Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month

Pierluigi Paganini July 14, 2026

Patch Tuesday: Microsoft fixes a record 621 CVEs, including 2 exploited zero-days and critical flaws affecting SharePoint, RDP, Hyper-V, and AD FS.

Microsoft’s July 2026 Patch Tuesday is, by a significant margin, the largest single-month security release in the company’s history. The Zero Day Initiative counted 621 new Microsoft CVEs for the month, and the year-to-date total already exceeds every other full-year total in the last two decades. That’s before counting the roughly 480 additional bugs in Chromium and Microsoft Edge that ZDI didn’t cover separately. Of the Microsoft-specific fixes, 63 are rated Critical, six Moderate, one Low, and the rest Important. The IT giant labeled two issues as “under active exploitation,” and one more is publicly known.

The product scope is equally remarkable. Patches this month cover Windows and Windows components, Office, Microsoft Edge, Azure, .NET, Visual Studio, GitHub Copilot, Defender, Exchange Server, Hyper-V, and, at the more unexpected end of the list, Ages of Empire II and Minecraft Server. Eight of the bugs came through ZDI’s own submission program.

“The CVE count year-to-date exceeds all other years’ totals. How to count this mess is anyone’s guess.” states the report published by ZDI.

Patch Tuesday

The following two bugs are being actively exploited:

  • CVE-2026-56155 is an elevation of privilege flaw in Active Directory Federation Services. It requires local access and low privileges to start, which sounds like a limited threat until you remember that AD FS is identity infrastructure, and attackers who are already inside a network use exactly this kind of bug to move sideways and upward. ZDI notes it can be paired with a remote code execution vulnerability, the combination frequently seen in ransomware incidents. Patch it fast.
  • CVE-2026-56164 is a SharePoint Server elevation of privilege vulnerability rated only CVSS 5.3, which is Moderate, and that score has probably caused some organizations to deprioritize it. That would be a mistake. A missing-authentication flaw allows unauthenticated remote attacks without user interaction. Active exploitation makes immediate patching essential, regardless of CVSS score.

The highest-severity bug this month is a critical Microsoft Windows VMSwitch Elevation of Privilege Vulnerability tracked as CVE-2026-57092, which received a CVSS score of 9.9. It is a use-after-free vulnerability that lets a low-privileged attacker escalate all the way to full host compromise across a virtual machine boundary, meaning an attacker inside a VM can reach the host running it. If your Hyper-V deployments use VMSwitch, which they almost certainly do, this is an immediate priority.

Below are other interesting issues addressed by Microsoft this month:

  • CVE-2026-50522 and CVE-2026-58644 are a matched pair of SharePoint remote code execution bugs, both scored CVSS 9.8, both reachable without authentication or user interaction, both stemming from the deserialization of untrusted data. CVE-2026-50522 was demonstrated live at Pwn2Own Berlin, meaning a working exploit was handed to Microsoft. Despite that, the advisory lists exploit maturity as unknown.
  • CVE-2026-56190 is an unauthenticated remote code execution bug in RDP Server, requiring no user interaction, rooted in use of an uninitialized resource. Specially crafted RDP traffic can interact with memory that was never properly set up, giving an attacker a path to corrupt memory and control code execution. RDP servers are a perennial favorite target. Audit which of yours face the internet and start there.
  • CVE-2026-55008 in Exchange Server is listed as a spoofing vulnerability, but ZDI recommends treating it as what it actually is: a stored cross-site scripting flaw in Outlook Web Access with a CVSS of 9.6. A crafted email opened in Outlook Web Access can execute JavaScript in the victim’s browser session without attachments or user interaction beyond viewing it. Patch urgently.
  • CVE-2026-50518 covers a heap-based buffer overflow in Windows DHCP Server, scored CVSS 9.8, unauthenticated and network-reachable. A second DHCP RCE is also in this release with some caveats, but this one has none. DHCP servers shouldn’t be internet-facing, but if yours somehow are, these jump to the very top of the list.

The full list of vulnerabilities addressed by Microsoft in July 2026 is available here

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)



you might also like

leave a comment