Microsoft’s June 2026 Patch Tuesday — the largest in the program’s 23-year history at 206 CVEs — includes four unauthenticated critical flaws reaching CVSS 9.8 across the Windows Kernel, HTTP.sys, DHCP Client, and Nuance PowerScribe, plus a BitLocker bypass zero-day exploitable with physical or low-privilege access. Separately, CrowdStrike has documented two research disclosures showing Microsoft’s ClickOnce deployment framework being weaponized as a no-admin-required malware delivery and persistence mechanism that evades most email gateways and signature-based endpoint controls. The combined exposure touches every major Windows asset class — servers, endpoints, domain controllers, and developer workstations — and demands emergency triage sequencing rather than standard monthly patch cadence.