Defender Under Attack, "HTTP/2 Bomb" - and Other Record Patch Tuesday Notes

Microsoft’s June Patch Tuesday set a new benchmark, releasing more than 200 patches in a single month. The unprecedented volume mirrors a broader industry trend: software flaws have become the primary catalyst for data breaches, as highlighted by Verizon’s DBIR, which for the first time places exploit‑based attacks ahead of credential theft. This shift forces security teams to prioritize rapid patch deployment and continuous monitoring, especially as cloud services like Azure’s managed Postgres (HorizonDB) reveal critical CVSS 10 vulnerabilities that could have far‑reaching implications for data integrity and compliance.

Among the most consequential fixes are the Defender elevation‑of‑privilege bug (CVE‑2026‑41091) and the newly disclosed “RoguePlanet” race condition, both actively exploited in the wild. The “HTTP/2 Bomb” (CVE‑2026‑49975) introduces a low‑bandwidth denial‑of‑service vector that can cripple IIS servers by exhausting memory, prompting immediate mitigations such as disabling HTTP/2. Additionally, an undocumented elevation‑of‑privilege flaw in PowerToys (CVE‑2026‑42902) slipped into a release without clear notice, highlighting the need for thorough release‑note scrutiny and patch‑diffing vigilance.

The discussion now pivots to the role of artificial intelligence in the vulnerability lifecycle. Researchers like Dustin Childs speculate that AI tools are increasingly used to both discover bugs and automate patch coding, accelerating response times but potentially compromising code quality. Organizations should therefore augment AI‑driven processes with rigorous manual review and testing, ensuring that speed does not erode security assurance. As Microsoft continues to push large‑scale updates, a balanced approach that leverages AI efficiency while maintaining strict quality controls will be essential for safeguarding enterprise environments.