UPDATED 19:00 EDT / JUNE 10 2026

SECURITY

Microsoft patches record 200-plus vulnerabilities as AI accelerates bug discovery

Microsoft Corp. has patched more than 200 security vulnerabilities, the most the company has ever fixed in a single Patch Tuesday, as researchers say artificial intelligence bug-hunting is the reason the number keeps climbing.

The previous record was 175 fixes, set last October. This month’s batch carried 38 critical flaws, and Microsoft shipped several of the fixes only after the bugs were already public.

The worst of the bunch was CVE-2026-45657, a use-after-free flaw in the Windows kernel’s TCP/IP stack that scored 9.8 on the Common Vulnerability Scoring System scale. An attacker needed no credentials and no user interaction to exploit it. Microsoft says the bug is wormable on some networks. No public exploit had surfaced as of Wednesday.

Attackers were already exploiting two of the patched vulnerabilities before Tuesday. One is tracked as CVE-2026-42897 and hits the Outlook Web Access component of Exchange Server. CISA added it to its Known Exploited Vulnerabilities catalog in May. The other, CVE-2026-41091, let an attacker escalate privileges through Microsoft Defender. Microsoft shipped an emergency fix for it in May and a formal one this month.

Among the publicly disclosed zero-days is CVE-2026-49160, a denial-of-service flaw in HTTP.sys tied to an attack technique dubbed “HTTP/2 Bomb.” Microsoft credited the bug to OpenAI Group PBC’s Codex, one of the first publicly attributed cases of an AI system reporting a vulnerability in a major Patch Tuesday cycle. Two further zero-days stem from uncoordinated disclosures by a pseudonymous researcher known as Nightmare Eclipse, who published proof-of-concept code for a Windows Defender bug within hours of Tuesday’s release.

The record volume follows Microsoft’s own push into AI-driven vulnerability discovery. The company last month detailed MDASH, an agentic scanning system that uses more than 100 AI agents and surfaced 16 previously unknown flaws patched in May.

Researchers said the surge reflects a structural shift rather than a one-off spike.

“We are heading into a high-stakes summer for cybersecurity,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, who told SiliconANGLE the release is “a stark warning that AI is supercharging flaw discovery at an uncontrollable scale.” Childs noted that the number of vulnerabilities Microsoft has shipped this year already exceeds its total for all of 2018. “It is extraordinary that Microsoft can produce so many patches in a single month and I expect many testers are wondering what quality issues may exist,” he said.

The volume now extends well beyond the Patch Tuesday count itself. Adam Barnett, lead software engineer at managed cybersecurity company Rapid7 Inc., told SiliconANGLE that Microsoft shipped patches for 360 browser vulnerabilities this month, an order of magnitude above recent norms, and it has stopped enumerating Chromium bugs in its Security Update Guide as a result. “Other vulnerability categories, especially Linux kernel vulnerabilities, are seeing a similar increase in AI-assisted vulnerability reports,” he added.
