Microsoft's July 2026 Patch Tuesday Fixes a Record 570 Flaws and 3 Zero-Days
Microsoft's July 2026 Patch Tuesday fixed a record 570 vulnerabilities and 3 zero-days, including exploited SharePoint and ADFS bugs. Here's what to patch first.
What Happened
On July 14, 2026, Microsoft shipped the largest monthly security update in the history of its Patch Tuesday program. The release addresses 570 vulnerabilities across Windows, Microsoft Office, SharePoint, Exchange, SQL Server, Hyper-V, Microsoft Defender, and the Remote Desktop Client โ comfortably eclipsing the previous records that hovered around 150 to 160 fixes in a single month.
Buried inside that unusually large batch are three zero-day vulnerabilities โ two of which attackers are already exploiting in the wild, and a third that was publicly disclosed before a fix was available. Of the 570 flaws, Microsoft rated 59 as "Critical," the highest severity tier. For security teams, the sheer volume makes triage โ not blanket patching โ the immediate priority.
By the Numbers
Microsoft groups the vulnerabilities it fixes by impact type. July's breakdown shows where the risk is concentrated, and it is dominated by privilege escalation and remote code execution:
- 254 Elevation of Privilege flaws โ bugs that let an attacker who already has a foothold gain higher-level access.
- 145 Remote Code Execution flaws โ the most dangerous class, allowing attackers to run their own code on a target machine.
- 102 Information Disclosure flaws โ leaks of data that should be protected.
- 35 Denial of Service flaws โ bugs that can crash or hang a service.
- 17 Security Feature Bypass flaws โ including the BitLocker zero-day below.
- 16 Spoofing flaws.
The count does not include separately-tracked patches for Microsoft Edge (Chromium-based) and other components that ship on their own schedules. Even excluding those, 570 is a step-change in volume that reflects both a wider product surface and increasingly automated vulnerability discovery โ including AI-assisted fuzzing that researchers and attackers alike now use to surface bugs faster than ever.
The Three Zero-Days
A "zero-day" is a flaw that is either already being exploited or has been publicly disclosed before a patch exists โ meaning defenders had zero days of advance warning. July's three deserve immediate attention:
- CVE-2026-56164 โ Microsoft SharePoint Server (Elevation of Privilege, actively exploited). A missing authentication check on a critical function lets an unauthenticated attacker elevate privileges over the network. Because it requires no valid credentials, it is the most dangerous of the three.
- CVE-2026-56155 โ Active Directory Federation Services (Elevation of Privilege, actively exploited). Insufficiently granular access control in AD FS allows an authorized attacker to escalate privileges locally โ a serious risk on the identity infrastructure that brokers single sign-on for many organizations.
- CVE-2026-50661 โ Windows BitLocker (Security Feature Bypass, publicly disclosed). An attacker with physical access to a device can bypass BitLocker full-disk encryption and read data that is supposed to be protected at rest โ a direct threat to lost or stolen laptops.
Two zero-days landing in identity infrastructure โ SharePoint and AD FS โ is the pattern security teams will worry about most. These systems sit at the center of corporate authentication, so a privilege-escalation foothold there can cascade quickly across an entire network.
The SharePoint Problem
Of the three, CVE-2026-56164 stands out. SharePoint servers are typically internet-facing, host sensitive documents, and are deeply integrated with the rest of the Microsoft 365 estate. An unauthenticated privilege-escalation bug on such a system is close to a worst case: an attacker needs no credentials, only network access, to gain elevated rights.
SharePoint has been a repeat target of state-linked and financially-motivated groups, and on-premises SharePoint Server in particular has a history of being chained with other bugs to achieve full server compromise. Because this flaw is already being exploited, Microsoft and independent researchers are urging organizations that still run on-premises SharePoint to treat the fix as an emergency and to hunt for signs of prior intrusion, not just apply the update and move on.
Other Notable Fixes
Beyond the zero-days, the July release touches nearly every major Microsoft server and client product. The most heavily impacted components include:
- Windows (client and server) โ the bulk of the elevation-of-privilege and remote-code-execution fixes.
- Microsoft Office โ Word, Excel, and PowerPoint, where document-parsing bugs remain a favored phishing vector.
- Exchange Server and SQL Server โ high-value back-end systems where remote code execution is especially damaging.
- Hyper-V โ virtualization flaws that can, in the worst cases, allow escape from a guest VM to the host.
- Microsoft Defender and the Remote Desktop Client โ security and remote-access tooling that itself becomes a target.
Several of the 59 Critical-rated bugs are remote code execution flaws in Windows services and Office, any one of which could serve as the initial entry point for an intrusion. The zero-days get the headlines, but for most environments the long tail of Critical RCE fixes is what a complete patch cycle must cover.
What Admins Should Do Now
With 570 fixes, patching everything at once is rarely realistic. Security teams should prioritize by exploitability and exposure rather than working straight down the list:
- Patch the exploited zero-days first. CVE-2026-56164 (SharePoint) and CVE-2026-56155 (AD FS) are being used in real attacks โ they take precedence over everything else.
- Prioritize internet-facing systems โ especially on-premises SharePoint, Exchange, and any AD FS servers โ before internal-only machines.
- For BitLocker (CVE-2026-50661), focus on mobile and field devices most likely to be lost or stolen, since the flaw requires physical access.
- Assume compromise where the exploited bugs apply. For SharePoint in particular, review logs and hunt for signs of prior intrusion rather than assuming the patch alone closes the door.
- Track everything through Microsoft's Security Update Guide. Microsoft publishes per-CVE details and affected-product matrices in its Security Update Guide.
Why It Matters
A single month of 570 fixes is more than a statistical curiosity โ it reflects a widening attack surface and a faster discovery pipeline on both sides of the fence. As AI-assisted tooling makes it cheaper to find bugs at scale, defenders should expect large releases and short windows between disclosure and exploitation to become the norm rather than the exception.
The practical takeaway is that patch management can no longer be a monthly checkbox. When two of three zero-days sit in identity infrastructure and are already being weaponized, the gap between "update released" and "update applied" is exactly the window attackers race to exploit. For organizations running on-premises Microsoft servers, July 2026 is a reminder that speed and prioritization โ not just coverage โ are what keep a Patch Tuesday from becoming an incident report.
Read the original source
Head to the original source for the full announcement and complete details.
Read Original Source