Microsoft's June Patch Tuesday: 200+ vulnerabilities amid researcher tensions

Nightmare Eclipse's strategic timing of vulnerability disclosures has escalated tensions with Microsoft.

Microsoft patched 200+ vulnerabilities in June, but 360 browser CVEs and emerging HTTP/2 DoS flaws highlight a surge in AI-assisted vulnerability discovery. Researcher Nightmare Eclipse disclosed six Microsoft vulnerabilities with proof-of-concept code, timing releases strategically after Patch Tuesday to maximize pressure on the vendor.

  • Microsoft addressed 360 browser vulnerabilities in June, an order of magnitude above typical monthly volumes
  • Researcher Nightmare Eclipse disclosed six Microsoft flaws with proof-of-concept code; two remain unpatched
  • CVE-2026-49975 (HTTP/2 Bomb) allows trivial denial-of-service against default HTTP/2 configurations on IIS and other platforms
  • Microsoft's Digital Crimes Unit warning sparked concern that researchers may avoid responsible disclosure

Microsoft's June Patch Tuesday addresses over 300 browser vulnerabilities while managing escalating tensions with independent researcher Nightmare Eclipse, who has disclosed multiple unpatched elevation-of-privilege flaws in Windows Defender and other systems.

Microsoft's June Patch Tuesday arrived this week carrying the weight of more than 300 browser vulnerabilities—a staggering number that has forced the company to stop listing Chromium CVEs individually in its official Security Update Guide. But the raw count of patches tells only half the story. Running parallel to this surge in vulnerability reports is an escalating conflict between the software giant and an independent researcher operating under the pseudonym Nightmare Eclipse, who has spent recent weeks publishing detailed exploits for Microsoft flaws that remain unpatched, complete with working proof-of-concept code.

The scale of what Microsoft is addressing this month is genuinely unusual. Browser vulnerabilities alone represent an order of magnitude increase over typical monthly volumes from recent years. The spike reflects a broader shift in how vulnerabilities are being discovered: artificial intelligence is now assisting researchers in probing not just individual software packages, but the underlying standards those packages implement. Linux kernel vulnerabilities are experiencing a similar surge. This acceleration has outpaced Microsoft's ability to track and enumerate every flaw in its traditional reporting channels.

Nightmare Eclipse's campaign began weeks ago with the disclosure of six Microsoft vulnerabilities, several of them elevation-of-privilege flaws affecting Windows Defender and a critical bypass in Secure Boot disk encryption. The researcher provided complete working code for some exploits and substantial—though deliberately incomplete—technical detail for others. Microsoft confirmed these disclosures were uncoordinated, and the relationship between vendor and researcher has deteriorated sharply. Two of the initial disclosures landed in the hours immediately following last month's Patch Tuesday, a timing choice that maximized public visibility while minimizing Microsoft's window to respond without emergency out-of-cycle patches.

As of now, Microsoft has patched four of the disclosed vulnerabilities: CVE-2026-33825, CVE-2026-45585, CVE-2026-45498, and CVE-2026-41091. Two elevation-of-privilege flaws—internally nicknamed MiniPlasma and GreenPlasma—remain unpatched. But Nightmare Eclipse's recent cryptic blog post, titled simply "7" and containing only an image of Albert Wesker, a character from Resident Evil who worked as a corporate researcher before turning rogue, strongly suggests at least one more vulnerability is coming. Hours after Microsoft published this month's Patch Tuesday updates, a seventh disclosure appeared: a flaw called RoguePlanet, which describes another path to SYSTEM-level privilege escalation in Defender.

The tension between Microsoft and the research community has become impossible to ignore. In late May, Microsoft's Digital Crimes Unit issued a blog post that many in the security community interpreted as a warning to researchers—a move that has sparked genuine concern among leading voices in vulnerability disclosure. The worry is straightforward: if researchers fear legal consequences for responsible disclosure, they may simply stop reporting flaws to vendors altogether. Microsoft issued a clarification days later, stating it has no intention of pursuing researchers engaged in legitimate security work, only those who break laws or cause direct harm. The distinction has done little to ease the underlying tension.

Beyond the Nightmare Eclipse saga, Microsoft is grappling with other emerging vulnerability classes. A new category of denial-of-service flaws affecting HTTP/2 and HTTP/3 implementations is expanding rapidly as researchers use large language models to probe the standards themselves, not just the software built on them. CVE-2026-49160 exemplifies this trend, with credits going to both a third-party research firm and OpenAI's Codex. More immediately concerning is CVE-2026-49975, known as HTTP/2 Bomb, which became public a week ago. This flaw allows trivial denial-of-service attacks against default HTTP/2 configurations on multiple platforms, including Microsoft's own IIS web server. Unlike distributed denial-of-service attacks, exploitation requires no significant bandwidth—only the ability to exhaust server memory. Patches exist for NGINX and Apache; IIS patches are presumably forthcoming. For now, disabling HTTP/2 entirely remains a valid mitigation.
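The article names disabling HTTP/2 as the interim mitigation for IIS until a patch ships. The following PowerShell is an added example, not code from the article or from Microsoft: it audits and, when asked, applies that setting. It assumes Windows Server 2016 or later, where HTTP.sys (the kernel listener IIS uses) enables HTTP/2 by default and controls it through the EnableHttp2Tls and EnableHttp2Cleartext REG_DWORD values under the HTTP service's Parameters key; an absent value is treated as the default (enabled). The function names are the example's own.

```powershell
# Added example (not from the article): audit and, optionally, disable HTTP/2
# in HTTP.sys, which IIS uses, as the temporary mitigation the article describes.
# Assumes Windows Server 2016 or later, where HTTP/2 is enabled by default and
# controlled by two REG_DWORD values under the HTTP service's Parameters key.
# A change takes effect only after the HTTP service (or the host) is restarted.

$Http2Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Http2Values = @('EnableHttp2Tls', 'EnableHttp2Cleartext')

function Get-Http2State {
    # Returns one object per setting; an absent value means the default (enabled).
    foreach ($name in $Http2Values) {
        $item  = Get-ItemProperty -Path $Http2Key -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { $null } else { $item.$name }
        [pscustomobject]@{
            Setting = $name
            Value   = $value
            Enabled = ($null -eq $value) -or ($value -ne 0)
        }
    }
}

function Disable-Http2 {
    # Sets both values to 0 so HTTP.sys stops negotiating HTTP/2 over TLS and cleartext.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $Http2Values) {
        if ($PSCmdlet.ShouldProcess("$Http2Key\$name", 'Set to 0 (disable HTTP/2)')) {
            New-ItemProperty -Path $Http2Key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
    Write-Warning 'Restart the HTTP service (or reboot) for the change to apply; clients fall back to HTTP/1.1.'
}

# Usage: review the current state, preview the change, then apply it.
Get-Http2State | Format-Table -AutoSize
# Disable-Http2 -WhatIf
# Disable-Http2
```

Because this is a host-wide HTTP.sys setting, it affects every IIS site and any other HTTP.sys-based listener on the machine, and clients silently fall back to HTTP/1.1. Record the prior values from Get-Http2State so the setting can be reverted once a vendor patch for IIS is installed.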

One more detail worth noting: Microsoft PowerToys, a utility offering advanced configuration options for Windows power users, contained an undocumented elevation-of-privilege vulnerability, CVE-2026-42902, that was silently patched in version 0.99.1 on April 29 without mention in release notes. Attackers with patch-diffing tools will likely notice this discrepancy and begin reverse-engineering the fix. What began as a routine monthly patch cycle has become a multifaceted crisis of discovery, disclosure, and trust—one that shows no signs of resolution.

Microsoft confirmed that these disclosures were not coordinated, and the relationship between this researcher and Microsoft is less than cordial.
— Microsoft (via MSRC)
Multiple leading voices in the vulnerability disclosure community expressed concern that Microsoft's invocation of the Digital Crimes Unit may prove counterproductive, especially if it causes researchers to back away from mutually beneficial engagements.
— Security research community
The Hearth Conversation

Another angle on the story
Inventor

Why does it matter that Microsoft stopped listing Chromium CVEs separately?

Model

It's a signal that the volume has become unmanageable through traditional channels. When you can't enumerate something anymore, you're admitting the scale has changed fundamentally.

Inventor

So Nightmare Eclipse is deliberately timing these disclosures to hurt Microsoft?

Model

It looks that way. Releasing hours after Patch Tuesday means maximum attention and minimum time for Microsoft to respond. It's a pressure tactic, and it's working.

Inventor

But doesn't that make the researcher look reckless? Publishing proof-of-concept code?

Model

That's the tension. From Microsoft's view, absolutely reckless. From the researcher's view, Microsoft wasn't moving fast enough, so public pressure became the only lever.

Inventor

What's the real risk if researchers start fearing legal action?

Model

They go silent. Vulnerabilities get discovered anyway—by criminals, not security researchers. Microsoft loses the early warning system it depends on.

Inventor

Is the HTTP/2 Bomb thing a separate problem or connected?

Model

Separate, but it shows the same underlying issue: AI is finding vulnerabilities faster than humans can patch them. The standards themselves are being probed now, not just implementations.

Inventor

And PowerToys being patched without announcement?

Model

That's almost worse than the vulnerability itself. It tells attackers exactly where to look. Silent patches are a confession that something was wrong.
