Microsoft's June Patch Tuesday: 206 CVEs Addressed, AI's Role in Security Patches Questioned
June 9, 2026
Microsoft’s June Patch Tuesday addressed 206 CVEs across its products, with 38 rated as critical and three publicly known vulnerabilities among them.
Three zero-day vulnerabilities were publicly disclosed this month, none of them known to have been exploited before the patch, including a Windows CTFMON elevation-of-privilege flaw and an HTTP/2 denial-of-service vulnerability dubbed the HTTP/2 Bomb.
A full list of resolved vulnerabilities for May 2026 Patch Tuesday is provided, along with links to detailed MSRC vulnerability entries and the full BleepingComputer report.
Experts warn that releases of this size could become the new normal, affecting how defenders prioritize and deploy patches.
There is speculation about AI involvement in discovering and testing these patches, with officials and researchers noting the unusually large release and raising questions about AI’s role and patch quality.
Ten Secure Boot vulnerabilities, many with scope changes enabling exploitation of boot integrity and pre-OS execution, are primarily attributed to researcher Alon Leviev and related groups, with deeper implications for pre-OS security.
The piece attributes several vulnerabilities to anonymous researchers or to Calif.io researchers Quang Luong and Codex, and references ongoing controversy over disclosure practices and bug bounty handling.
Security researchers from Cohesity and Action1 flag several near-maximum severity flaws as top priorities, emphasizing the vast attack surface across Windows endpoints and the potential for rapid exploitation.
Analysts caution organizations not to rely solely on patching; they should strengthen foundational security measures, including hardening, endpoint protection (EDR), data loss prevention (DLP), and improved visibility, prioritization, and safe automation to respond at scale.
Industry experts argue that while the patch volume is high, many CVEs may never be exploited; historical data show an average of roughly 30 CVEs per year ending up in CISA's Known Exploited Vulnerabilities (KEV) catalog, with only a subset becoming exploited threats.
CVE-2026-50507 may be related to YellowKey and links to Chaotic Eclipse defenses; several leaked exploits have seen in-the-wild activity.
Summary based on 6 sources
Sources

CyberScoop • Jun 9, 2026
Microsoft breaks Patch Tuesday record with 206 vulnerabilities
Security Affairs • Jun 9, 2026
Microsoft Releases Record-Breaking Patch Tuesday With 208 CVEs
BleepingComputer • Jun 9, 2026
Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
The Register • Jun 9, 2026
AI is making Patch Tuesday (kinda) fun again