On Tuesday, Microsoft unveiled a significant update addressing a staggering 206 security vulnerabilities across its software ecosystem. Among these, three flaws were publicly disclosed at the time of the release, underscoring the urgency of the situation.
Severity and Types of Vulnerabilities
Out of the total vulnerabilities, 39 have been classified as Critical, while 167 are deemed Important. The breakdown of these vulnerabilities reveals a diverse array of risks, including:
- 63 privilege escalation vulnerabilities
- 56 remote code execution vulnerabilities
- 30 information disclosure vulnerabilities
- 27 spoofing vulnerabilities
- 20 security feature bypass vulnerabilities
- 7 denial-of-service vulnerabilities
- 3 tampering vulnerabilities
Notably, the patches also encompass two non-Microsoft Common Vulnerabilities and Exposures (CVEs), specifically a privilege escalation vulnerability in the Windows Kernel (CVE-2025-10263) and a UEFI Secure Boot security feature bypass (CVE-2026-8863). This comes in addition to over 350 security flaws that Google has recently addressed in Chromium, which underpins Microsoft’s Edge browser.
Critical Flaws Highlighted
At the forefront of the fixes is CVE-2026-45657, a use-after-free flaw in the Windows Kernel, boasting a CVSS score of 9.8. This vulnerability poses a risk of remote code execution, allowing an attacker to exploit it by sending specially crafted network traffic to a vulnerable Windows system. Microsoft elaborated, stating, “If successful, the malicious network packets could trigger a flaw in how the Windows kernel processes certain TCP/IP data, potentially allowing the attacker to run code with system-level privileges without needing to sign in or interact with a user.”
Other critical vulnerabilities include:
- CVE-2026-47291 (CVSS score: 9.8) – An integer overflow flaw in Windows HTTP.sys, enabling unauthorized code execution over a network.
- CVE-2026-44815 (CVSS score: 9.8) – A stack-based buffer overflow vulnerability in Windows DHCP Client, similarly allowing unauthorized code execution over a network.
Alex Vovk, CEO and co-founder of Action1, emphasized the gravity of CVE-2026-44815, noting that it requires no credentials or user action, transforming network traffic into a potential full system compromise. He cautioned that successful exploitation could lead to severe consequences, including server compromise, malware deployment, and data theft.
Additional Vulnerabilities and Fixes
Microsoft has also addressed CVE-2026-45585, a Windows BitLocker security feature bypass vulnerability, which was previously highlighted by security researcher Chaotic Eclipse. This flaw allows an attacker with physical access to a system to bypass the BitLocker Device Encryption feature, gaining access to encrypted data.
Furthermore, CVE-2026-50507 has been identified as a fix for another BitLocker bypass, known as bitskrieg, which grants full access to encrypted data. Other notable vulnerabilities include:
- CVE-2026-45586 (CVSS score: 7.8) – A privilege escalation vulnerability in the Windows Collaborative Translation Framework (CTFMON).
- CVE-2026-49160 (CVSS score: 7.5) – A denial-of-service vulnerability related to HTTP.sys, which can incapacitate web servers rapidly.
To mitigate the risks associated with CVE-2026-49160, Microsoft has introduced a new “MaxHeadersCount” registry setting, aimed at limiting the number of headers in HTTP/2 and HTTP/3 requests, thereby enhancing system performance and reliability.
The Role of AI in Vulnerability Discovery
The surge in the number of patches has been attributed to the increasing use of artificial intelligence in vulnerability discovery. Microsoft anticipates that this trend will persist, as Satnam Narang, a senior staff research engineer at Tenable, remarked, “Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday.”
Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative, noted that the current volume of vulnerabilities reported by Microsoft this year surpasses the total from all of 2018, highlighting the extraordinary pace at which flaws are being discovered and addressed.
In light of these developments, the tech community remains vigilant, especially as Chaotic Eclipse has also released a proof-of-concept exploit for another Microsoft Defender zero-day, named RoguePlanet, which could potentially allow attackers to gain SYSTEM privileges through a race condition.