The headline: 622 vulnerabilities, triple the old record
Microsoft MSRC · July 14, 2026
Microsoft’s July 2026 Patch Tuesday addresses 622 vulnerabilities by the Security Update Guide’s own count — more than triple June’s previous all-time record of roughly 200. The batch includes 416 flaws in Windows (itself a record), 82 in Office, 46 in Edge, 27 in developer tools, and 17 in SharePoint Server. Roughly one in ten — about 60, depending on whose tally you use — are rated Critical, with 48 of those enabling remote code execution. Twenty-six vulnerabilities carry a CVSS base score above 9.0, and 13 sit at 9.8.
“The mother of all releases.” — Dustin Childs, head of threat awareness, Trend Micro Zero Day Initiative
A note on counting: totals vary by methodology. Microsoft’s Security Update Guide says 622; ZDI independently counts 621 (63 Critical); Tenable counts 569 unique CVEs; BleepingComputer counts 570 by excluding fixes shipped earlier in the month and the 468 Edge/Chromium flaws Google patched upstream. By every method, this is the largest Patch Tuesday ever, and the year-to-date CVE count already exceeds every prior full year.
Source: Microsoft Security Update Guide · ZDI July 2026 review, CyberScoop, Dark Reading
Why the explosion? AI found the bugs — and AI will exploit them
Microsoft / industry analysis · July 9–14, 2026
This wasn’t a surprise. On July 9, Windows executive VP Pavan Davuluri warned customers to expect a higher volume of security updates per release as Microsoft applies its multi-model agentic scanning harness (MDASH) across the Windows codebase — the same AI pipeline that independently found 16 significant vulnerabilities in a prior release. Tenable’s Satnam Narang projects Microsoft could exceed 2,000–3,000 CVEs this calendar year, while stressing that the volume reflects how good AI tooling has become at finding bugs, not necessarily how many pose real-world risk.
The same automation cuts the other way: attackers can diff patches against previous builds and produce working exploits within hours, not weeks. Microsoft has correspondingly tightened its deployment guidance, now recommending organizations defer Windows quality updates by no more than three days, with update deadlines of zero or one day. The traditional “wait and soak” patch cycle is effectively dead; several research teams declared today the start of the continuous-patching era.
One structural change worth noting for anyone who tracks these releases: the Security Update Guide no longer enumerates each vulnerability individually. It now presents a summary table of counts by product family plus a slim “Notable CVEs” section — a format change Rapid7 flagged as a real reduction in day-one, product-by-product detail.
Source: SecurityWeek, CyberScoop, Rapid7, PCWorld
The Top 10 patches — what they are and why they matter
Ranked by real-world urgency: exploited zero-days first, then public disclosures, then the highest-impact criticals.
1. CVE-2026-56155 — Active Directory Federation Services elevation of privilege (exploited zero-day)
CVSSv3 7.8 · Important · Exploited in the wild. Insufficient granularity of access control in AD FS lets an authenticated attacker elevate to administrator locally. Discovery is credited to Microsoft’s own DART incident-response team — a strong signal it surfaced during a live intrusion investigation. AD FS signs the authentication tokens the rest of your estate trusts, so a “local” privilege bug on that box is worth far more to an attacker than the label suggests. CISA has added it to the KEV catalog with a federal remediation deadline of July 28. Patch AD FS servers first, and don’t expose them to the internet.
2. CVE-2026-56164 — SharePoint Server elevation of privilege (exploited zero-day)
CVSSv3 5.3 · Exploited in the wild. Missing authentication for a critical function allows an unauthenticated attacker to elevate privileges over the network against SharePoint Server 2016, 2019, and Subscription Edition, with low attack complexity and repeatable success. The modest score is misleading — this is the month’s clearest example of why you can’t sort by CVSS alone. Credits include Mandiant Incident Response and Google Cloud researchers, another indicator of active-incident origins a year after the ToolShell wave hammered on-prem SharePoint. CISA’s KEV deadline for federal agencies is July 17 — three days. Enabling AMSI with Full request-body scanning provides interim mitigation.
3. CVE-2026-50661 — Windows BitLocker security feature bypass (publicly disclosed)
CVSSv3 6.1 · Important · Public before patch. An attacker with physical access can bypass BitLocker Device Encryption and read encrypted data. Microsoft credits “Anonymous,” but researchers widely believe this patches GreatXML, the zero-day dropped by the pseudonymous researcher Nightmare Eclipse (a.k.a. Chaotic Eclipse) the day after June’s Patch Tuesday. It’s the third physical-access BitLocker bypass patched in two months. Exploit code is public, so treat disclosure as a countdown clock: prioritize laptop fleets and traveling hardware, and use TPM+PIN preboot authentication where the data warrants it.
4. CVE-2026-57092 — Windows VMSwitch guest-to-host escape
CVSS 9.9 · Critical. The highest-scored bug of the month: a flaw in the Hyper-V virtual switch that lets an attacker escape a VM boundary and compromise the host. One compromised guest becomes every workload on the hypervisor, which is why virtualization hosts should be patched ahead of the guests they carry. Several related Critical Hyper-V escalations shipped alongside it.
