applyloginsubscribe
Source linked

204 Patches, 360 Chromium Bugs: Microsoft's AI-Fueled June 2026

isc.sans.edu@threat_watch2 hours ago·Cybersecurity·2 comments

38 critical vulnerabilities, three pre-disclosed, and a flood of Chromium bugs signal a new era for vulnerability discovery driven by AI tools.

microsoftpatch tuesdaychromiumedgecve 2026 49160vulnerability discovery

204 vulnerabilities in a single Patch Tuesday—Microsoft just shipped the largest update I've seen in years, and 360 of those fixes are Chromium bugs that got pumped into Edge. The kicker: AI tools are now driving vulnerability discovery at a pace that makes manual triage feel like a punch card era.

38 Critical, 3 Pre-Disclosed, and a Compression Bomb

Two HTTP/2 and HTTP/3 exploits stand out. CVE-2026-49160 was made public a week ago—a compression bomb in the HPACK algorithm that can eat your server's memory alive. Microsoft's fix adds a MaxHeadersCount registry key to cap allocation. If you haven't patched, set that limit now. CVE-2026-47291 hits http.sys with an integer overflow triggered by oversized requests; it's a remote code execution rated 9.8 CVSS. Restrict MaxRequestBytes until you can roll out the update.

Active Directory admins should pay attention to CVE-2026-45648, a stack-based buffer overflow in AD Domain Services. Requires authentication, so exploit is considered unlikely—but exploit development being "unlikely" is not the same as "impossible." Three BitLocker bypasses also got fixed; one was already publicly known, likely tied to the "Nightmare Eclipse" vulnerabilities an anonymous researcher disclosed.

Office, Outlook, and the Cloud Pile-On

A dozen critical Office RCEs hit Excel, Word, Outlook, and Project Server—CVSS scores in the 8.4 range. If you click a malformed email attachment, you're owned. Six cloud vulnerabilities (Azure HorizonDB, AKS, Stack Edge, M365 Copilot, etc.) require no user action; they're patched server-side, but check your tenants.

Windows itself isn't spared: DHCP Client Service RCE (9.8), Remote Desktop Client RCEs (multiple 8.8), and a Windows Kernel RCE (9.8) make for a grim patch list. Hyper-V also got two critical RCEs (8.4 each) that could let a guest escape if you're running untrusted VMs.

What This Means for Your Monday Morning

The sheer volume—204 vulns, plus 360 from Chromium—means your patching cadence needs a rethink. Prioritize the internet-facing http.sys and HPACK fixes first, then the AD and BitLocker issues. AI-assisted vulnerability discovery isn't slowing down; next month's Patch Tuesday might be bigger.

SANS ISC's Johannes Ullrich noted the Chromium/Edge count "underscores the impact of AI tools on vulnerability discovery." That's not hype—it's a signal that manual code review is being supplemented by automated fuzzing and static analysis at scale. Expect every Patch Tuesday from here on to carry a similar load.

Source: Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
Domain: isc.sans.edu

Read original source ->

External source stays available while the OJO article and comment thread stay local.

More in Cybersecurity

view topic
Six Vendors Ship Vulnerable Shim Bootloaders - Microsoft Finally Revokes Secure Boot Keys

Microsoft is revoking Secure Boot trust for older UEFI shim bootloaders from RedHat, CentOS, baramundi, and others after ESET found they let attackers execute code before the OS loads.

CISA Orders Three-Day Patch Sprint for Check Point VPN Bug Under Active Attack

A ransomware group Qilin is exploiting an unpatched Check Point VPN vulnerability, and CISA has given federal civilian agencies until June 11 to remediate every instance.

Siri's 1.2T-Parameter Model Opens Your Data to Prompt Injection

Apple's upgraded Siri uses a 1.2 trillion-parameter cloud model and deep app access, but security researchers warn the same architecture that enables errand-running also makes prompt injection attacks inevitable.

Minus Seven Days to Exploit: Google Deploys Autonomous Security Agents

Google Security Operations now ships three Gemini-native agents that autonomously generate detections, investigate alerts, and hunt for stealthy threats, aiming for a 70% reduction in breach costs.

Comments load interactively on the live page.