All posts

Microsoft patches 722 CVEs in record July Patch Tuesday

Manaal KhanJuly 19, 2026 at 12:48 AM6 min read
Microsoft patches 722 CVEs in record July Patch Tuesday

Key Takeaways

500+ CVEs and a Critical SharePoint Zero-Day | Patch Tuesday July 2026

Microsoft patches 722 CVEs in record July Patch Tuesday
Source: Computerworld
  • Microsoft addressed 722 CVEs this month, roughly three times the normal Patch Tuesday volume
  • Two zero-days under active exploitation affect Active Directory Federation Services and SharePoint Server
  • SharePoint Server 2016/2019 and SQL Server 2016 reach end-of-support on the same day they receive critical final patches

Microsoft released patches for 722 CVEs in July 2026, making this one of the largest Patch Tuesday cycles in recent memory. Two vulnerabilities are already being exploited in the wild: an elevation of privilege flaw in Active Directory Federation Services (CVE-2026-56155) and another in SharePoint Server (CVE-2026-56164). The timing could not be worse for IT teams. SharePoint Server 2016/2019 and SQL Server 2016 all hit end-of-support today, receiving their final security updates on the same day they take some of their most critical fixes ever.

The 722 figure excludes 427 Chromium upstream relays. Add those back, and the true count exceeds 1,100 vulnerabilities addressed in a single cycle. A typical Patch Tuesday handles 50 to 70 CVEs. This month is roughly twelve times that baseline.

Advertisements

Which vulnerabilities are being actively exploited?

CVE-2026-56155 targets Active Directory Federation Services. It allows an attacker to escalate privileges once they have initial access to a federated identity environment. Organizations using ADFS for single sign-on should treat this as urgent.

CVE-2026-56164 hits SharePoint Server. Elevation of privilege in SharePoint typically means a low-privileged user can gain site collection administrator rights or worse. Combined with two critical remote code execution flaws also patched this month, SharePoint administrators face a trifecta of risk.

A third vulnerability, CVE-2026-50661, is publicly disclosed but not yet exploited. It bypasses BitLocker security features. Public disclosure without active exploitation is a countdown. Attackers now have a roadmap.

What gets the Patch Now recommendation?

Microsoft and independent security analysts agree on four categories this month: Windows, Office, Exchange Server, and SQL Server. SharePoint earns its own urgent flag given the zero-day plus two RCEs. Exchange Server returns to the critical list with an on-premises spoofing flaw.

Printing and graphics dominate the test-risk profile. The win32kfull.sys binary, the kernel-mode window manager, is the most-patched component with 14 entries. Seven of those carry high-risk flags. Print Spooler also appears. NTFS takes 10 entries, two high risk. Every entry reports no functional changes, meaning this is pure regression validation.

End-of-support collision: what dies today?

SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, SQL Server 2014 ESU Year 2, and InfoPath 2013 all reach end of support on July 8, 2026. These products will receive no further security updates after this cycle.

The collision is brutal. SharePoint 2016/2019 receives an actively exploited zero-day and two RCEs as its farewell gift. SQL Server 2016 takes a critical RCE. If your organization runs these platforms, you are now choosing between migrating under fire or running unpatched infrastructure.

Known issues and ongoing problems

The BitLocker recovery prompt bug tracked since April remains unfixed on Windows Server 2022 and Windows 10 22H2. Devices with BitLocker enabled on the OS drive, specific Group Policy settings for TPM platform validation, and Secure Boot State PCR7 Binding reported as 'Not Possible' may prompt for the recovery key after installing this update. The publicly disclosed BitLocker bypass (CVE-2026-50661) keeps this component in uncomfortable spotlight.

WSUS synchronization error details are now suppressed on Windows Server 2025 and 2022. This is intentional. Microsoft removed the detail pane to address CVE-2025-59287, a remote code execution vulnerability. Synchronization still works, but administrators debugging failed syncs must now dig through SoftwareDistribution logs manually.

Windows Update can still replace manually installed graphics drivers with older OEM versions from the catalogue. The four-part Hardware ID ranking issue acknowledged on the Hardware Dev Center remains in pilot until September 2026.

Advertisements

Kerberos RC4 hardening is now permanent

The July 2026 update removes the RC4DefaultDisablementPhase rollback control that let administrators defer Kerberos RC4 enforcement. RC4 hardening under CVE-2026-20833 has been enforced since April 2026. With this update, enforcement becomes final. There is no going back. If you have applications or services that still depend on RC4 for Kerberos authentication, they will break.

Secure Boot certificate deadlines

The 2011 Secure Boot certificate expiries have passed. Devices that never received the Windows UEFI CA 2023 key updates under CVE-2023-24932 can no longer receive updated boot components. The Windows Production PCA for the boot manager expires October 19, 2026. Organizations that deferred these updates are now locked out of the servicing pipeline for boot-critical components.

ℹ️

Logicity's Take

This Patch Tuesday is a stress test for IT operations maturity. Organizations still running SharePoint 2016/2019 or SQL Server 2016 face an impossible choice: accept permanent vulnerability or execute emergency migrations. The collision of end-of-support with active exploitation is not coincidence. Threat actors monitor these timelines. For enterprises evaluating migration paths, SharePoint Online eliminates on-premises patching burden entirely, while Azure SQL Database or Managed Instance offer similar relief for SQL workloads. The licensing math changes when you factor in the cost of an emergency security incident on unsupported software.

What should IT teams do this week?

  1. Patch Windows, Office, Exchange, and SQL Server immediately. The two exploited zero-days are not theoretical.
  2. Audit SharePoint Server deployments. If you run 2016 or 2019, apply the final patch and begin migration planning today.
  3. Verify Kerberos RC4 dependencies. The rollback option is gone. Test before Monday.
  4. Check Secure Boot certificate status on all devices. Machines that missed the 2023 key updates need manual intervention or replacement.
  5. Prepare for BitLocker recovery prompts if your environment matches the known issue profile. Pre-position recovery keys.
Also Read
CISA orders patches for FortiSandbox flaws under active attack

Another urgent patching mandate from federal authorities this month

Frequently Asked Questions

How many CVEs did Microsoft patch in July 2026?

Microsoft addressed 722 CVEs in July 2026, excluding 427 Chromium upstream relays. Including Chromium, the total exceeds 1,100 vulnerabilities.

Which vulnerabilities are being actively exploited?

Two zero-days are under active exploitation: CVE-2026-56155 (elevation of privilege in Active Directory Federation Services) and CVE-2026-56164 (elevation of privilege in SharePoint Server).

What products reached end of support in July 2026?

SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, SQL Server 2014 ESU Year 2, and InfoPath 2013 all reached end of support on July 8, 2026.

Is the BitLocker recovery prompt bug fixed?

No. The PCR7 recovery condition tracked since April remains unfixed on Windows Server 2022 and Windows 10 22H2.

Can I still defer Kerberos RC4 enforcement?

No. The July 2026 update removes the RC4DefaultDisablementPhase rollback control, making enforcement permanent.

ℹ️

Need Help Implementing This?

If your organization needs assistance prioritizing this month's patches, planning SharePoint or SQL Server migrations, or auditing Kerberos and Secure Boot compliance, contact the Logicity team for vendor-neutral guidance.

Source: Computerworld

M

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.