All posts

Microsoft Patch Tuesday hits 622 CVEs, tripling June record

Huma ShaziaJuly 16, 2026 at 12:02 PM5 min read
Microsoft Patch Tuesday hits 622 CVEs, tripling June record

Key Takeaways

Windows July 2026 Patch Tuesday Fixes a Record 570 Security Vulnerabilities!

Microsoft Patch Tuesday hits 622 CVEs, tripling June record
Source: www.theregister.com
  • Microsoft patched 622 CVEs in July 2026, tripling June's previous record of 206
  • Two vulnerabilities are under active exploitation: one in Active Directory Federation Services, one in SharePoint
  • A Copilot RCE vulnerability rated CVSS 9.6 can be triggered without user interaction

Microsoft's July 2026 Patch Tuesday addresses 622 CVEs, tripling last month's record of 206 and signaling that massive monthly patch volumes may be the new baseline for enterprise IT. Two of those vulnerabilities are already under active exploitation. Add another 428 Chromium CVEs affecting Edge, and security teams are staring at more than 1,050 fixes to assess, test, and deploy.

The infosec community flagged this risk after June's surge: AI-assisted bug hunting could permanently inflate patch counts. Microsoft has not confirmed how much AI contributed this month, but the sheer scale suggests automated discovery played a role.

Advertisement

Which vulnerabilities are already being exploited?

CVE-2026-56155 is an elevation of privilege flaw in Active Directory Federation Services. Microsoft attributes it to insufficient granularity of access control. An attacker with local access can escalate to administrator. The CVSS score is 7.8, modest only because exploitation requires an existing foothold.

CVE-2026-56164 targets SharePoint. A missing authentication check lets an unauthorized network attacker elevate SharePoint permissions. CVSS 5.3 sounds low until you remember the vulnerability is already being used in the wild. Scores measure theoretical severity; active exploitation changes the math.

A third issue, CVE-2026-50661, has been publicly disclosed but not yet exploited. It allows physical bypass of BitLocker security on machines an attacker can touch. If your threat model includes physical access, patch fast or expect this to move from disclosed to weaponized.

Critical flaws: Copilot, Exchange, and Office

Among the 58 critical-severity fixes, the Copilot remote code execution bug stands out. CVE-2026-48561 carries a CVSS of 9.6. The flaw stems from improper input neutralization. An attacker with low-privileged Hyper-V guest access can trigger code execution, and a malicious website can invoke the exploit without any user action by prompting embedded Copilot features to process a crafted prompt on page load.

Microsoft Exchange takes another hit with CVE-2026-55008, a spoofing vulnerability also rated CVSS 9.6. Failure to neutralize input enables cross-site scripting via a crafted email. Open the wrong message, and arbitrary JavaScript runs in your session.

Sixteen RCE vulnerabilities hit Microsoft Office applications. Root causes include heap-based buffer overflows and use-after-free conditions. All hover around CVSS 7.8. Given Office's ubiquity, these deserve priority even if they are not rated critical.

Adobe patches 64 CVEs across seven products

Adobe released fixes for 64 CVEs spanning Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every bulletin includes at least a couple of critical issues.

The worst is CVE-2026-48318, a path traversal vulnerability in ColdFusion scored at CVSS 9.9. It allows arbitrary code execution. Details remain sparse, but a 9.9 rating leaves little room for delay.

Advertisement

What this means for patch management

A 3x jump in CVE volume month over month is not noise. It forces a hard question: can your current patching cadence keep pace? Testing 622 fixes before deployment is unrealistic for most teams within a standard maintenance window. Prioritization by exploitability and asset criticality is the only viable path.

Microsoft's guidance is straightforward: install everything as soon as possible. That advice is correct but operationally incomplete. Staging environments, automated regression tests, and phased rollouts are table stakes now, not optional maturity markers.

ℹ️

Logicity's Take

If AI-assisted vulnerability discovery is driving these numbers, expect them to stay elevated. Security teams should treat June and July not as anomalies but as a new baseline. That means revisiting patch automation tooling, SLA commitments, and headcount. Tools like Microsoft Defender for Endpoint, CrowdStrike Falcon, and Tanium offer varying degrees of automated patch orchestration, typically in the $15-50 per endpoint per month range. The ROI calculation just shifted: manual patching at this volume is a staffing problem masquerading as a security problem.

Frequently asked questions

Frequently Asked Questions

How many CVEs did Microsoft patch in July 2026?

Microsoft addressed 622 CVEs specific to its products, plus an additional 428 Chromium CVEs affecting Edge, for a combined total exceeding 1,050 vulnerabilities.

Which July 2026 Patch Tuesday vulnerabilities are under active exploitation?

CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint are both confirmed under active exploit.

What is the Copilot RCE vulnerability?

CVE-2026-48561 is a CVSS 9.6 remote code execution flaw caused by improper input neutralization. It can be triggered without user interaction via a malicious website.

Why are Patch Tuesday CVE counts increasing?

AI-enabled bug hunting is suspected to be a contributing factor. Microsoft has not confirmed this, but the tripling of CVE volume between June and July suggests automated discovery is accelerating.

Did Adobe release patches this month?

Yes. Adobe patched 64 CVEs across seven products, including a CVSS 9.9 path traversal vulnerability in ColdFusion.

ℹ️

Need Help Implementing This?

If your team is struggling to keep pace with monthly patch volumes, Logicity can connect you with managed security providers and patch automation consultants. Contact us at partners@logicity.in.

Source: www.theregister.com

Advertisement
H

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.