Microsoft Patch Tuesday | July 2026

 570 Vulnerabilities Fixed, Including Three Zero-Day Flaws 

Microsoft has released its July 2026 Patch Tuesday security updates, delivering fixes for a record-breaking 570 vulnerabilities across Windows, Microsoft Office, Active Directory, SharePoint, and other Microsoft products.

The update addresses three zero-day vulnerabilities, including two that were actively exploited in the wild, making this one of the most significant Patch Tuesday releases in recent years.

The sheer volume of vulnerabilities reflects Microsoft's increasing investment in proactive vulnerability discovery, with the company recently confirming it has expanded its use of AI-powered security research to identify weaknesses before threat actors can exploit them.

July 2026 Patch Tuesday at a Glance

Microsoft's July release includes:

  • 570 vulnerabilities patched
  • 3 zero-day vulnerabilities
  • 2 actively exploited zero-days
  • 1 publicly disclosed zero-day
  • 59 Critical vulnerabilities
  • 48 Critical Remote Code Execution (RCE) flaws

Vulnerability Breakdown

Vulnerability Type Number
Elevation of Privilege 254
Remote Code Execution 145
Information Disclosure 102
Denial of Service 35
Security Feature Bypass 17
Spoofing 16

It is worth noting that these figures only include vulnerabilities patched directly by Microsoft on Patch Tuesday.

They do not include fixes previously released for services such as Azure OpenAI, Microsoft 365 Copilot, Exchange Online, Microsoft Edge for Android, Microsoft Entra Provisioning Service, or Mariner.

Similarly, the release excludes the 468 Chromium vulnerabilities already addressed by Google and subsequently incorporated into Microsoft Edge.

Three Zero-Day Vulnerabilities Patched

Microsoft addressed three zero-day vulnerabilities this month, with two already being exploited in real-world attacks.

CVE-2026-56155 – Active Directory Federation Services Privilege Escalation

An actively exploited vulnerability in Active Directory Federation Services (AD FS) allows an authenticated attacker to elevate privileges locally.

The vulnerability stems from insufficient access control within AD FS, enabling attackers with authorised access to obtain administrative privileges.

The flaw was identified by Microsoft's Detection and Response Team (DART), suggesting it was discovered during an active incident response engagement.

Microsoft has not released technical details regarding how the vulnerability was exploited.

CVE-2026-56164 – Microsoft SharePoint Server Elevation of Privilege

Microsoft also fixed an actively exploited privilege escalation vulnerability affecting Microsoft SharePoint Server.

The flaw allows an unauthenticated attacker to elevate privileges remotely due to missing authentication for a critical function.

Microsoft recommends organisations:

  • Enable the Antimalware Scan Interface (AMSI)
  • Configure Request Body Scan Mode to Full

These mitigations can help reduce risk while systems are updated.

Researchers from Mandiant Incident Response, Google Cloud FLARE OTF, and Microsoft contributed to the discovery of this vulnerability.

CVE-2026-50661 – Windows BitLocker Security Feature Bypass

The third zero-day had already been publicly disclosed before Microsoft released a fix.

This vulnerability affects Windows BitLocker and could allow an attacker with physical access to bypass BitLocker encryption protections and gain access to encrypted data.

Although exploitation requires physical access to the device, organisations should prioritise patching laptops, portable workstations, and other mobile assets.

AI Is Driving More Vulnerability Discovery

Earlier this month Microsoft announced it has expanded the use of AI-assisted vulnerability discovery across the Windows codebase.

Rather than indicating Windows is becoming less secure, the larger number of vulnerabilities reflects Microsoft's efforts to identify and remediate flaws internally before attackers can weaponise them.

As AI-assisted security research matures, organisations should expect larger Patch Tuesday releases in the future.

Why This Update Matters

Several aspects make this month's Patch Tuesday particularly significant:

  • Two vulnerabilities were already being actively exploited.
  • Nearly 60 Critical vulnerabilities were addressed.
  • Almost half of all vulnerabilities allow privilege escalation.
  • A substantial number of Remote Code Execution flaws could allow attackers to execute malicious code without physical access.

For organisations delaying updates, the risk window increases significantly once attackers begin analysing Microsoft's patches to develop exploits.

Recommended Actions

Security teams should prioritise the following:

  • Deploy the July 2026 Microsoft security updates as soon as possible.
  • Prioritise internet-facing servers, Active Directory infrastructure, and SharePoint environments.
  • Ensure SharePoint AMSI protection is enabled and configured correctly.
  • Verify BitLocker-protected devices receive the latest updates.
  • Review endpoint detection and monitoring for indicators of compromise.
  • Confirm backup and recovery procedures remain up to date.

Other Security Updates Released This Month

Alongside Microsoft, several major technology vendors also released important security updates, including:

  • Adobe
  • BeyondTrust
  • Cisco
  • Fortinet
  • Ivanti
  • Linux Kernel
  • NVIDIA
  • Progress Software
  • SAP
  • VMware
  • Zimbra
  • Ubiquiti

Organisations should ensure their wider technology stack is also reviewed and patched where applicable.

Stay Ahead of Emerging Threats

Keeping systems up to date remains one of the most effective ways to reduce cyber risk. However, patching alone is only part of the picture.

Continuous vulnerability management, proactive monitoring, and rapid incident response are essential for identifying emerging threats before they become business-impacting security incidents.

With attackers increasingly targeting newly disclosed vulnerabilities within days—or even hours—of patches being released, organisations should ensure their patch management processes are supported by continuous visibility and expert monitoring.

To access the full description of each vulnerability and the systems it affects, you can view the full report here

Latest Insights and Articles

Understand the Cyber Security and Resilience Bill, who it affects, and the practical steps SMEs and IT...

Supply chain attacks have doubled. See why vendor risk is now a major threat to UK SMEs and MSPs, and what to...

Discover the CybaVerse Operator Network for MSPs, MSSPs and resellers. Increase margins with white-label...

See How CybaOps Can Take You
From Chaos To Clarity