Microsoft's June Patch Tuesday fixed six zero-days and 200 flaws

Microsoft's June 2026 Patch Tuesday was a heavy one: around 200 vulnerabilities fixed in a single release, including six zero-days. A zero-day is a flaw that was already known to attackers, or already being used, before a fix existed. Six of them in one month is not a record anyone wants to set.

Patch Tuesday is the second Tuesday of each month, when Microsoft ships its scheduled security fixes for Windows, Office and the rest of its software. It is predictable on purpose, so IT teams can plan around it. The flip side is that attackers plan around it too, picking apart the patches to work out what was broken and building exploits for everyone who has not updated yet.

What to do

On a personal Windows machine, open Settings, go to Windows Update and click Check for updates. Install what it offers and restart when asked. The restart is the part that actually applies the fixes, and it is the step people put off for days.

If you manage Windows machines for an organisation, prioritise the six zero-days for immediate deployment rather than waiting for your normal patch cycle. The ones under active exploitation are the ones attackers are using right now, not in some hypothetical future. With 200 fixes in the batch, testing matters, but the actively exploited bugs do not get the luxury of a long test window.

The broader point: 200 vulnerabilities in one month from one vendor is the normal weather now, not a storm. Keeping automatic updates on is the single highest-value security habit most people can adopt, and it costs nothing but the occasional restart.