Microsoft fixes 206 vulnerabilities in largest Patch Tuesday

Microsoft released its largest Patch Tuesday, fixing 206 vulnerabilities including 32 critical flaws and three publicly disclosed zero-day bugs.

Microsoft released its largest Patch Tuesday to date, delivering fixes for 206 security vulnerabilities across Windows and other Microsoft components. The update bundle includes 32 flaws Microsoft rated critical and three publicly disclosed zero-day vulnerabilities.

Microsoft classified three issues as zero-days because technical details were made public before fixes were available; none are known to have been actively exploited, Microsoft said.

Notable fixes include CVE-2026-50507, a BitLocker protection mechanism failure with a CVSS score of 6.8 that can allow an attacker with physical access to bypass BitLocker Device Encryption and access data on the system storage device. BitLocker is Windows’ built-in full-disk encryption feature.

Another patched issue, CVE-2026-49160 in HTTP.sys (CVSS 7.5), can be used to trigger a remote denial-of-service against web servers by exploiting the HTTP/2 protocol. CVE-2026-45586 in the Windows Collaborative Translation Framework (CTFMON) carries a CVSS score of 7.8 and could permit an attacker to obtain SYSTEM privileges if exploited.

Microsoft warned that elevation-of-privilege vulnerabilities such as the CTFMON flaw are often chained with other exploits to gain full control of a compromised system.

Users can install the updates through Windows Update. Open Settings, select Windows Update, click Check for updates, allow any found updates to download, then install and restart when prompted. After reboot, return to Windows Update to confirm the system reports it is up to date.

Microsoft formalized the monthly Patch Tuesday cycle in October 2003 after the Blaster worm. Security teams and device owners are advised to install the available updates to address the fixed vulnerabilities.
