July 2026 Patch Tuesday: 622 Vulnerabilities, 3 Zero-Days
Microsoft released its July 2026 Patch Tuesday security updates on July 14, 2026, addressing 622 CVEs – one of the largest single releases on record, helped along by Microsoft’s growing use of AI-assisted vulnerability discovery. Three are zero-days: two already exploited before a fix was available (SharePoint Server and AD FS), and one BitLocker bypass that was publicly known ahead of the patch.
In general, Elevation of Privilege and Remote Code Execution dominate the numbers, together accounting for more than two-thirds of the release:
- 257 Elevation of Privilege (EoP) vulnerabilities
- 162 Remote Code Execution (RCE) vulnerabilities
- 109 Information Disclosure vulnerabilities
- 35 Denial of Service (DoS) vulnerabilities
- 29 Spoofing vulnerabilities
- 21 Security Feature Bypass vulnerabilities
- 8 Tampering vulnerabilities
One additional CVE (CVE-2026-13862) is reserved in Microsoft’s advisory with no severity or details published yet, bringing the overall count to 622.
Zero-Day Vulnerabilities Addressed in July 2026 Patch Tuesday
In the July 2026 security updates, Microsoft highlighted three zero-day vulnerabilities. Active exploitation has been detected for two of these, while the third was publicly disclosed prior to the patch release.
CVE-2026-56164 (CVSS 5.3) – Microsoft SharePoint Server Elevation of Privilege (Exploitation Detected)
Because this vulnerability impacts on-premises SharePoint Server, treat it as a top priority anywhere SharePoint is internet-facing or sits in high-trust internal segments. Even though Microsoft’s advisory ranks it as a medium severity issue, it represents a missing-authentication vulnerability that an unauthenticated attacker can exploit with zero user interaction.

Defender focus:
- Patch internet-exposed SharePoint Server first, then internal farms.
- Confirm deployment across all SharePoint farms, including staging and DR where applicable.
- Increase monitoring around SharePoint administrative actions and privilege changes during rollout.
CVE-2026-56155 (CVSS 7.8) – Active Directory Federation Services (AD FS) Elevation of Privilege (Exploitation Detected)
Since AD FS sits on a core authentication trust boundary, prioritize environments where it supports external access, privileged users, or high-value apps. Microsoft also calls out AD FS DKM container ACL hardening as part of this release – handle that as patch plus verification, not patch-only.

Defender focus:
- Patch systems supporting AD FS promptly.
- Follow Microsoft’s guidance for the DKM container ACL hardening behavior and verification.
CISA added both flaws to its Known Exploited Vulnerabilities (KEV) catalog on July 14, 2026, triggering federal remediation deadlines under Binding Operational Directive 22-01: CVE-2026-56164 must be remediated by July 17, 2026, while CVE-2026-56155 carries a longer window, due by July 28, 2026.
CVE-2026-50661 (CVSS 6.1) – Windows BitLocker Security Feature Bypass (Publicly Known)
The third zero-day, CVE-2026-50661, was publicly known ahead of Patch Tuesday. It requires physical access, which shifts urgency toward devices with higher loss or theft risk: laptops and mobile endpoints, especially executive, admin, and travel devices.

Defender focus:
- Prioritize laptops and mobile endpoints with higher physical-risk profiles.
- Keep BitLocker operational controls tight (recovery key governance, compliance monitoring) alongside patching.
Exploitation Update: Active Attacks Detected for CVE-2026-58644 (CVSS 9.8) – Microsoft SharePoint RCE
CVE-2026-58644 is a critical deserialization-of-untrusted-data vulnerability, also affecting SharePoint Server. It is reachable over the network with no user interaction required.

