Microsoft Addresses 360 Browser Vulnerabilities Amid Rising Cybersecurity Threats and Uncoordinated Disclosures
Microsoft has reported no known exploitation of vulnerabilities in the wild or public disclosures for the latest round of security issues, a situation that mirrors the previous month. However, several vulnerabilities disclosed in May quickly made their way onto the CISA Known Exploited Vulnerabilities (KEV) list, signaling increasing concern among cybersecurity professionals.
Significant Increase in Browser Vulnerabilities
This month, Microsoft issued patches for an unprecedented 360 browser vulnerabilities, marking a significant rise compared to typical monthly figures observed in recent years. It is important to note that browser vulnerabilities are not included in the Patch Tuesday totals, which traditionally focus on operating system and application vulnerabilities.
The surge in browser vulnerabilities has led Microsoft to stop enumerating Chromium Common Vulnerabilities and Exposures (CVEs) in its Security Update Guide. This decision reflects a broader trend, as other categories of vulnerabilities, particularly those associated with the Linux kernel, are also seeing an uptick in reports, often facilitated by advancements in artificial intelligence tools.
Uncoordinated Disclosures Raise Concerns
In recent weeks, independent researcher Nightmare Eclipse has gained attention for revealing details about six Microsoft vulnerabilities. These include elevation of privilege vulnerabilities in Microsoft Defender and a bypass for Secure Boot disk encryption. The researcher has provided full proof-of-concept code for some vulnerabilities while offering partial details for others. Microsoft confirmed that these disclosures were not coordinated, indicating a strained relationship between the researcher and the company.
Two of these disclosures were made shortly after last month’s Patch Tuesday, maximizing visibility but limiting Microsoft’s ability to respond with timely patches. Currently, Microsoft has released mitigation advice and patches for vulnerabilities including CVE-2026-33825, CVE-2026-45585, CVE-2026-45498, and CVE-2026-41091. However, two elevation of privilege vulnerabilities, referred to as MiniPlasma and GreenPlasma, remain unpatched.
A recent blog post by Nightmare Eclipse titled “7” has led to speculation regarding the existence of at least one additional vulnerability. The post featured only an image of Albert Wesker, a character from the Resident Evil video game series, known for his transition from researcher to rogue agent.
New Disclosures and Ongoing Tensions
Following the June Patch Tuesday updates, Nightmare Eclipse has launched a new blog post and GitHub account, suggesting the imminent release of another vulnerability dubbed RoguePlanet. This new disclosure reportedly details another elevation of privilege vulnerability in Microsoft Defender.
The ongoing situation has raised alarms at Microsoft and among cybersecurity professionals. The partial or complete disclosure of proof-of-concept code for vulnerabilities affecting fully patched Windows systems poses significant risks. Concerns have also been voiced within the vulnerability disclosure community regarding Microsoft’s invocation of its Digital Crimes Unit in a May 27 blog post. This move may deter researchers from engaging in mutually beneficial collaboration with the Microsoft Security Response Center (MSRC).
In a follow-up statement, MSRC clarified that it does not intend to take action against security researchers unless they engage in illegal or malicious activities that cause real harm. This clarification underscores the complexity of the current vulnerability management landscape.
Emerging Denial-of-Service Vulnerabilities
In addition to the ongoing issues with Microsoft vulnerabilities, new denial-of-service vulnerabilities affecting web servers implementing HTTP/2 and HTTP/3 standards have emerged. This class of vulnerabilities is expected to expand as researchers leverage advancements in technology to probe both specific software and the underlying standards. Microsoft warns that exploitation of these vulnerabilities could lead to uncontrolled resource consumption across networks.
One such vulnerability, CVE-2026-49160, has been identified, with Microsoft anticipating increased exploitation attempts. The advisory credits both a third-party research firm and OpenAI’s Codex for their contributions to this discovery.
Another HTTP/2 vulnerability, known as the HTTP/2 Bomb, has also come to light. This vulnerability allows for trivial denial-of-service attacks against the default HTTP/2 configuration of various web server platforms, including Microsoft IIS. Unlike distributed denial-of-service attacks, this vulnerability does not require the attacker to control a significant amount of bandwidth. Patches are currently available for NGINX and Apache, with Microsoft IIS expected to follow suit. Disabling HTTP/2 may serve as a valid mitigation strategy.
PowerToys Vulnerability and Lifecycle Changes
The Microsoft PowerToys utility, which offers various control and configuration options for Windows power users, has revealed an undocumented feature: local elevation of privilege to SYSTEM through the exploitation of CVE-2026-42902. Notably, the fix for this vulnerability was included in PowerToys version 0.99.1 released on April 29, 2026, without any mention in the release notes, which could attract the attention of attackers utilizing patch-diffing toolkits.
There are no significant changes to Microsoft product lifecycles this month. SQL Server 2016 will transition from regular extended support to the pay-to-play Extended Security Updates (ESU) phase after July 14, 2026. On the same date, SharePoint 2016 and 2019 will also move past extended support, with no ESU available. After the middle of next month, the only remaining option for fully supported self-hosted SharePoint will be SharePoint Subscription Edition.
Published on 2026-06-11 07:15:00 • By the Editorial Desk