Microsoft July 2026 Patch Tuesday Shatters Records with 622 CVEs, Including Actively Exploited Flaws
Microsoft's July 2026 Patch Tuesday release is its largest ever, patching a staggering 622 vulnerabilities, including two actively exploited zero-days and critical flaws in Copilot and Exchange.

Microsoft has once again redefined "Patch Tuesday" by releasing an unprecedented 622 security updates for its products in July 2026, dwarfing previous record-breaking months. This massive release includes fixes for 428 non-Microsoft Chromium CVEs affecting the Edge browser, which are not counted in the primary tally. Of the total, 58 vulnerabilities are classified as critical, with two already under active exploitation in the wild, and one publicly disclosed flaw that poses an immediate risk.
The two actively exploited vulnerabilities are CVE-2026-56155, an elevation of privilege flaw in Active Directory Federation Services (ADFS), and CVE-2026-56164, a privilege elevation vulnerability in Microsoft SharePoint. While the ADFS flaw requires local access and existing privileges, it allows attackers to gain administrator control. The SharePoint vulnerability stems from a missing authentication check, enabling unauthorized network users to escalate their permissions within the platform. Despite their CVSS scores, the active exploitation makes patching these issues a top priority.
Adding to the urgency, CVE-2026-50661, a publicly disclosed vulnerability, allows for a physical bypass of BitLocker encryption on machines with local access. This means attackers could potentially gain access to encrypted data without needing to overcome software-based protections, highlighting a critical need for physical security alongside software patching.
Among the 58 critical vulnerabilities addressed, several stand out. CVE-2026-48561, a remote code execution flaw in Microsoft Copilot, carries a CVSS score of 9.6. Exploitation requires only low-privileged Hyper-V guest access and can be triggered without user awareness, for instance, by visiting a malicious website that prompts embedded Copilot features. Similarly, CVE-2026-55008 in Microsoft Exchange is a critical spoofing vulnerability (CVSS 9.6) that can lead to cross-site scripting (XSS) via specially crafted emails.
Microsoft also addressed a significant number of remote code execution (RCE) vulnerabilities in Microsoft Office and its associated applications. A total of 16 RCE flaws, with CVSS scores around 7.8, were patched, stemming from various issues such as heap-based buffer overflows and use-after-free conditions. The sheer volume of these updates underscores the complexity and interconnectedness of Microsoft's software ecosystem.
Beyond Microsoft's extensive release, Adobe also issued significant patches across its product suite. The company addressed 64 unique CVEs in bulletins covering Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Notably, a CVSS 9.9 path traversal vulnerability in ColdFusion (CVE-2026-48318) could lead to arbitrary code execution. Adobe Commerce also saw a CVSS 9.6 privilege escalation vulnerability (CVE-2026-48356) due to improper handling of file uploads.
Other vendors also contributed to the month's patch cycle. Broadcom addressed seven CVEs in its Avi Load Balancer, ranging from authentication bypass to RCE. SAP released 16 security updates, with nine scoring 8.1 or higher, including critical memory corruption and HTTP request smuggling vulnerabilities. The scale of these combined releases suggests a potential acceleration in vulnerability discovery, possibly driven by AI-assisted research, and emphasizes the ongoing challenge for organizations to maintain robust patch management practices.
This record-breaking Patch Tuesday highlights the persistent threat landscape and the critical importance of timely patching. The inclusion of actively exploited vulnerabilities and critical flaws across multiple high-profile products from Microsoft and Adobe necessitates immediate attention from security teams worldwide. Organizations are urged to prioritize these updates to mitigate the risk of compromise.
This latest report from The Hacker News details Microsoft's July Patch Tuesday, which has set a new record by addressing a staggering 622 vulnerabilities. Notably, this includes two zero-day flaws that are already being actively exploited in the wild, underscoring the urgency for users to apply these critical updates. While specific CVEs and affected products for these zero-days remain undisclosed, Microsoft has confirmed their active exploitation and credited incident responders for their discovery.
This latest report from Dark Reading provides further detail on Microsoft's July 2026 Patch Tuesday, noting that the release addresses a record-breaking 622 CVEs, surpassing previous estimates. It highlights the inclusion of three zero-day vulnerabilities, two of which are actively exploited, and emphasizes the significant number of critical flaws, many with CVSS scores above 9.0, that demand immediate attention from security teams.