AI coding tools are Patch Tuesday line items now. The board question that follows

Microsoft's June Patch Tuesday carried CVEs for GitHub Copilot, M365 Copilot, and Copilot Chat, and some were fixed in the cloud before anyone could patch them. The board pack now needs two different verification motions for one product category.
Microsoft's June Patch Tuesday included CVEs for GitHub Copilot, M365 Copilot, and Copilot Chat, and three of the four were fixed in Microsoft's cloud before anyone outside Redmond could act. The same day, Claude Code fixed enterprise policies that were written but silently not enforced. The new board question: when the vendor says there is nothing to patch, what exactly do we verify?
Four AI rows in a 206-CVE Patch Tuesday
Microsoft’s June Patch Tuesday landed this week carrying 206 fixed vulnerabilities by Qualys’s count, 200 by BleepingComputer’s, with 33 critical and three publicly disclosed zero-days. The trackers cannot quite agree on the totals, which I find weirdly comforting. Some institutions never change.
The rows worth a second look sit further down the list. GitHub Copilot and Visual Studio Code took a security feature bypass, CVE-2026-45482. M365 Copilot carried two command-injection flaws. Copilot Chat in Edge took an information disclosure. The tools writing code and drafting email inside large companies now appear in the monthly patch rollup the same way Exchange and kernel components do. Quietly. As line items between the printer driver and the file system.
Two kinds of AI vulnerability, two different motions
Here is the part the headline does not show. Those AI rows split into two categories, and the split is the actual news.
The first category patches like normal software. The GitHub Copilot and VS Code bypass shipped inside the Patch Tuesday batch itself, per Lawrence Abrams’s June 9 rundown at BleepingComputer. It flows through the same update machinery as everything else on the list. If the patch SLA already covers developer tooling, this row is handled without anyone holding a meeting about it.
The second category was never patchable. CrowdStrike’s June 9 analysis lists the two M365 Copilot flaws, CVE-2026-45497 at CVSS 7.7 and CVE-2026-42824 at 6.5, noting that “Both stem from command injection flaws (CWE-77).” Microsoft fixed these server-side earlier this month, before disclosure, and BleepingComputer points out they are excluded from the Patch Tuesday count entirely. There is nothing for any customer to install. The fix happened somewhere nobody outside the vendor can see, and the only customer-side work is verification: review what the assistant could reach during the exposure window, check the logs, rotate what needs rotating.
And on the coding-agent side, the same day, the same pattern at smaller scale. Claude Code’s v2.1.169 release on June 9 fixed enterprise managed MCP policies not being enforced on reconnect, on IDE-typed configs, and during the first session after install. Read that twice. Admins had written allow and deny policies, and in three specific paths the harness was not applying them. It is the third such fix in that changelog since late May. The release also added a safe-mode flag that starts the agent with every customization disabled, which gives an admin something most incident drills lack: a one-flag way to start the agent bare and compare.
Vulnerability management for AI tooling has split in two. One half patches like ordinary software. The other half gets fixed in the vendor's cloud or corrected silently in the harness, and the only thing left to manage is whether anyone verifies the control was actually in force.
Three questions the board will ask about coding-agent CVEs
Do the AI rows flow through the normal patch SLA? The boring answer is the correct one. A Copilot bypass should land in the same queue, on the same clock, as any other Important-severity fix. If the current answer involves someone manually checking a vendor blog, that is the gap to close, not the CVE itself.
When the vendor says there is nothing to patch, what do we check? This is the new muscle. For the cloud-fixed Copilot flaws, the work is an exposure-window review: which tenants had the assistant connected to mail, files, and workflows, whether the audit trail actually covers those weeks, and who signs off that it does. A named person, a dated review, one page.
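An added example (not from the article or any Microsoft tooling) of what that one-page exposure-window review can look like in code: each tenant records which data the assistant was connected to, when audit logging was switched on, and how far back retention reaches; the window dates and tenant records are constructed placeholders, since the article gives no exact dates.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed exposure window: the flaws were fixed server-side "earlier this
# month" before June 9, so these bounds are placeholders, not published dates.
WINDOW_START = date(2026, 6, 1)
WINDOW_END = date(2026, 6, 9)

@dataclass
class Tenant:
    name: str
    connectors: set                       # what the assistant could reach
    audit_enabled_since: Optional[date]   # None = audit log never enabled
    retention_days: int

def coverage_gaps(t: Tenant, today: date) -> list:
    """Reasons the audit trail does NOT fully cover the window (empty = covered)."""
    if not t.connectors:
        return []   # assistant reached nothing in this tenant; out of scope
    gaps = []
    if t.audit_enabled_since is None:
        gaps.append("audit logging never enabled")
    elif t.audit_enabled_since > WINDOW_START:
        gaps.append(f"audit enabled {t.audit_enabled_since}, after window start")
    oldest_kept = today - timedelta(days=t.retention_days)
    if oldest_kept > WINDOW_START:   # retention already rolled past the window
        gaps.append(f"retention only reaches back to {oldest_kept}")
    return gaps

def review(tenants: list, today: date, owner: str) -> dict:
    """The dated, owned, one-page record: per tenant, in scope / covered / gaps."""
    rows = []
    for t in tenants:
        gaps = coverage_gaps(t, today)
        rows.append({"tenant": t.name, "in_scope": bool(t.connectors),
                     "covered": not gaps, "gaps": gaps})
    return {"window": (WINDOW_START, WINDOW_END), "reviewed_on": today,
            "owner": owner, "rows": rows,
            # sign-off is only possible when every in-scope tenant is covered
            "sign_off_possible": all(r["covered"] for r in rows)}

TENANTS = [  # constructed sample tenants
    Tenant("corp-eu", {"mail", "files", "workflows"}, date(2025, 1, 10), 365),
    Tenant("corp-us", {"mail"}, date(2026, 6, 5), 90),
    Tenant("lab", set(), None, 0),
]
```

A tenant that switched audit logging on mid-window (corp-us above) blocks sign-off even though its retention is fine, which is exactly the case a "do we have logs?" yes/no answer hides.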
How do we know agent policies are actually loaded? The Claude Code fix is the uncomfortable one, because it means a config repo full of carefully written policy is not the same thing as enforcement.
A policy that exists in a config repo and a policy that is enforced at runtime are two different things, and only one of them shows up in an audit.
The routine that answers this is small: a scheduled check that live sessions report the policy active, owned by one person, with the safe-mode flag as the rehearsed fallback. I have watched teams spend six figures on governance tooling and skip this step, which is a bit like buying a fire door and never checking whether it closes.
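An added example (not from the article and not Claude Code's own API or policy schema) of the scheduled policy-load check: the repo policy is compared against what each live session reports as its effective policy, a session that reports no policy counts as unenforced rather than as nothing to check, and the check refuses to pass until it has seen a session from each of the three launch paths the release notes named. The allow/deny shape and the session reports are constructed assumptions.

```python
from typing import Optional

# Constructed managed policy as an admin might keep it in a config repo.
# The allow/deny-of-MCP-server-names shape is assumed, not Claude Code's schema.
EXPECTED = {"allow": {"repo-search", "ticketing"}, "deny": {"shell-exec", "browser"}}

# The three launch paths the v2.1.169 notes say were not applying policy.
# A check that never exercises one of them has not tested the known-bad paths.
REQUIRED_PATHS = {"reconnect", "ide-config", "first-session"}

def check_session(report: dict) -> list:
    """Findings for one live session's self-reported effective policy."""
    sid, path = report["session"], report["launch_path"]
    eff: Optional[dict] = report.get("effective_policy")
    if not eff:
        # silence is the failure mode the fix was about, so it is a finding
        return [f"{sid} ({path}): no managed policy reported"]
    findings = []
    for server in EXPECTED["deny"] - set(eff.get("deny", ())):
        findings.append(f"{sid} ({path}): deny for {server} not in effect")
    for server in set(eff.get("allow", ())) - EXPECTED["allow"]:
        findings.append(f"{sid} ({path}): {server} allowed but not in policy")
    return findings

def scheduled_check(reports: list) -> dict:
    """Aggregate verdict for one scheduled run over all live session reports."""
    findings = [f for r in reports for f in check_session(r)]
    untested = REQUIRED_PATHS - {r["launch_path"] for r in reports}
    return {"findings": findings, "untested_paths": sorted(untested),
            "passed": not findings and not untested}

REPORTS = [  # constructed session reports from a hypothetical agent telemetry feed
    {"session": "s1", "launch_path": "cli",
     "effective_policy": {"allow": ["repo-search"], "deny": ["shell-exec", "browser"]}},
    {"session": "s2", "launch_path": "reconnect", "effective_policy": None},
    {"session": "s3", "launch_path": "ide-config",
     "effective_policy": {"allow": ["repo-search", "browser"], "deny": ["shell-exec"]}},
]
```

On the sample data the run fails three ways at once: a reconnect session with no policy, an IDE-launched session where a deny has quietly become an allow, and a first-session path that was never observed at all.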
The 60-second version for the next board pack
Our AI coding and assistant tools now receive CVEs like any other enterprise software, and this month four rows named them. One we patch ourselves, inside the normal SLA, and it is in the queue. Three were fixed by the vendor in their cloud with nothing for us to install, so we reviewed the exposure window and the logs instead. Separately, one coding-agent vendor fixed cases where written admin policy was not being enforced; we now verify policy load on a schedule rather than assuming it. No incident, no panic. The risk register gains one row: vendor-side fixes we verify rather than apply.
"This month's release addresses 206 vulnerabilities, including 33 critical and 167 important-severity vulnerabilities."
What to watch through June
Count the AI rows in July’s rollup; the trend line matters more than any single CVE. Watch the scoring spread too: one outlet had CVE-2026-45497 at CVSS 9.8 days before CrowdStrike listed 7.7, so a board pack should attribute severity scores to a named tracker rather than stating them as fact. And watch whether the other harness vendors ship their own verification primitives, because safe-mode flags and policy-load checks are about to become the feature comparison that matters.
Patch Tuesday is the least glamorous institution in software, and I mean that as a compliment. The day the agents joined it is the day this category started becoming manageable.
Sources
- Microsoft and Adobe Patch Tuesday, June 2026 Security Update Review - Qualys Threat Research, 2026-06-09
- Microsoft June 2026 Patch Tuesday fixes 3 zero-days, 200 flaws - BleepingComputer, 2026-06-09
- June 2026 Patch Tuesday: Updates and Analysis - CrowdStrike, 2026-06-09
- Claude Code v2.1.169 release notes - Releasebot / Anthropic changelog, 2026-06-09