
Microsoft Patch Tuesday Addresses 204 Vulnerabilities and Highlights New Security Threats
The June 10, 2026, SANS Internet Storm Center Stormcast covered Microsoft’s Patch Tuesday, which addressed 204 vulnerabilities in Microsoft products and an additional 360 in Chromium (affecting Edge). Six vulnerabilities impacted Microsoft cloud solutions and require no user action, while 38 were critical, including three previously disclosed but unexploited flaws. Notable patches included two new BitLocker bypass vulnerabilities and two HTTP.sys flaws: one a compression bomb in HTTP/2 and HTTP/3, mitigated via a registry setting, and the other an integer overflow enabling remote code execution, preventable by limiting request sizes. A stack-based buffer overflow in Active Directory Domain Services was deemed unlikely to be exploited, while vulnerabilities in Microsoft Office, Outlook, and Word accounted for most of the remaining critical issues. The video also highlighted the open-source release of the 'Miasma' software supply chain attack toolkit, previously used in GitHub attacks, and a new OS command injection vulnerability in 40 Sandbox via JSON input. Priority patching was advised for exposed HTTP.sys servers, while the other updates were recommended for routine vulnerability management.