Microsoft’s July 2026 Patch Tuesday is the largest security release in the company’s history, delivering fixes for 570 vulnerabilities, including three zero-days. Two of the zero-days were actively exploited in the wild, while the third had been publicly disclosed before patches became available. The release also addresses 59 critical vulnerabilities, including 48 remote code execution flaws, nine elevation of privilege vulnerabilities, one security feature bypass, and one spoofing vulnerability.
Microsoft noted that this dramatic increase in vulnerability volume is partly the result of its expanded use of AI-assisted vulnerability discovery, allowing the company to identify and remediate more flaws before they can be exploited.
Breakdown of Vulnerabilities
- 254 Elevation of Privilege vulnerabilities
- 145 Remote Code Execution vulnerabilities
- 102 Information Disclosure vulnerabilities
- 35 Denial of Service vulnerabilities
- 17 Security Feature Bypass vulnerabilities
- 16 Spoofing vulnerabilities
These totals do not include vulnerabilities patched earlier in Microsoft services such as Mariner, Azure OpenAI, Azure Synapse, Microsoft 365 Copilot, Exchange Online, Microsoft Edge for Android, and Microsoft Entra Provisioning Service. They also exclude 468 Microsoft Edge and Chromium vulnerabilities addressed separately by Google.
Non-security updates released this month include Windows 11 KB5101650 and KB5099414, along with Windows 10 KB5099539 Extended Security Updates.
Zero-Day Vulnerabilities
July’s Patch Tuesday addresses three zero-day vulnerabilities, including two confirmed to be under active attack.
CVE-2026-56155 | Active Directory Federation Services Elevation of Privilege Vulnerability
This actively exploited vulnerability allows an authorized attacker to elevate privileges due to insufficient access control within Active Directory Federation Services. Successful exploitation grants administrative privileges, making this a particularly significant risk in enterprise identity environments. The vulnerability was discovered by Microsoft’s Detection and Response Team (DART), suggesting it was identified during an active incident response investigation.
CVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege Vulnerability
This actively exploited flaw allows an unauthenticated attacker to elevate privileges over the network because of missing authentication for a critical SharePoint function. Microsoft recommends enabling the Antimalware Scan Interface (AMSI) and configuring Request Body Scan mode to Full as an additional mitigation. The vulnerability was discovered by researchers from Mandiant Incident Response, Google Cloud, FLARE OTF, and an anonymous contributor.
CVE-2026-50661 | Windows BitLocker Security Feature Bypass Vulnerability
This publicly disclosed vulnerability allows an attacker with physical access to bypass BitLocker device encryption and gain access to encrypted data stored on the system drive. Although exploitation requires physical access, the flaw is particularly important for organizations relying on BitLocker as a primary safeguard for endpoint devices.
Other Notable Vulnerabilities
In addition to the zero-days, Microsoft addressed 56 other critical vulnerabilities, including dozens of remote code execution flaws affecting Windows services, enterprise infrastructure, and productivity components. The unusually large number of privilege escalation and remote code execution vulnerabilities makes this one of the most consequential Patch Tuesday releases to date.
Adobe and Other Vendor Updates
Several major vendors also released security updates during July 2026:
- Adobe released updates addressing seven maximum-severity vulnerabilities in ColdFusion and Campaign, including a ColdFusion flaw later confirmed to be exploited in attacks.
- BeyondTrust patched two critical authentication bypass vulnerabilities affecting Remote Support and Privileged Remote Access.
- Cisco released updates for Identity Services Engine, Catalyst Center, ClamAV, and confirmed active exploitation of CVE-2026-20230, originally patched in June.
- Fortinet addressed vulnerabilities across FortiOS, FortiSandbox, FortiPAM, FortiSASE, and FortiProxy.
- Gitea patched a critical authentication bypass affecting its Docker image.
- Ivanti released fixes for vulnerabilities in Ivanti Xtraction.
- Linux kernel developers patched the Januscape vulnerability, which allows virtual machine escape and host code execution.
- NVIDIA issued updates for Triton Inference Server and TensorRT-LLM.
- Progress Software released fixes for a high-severity ShareFile Storage Zone Controllers path traversal vulnerability that prompted emergency shutdowns.
- Ubiquiti patched vulnerabilities in UniFi OS, including a maximum-severity command injection flaw.
- U-Boot maintainers released fixes for vulnerabilities affecting firmware integrity.
- SAP released July security updates addressing four critical vulnerabilities across NetWeaver, Commerce Cloud, and AppRouter.
- VMware issued updates for Avi Load Balancer addressing authentication bypass and remote code execution vulnerabilities.
- Zimbra released a patch for a critical cross-site scripting vulnerability affecting the Classic Web Client.
Recommendations for Users and Administrators
Given the unprecedented size of this month’s release and the presence of actively exploited vulnerabilities affecting Active Directory Federation Services and SharePoint Server, organizations should treat July’s updates as a high-priority deployment. Identity infrastructure, collaboration platforms, and internet-facing systems should be patched immediately.
Administrators running SharePoint should verify AMSI is enabled and configure Request Body Scan mode to Full where supported. Organizations relying on BitLocker should continue enforcing physical security controls alongside software updates, as physical access remains a prerequisite for exploitation of the BitLocker bypass.
Security teams should also review updates from Cisco, Fortinet, VMware, SAP, NVIDIA, and other vendors where authentication bypass, remote code execution, and virtualization vulnerabilities could provide additional attack paths. With Microsoft now leveraging AI-assisted vulnerability discovery, organizations should expect larger Patch Tuesday releases going forward and plan testing and deployment processes accordingly.
Full technical details and patch links are available in Microsoft’s Security Update Guide.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

