204 vulnerabilities in a single Patch Tuesday—Microsoft just shipped the largest update I've seen in years, alongside 360 Chromium fixes that got pumped into Edge. The kicker: AI tools are now driving vulnerability discovery at a pace that makes manual triage feel like the punch-card era.
38 Critical, 3 Pre-Disclosed, and a Compression Bomb
Two HTTP/2 and HTTP/3 vulnerabilities stand out. CVE-2026-49160 was made public a week ago—a compression bomb in the HPACK algorithm that can eat your server's memory alive. Microsoft's fix adds a MaxHeadersCount registry value to cap allocation. If you haven't patched, set that limit now. CVE-2026-47291 hits http.sys with an integer overflow triggered by oversized requests; it's a remote code execution bug rated CVSS 9.8. Restrict MaxRequestBytes until you can roll out the update.
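The two interim http.sys controls above are registry values, so they are easy to audit and to back out once the update is installed. The script below is an added example written for this post, not code from Microsoft or SANS ISC. It assumes both values live under the http.sys parameters key (MaxRequestBytes is documented there; the location of the new MaxHeadersCount value is an assumption), and the MaxHeadersCount limit is an illustrative placeholder because the advisory does not state a number. It also reports whether http.sys is actually listening on this host, which is what decides how urgently these two fixes apply.

```powershell
# Added example (not from the SANS ISC diary or Microsoft): audit, apply and roll back
# the http.sys interim mitigations mentioned in the post.
# Assumption: both values are read from HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
#Requires -RunAsAdministrator

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysMitigationState {
    # Report whether http.sys is serving anything here and what the two limits are.
    # A $null limit means the value is absent and the Windows default applies.
    $svc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')

    # http.sys is kernel-mode, so its TCP listeners show up under PID 4 (System).
    # Note that other kernel listeners (e.g. SMB on 445) also belong to PID 4.
    $ports = @()
    if ($running) {
        $ports = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.OwningProcess -eq 4 } |
            Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    }

    $props = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        HttpSysRunning  = $running
        KernelListenPorts = $ports
        MaxRequestBytes = $props.MaxRequestBytes   # documented default is 16384 (KB 820129)
        MaxHeadersCount = $props.MaxHeadersCount   # new value introduced by this month's fix
    }
}

function Set-HttpSysLimits {
    # Write the two limits as REG_DWORD values. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Tighten below the documented 16384 default to blunt oversized requests.
        [uint32]$MaxRequestBytes = 8192,
        # PLACEHOLDER: the advisory gives no recommended value; pick one your apps tolerate.
        [uint32]$MaxHeadersCount = 100
    )
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }

    $desired = [ordered]@{ MaxRequestBytes = $MaxRequestBytes; MaxHeadersCount = $MaxHeadersCount }
    foreach ($entry in $desired.GetEnumerator()) {
        $target = "$HttpParams\$($entry.Key)"
        if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $($entry.Value)")) {
            New-ItemProperty -Path $HttpParams -Name $entry.Key -Value $entry.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
    # http.sys reads these values at service start, so they are not live yet.
    Write-Warning 'Restart the HTTP service (and dependents such as W3SVC) or reboot to apply.'
}

function Remove-HttpSysLimits {
    # Roll back after the update is installed: drop the values so defaults return.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in 'MaxRequestBytes', 'MaxHeadersCount') {
        if ((Get-ItemProperty -Path $HttpParams -Name $name -ErrorAction SilentlyContinue) -and
            $PSCmdlet.ShouldProcess("$HttpParams\$name", 'Remove value')) {
            Remove-ItemProperty -Path $HttpParams -Name $name
        }
    }
    Write-Warning 'Restart the HTTP service or reboot for the defaults to take effect.'
}

# Typical flow: look first, then apply with -WhatIf before committing.
Get-HttpSysMitigationState | Format-List
Set-HttpSysLimits -WhatIf
```

Run the audit across your internet-facing hosts before touching anything: a box where http.sys is not running can wait for the regular rollout, while one with 443 in the kernel listener list is the priority. Lowering MaxRequestBytes will reject legitimate clients that send large cookies or auth headers, so test on one node, and remove the values once the June update is confirmed installed rather than leaving a tightened limit behind indefinitely.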
Active Directory admins should pay attention to CVE-2026-45648, a stack-based buffer overflow in AD Domain Services. It requires authentication, so exploitation is considered unlikely—but exploitation being "unlikely" is not the same as "impossible." Three BitLocker bypasses also got fixed; one was already publicly known, likely tied to the "Nightmare Eclipse" vulnerabilities an anonymous researcher disclosed.
Office, Outlook, and the Cloud Pile-On
A dozen critical Office RCEs hit Excel, Word, Outlook, and Project Server—CVSS scores in the 8.4 range. If you click a malformed email attachment, you're owned. Six cloud vulnerabilities (Azure HorizonDB, AKS, Stack Edge, M365 Copilot, etc.) require no user action; they're patched server-side, but check your tenants.
Windows itself isn't spared: DHCP Client Service RCE (9.8), Remote Desktop Client RCEs (multiple 8.8), and a Windows Kernel RCE (9.8) make for a grim patch list. Hyper-V also got two critical RCEs (8.4 each) that could let a guest escape if you're running untrusted VMs.
What This Means for Your Monday Morning
The sheer volume—204 vulns, plus 360 from Chromium—means your patching cadence needs a rethink. Prioritize the internet-facing http.sys and HPACK fixes first, then the AD and BitLocker issues. AI-assisted vulnerability discovery isn't slowing down; next month's Patch Tuesday might be bigger.
SANS ISC's Johannes Ullrich noted the Chromium/Edge count "underscores the impact of AI tools on vulnerability discovery." That's not hype—it's a signal that manual code review is being supplemented by automated fuzzing and static analysis at scale. Expect every Patch Tuesday from here on to carry a similar load.
Source: Microsoft June 2026 Patch Tuesday (Tue, Jun 9th)
Domain: isc.sans.edu