VYPR
patchPublished Jul 14, 2026· 1 source

Microsoft July 2026 Patch Tuesday Addresses Record 622 Vulnerabilities, Including Actively Exploited Flaws

Microsoft's July 2026 Patch Tuesday release tackles a record 622 vulnerabilities, with two critical flaws exploited in the wild and listed on CISA's KEV catalog.

Microsoft's July 2026 Patch Tuesday has arrived, bringing with it a staggering 622 vulnerability disclosures, setting a new record for the company. Of particular concern, two of these vulnerabilities are already being actively exploited in the wild and have been added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. This significant release underscores the ongoing challenges in securing the vast Windows ecosystem, with 416 of the total vulnerabilities impacting Windows operating systems.

Among the critical disclosures is CVE-2026-55040, a SharePoint authentication bypass vulnerability discovered by Rapid7's Stephen Fewer. This flaw, when chained with another undisclosed vulnerability expected in August's Patch Tuesday, can lead to unauthenticated remote code execution on vulnerable SharePoint servers. Patches are available for SharePoint Server Subscription Edition, 2019, and 2016, highlighting the immediate need for organizations to apply these updates.

Another actively exploited vulnerability, CVE-2026-56164, affects Active Directory Federation Services (AD FS) and allows for privilege escalation. Despite a moderate CVSS score of 5.3, its exploitation in the wild and low attack complexity make it a significant threat. Attackers with existing access can leverage this vulnerability to gain higher privileges on a compromised system. Microsoft has acknowledged this issue and is providing patches, though it was initially mislisted in their Security Update Guide.

The Patch Tuesday also includes fixes for a publicly known security feature bypass in Microsoft BitLocker (CVE-2026-50661), which requires physical access to the target machine but can bypass encryption. Additionally, a vulnerability in Age of Empires II: Definitive Edition (CVE-2026-50663) has been patched, which could allow for code execution if a malicious game scenario file is opened.

This month's release also marks a significant shift in how Microsoft presents its security updates. The Security Update Guide now features a more streamlined summary table of vulnerability counts by product family and a "Notable CVEs" section, moving away from detailed individual listings. This change reflects a broader industry trend of increasing vulnerability report counts and a corresponding increase in remediation efforts.

Adding to the complexity, a researcher known as Nightmare Eclipse has continued to disclose vulnerabilities in Microsoft Defender, including a zero-day nicknamed RoguePlanet (CVE-2026-50656) patched last month, and has hinted at further issues. A new proof-of-concept for a vulnerability dubbed LegacyHive has also emerged from the same source, potentially allowing non-privileged users to access other users' system hives.

The sheer volume of vulnerabilities, coupled with actively exploited zero-days and the evolving disclosure landscape, presents a substantial challenge for IT and security teams. The inclusion of two KEV-listed vulnerabilities emphasizes the critical need for prompt patching and robust vulnerability management programs to mitigate the risk of exploitation.

Organizations are strongly advised to prioritize the patching of vulnerabilities listed on the CISA KEV catalog and to review Microsoft's detailed security bulletins for the July 2026 Patch Tuesday to ensure all critical systems are protected against these newly disclosed threats.

Synthesized by Vypr AI