Details of CVE-2026-58644 (SOCRadar Vulnerability Intelligence)
This vulnerability wasn’t flagged as exploited at initial release on July 14; Microsoft updated the advisory the next day, on July 15, to change its status to exploitation detected.
A closely related bug, CVE-2026-50522, shipped the same day with an identical CVSS 9.8 deserialization root cause in the same product, though it isn’t flagged as exploited. Given the shared codebase and severity, patch both in the same pass regardless.
Defender focus:
- Patch internet-exposed SharePoint Server immediately, then internal farms.
- Enable AMSI integration on SharePoint web applications as a compensating control while patches roll out.
- SharePoint Server 2016 and 2019 reached end of life on July 14, 2026. Treat migration, not just patching, as a priority if you are still on those versions.
Cut Through Patch Noise With SOCRadar XTI
With 622 CVEs, this is one of the largest Patch Tuesdays. Microsoft has been leaning increasingly on AI-assisted tooling to scan its own codebase, and has signaled that vulnerability counts per cycle will keep climbing as that tooling finds more issues, faster. For more on that shift and its implications for defenders, see SOCRadar’s coverage of Microsoft’s AI-driven detection strategy.
Whatever the cause, the effect for defenders is the same: more CVEs per cycle means that triage determines remediation outcomes for the cycle, and high-volume releases like this one make it easy to lose track of what is actually urgent. SOCRadar’s Extended Threat Intelligence (XTI) platform is built to close that gap:
- Attack Surface Management (ASM) module continuously maps your internet-facing assets and the technologies running on them, so when a release like this drops, you already know which affected products (SharePoint, AD FS, DHCP, etc.) are actually exposed to the outside world, instead of finding out during an incident.
- Cyber Threat Intelligence (CTI) module includes SOCRadar’s vulnerability intelligence capability – layers exploitation status and business context on top of severity scores, turning a month’s flood of vulnerabilities into a short, ranked list of what to patch now versus what can wait a cycle.

SOCRadar ASM, Company Vulnerabilities
The Most Critical Vulnerabilities in July 2026 Patch Tuesday
These are the most critical vulnerabilities addressed by Microsoft in the July 2026 Patch Tuesday updates:
- CVE-2026-45499 (CVSS 9.9) – Azure OpenAI Elevation of Privilege (no customer action required)
- CVE-2026-57092 (CVSS 9.9) – Windows VMSwitch Elevation of Privilege
- CVE-2026-57100 (CVSS 9.9) – Microsoft Entra Provisioning Service Elevation of Privilege (no customer action required)
- CVE-2026-50518 (CVSS 9.8) – Windows DHCP Server Remote Code Execution
- CVE-2026-50522 (CVSS 9.8) – Microsoft SharePoint Remote Code Execution
- CVE-2026-55010 (CVSS 9.8) – Minecraft Bedrock Dedicated Server Remote Code Execution (no customer action required)
- CVE-2026-55944 (CVSS 9.8) – Microsoft Dynamics NAV / Business Central (On-Premises) Remote Code Execution
- CVE-2026-56159 (CVSS 9.8) – DHCP Server Service Remote Code Execution
- CVE-2026-56188 (CVSS 9.8) – Windows Server Network Driver Remote Code Execution
- CVE-2026-58644 (CVSS 9.8) – Microsoft SharePoint Remote Code Execution (see Zero-Days above)
- CVE-2026-48561 (CVSS 9.6) – Microsoft Copilot Remote Code Execution
- CVE-2026-50380 (CVSS 9.6) – Windows GDI+ Remote Code Execution
- CVE-2026-55008 (CVSS 9.6) – Microsoft Exchange Server Spoofing
- CVE-2026-41106 (CVSS 9.3) – Microsoft 365 Copilot Elevation of Privilege (no customer action required)
- CVE-2026-55040 (CVSS 9.1) – Microsoft SharePoint Server Security Feature Bypass
Four of these (Azure OpenAI, Microsoft Entra Provisioning Service, Minecraft Bedrock Dedicated Server, and Microsoft 365 Copilot) are marked “no customer action required” since they are fixed service-side. Everything else on this list needs patching in your own environment.
Apply Microsoft’s Security Updates for July 2026 Patch Tuesday
Recommended patch order for July 2026:
1) Immediate (Priority 0):
- Patch SharePoint Server for CVE-2026-56164 and CVE-2026-58644 (exploitation detected), and in the same pass, CVE-2026-50522 (same root cause, same severity, same product).
- Patch AD FS-related systems for CVE-2026-56155 (exploitation detected) and follow the DKM container ACL hardening guidance.
2) Fast follow (Priority 1):
- Patch endpoints for CVE-2026-50661 (BitLocker bypass, publicly known), prioritizing devices with higher physical-risk profiles.
3) Then (Priority 2):
- Work through the remaining CVSS 9.0+ Critical vulnerabilities above based on where those components are present and meaningfully exposed.
- Windows DHCP Server RCEs (CVE-2026-50518, CVE-2026-56159) are network-reachable and unauthenticated – prioritize over the DHCP Client RCE (CVE-2026-54128), which requires local access.
To view the full details on fixes, impacted products, and vendor classifications, check Microsoft’s official release note and update guide.
