Microsoft June 2026 Patch Tuesday fixes record 206 flaws, 6 zero-days
Microsoft released fixes for a record 206 vulnerabilities in June 2026, including six zero-days. One Exchange Server flaw is under active attack. AI tools are driving a surge in discovery.
Microsoft released its largest Patch Tuesday on record June 10, 2026, fixing 206 security vulnerabilities across its product portfolio. The update includes fixes for six zero-day flaws, one of which is actively exploited in attacks against Exchange Server.
Of the 206 flaws, 39 are rated Critical and 167 are rated Important. The breakdown includes 63 privilege escalation bugs, 56 remote code execution flaws, 30 information disclosure issues, 27 spoofing vulnerabilities, and 20 security feature bypass problems. This surpasses the previous record of 167 flaws set in April 2026.
Exchange Server zero-day under active attack
The most urgent vulnerability is CVE-2026-42897, a high-severity spoofing flaw in Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft says remote attackers with no privileges can exploit it by sending a specially crafted email. If a user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript executes in the browser context.
Microsoft first detected the attacks in mid-May and rolled out automatic temporary mitigations through the Exchange Emergency Mitigation Service (EEMS). The Cybersecurity and Infrastructure Security Agency added the flaw to its exploited vulnerabilities list on May 15 and ordered U.S. federal agencies to patch within two weeks. Over the past five years, CISA has listed 20 Exchange Server vulnerabilities as exploited, with ransomware gangs using 14 of them.
AI blamed for vulnerability surge
Microsoft security leadership acknowledged last month that artificial intelligence tools are driving a sharp increase in vulnerability discovery across the industry. Dark Reading reported that AI accelerates both the speed and scale of finding flaws, making voluminous patch updates the new normal. CyberScoop noted that fears about a flood of error-riddled software have materialized.
The three publicly disclosed zero-days in this release add urgency. While Microsoft did not name the specific CVEs, the company confirmed that proof-of-concept code or public disclosure existed before the patch. The remaining two zero-days were privately reported and not known to be exploited.
Administrators should prioritize the Exchange Server update and leave the EEMS mitigations in place for additional protection. Microsoft recommends installing the June 2026 Security Updates as soon as possible. With AI-driven discovery accelerating, organizations should expect similarly large Patch Tuesday releases in coming months.
Fact check
- Microsoft fixed 206 vulnerabilities in June 2026 Patch Tuesday, a record. (verified)
- CVE-2026-42897 is an actively exploited Exchange Server zero-day. (verified)
- AI tools are driving a surge in vulnerability discovery, according to Microsoft security leadership. (reported)
- 39 of the 206 flaws are rated Critical. (verified)
- CISA added CVE-2026-42897 to its exploited vulnerabilities list on May 15, 2026. (verified)
Source reporting (10)
- BleepingComputer · Microsoft patches Exchange Server zero-day exploited in attacks
- The Record by Recorded Future · Microsoft ships largest Patch Tuesday on record, with one bug under active attack
- The Hacker News · Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
- CyberScoop · Microsoft breaks Patch Tuesday record with 206 vulnerabilities
- Dark Reading · Blame AI: Patch Tuesday Hits Record 206 CVEs
- BleepingComputer · Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days
- The Hacker News · Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
- BleepingComputer · Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges
- Krebs on Security · A Record-Breaking Patch Tuesday for June 2026
- The Register · AI is making Patch Tuesday (kinda) fun again