Microsoft’s July 2026 Patch Tuesday delivered fixes for 622 vulnerabilities, the largest single monthly release the company has ever shipped, including two flaws confirmed to be exploited in the wild.
The first, tracked as CVE-2026-56155, affects Active Directory Federation Services (AD FS) and allows a local attacker to escalate privileges to administrator. The second, CVE-2026-56164, is a SharePoint Server privilege escalation vulnerability that can be exploited remotely over the network without any authentication, making it particularly dangerous for internet-facing SharePoint deployments.
Microsoft also flagged CVE-2026-50661, a BitLocker security feature bypass that requires physical access to exploit. The flaw was publicly disclosed before this month’s patches were released. Tenable senior staff research engineer Satnam Narang suggested a possible link to a wave of zero-day disclosures attributed to a researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though Microsoft has not officially confirmed any connection.
Critical Bugs Demand Priority
Of the 622 vulnerabilities, Windows accounts for 416 and Office for 164. Security researchers at the Zero Day Initiative highlighted several critical-severity issues that warrant fast-tracked patching, including a Windows VMSwitch flaw (CVE-2026-57092, CVSS 9.9) and a SharePoint vulnerability (CVE-2026-50522, CVSS 9.8).
Additional bugs deserving elevated attention include an Exchange Server cross-site scripting flaw (CVE-2026-55008) and remote code execution issues in RDP (CVE-2026-56190), Windows DHCP Server (CVE-2026-50518), the Windows Server Network driver (CVE-2026-56188), and Minecraft Bedrock Dedicated Server (CVE-2026-55010). Fixes also cover Azure, Defender, Developer Tools, Exchange Server, Edge, and SQL Server.
Record CVE Count and AI-Assisted Discovery
The July rollout pushes Microsoft’s year-to-date vulnerability count above prior years’ totals. The company says this is expected given its increasing reliance on automated discovery. Windows executive VP Pavan Davuluri recently disclosed that Microsoft is using a multi-model agentic scanning harness (MDASH) to surface bugs faster across the Windows codebase, describing vulnerability discovery as now integrated into how Windows is built and reviewed rather than treated as a separate activity.
Separately, Adobe released fixes for 88 vulnerabilities on the same Patch Tuesday, including critical issues in ColdFusion, Commerce, Experience Manager, and Illustrator.
Security teams should prioritize the AD FS and SharePoint zero-days immediately given active exploitation, and treat the BitLocker bypass as high priority for organizations with elevated physical access risk.
