June Patch Tuesday marks a ‘new normal’ with over 200 CVEs, 32 rated ‘critical’
Summary
June's Patch Tuesday has revealed a record number of vulnerabilities, with Microsoft alone releasing fixes for over 200 CVEs, including 32 rated as 'critical' and three zero-days. This surge is attributed to AI-assisted vulnerability discovery, which is compressing the timeline for identifying flaws and leading to a new baseline of over 200 CVEs per update. Microsoft anticipates this trend will continue, with more out-of-band updates likely.
IFF Assessment
The article details a significant increase in critical vulnerabilities. This raises the risk for defenders, because flaws are more complex and are being discovered more rapidly, especially under the influence of AI.
Severity
CISA KEV: Listed as actively exploited. Federal patch due: May 29, 2026. Known ransomware use: Unknown.
Defender Context
Defenders must prepare for an increasing volume of critical vulnerabilities, as AI is accelerating the discovery of flaws. This necessitates a shift towards risk-based prioritization, automated patching, and a focus on the vulnerabilities most likely to be exploited.