Record Microsoft Patch Tuesday, fresh zero-day

Microsoft marked its largest-ever Patch Tuesday this month by shipping fixes for nearly 200 vulnerabilities.

Within hours, “Nightmare Eclipse”, the researcher behind weeks of escalating Windows exploit releases, dropped a proof-of-concept exploit for a new zero-day: “RoguePlanet”, which abuses a race condition in Windows Defender to spawn a command shell running with SYSTEM-level privileges.


Various researchers have confirmed that the PoC exploit works to achieve local privilege escalation.

“In initial development, it was confirmed that this vulnerability was a remote code execution,” Nightmare Eclipse noted, but said that a Windows Defender patch Microsoft pushed out in May might have made remote code execution impossible.

Priorities in a record-breaking release

This month’s Patch Tuesday releases address vulnerabilities in a wide variety of Microsoft’s products, but some require more immediate attention than others, especially in this age of AI-powered security research:

CVE-2026-42897, an actively exploited Microsoft Exchange Server vulnerability, now has a fix.

CVE-2026-45586, a privilege escalation vulnerability in Windows Collaborative Translation Framework (CTFMON), may allow authenticated attackers to gain SYSTEM privileges. The vulnerability is publicly disclosed and Microsoft deems it “more likely” to be exploited. (This is believed to be the vulnerability exploited by Nightmare Eclipse’s “GreenPlasma” exploit.)

CVE-2026-49160, a remotely exploitable vulnerability that affects HTTP.sys, the Windows kernel-mode driver responsible for intercepting and handling network requests over HTTP and HTTPS, may lead to a denial-of-service condition and is also publicly disclosed.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, pointed out that systems using the default MaxRequestBytes registry value used by the Windows HTTP stack are not affected by this flaw.

“You can edit your registry settings if you need protection while you test and deploy the patch. The bulletin includes instructions and even a PowerShell script for doing this action. Microsoft lists this as ‘Exploitation more likely’, so I would definitely check your registry settings,” he opined.
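One way to audit the MaxRequestBytes setting Childs refers to across a fleet, as an added PowerShell example that is not the script from Microsoft's bulletin; it assumes the value lives under the documented HTTP.sys parameters key `HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters`, only reads (never modifies) the registry, and treats an absent value as "built-in default in use":

```powershell
# Added example (not the script from Microsoft's bulletin): report whether the
# HTTP.sys MaxRequestBytes value has been explicitly configured on each host.
# Assumption: the value lives under the documented HTTP.sys parameters key below;
# when the value is absent, HTTP.sys falls back to its built-in default.
function Get-HttpSysMaxRequestBytesStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $check = {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
        $name = 'MaxRequestBytes'
        # SilentlyContinue: a missing value is the expected "default" case, not an error
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Configured = ($null -ne $item)
            Value      = $(if ($null -ne $item) { $item.$name } else { $null })
        }
    }
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $check
        } else {
            # Remote hosts need WinRM; a failed host is reported, not allowed to abort the sweep
            try { Invoke-Command -ComputerName $c -ScriptBlock $check -ErrorAction Stop }
            catch {
                [pscustomobject]@{ Computer = $c; Configured = $null; Value = "ERROR: $($_.Exception.Message)" }
            }
        }
    }
}

# Usage: list hosts where the default was overridden (or could not be checked) so they
# are prioritised for the CVE-2026-49160 patch; hosts with Configured = $false are
# on the default and, per the advisory summary above, not affected.
Get-HttpSysMaxRequestBytesStatus -ComputerName $env:COMPUTERNAME |
    Where-Object { $_.Configured -ne $false } |
    Format-Table Computer, Configured, Value -AutoSize
```

Pass additional hostnames via `-ComputerName` to sweep servers over WinRM; the function produces objects, so the output can also be exported to CSV for the patch-tracking sheet.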

CVE-2026-50507 is a Windows BitLocker bypass that can only be exploited by attackers who have physical access to target devices.

CVE-2026-45585, another Windows BitLocker bypass, has also received a fix. Microsoft acknowledged in the security advisory that this is the fix for the vulnerability exploited by Nightmare Eclipse’s “YellowKey” exploit. (Microsoft shared mitigation advice for it in May 2026.)

Childs also singled out as priority patches two unauthenticated code execution flaws that can be exploited remotely without user interaction:

  • CVE-2026-44815, in the DHCP Client Service, which is present and active on every Windows OS.
  • CVE-2026-45657, a wormable Windows Kernel bug that stems from how the kernel handles TCP/IP. “This was listed as ‘Exploitation Less Likely’ by Microsoft, but rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit. Test and deploy this patch quickly,” he advised.

The AI-driven patch flood isn’t going away

“Last month, Microsoft published a blog noting the increase in reporting volume over several years and that both its engineers and the security community are ‘increasingly using AI’ to find bugs,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.

With this in mind, and as more advanced AI models become available, a large (and increasing) volume of patches may become the norm, and not just for Patch Tuesday.

“With nearly 200 CVEs patched this month, I would be remiss not to call out recent reporting by the Anthropic Frontier Red Team, which highlighted the threat posed by N-days – known vulnerabilities that have not been fully remediated across systems,” he added.

“As part of its analysis of N-days, Anthropic’s Frontier Red Team analyzed 21 Windows kernel elevation of privilege vulnerabilities included in the January and February 2026 Patch Tuesday releases. Models including Sonnet, Opus and Mythos Preview were able to produce proof-of-concept (PoC) exploits by performing patch diffs to identify what changed between the previous and the latest release. Mythos Preview even produced PoCs for 13 of the 14 vulnerabilities that were labeled as ‘Exploitation Less Likely’ or ‘Exploitation Unlikely’ according to Microsoft’s Exploitability Index, an assessment system designed for humans, not advanced AI models. As Anthropic prepares to release Mythos, and other AI companies release models on par with Mythos, rapidly closing the patch gap is critical for organizations.”

Tyler Reguly, Associate Director, Security R&D at Fortra, also noted that widespread AI use is making CVSS scores a poor indication of real risk.

“How many of [vulnerabilities with high CVSS scores] are turned into exploits, and how many of those exploits are the thing we really need to pay attention to? For the next few weeks, while teams are testing the patches and preparing for deployments across their organizations, I’ll be watching CISA KEV to see if any of these get added,” he commented.

“Right now, I’m guessing that all three publicly disclosed vulnerabilities will end up on the list – CVE-2026-45586 (CTFMON), CVE-2026-50507 (BitLocker), and CVE-2026-49160 (HTTP.sys).”

Trend Micro’s Childs pointed out that this “inflation” of patches raises concerns: “How many patches were generated using AI to assist in coding or testing? What quality issues may exist in these patches?”

Also: “Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates? Unfortunately, Microsoft is not providing those answers right now. Hopefully that changes in the future.”
