Microsoft Patches Record 206 Vulnerabilities

Microsoft issued a record 206 security updates on June's Patch Tuesday, exceeding the previous high of 175. These patches address vulnerabilities in Windows, Office, Exchange Server, and cloud services, with one critical flaw in Microsoft Defender already being exploited in the wild. This actively exploited Elevation of Privilege vulnerability (CVE-2026-41091) in Defender allows attackers to gain system privileges, with Microsoft having already updated the affected Malware Protection Engine. The update also resolves 10 Security Feature Bypass vulnerabilities affecting Secure Boot, which could allow malicious code execution during system startup. Within Windows, 118 vulnerabilities were fixed, including 19 critical Remote Code Execution (RCE) flaws. Particularly concerning are CVE-2026-47288 in the Windows kernel and CVE-2026-47291 in http.sys, which permit unauthenticated RCE with system privileges. Furthermore, 54 vulnerabilities were patched in Microsoft Office products, including 25 RCE flaws, with some exploitable via the preview pane. Critical RCE vulnerabilities in Microsoft Hyper-V could allow guest systems to escape and execute code on the host. Microsoft Exchange Server received eight vulnerability fixes, including one for a Man-in-the-Middle attack scenario. Microsoft Edge also received updates for 74 Chromium vulnerabilities and a zero-day flaw. The next Patch Tuesday is scheduled for July 14th, 2026.