brief, June 10, 2026

Sources: Microsoft MSRC · Bleeping Computer · Help Net Security · TechRepublic · Infosecurity Magazine · Zecurit · The Cyber Express · Rapid7 · Action1 | Total CVEs: 200 Microsoft + 360 Edge/Chromium | Critical: 33 | Record: Largest Patch Tuesday in program history

The largest Patch Tuesday in Microsoft history — and it got worse within hours

Microsoft’s June 2026 Patch Tuesday is the largest single monthly security release in the program’s history — 200 CVEs across Windows, Office, Azure, Exchange Server, Remote Desktop Services, and HTTP.sys. It surpasses the previous record of 167 CVEs set in October 2025. The release includes 33 Critical vulnerabilities, 83 total RCE flaws, and three publicly disclosed zero-days including MiniPlasma — the Windows SYSTEM zero-day DataWater covered on May 19 that has been unpatched with an active public PoC for over three weeks.

Then, within hours of Microsoft’s release, researcher Nightmare Eclipse dropped RoguePlanet — a brand-new unpatched zero-day exploiting a race condition in Windows Defender to spawn a SYSTEM-level command shell. Multiple researchers confirmed the public PoC works. No patch. No timeline. The same researcher whose prior disclosures produced MiniPlasma, BlueHammer, RedSun, UnDefend, and YellowKey — all finally patched today — has immediately produced another unpatched replacement. The Verizon DBIR 2026 found median exploitation time after public disclosure is 5 days. With a working PoC already live, that window shrinks further.

Metric | Detail
Total CVEs | 200 Microsoft (+ 360 Edge/Chromium)
Critical | 33 — 28 RCE, 4 EoP, 1 info disclosure
Total RCE vulnerabilities | 83
Patched zero-days | CVE-2026-45586 (GreenPlasma/MiniPlasma) · CVE-2026-50507 (YellowKey) · CVE-2026-49160 (HTTP/2 Bomb)
New unpatched zero-day | RoguePlanet — Windows Defender race condition, SYSTEM shell, public PoC confirmed
Top priority CVE | CVE-2026-47291 — Windows HTTP.sys CVSS 9.8, wormable RCE, unauthenticated
Previous record | 167 CVEs — October 2025
Secure Boot deadline | June 26, 2026 — 17 days away
AI attribution | Industry analysts cite AI-assisted vulnerability discovery as primary driver of record volume

The three patched zero-days

CVE-2026-45586 — GreenPlasma / MiniPlasma: Windows CTFMON SYSTEM Elevation of Privilege

MiniPlasma — covered in full on May 19 — is now formally CVE-2026-45586 and patched today. The vulnerability exploits improper link resolution in the Windows Collaborative Translation Framework to elevate a standard user to SYSTEM. A public PoC has been on GitHub since Nightmare Eclipse’s original disclosure. Multiple threat actor groups were confirmed to be exploiting it before today’s patch. Apply the patch immediately — temporary mitigations from the May 19 article are no longer needed once patched.

CVE-2026-50507 — YellowKey: Windows BitLocker Security Feature Bypass

YellowKey allows a local attacker with physical access to bypass BitLocker full-disk encryption and read data on an encrypted drive. This is the vulnerability that turns a stolen laptop into a confirmed data breach. In HIPAA, PCI-DSS, SOC 2, and FedRAMP environments, exploitation triggers breach notification obligations. Patch all endpoints — prioritize executive, finance, HR, and legal devices.

CVE-2026-49160 — HTTP/2 Bomb: Windows HTTP.sys Denial of Service

The vulnerability abuses how HTTP/2 compresses headers: an attacker sends a tiny amount of data that forces the server to allocate massive amounts of memory. A single home computer can take down a web server in 20 seconds. It was discovered by AI-powered research tools — a direct data point in the autonomous vulnerability discovery trend DataWater tracked through the White House AI EO. Rapid7 noted: “This class of vulnerabilities is likely to expand further as researchers use LLM capability to probe not just specific software, but also the standards on which software rests.”

RoguePlanet: the brand-new unpatched zero-day

Within hours of today’s patch release, Nightmare Eclipse dropped RoguePlanet — a race condition in Windows Defender spawning a SYSTEM shell. Multiple researchers confirmed the public PoC achieves local privilege escalation, with one reporting 100% success rate on some machines. No patch. No timeline. The Nightmare Eclipse series now includes: BlueHammer · MiniPlasma · RedSun · UnDefend · YellowKey (all patched today) plus RoguePlanet (unpatched).

Interim mitigations while no patch exists:

  • Monitor Windows Defender processes for unexpected child process spawning — particularly cmd.exe or powershell.exe from Defender service processes
  • Alert on SYSTEM-level process creation from non-SYSTEM parent processes
  • Restrict local access to high-value systems — RoguePlanet requires local execution
  • Monitor Microsoft MSRC for an emergency out-of-band patch
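
The first two monitoring bullets above, expressed as triage rules over Sysmon Event ID 1 (process creation) records. This is an added example, not code from the article, Microsoft, or the RoguePlanet disclosure. Assumptions: events are already parsed into dicts with Sysmon's Image, ParentImage, User and ParentUser fields; the Defender process list and pwsh.exe are chosen here for illustration; the sample events are constructed.

```python
# Added example: detection triage for Defender-spawned shells and
# SYSTEM processes created by non-SYSTEM parents (Sysmon Event ID 1 fields).
import ntpath

# Assumption: Microsoft Defender binaries treated as "Defender service processes".
DEFENDER_PARENTS = {"msmpeng.exe", "nissrv.exe", "mpcmdrun.exe",
                    "mpdefendercoreservice.exe"}
# cmd.exe and powershell.exe come from the article; pwsh.exe is an added assumption.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system"}

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def is_system(user):
    return (user or "").lower() in SYSTEM_ACCOUNTS

def triage(event):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    if base(event.get("ParentImage")) in DEFENDER_PARENTS and base(event.get("Image")) in SHELLS:
        hits.append("shell_spawned_by_defender")
    # ParentUser is only logged by newer Sysmon versions; skip the rule when absent.
    parent_user = event.get("ParentUser")
    if parent_user and is_system(event.get("User")) and not is_system(parent_user):
        hits.append("system_child_of_non_system_parent")
    return hits

# Constructed sample events (not real telemetry; paths and users are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MsMpEng.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "ParentUser": r"CORP\alice"},
]

def run(events):
    """Pair each event's image name with the rules it triggered."""
    return [(ntpath.basename(e["Image"]), triage(e)) for e in events]

if __name__ == "__main__":
    for image, hits in run(SAMPLE_EVENTS):
        print(image, hits or "no alert")
```

Baseline the second rule against your own fleet before alerting on it, since some management and deployment tooling legitimately launches SYSTEM processes on behalf of a user session.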

Top priority CVEs to patch first

CVE-2026-47291 — Windows HTTP.sys CVSS 9.8: Wormable, No Auth, No User Interaction

The single highest-priority patch in the June release. RCE in the Windows HTTP.sys kernel driver — unauthenticated, no user interaction, potentially wormable. CVSS 9.8. This is the profile of EternalBlue and BlueKeep. Patch all internet-facing Windows servers running IIS or WinRM first.

CVE-2026-44815 — Windows DHCP Client: Wormable, Every Endpoint

The DHCP Client runs on virtually every Windows endpoint. Wormable propagation from a single compromised segment across every Windows device requesting a DHCP lease. Same priority tier as CVE-2026-47291. Patch all endpoints today.

Remote Desktop Client — Seven-CVE Cluster

Seven CVEs patched in Windows Remote Desktop simultaneously. RDP is the primary ransomware initial access vector for organizations with external exposure. Patch and audit whether external RDP is necessary.

CVE-2026-26142 — Nuance PowerScribe CVSS 9.8: RCE in Hospital Radiology

PowerScribe runs in radiology departments globally. CVSS 9.8 RCE in a top ransomware target sector — the DBIR 2026 confirms healthcare is among the highest-value ransomware targets. Healthcare security teams: treat this as an emergency patch.

Why this is the largest Patch Tuesday ever — and won’t be the last

Industry analysts point to AI-assisted vulnerability discovery as the primary driver of record CVE volume. The White House AI EO signed June 2 cited autonomous vulnerability discovery as the trigger for new government AI governance. This same week, a $1,000 AI agent found 21 zero-days in FFmpeg — some 23 years old. Google’s Chrome 149 included 429 security fixes — also a record — with Google noting AI-generated reports are creating unprecedented triage pressure. The 200-CVE Patch Tuesday is the new baseline. Organizations still running manual patch management are structurally incapable of keeping pace with a 5-day exploitation window.

Secure Boot: the silent deadline in 17 days

The Secure Boot KEK certificate expires June 26, 2026. Devices without the June Patch Tuesday update lose the ability to receive future Secure Boot certificate updates after that date. This is the last scheduled Patch Tuesday before expiration. Complete full deployment before June 26.

Patching priority stack — execute today

  1. CVE-2026-47291 (HTTP.sys CVSS 9.8 wormable RCE) — Internet-facing Windows servers first.
  2. CVE-2026-44815 (DHCP Client wormable) — All Windows endpoints.
  3. CVE-2026-45586 (GreenPlasma/MiniPlasma SYSTEM EoP) — All Windows systems.
  4. RoguePlanet (unpatched) — Behavioral detection now. Monitor MSRC for emergency patch.
  5. Remote Desktop Client 7-CVE cluster — All systems. Audit external RDP.
  6. CVE-2026-26142 (PowerScribe CVSS 9.8) — Healthcare: emergency priority.
  7. CVE-2026-50507 (YellowKey BitLocker bypass) — All endpoints with compliance encryption requirements.
  8. All 200 CVEs + Secure Boot update — Complete before June 26.

DataWater — Article #25 — June 10, 2026.