Microsoft patches 208 CVEs on record Patch Tuesday as researcher drops new Defender zero-day

Microsoft shipped security fixes for 208 vulnerabilities on June 10, 2026 — the largest single Patch Tuesday release in the program’s 23-year history. Within hours of the update dropping, a researcher known as Nightmare Eclipse published working exploit code for a previously undisclosed Windows Defender privilege escalation flaw, leaving enterprise security teams facing one of the most demanding patch days on record.
A wormable kernel bug at the top of the list
The most urgent fix in this month’s batch is CVE-2026-45657, a CVSS 9.8 use-after-free vulnerability in the Windows Kernel TCP/IP stack. Microsoft classifies it as wormable: an unauthenticated attacker on the internet can send specially crafted packets to a vulnerable system and achieve SYSTEM-level code execution, with no credentials and no user interaction required. Affected systems include Windows 11 versions 23H2 through 26H1 on x64 and ARM64, and Windows Server 2022 and 2025 including Server Core.
No confirmed public exploit exists yet for CVE-2026-45657, but security researchers are already reverse-engineering the patch. Given the vulnerability’s characteristics, the window before a reliable public exploit appears is likely measured in days, not weeks.
Six zero-days, one actively exploited
Among the 208 CVEs are six zero-day vulnerabilities, five of which were publicly disclosed before today’s patches. One — CVE-2026-42897, a Microsoft Exchange spoofing vulnerability — was being actively exploited in the wild before Microsoft published the fix. The other notable zero-days include GreenPlasma (CVE-2026-45586), a privilege escalation in the Windows Collaborative Translation Framework; YellowKey (CVE-2026-45585) and Bitskrieg (CVE-2026-50507), both BitLocker bypass flaws; and HTTP/2 Bomb (CVE-2026-49160), a denial-of-service vulnerability in HTTP.sys that allows an unauthenticated attacker to crash affected web servers over the network.
The 208-CVE count, as tallied by Trend Micro’s Zero Day Initiative researcher Dustin Childs, surpasses the previous single-month record of 167 CVEs. Of the total, 33 are rated Critical, with 28 of those being remote code execution flaws.
RoguePlanet: a new Defender zero-day lands the same day
Hours after Microsoft’s update dropped, Nightmare Eclipse — a researcher who has released a string of Windows zero-days over recent months under names like BlueHammer, RedSun, and GreenPlasma — published RoguePlanet, a new local privilege escalation exploit targeting Microsoft Defender. The exploit abuses a race condition in Defender’s internal file handling: it redirects a file operation performed by Defender so that attacker-controlled code executes with SYSTEM privileges on fully patched Windows 10 and Windows 11 machines.
The exploit is not 100% reliable — it’s a race condition, so success rates vary by machine configuration — but ThreatLocker confirmed it works against Windows 11 systems with June’s KB5094126 update installed. Organizations using application allowlisting can block this attack vector.
Nightmare Eclipse has been in an ongoing public dispute with Microsoft over vulnerability disclosure practices and bug bounty payments. After Microsoft had the researcher’s repositories removed from GitHub and GitLab, Nightmare Eclipse shifted to a self-hosted platform at projectnightcrawler.dev and has continued releasing new exploits. The CVE for RoguePlanet has not yet been assigned.
What to prioritize
Security teams should move quickly on CVE-2026-45657 (the wormable kernel TCP/IP flaw) and CVE-2026-42897 (the Exchange zero-day under active attack) before addressing the rest of the batch. For the RoguePlanet Defender flaw, there is no patch yet — application allowlisting and endpoint detection rules are the available mitigations while Microsoft works on a fix. As reported by BleepingComputer, the full list of CVEs and affected products is available in Microsoft’s June 2026 Security Update Guide.
Originally reported by BleepingComputer. Read the original article for additional details.