Microsoft's Biggest-Ever Patch Tuesday: 206 Vulnerabilities Fixed, 3 Zero-Days Disclosed — How to Update Your Windows PC Right Now
What's new since our earlier coverage: Our June 10 post gave a broad overview of this month's massive release. This post goes deeper on the three specific zero-days, the Nightmare Eclipse researcher story fueling them, the AI-driven trend pushing patch counts higher, and most importantly — a plain-English, step-by-step guide to getting your Windows PC updated today.
If you use a Windows computer — at home, at work, anywhere — this month's Patch Tuesday is one you genuinely cannot afford to ignore.
On June 10, 2026, Microsoft released what Malwarebytes is calling the largest Patch Tuesday in the program's history: 206 security vulnerabilities fixed, 32 of them rated critical, and three zero-days publicly disclosed before patches were available. To put that in perspective, Microsoft launched its monthly Patch Tuesday cycle back in October 2003 — originally in response to the chaos caused by the Blaster worm — and this month's release is the biggest the program has ever seen.
None of the three zero-days are confirmed to have been actively exploited yet. But "publicly disclosed" means working exploit code or detailed instructions are already out in the open, which means the clock is ticking.
The Three Zero-Days You Need to Know About
1. CVE-2026-50507 — Windows BitLocker Bypass
Malwarebytes describes this one plainly: a flaw in Windows BitLocker (CVSS score 6.8) that allows an attacker with physical access to your device to bypass encryption and read your data. BitLocker is the feature that protects your files if your laptop is lost or stolen. This flaw undermines that protection entirely.
This vulnerability is tied to a publicly released exploit dubbed "YellowKey," published by a security researcher going by the handle Nightmare Eclipse, as reported by Krebs on Security. The researcher claims to be a former Microsoft employee, though Microsoft has not confirmed or denied that claim.
2. CVE-2026-49160 — HTTP.sys Denial-of-Service (HTTP/2 Bomb)
This one (CVSS score 7.5) affects web servers running HTTP.sys — including Microsoft's own Internet Information Services (IIS). According to Malwarebytes, it can be exploited remotely using a technique called an HTTP/2 Bomb to knock major web servers offline. Notably, Krebs on Security reports that Microsoft credited OpenAI's Codex with discovering and reporting this flaw.
3. CVE-2026-45586 — Windows CTFMON Privilege Escalation
This flaw (CVSS score 7.8) lives in the Windows Collaborative Translation Framework and allows an attacker to gain SYSTEM-level privileges — the highest level of access on a Windows machine. As Malwarebytes explains, elevation-of-privilege vulnerabilities like this are especially dangerous because attackers can chain them with other flaws to take complete control of a system. This one is also linked to Nightmare Eclipse, whose publicly released exploit was nicknamed "GreenPlasma."
Why Patch Counts Are Going to Keep Rising
Here's something worth understanding for the long term. Krebs on Security quotes Satnam Narang, senior staff research engineer at Tenable, on why this month's numbers are so high — and why they're likely to stay that way:
"Some surveys put AI usage among security professionals generally at 90%, so it's unsurprising that this volume of patches may be the norm. Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday."
In other words, both Microsoft's engineers and outside security researchers are now using AI to find vulnerabilities faster than ever before. More bugs found means more bugs to patch. The 206 headline number also doesn't include the 360 browser vulnerabilities Microsoft addressed this month — browser flaws are tracked separately and not counted in the official Patch Tuesday total, according to Rapid7's Adam Barnett as cited by Krebs on Security.
What Yuba City Businesses and Home Users Should Do Right Now
The fix for all three zero-days is the same: install this month's Windows updates. Here's exactly how to do it.
Step-by-Step: How to Install June's Patch Tuesday Updates
Step 1 — Open Settings. Click the Start button (the Windows logo in the bottom-left corner of your screen), then click the gear icon for Settings.
Step 2 — Navigate to Windows Update. In the Settings window, look for Windows Update in the left-hand menu (it's usually near the bottom).
Step 3 — Check for Updates. Click Check for updates. Windows will search for the latest patches. If you've enabled the option to receive updates as soon as they're available, you may already see a Restart required message — go ahead and restart to complete the installation.
Step 4 — Download and Install. If updates are found and haven't started downloading yet, they'll begin automatically. Once downloaded, click Install or Restart now when prompted. Your computer will likely need to reboot to finish.
Step 5 — Confirm You're Protected. After restarting, go back to Windows Update and check one more time. If it reads "You're up to date," you're good.
Quick tip from Malwarebytes: Always consider backing up your important data before applying major operating system updates, just in case anything unexpected happens during the process.
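For anyone who would rather script Step 5, or who has several PCs to check, here is an added PowerShell example (ours for illustration, not code from Microsoft, Malwarebytes or Krebs on Security). It assumes the June 10, 2026 release date given above and uses no KB numbers because this post does not list any; the computer names are whatever you pass in.

```powershell
# Added example: scripted version of "Step 5 - Confirm You're Protected".
# Assumption: $ReleaseDate is the June 10, 2026 release date from the article.
# Save as a .ps1 file and run from an elevated PowerShell prompt.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # add host names for remote checks
    [datetime]$ReleaseDate  = [datetime]'2026-06-10'
)

function Get-PatchStatus {
    param([string]$Computer, [datetime]$Since)

    # Newest update recorded on the machine (Get-HotFix reads Win32_QuickFixEngineering).
    $latest = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Computer     = $Computer
        LatestHotFix = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        PatchedSince = [bool]($latest -and $latest.InstalledOn -ge $Since)
    }
}

# One row per machine; an unreachable machine is reported as not patched.
$results = foreach ($c in $ComputerName) {
    try   { Get-PatchStatus -Computer $c -Since $ReleaseDate }
    catch {
        [pscustomobject]@{ Computer = $c; LatestHotFix = $null
                           InstalledOn = $null; PatchedSince = $false }
    }
}
$results | Format-Table -AutoSize

# Local PC only: ask the Windows Update Agent what is still outstanding.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
$reboot   = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

"Updates still pending on this PC: $($pending.Count)"
$pending | ForEach-Object { "  - $($_.Title)" }
"Restart required to finish installing: $reboot"
```

An install date on or after the release date is a good sign rather than proof, since other updates can land on the same day; the pending-updates count and the restart flag are what tell you the job is finished on the local machine.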
A Note on Nightmare Eclipse and What's Coming in July
The Nightmare Eclipse situation is worth watching. According to Krebs on Security, this researcher has pledged a "bone shattering" drop of additional Windows zero-day exploits on July 14 — the same day as next month's Patch Tuesday. The researcher also published a new Windows Defender exploit immediately after this month's patches dropped. Microsoft and Nightmare Eclipse have had a public and contentious back-and-forth, including Microsoft briefly suggesting it might take legal action before walking that statement back.
The upshot for everyday users: more unpatched vulnerabilities may be publicly available in the coming weeks. The best defense is staying current on updates and being proactive rather than reactive.
Staying on Top of This Is Harder Than It Should Be
For most home users, following the steps above is enough. But small businesses running multiple machines, servers, or Windows-based point-of-sale systems can find patch management genuinely difficult to keep up with — especially when update cycles are accelerating.
If you're a Yuba City small business and you're not sure whether your systems are current, our business IT support services include patch management as part of ongoing support. And if you want hands-off peace of mind for your personal computer, our membership plans cover real-time protection and vulnerability monitoring starting at $14.99/month — we're happy to help if you need it.
For everyone else: open Windows Update today. This one's worth the few minutes it takes.
Patch details sourced from Malwarebytes Labs and Krebs on Security.