Microsoft's Record 206-CVE Patch Tuesday and the Nightmare Eclipse Zero-Days

The largest Patch Tuesday on record arrives with three publicly disclosed zero-days — and a running feud with one researcher producing a steady stream of Microsoft exploits.

Key Takeaways

  • Microsoft's June 2026 Patch Tuesday addressed 206 CVEs — the largest single-month total on record — including 33 critical flaws and three publicly disclosed zero-days.
  • The three publicly disclosed zero-days, all assessed "Exploitation More Likely," were an HTTP.sys denial-of-service bug (CVE-2026-49160), a Windows CTFMON elevation-of-privilege flaw (CVE-2026-45586), and a BitLocker security-feature bypass with public proof-of-concept code (CVE-2026-50507).
  • The cycle landed amid a months-long disclosure feud: the anonymous researcher known as Nightmare Eclipse (aka Chaotic Eclipse) promptly released two further unpatched Microsoft exploits — RoguePlanet and GreatXML — and AI-assisted vulnerability discovery is increasingly cited as a driver of the record CVE count.

A record patch load, three publicly disclosed zero-days, and a researcher who answered the fixes within hours.

REDMOND, WASHINGTON — Microsoft on June 10, 2026 shipped its largest Patch Tuesday on record: security updates for 206 CVEs across Windows and its broader product line, eclipsing the previous high of 175 set in October 2025. The release fixed 33 critical vulnerabilities and three publicly disclosed zero-days — an HTTP.sys denial-of-service flaw, a Windows elevation-of-privilege bug, and a BitLocker bypass — all three of which Microsoft assessed as "Exploitation More Likely."

The record load did not buy Microsoft any quiet. Within hours of the updates going live, the anonymous researcher who has spent months publicly dropping Windows zero-days — known by the handles Nightmare Eclipse and Chaotic Eclipse — released two more unpatched Microsoft exploits, continuing a feud that began when the company publicly condemned uncoordinated zero-day disclosures. Security firms also increasingly tie the swelling CVE volume to AI-assisted vulnerability discovery, which is reportedly accelerating how fast new flaws are found across the industry.

At a Glance
  • Release: June 2026 Patch Tuesday
  • Total CVEs: 206 (largest on record; prev. 175, Oct 2025)
  • Critical: 33
  • Publicly disclosed zero-days: 3 — all "Exploitation More Likely"
  • Zero-day 1: CVE-2026-49160 (CVSS 7.5) — HTTP.sys DoS / HTTP/2 Bomb
  • Zero-day 2: CVE-2026-45586 (CVSS 7.8) — Windows CTFMON EoP
  • Zero-day 3: CVE-2026-50507 (CVSS 6.8) — BitLocker bypass (PoC)
  • Post-patch drops: RoguePlanet, GreatXML (Nightmare Eclipse)

206 CVEs — What's in the Largest Patch Tuesday on Record

By raw count, June 2026 is the heaviest Patch Tuesday Microsoft has ever shipped. According to SOCRadar, the release resolved 206 vulnerabilities across Windows and a wide range of Microsoft products, comprising 33 critical and 167 important flaws. Krebs on Security and CyberScoop both characterized the cycle as a record, surpassing the prior high of 175 CVEs set in October 2025.

Elevation-of-privilege and remote-code-execution bugs dominated the release in unusually close numbers, together accounting for well over half of all patches. The critical tier alone spans a broad surface: a perfect-10.0 Azure HorizonDB elevation-of-privilege flaw (CVE-2026-48567, fixed server-side with no customer action), and a cluster of CVSS 9.8 remote-code-execution bugs including a Windows Kernel RCE (CVE-2026-45657), a Windows HTTP.sys RCE (CVE-2026-47291), and a Windows DHCP Client RCE (CVE-2026-44815) — all reachable without authentication.

The sheer scale of the release is itself the story for defenders. A 206-CVE month is impossible to apply uniformly in a single maintenance window, which is exactly why risk-based prioritization has become the operating model for patch management. The three publicly disclosed zero-days, the unauthenticated RCEs, and the bugs Microsoft flagged "Exploitation More Likely" are the entries that warrant emergency-change treatment ahead of the long tail.

The Three Publicly Disclosed Zero-Days

Three of June's vulnerabilities were public knowledge before Microsoft shipped a fix — the defining trait of a zero-day. All three carry a Microsoft assessment of "Exploitation More Likely," and each has a verifiable CVE number in Microsoft's release.

The first, CVE-2026-49160 (CVSS 7.5), is a denial-of-service flaw in the Windows HTTP.sys kernel-mode listener, linked to the "HTTP/2 Bomb" technique in which a small, crafted HTTP/2 request forces the server to expand and process a disproportionately large amount of data. Because it sits in a shared Windows component rather than a single application, a remote, unauthenticated attacker can destabilize multiple services on the same host at once, with no user interaction required.

The second, CVE-2026-45586 (CVSS 7.8), is a local elevation-of-privilege bug in the Windows Collaborative Translation Framework — the CTFMON service that manages text input and language services. An authenticated attacker with local access can use it to elevate to SYSTEM, the kind of step that slots cleanly into a multi-stage intrusion that begins with phishing or a malicious document.

The third, CVE-2026-50507 (CVSS 6.8), is a BitLocker security-feature bypass — and the most urgent of the trio for many fleets, because its CVSS vector indicates functional proof-of-concept exploit code is already public. It requires physical access, but that is precisely the threat model BitLocker exists to defend, making it a real risk for lost or stolen laptops and evil-maid scenarios. Microsoft also patched a separate, previously disclosed BitLocker bypass this cycle — CVE-2026-45585, the flaw the Nightmare Eclipse researcher had earlier published as "YellowKey."

RoguePlanet: SYSTEM Access on a Patched Windows Box

The fixes did not end the disclosures. According to The Hacker News, hours after the June updates went live the researcher published a proof-of-concept for a new, unpatched Microsoft Defender zero-day named RoguePlanet. The flaw is a race condition that, when it lands, spawns a shell with SYSTEM-level privileges — full control of the machine.

The detail that makes RoguePlanet notable is its target state. The researcher said the exploit was tested on Windows 11 and Windows 10 machines with the June 2026 Patch Tuesday updates already installed, meaning it reportedly works against fully up-to-date desktops rather than unpatched ones. "The exploit is a race condition, so it's a hit or miss," the researcher wrote, claiming a 100% success rate on some machines and inconsistent results on others. The exploit does not currently work on Windows Server, where standard users cannot mount the ISO image the technique relies on, though the researcher maintains Server is also affected.

RoguePlanet is the latest in a run of Microsoft Defender flaws from the same researcher, following BlueHammer, UnDefend and RedSun — a batch of Defender zero-days that Microsoft has since had to patch. Microsoft told The Hacker News it was "actively investigating the validity and potential applicability" of the RoguePlanet claims and reaffirmed its commitment to coordinated disclosure.

GreatXML: A BitLocker Bypass via Recovery-Partition XML Files

A day after RoguePlanet, the same researcher released GreatXML, a second new BitLocker bypass. According to The Hacker News, the technique abuses an interaction between Microsoft Defender's Offline Scan feature and the Windows Recovery Environment (WinRE).

The method, as described by the researcher, is mechanical: copy a crafted "unattend.xml" and a recovery folder containing a "ReAgent.xml" file to the root of the recovery partition, then reboot into WinRE by holding Shift while clicking Restart. If every step is followed, the result is a shell with unrestricted access to the BitLocker-protected volume. The researcher said the discovery was accidental and took roughly four hours to find, and warned that any system on which a Windows Defender Offline Scan has ever run is exposed.

GreatXML is the second BitLocker bypass the researcher has released, after YellowKey (CVE-2026-45585), which Microsoft patched in this same Patch Tuesday. As a freshly published technique, GreatXML had no assigned CVE at the time of disclosure, and the available reporting does not establish whether Microsoft considers it a distinct vulnerability or a variant of an already-tracked issue.

Nightmare Eclipse's Running Feud with Microsoft

The disclosures are not random. They are part of what reporting describes as a retaliatory campaign by an anonymous researcher who operates under the handles Nightmare Eclipse and Chaotic Eclipse — and who published the latest exploits from a new GitHub account, "MSNightmare," after earlier accounts were taken down.

In cryptographically signed posts, the researcher has accused Microsoft of revoking access to their Microsoft Security Response Center reporting account, dismissing their reports, failing to compensate them, and defaming them. The result has been a steady cadence of public, uncoordinated zero-day drops — BlueHammer, RedSun, UnDefend, YellowKey, MiniPlasma and now RoguePlanet and GreatXML — that Microsoft has had to chase with patches.

Microsoft has called such public disclosures "never justifiable," arguing they put customers at unnecessary risk, and the dispute previously spilled into the researcher's threat of a coordinated July 14 exploit drop. The pattern echoes other recent Windows disclosures from the same orbit, including the MiniPlasma cldflt regression. Critically, the researcher's identity remains unknown, and reporting does not establish whether Microsoft is in any dialogue with them.

The AI-Discovery Driver

Alongside the feud, a structural explanation is gaining traction for why monthly CVE counts keep climbing: AI-assisted vulnerability discovery. According to Dark Reading and The Register, security teams increasingly attribute the swelling volume of disclosed flaws — including this record Patch Tuesday — to AI tooling that accelerates how fast bugs are found and triaged.

The trend is visible well beyond Microsoft's release notes. The same week, autonomous AI agents were credited with uncovering large batches of zero-days in widely used open-source software, part of a broader shift in which AI is reshaping both offense and defense in vulnerability research. That dynamic cuts both ways: the same automation that helps vendors and researchers find flaws faster also expands the raw inventory of bugs that defenders must triage every month.

Two important caveats apply. The available sources tie AI to the rising CVE volume as an industry trend and as analyst assessment, not as an official Microsoft statement that AI specifically drove June's 206-CVE count. And whether any specific AI-assisted research contributed individual CVEs to this release is not established. The connection is real and widely reported, but it is a directional explanation rather than a line-item accounting of where each of the 206 flaws came from.

What Patching Teams Should Prioritize

With 206 CVEs, uniform patching is not realistic, so sequencing matters. The three publicly disclosed zero-days top the list: apply the BitLocker fix (CVE-2026-50507) urgently on any device that leaves controlled environments, given the public proof-of-concept, and prioritize the HTTP.sys DoS (CVE-2026-49160) on internet-facing Windows hosts processing HTTP traffic.

The unauthenticated critical RCEs are the next block. SOCRadar recommends treating the two HTTP.sys flaws — the zero-day DoS and the CVSS 9.8 RCE (CVE-2026-47291), the only bug this month with a published mitigation — as a single patching priority for any host serving HTTP. DHCP infrastructure (CVE-2026-44815 and CVE-2026-45602) and the unauthenticated Windows Kernel RCE (CVE-2026-45657) round out the must-patch-now tier, all exploitable without credentials or user interaction.

Beyond this cycle, the Defender exposures deserve standing attention. Because RoguePlanet reportedly works on fully patched June systems and GreatXML targets the recovery environment, defenders should track Microsoft's follow-up advisories closely and fold these into a continuous, risk-based vulnerability-management program rather than a once-a-month scramble. For organizations still measuring patch posture against last month's CVE landscape, June's record release is a reminder that monthly volume is trending up, not down.
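
The sequencing described in this section, written as a host-aware triage function. This is an added example, not code from the article or any cited source: the CVE IDs and their attributes come from the article, while the host names, role tags and the three-tier mapping are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    cve_id: str
    component: str                 # assumed tag used to match host roles
    zero_day: bool = False         # publicly disclosed before the fix
    unauthenticated: bool = False  # no credentials or user interaction needed
    public_poc: bool = False

# IDs and attributes as reported in the article.
JUNE_2026 = [
    Cve("CVE-2026-50507", "bitlocker", zero_day=True, public_poc=True),
    Cve("CVE-2026-49160", "http", zero_day=True),
    Cve("CVE-2026-45586", "windows", zero_day=True),
    Cve("CVE-2026-47291", "http", unauthenticated=True),
    Cve("CVE-2026-44815", "dhcp", unauthenticated=True),
    Cve("CVE-2026-45602", "dhcp", unauthenticated=True),
    Cve("CVE-2026-45657", "windows", unauthenticated=True),
]

# Constructed sample inventory: host name -> role tags (assumed labels).
HOSTS = {"web-01": {"http"}, "dhcp-01": {"dhcp"},
         "laptop-17": {"mobile"}, "kiosk-03": set()}

def tier(cve, roles):
    """1 = emergency change, 2 = must-patch-now, 3 = regular window."""
    exposed = {
        "bitlocker": "mobile" in roles,  # device leaves controlled environments
        "http": "http" in roles,         # host serves HTTP
        "dhcp": "dhcp" in roles,         # DHCP infrastructure
        "windows": True,                 # core OS component, every host
    }[cve.component]
    if not exposed:
        return 3
    if cve.zero_day or cve.component == "http":
        return 1  # both HTTP.sys flaws ship as one priority on HTTP hosts
    return 2 if cve.unauthenticated else 3

def patch_plan(hosts):
    """Return (tier, host, cve_id) rows, most urgent first; public PoC leads a tier."""
    rows = [(tier(c, roles), not c.public_poc, host, c.cve_id)
            for host, roles in hosts.items() for c in JUNE_2026]
    return [(t, host, cve_id) for t, _, host, cve_id in sorted(rows)]

if __name__ == "__main__":
    for row in patch_plan(HOSTS):
        print(*row)
```

The same CVE lands in different tiers depending on the host: the BitLocker fix is an emergency change on the laptop but waits for the regular window on the fixed kiosk, and the HTTP.sys RCE is pulled into tier 1 only where HTTP is served.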


Sources

  • Primary: Microsoft Security Response Center — June 2026 Release Notes
  • Reporting: Krebs on Security — A Record-Breaking Patch Tuesday for June 2026
  • Reporting: The Hacker News — Microsoft Patches Record 206 Flaws
  • Reporting: CyberScoop — Microsoft Patch Tuesday, June 2026
  • Analysis: SOCRadar — June 2026 Patch Tuesday: 206 Vulnerabilities, Three Zero-Days
  • Reporting: The Hacker News — Microsoft Defender RoguePlanet Zero-Day
  • Reporting: The Hacker News — New GreatXML Exploit Bypasses Windows BitLocker
  • Analysis: Dark Reading — Blame AI? Patch Tuesday's Record 206 CVEs
  • Analysis: CrowdStrike — Patch Tuesday Analysis, June 2026
  • Related: The CyberSignal — Microsoft Defender UnDefend and RedSun Zero-Days
  • Related: The CyberSignal — Chaotic Eclipse's July 14 Drop Threat