Key Takeaways
- The Patch Apocalypse (the acceleration of vulnerabilities resolved and patches released by vendors) has been picking up speed rapidly, starting with February’s Patch Tuesday and escalating with April’s Patch Tuesday.
- High-profile third-party apps are continuously resolving a higher volume of vulnerabilities, requiring many organizations to rethink their remediation strategies. Google Chrome, as an example, had a massive release resolving 429 CVEs on June 3, followed by the June 9 Patch Tuesday update that resolved 74 CVEs including a zero-day exploit (CVE-2026-11645). Both releases also impact Microsoft Edge.
- Microsoft resolved 198 CVEs including three publicly disclosed vulnerabilities. There are no known exploits this month. This is the new high for CVEs resolved in a single Patch Tuesday by Microsoft (the previous high was October 2025, resolving 175 CVEs).
You may have seen or heard a reference to the Patch Apocalypse. If not, you can dig into some more details here. The graph above shows a sample of several of the top vendor applications in all our environments. You can see a trailing twelve-month history of the number of CVEs resolved each month in these applications. Prior to February 2026, the scariest thing each month was the OS updates: Microsoft, Apple, Android, and Linux flavors of every kind. This was the foundation that organizations built their monthly maintenance around, with Patch Tuesday as the starting point of that monthly maintenance.
Looking at the three dotted lines on the graph you can see February was the first month when that blue line representing the Microsoft Windows OS started to see some competition. This was the first attribution of CVEs discovered by AI tools. In April, the second dotted line, we witnessed the announcement of Project Glasswing and a significant spike in CVEs discovered.
Fast forward to June Patch Tuesday and we see a massive green line next to a massive blue line. This is Google Chrome and Microsoft Edge (Chromium) which released a pair of updates already in June resolving over 500 CVEs in total including a zero-day exploit (CVE-2026-11645). Today, we are in the Patch Apocalypse. The Patch Apocalypse is now.
This is not intended to be a scare tactic. It is meant to outline a challenge that many organizations were anticipating, but that the new generation of LLMs has accelerated significantly in the first half of 2026.
There are going to be more CVEs resolved by vendors at a faster and more continuous pace than we have ever seen previously. Unfortunately, this will also include more zero-day and n-day exploits than previously seen. The window from a vendor's release to exploitation had already shortened to 5 days as of 2023 threat intelligence data.
Many vendors have been acknowledging the need to utilize AI tools in their security research to identify and resolve security flaws in their products. Oracle recently announced its move to include the CSPU, or monthly security update; June will be the second instance of that new release cadence. Google Chrome had already moved to a weekly cadence back in 2023. Mozilla has typically released one to two security releases each month and is now tracking a nearly weekly cadence as well.
Ivanti is tracking a 30-40% increase in patches released each month across the vendors supported in our Patch Catalog. We anticipate this will continue to accelerate for a while until we reach a new stable threshold, but the expectation is that this is not a spike. It is the new normal.
With that, we return to the regularly scheduled June 2026 Patch Tuesday for a point-in-time update. Microsoft has resolved 198 CVEs, Google Chrome resolved 74 including the zero-day exploit (CVE-2026-11645), and Adobe resolved 123 CVEs across 11 updates.
I feel a bit desensitized at this point, but need to call out that this is the largest CVE count resolved by Microsoft in a single Patch Tuesday. October 2025 was the previous high at 175 CVEs resolved. It seems inconsequential compared to the Chrome and Edge CVE count of 429 in the June 3, 2026 update from the prior week.
Expanding the conversation to the continuous release challenge: based on Ivanti’s Patch Catalog, a quick tally of security-related updates between the May and June Patch Tuesdays included 89 updates resolving 513 CVEs (Chrome and Edge are de-duplicated in this count). These updates should be included in your upcoming maintenance if you don’t have a continuous update approach in place today.
These include multiple releases for all major browsers (Chrome, Firefox, Edge, Opera, etc.), PDF editors and viewers (Foxit, Adobe, Nitro), development tools (Node.js, VSCodium, Docker), common utilities and apps (Notepad++, PuTTY, PyCharm, Wireshark, Splunk UF), productivity and telecommunications apps (Teams, Zoom) and more.
Microsoft’s publicly disclosed vulnerabilities
Microsoft resolved a Security Feature Bypass Vulnerability in Windows BitLocker (CVE-2026-50507). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 6.8, but has been publicly disclosed. The CVE lists exploit code maturity as Proof-of-Concept, which puts this at a higher risk of exploitation. An attacker with physical access could use this vulnerability to bypass a security feature, gaining access to encrypted data.
Microsoft resolved a Denial-of-Service Vulnerability in HTTP.sys (CVE-2026-49160). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.5, but has been publicly disclosed. The CVE lists exploit code maturity as Unproven, meaning no sample code was disclosed at the time this was released. An unauthorized attacker could take advantage of uncontrolled resource consumption in HTTP/2 to cause a denial of service over a network.
Microsoft resolved an Elevation of Privilege Vulnerability in Windows Collaborative Translation Framework (CVE-2026-45586). The vulnerability is rated Important by Microsoft and has a CVSS v3.1 score of 7.8, but has been publicly disclosed. The CVE lists exploit code maturity as Unproven, meaning no sample code was disclosed at the time this was released. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges on the target system.
Ivanti security advisories
Ivanti has released two security updates for June. The updates affect Ivanti Endpoint Manager Mobile and Ivanti Sentry and resolve a total of four CVEs. More details and information about mitigations can be found in the June Security Advisory.
Third-party vulnerabilities
Adobe released 11 updates resolving 123 CVEs. Adobe has rated the ColdFusion update as the highest priority.
Google Chrome resolved 74 CVEs in the latest Chrome update including a zero-day exploit (CVE-2026-11645). This comes on the heels of the largest Chrome release on June 3 that resolved 429 CVEs. Microsoft Edge also needs to be updated to resolve these CVEs.
June update to-do list
- Google Chrome and Microsoft Edge are the top priority this month: their updates from the past week resolve 500+ CVEs and a zero-day exploit (CVE-2026-11645).
- The Windows OS update is the next highest priority as it resolves 110+ CVEs depending on edition.