This month’s Patch Tuesday fixes 206 security flaws in Microsoft software, making it the biggest Patch Tuesday release ever.
The update includes 32 critical vulnerabilities, as well as three publicly disclosed zero-days. Microsoft classifies these as zero-days because information about the vulnerabilities became public before patches were available. None are known to have been actively exploited by attackers.
The huge number of fixed vulnerabilities makes this the largest Patch Tuesday since Microsoft launched the program in October 2003. The company introduced the monthly update schedule after the Blaster worm caused disruption in the early days of Windows.
How to apply patches and check if you’re protected
These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:
1. Open Settings
- Click the Start button (the Windows logo at the bottom left of your screen).
- Click on Settings (it looks like a little gear).
2. Go to Windows Update
- In the Settings window, select Windows Update (usually at the bottom of the menu on the left).
3. Check for updates
- Click the button that says Check for updates.
- Windows will search for the latest Patch Tuesday updates.
- If you have selected to get the latest updates as soon as they’re available (you may see this setting under More options), you may see a Restart required message. In that case, restart your system and the update will complete.
- If not, continue with the steps below.
4. Download and install
- If updates are found, they’ll start downloading automatically. Once complete, you’ll see a button that says Install or Restart now.
- Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.
5. Double-check you’re up to date
- After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!

Technical details
One publicly disclosed vulnerability is important to mention. This flaw in Windows BitLocker is tracked as CVE-2026-50507 (CVSS score: 6.8 out of 10) and its description states:
“a protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.”
BitLocker is a built-in Windows security feature that encrypts your entire hard drive, securing your data from unauthorized access if your device is lost or stolen. However, this vulnerability could allow an attacker with physical access to bypass BitLocker Device Encryption and gain access to encrypted data.
Another is CVE-2026-49160 (CVSS score: 7.5 out of 10) in HTTP.sys. This vulnerability can be exploited to launch a remote denial-of-service attack against major web servers using a technique called HTTP/2 Bomb.
The third to discuss is CVE-2026-45586 (CVSS score: 7.8 out of 10) in the Windows Collaborative Translation Framework (CTFMON). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. These elevation of privilege (EoP) vulnerabilities are especially valuable to attackers because they can be combined with other flaws to gain full control of a compromised system.