Microsoft nearly crossed the 200 CVE mark this month, patching 198 CVEs, a record high; the previous record was October 2025, with 167 CVEs patched. Last month, Microsoft published a blog post noting the increase in reporting volume over several years and that both its engineers and the security community are “increasingly using AI” to find bugs. Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm. Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday.
This month’s release included fixes for three publicly disclosed zero-days: CVE-2026-45586, an elevation of privilege vulnerability in Windows Collaborative Translation Framework Monitor (CTFMON), the service that manages alternative text input; CVE-2026-50507, a BitLocker bypass vulnerability; and CVE-2026-49160, dubbed HTTP2/Bomb, a denial of service vulnerability affecting most major web servers, including Microsoft Internet Information Services (IIS) (HTTP.sys), whose discovery was credited to OpenAI’s Codex. Notably missing are some of the outstanding vulnerabilities publicly disclosed by Nightmare Eclipse, also known as Chaotic Eclipse.
With nearly 200 CVEs patched this month, I would be remiss not to call out recent reporting by the Anthropic Frontier Red Team, which highlighted the threat posed by N-days – known vulnerabilities that have not been fully remediated across systems. As part of its analysis of N-days, Anthropic’s Frontier Red Team analysed 21 Windows kernel elevation of privilege vulnerabilities included in the January and February 2026 Patch Tuesday releases. Models including Sonnet, Opus and Mythos Preview were able to produce proof-of-concept (PoC) exploits by performing patch diffs to identify what changed between the previous and the latest release. Mythos Preview even produced PoCs for 13 of the 14 vulnerabilities that were labelled as “Exploitation Less Likely” or “Exploitation Unlikely” according to Microsoft’s Exploitability Index, an assessment system designed for humans, not advanced AI models. As Anthropic prepares to release Mythos, and other AI companies release models on par with Mythos, rapidly closing the patch gap is critical for organisations.