5. CVE-2026-55040 — SharePoint JWT authentication bypass (half of an unauthenticated RCE chain)
CVSS disputed: 5.3 (Rapid7/Microsoft “Important”) vs. 9.1 (ZDI “Critical”). Discovered by Rapid7’s Stephen Fewer for Pwn2Own Berlin, this JWT authentication bypass chains with a second, still-embargoed RCE bug to achieve unauthenticated remote code execution against SharePoint. The RCE half isn’t scheduled for a patch until August — meaning this month’s bypass fix is what breaks the chain. Patch it in the same pass as the SharePoint zero-day above. Also relevant: SharePoint 2016 and 2019 just exited extended support, so Subscription Edition is now the only fully supported self-hosted option.
6. CVE-2026-58644 & CVE-2026-50522 — SharePoint Server deserialization RCE pair
CVSS 9.8 · Critical. Two deserialization-of-untrusted-data flaws allowing unauthenticated remote code execution over the network. Combined with the two entries above, SharePoint accounts for 17 CVEs this month and is unmistakably the product family under the most attacker attention. If you run on-prem SharePoint, today is a drop-everything day.
7. CVE-2026-55944 — Dynamics NAV / Dynamics 365 Business Central RCE
CVSS 9.8 · Critical · “Exploitation More Likely.” A crafted login request triggers deserialization of untrusted data on an affected Dynamics NAV or Business Central server — no authentication, no user interaction. It’s the same bug class as the SharePoint pair but easy to overlook because it lives in the ERP stack rather than the collaboration stack. Finance-adjacent systems make attractive targets; don’t let this one slide to next cycle.
8. CVE-2026-56188 — Windows Server Network driver race condition (wormable)
CVSS 9.8 · Critical · “Exploitation More Likely.” A race condition in the Windows Server Network driver allows an unauthenticated attacker to execute code over the network — the profile that earns the “wormable” label. Unauthenticated, network-reachable, no interaction: this is the class of bug that historically powers self-propagating attacks once an exploit lands.
9. The DHCP cluster — CVE-2026-50518, CVE-2026-50370, CVE-2026-54128 and friends
Up to CVSS 9.8 · five RCEs across DHCP Server and Client. Nine DHCP-related CVEs shipped this month, five rated Critical and three assessed “Exploitation More Likely.” The standouts are heap-based buffer overflows in DHCP Server exploitable over the network (CVE-2026-50518) and an adjacent network (CVE-2026-50370), plus a use-after-free in the DHCP Client (CVE-2026-54128). DHCP is on by default in essentially every Windows environment and rarely thought about — exactly the kind of ambient attack surface a cluster like this turns dangerous.
10. CVE-2026-48561 — Microsoft Copilot remote code execution
CVSS 9.6 · Critical. A command injection flaw lets an unauthenticated attacker execute arbitrary code over the network through Microsoft Copilot. Beyond the score, it’s emblematic of the month’s most important trend: AI-assistant attack surface is now a fixture of every Patch Tuesday, with additional entries this month in GitHub Copilot, Visual Studio/VS Code Copilot integrations, and a vaguely described Outlook Copilot tampering issue.
Honorable mentions
Beyond the top ten: CVE-2026-55008, an Exchange Server spoofing flaw (CVSS 9.6) flagged “more likely” to be exploited; two Microsoft Defender RCEs (CVE-2026-55011, CVE-2026-55012) delivered via engine updates; a trio of 9.8s in Remote Desktop Client (CVE-2026-54990), Windows FTP Service (CVE-2026-49172), and MSMQ (CVE-2026-50447); an unusual 21-bug cluster across NTFS and ReFS filesystem drivers suggesting a shared root cause; and — proof that AI scanning sweeps the whole portfolio — Critical RCEs in Minecraft Bedrock Dedicated Server (CVE-2026-55010) and a code-execution flaw in Age of Empires II: Definitive Edition (CVE-2026-50663). This release also permanently removes the Kerberos RC4 rollback switch (RC4DefaultDisablementPhase), completing Microsoft’s multi-year RC4 deprecation — audit any lingering RC4-dependent service accounts before deploying.
Bottom line
Patch in this order: the two exploited zero-days (AD FS and SharePoint — CISA deadlines are July 17 and July 28 for federal agencies, and those are sane targets for everyone else), then the publicly disclosed BitLocker bypass on mobile hardware, then internet-facing and identity infrastructure, then virtualization hosts, then the 9.8-class network RCEs. Volume is the story of 2026, but triage discipline — KEV first, EPSS and exposure over raw CVSS — is the defense. June’s record lasted exactly one month; there’s no reason to believe July’s will fare better.
Coverage window: July 14, 2026 (Patch Tuesday release day).
Primary sources: Microsoft Security Update Guide · Zero Day Initiative July 2026 review · Tenable · Rapid7 · Cisco Talos · Qualys · Dark Reading · SecurityWeek · CyberScoop