Dark Reading (archived Jun 10, 2026)
Blame AI: Patch Tuesday Hits Record 206 CVEs
Voluminous patch updates could soon be the norm, as artificial intelligence accelerates the speed and scale of vulnerability discovery.
Jai Vijayan, Contributing Writer
June 9, 2026
Microsoft's June 2026 Patch Tuesday update with fixes for a record 206 unique CVEs is the latest sign of what is quickly becoming the new normal for organizations as AI accelerates vulnerability discovery.
Three of the flaws in the mammoth update are previously disclosed zero-day bugs. They are part of a broader set of 13 vulnerabilities Microsoft flagged as "Exploitation More Likely," indicating heightened near-term risk for organizations. The update also includes 32 critical-severity vulnerabilities, five of which carry CVSS scores of 9.0 or higher on the 10-point scale.
Three Previously Disclosed and Other High Priority Bugs
As has been the case recently, a high percentage of vulnerabilities in the release are either remote code execution (RCE) vulnerabilities or elevation of privilege (EoP) bugs. Other, relatively less common vulnerability types include those that enable denial-of-service conditions, data theft, and security feature bypass.
Security researchers pointed to the three previously disclosed vulnerabilities as issues meriting immediate attention. The three flaws are CVE-2026-45586 (CVSS: 7.8), an EoP bug in Windows Collaborative Translation Framework (CTFMON) that attackers can exploit to gain SYSTEM-level privileges; CVE-2026-49160 (CVSS: 7.5), a denial-of-service bug in Windows.sys; and CVE-2026-50507 (CVSS: 6.8), which enables bypass of Microsoft's BitLocker security feature.
Amol Sarwate, head of security research at Cohesity, flagged two near-maximum severity vulnerabilities in this month's release as top priorities. One is an RCE flaw in Windows HTTP.sys, CVE-2026-47291 (CVSS: 9.8); the other is CVE-2026-44815 (CVSS: 9.8) in the Windows DHCP Client service. "CVE-2026-47291 should be of top priority because it allows unauthenticated attackers to remotely achieve full compromise without any user interaction, making it potentially wormable," Sarwate warned in prepared comments. "CVE-2026-44815 falls in the same category, as the DHCP Client runs on virtually every Windows endpoint, giving it an enormous attack surface."
Researchers at Action1 included two critical RCE bugs in Windows Graphics Component — CVE-2026-44812 (CVSS: 7.8) and CVE-2026-44803 (CVSS: 7.8) — and CVE-2026-42987 (CVSS: 8.1), an RCE in Windows Deployment Services, as flaws meriting high-priority attention. The company described CVE-2026-44812 as the "doorway to full system compromise," and CVE-2026-44803 as enabling a single preview action to "open the door to code execution."
Notably, Microsoft's June update did not appear to contain any fixes for multiple vulnerabilities that a disgruntled security researcher known as Nightmare Eclipse disclosed recently. The vulnerabilities, tracked as YellowKey, GreenPlasma, and MiniPlasma, enable a range of malicious actions, including security feature bypass and privilege escalation.
An Ominous Harbinger?
Microsoft’s June 2026 Patch Tuesday release is significantly larger than its previous record of 175 CVEs, set in October 2025. Last month, Microsoft vice president of Engineering Tom Gallagher warned that releases of this scale could become the new normal, because of AI tools enabling vulnerability discovery at a speed and scale previously unseen.
"I'm fairly confident that the days of 50 to 70 CVEs in a Patch Tuesday release are in the rearview," says Satnam Narang, senior staff research engineer at Tenable. "I would expect, at a minimum, 100-plus CVEs each month to become the norm across Patch Tuesday as we move through the rest of 2026 and beyond," he predicts in comments to Dark Reading.
For security teams, the challenge is how quickly attackers can weaponize N-day, or known, vulnerabilities as AI models such as Claude Mythos, GPT 5.5, and DeepSeek v4 become more accessible, he says. "These developments lower not just the barrier to entry for a lone operation but cost as well."
Tyler Reguly, associate director of security R&D at Fortra, cautions organizations against getting intimidated by the volume of patches alone. "While we have 206 CVEs this month, only three of those have been publicly disclosed and none are listed as exploited," he points out to Dark Reading. "This means that the clock is starting now on active development of exploits and, if the zero-day clock is to be believed, the mean time to exploit will be 21.5 hours."
Keeping Things in Perspective
Based on past precedent, the reality, however, is that the majority of these CVEs will never be exploited, Reguly adds. Available stats on CVEs show that 28 ended up in CISA's known exploited vulnerabilities (KEV) list in 2023; 32 in 2024; and 30 in 2025. "That's a pretty clear average of 30 CVEs per year, or 2.5 CVEs per month," he says. So far in 2026, 15 CVEs have made KEV and if the three publicly disclosed vulnerabilities in June's update end up in the catalog, that would still be a total of 18 by mid-year—or an average of three per month. "We're not that far off the average. So, yes, AI is making a difference, but so far it is a slight difference."
For security teams the message is they need to get back to the basics, Reguly says. "You can't patch your way to a secure environment as hard as you may try, but that is just one layer," he points out. "You can harden systems, you can apply endpoint protections with technologies like [endpoint detection and response, or EDR] and [data loss prevention, or DLP], and you can monitor your system logs."
Justin Fier, senior vice president at Darktrace, echoes similar thoughts. Organizations can expect vulnerability volumes to increase because of AI-assisted vulnerability discovery. "Whether every month reaches 200-plus patches is less important than the fact that security teams will be dealing with a larger and more continuous stream of vulnerabilities that require assessment and action."
But that does not mean every disclosed vulnerability immediately becomes a working exploit. "For enterprise security teams, the lesson is not simply 'patch faster.' Patching will still be essential, but it will not be enough on its own," he notes. Organizations are going to need to assume that some vulnerabilities will be found and exploited faster than they can be fixed. "That means security and IT teams need better visibility into their environments, clearer prioritization, and safer automation so they can respond at the speed and scale this environment requires."
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.