Microsoft’s June 2026 Patch Tuesday, the largest in program history at 206 CVEs, includes two unauthenticated wormable RCEs in HTTP.sys and the Windows kernel TCP/IP stack (both CVSS 9.8), three publicly disclosed zero-days including a BitLocker bypass with a circulating PoC, and a Nuance PowerScribe vulnerability. Organizations running internet-facing Windows web servers, domain controllers, and DHCP infrastructure must treat this as an emergency deployment cycle. The BitLocker PoC adds an immediate physical-access threat to endpoint fleets.