Microsoft July 2026 Patch Tuesday Fixes Record 570 Flaws Including Three Zero-Days
- Microsoft has released the July 2026 Patch Tuesday security updates, addressing a record 570 vulnerabilities across its Windows operating system and associated software.
- The July update reflects a broader trend in cybersecurity, where artificial intelligence is accelerating vulnerability discovery.
- Vulnerability Breakdown and Three Zero-Days Fixed The 570 vulnerabilities are categorized as follows: 254 elevation of privilege issues, 145 remote code execution problems, 102 information disclosure flaws, 35...
Microsoft has released the July 2026 Patch Tuesday security updates, addressing a record 570 vulnerabilities across its Windows operating system and associated software. The update includes two zero-day exploits actively used in attacks and one publicly disclosed zero-day vulnerability. Of the 570 flaws, 59 are rated as Critical, with 48 related to remote code execution, nine to privilege elevation, one to security bypass, and one to spoofing. The company has linked the increase in patched vulnerabilities to an AI-powered system designed to identify security flaws in the Windows codebase before they can be exploited.
The July update reflects a broader trend in cybersecurity, where artificial intelligence is accelerating vulnerability discovery. Microsoft’s AI system, part of its ongoing efforts to enhance proactive security, has identified more flaws than previous Patch Tuesdays. This shift aligns with industry developments, such as Anthropic’s Mythos model uncovering vulnerabilities in U.S. government systems during testing and Nebula Security’s VEGA AI agent detecting a 15-year-old Linux kernel flaw.
Vulnerability Breakdown and Three Zero-Days Fixed
The 570 vulnerabilities are categorized as follows: 254 elevation of privilege issues, 145 remote code execution problems, 102 information disclosure flaws, 35 denial of service vulnerabilities, 17 security feature bypasses, and 16 spoofing vulnerabilities. The update excludes flaws fixed in Microsoft Edge and Chromium by Google, as well as vulnerabilities addressed in Mariner, Azure OpenAI, and other services earlier in July.
Three zero-day vulnerabilities were resolved in this release:
- CVE-2026-56155: An active exploit in Active Directory Federation Services (AD FS) allowing privilege escalation. Microsoft’s Detection and Response Team (DART) identified the flaw, which stems from insufficient access control granularity in AD FS. The company has not disclosed details on how the vulnerability was exploited.
- CVE-2026-56164: A SharePoint Server flaw enabling remote code execution through unauthenticated access. Mandiant, Google Cloud, and anonymous researchers credited with its discovery. Microsoft recommends enabling the Antimalware Scan Interface (AMSI) and setting the Request Body Scan mode to Full.
- CVE-2026-50661: A publicly known BitLocker bypass vulnerability allowing physical access to encrypted data. An anonymous researcher disclosed the flaw, which affects BitLocker Device Encryption.
Critical Flaws Across Windows, Office, SharePoint, and More
The update addresses multiple critical-severity vulnerabilities, including remote code execution (RCE) flaws in Windows, Office, SharePoint, and SQL Server. Key examples include:

- CVE-2026-49164: Active Directory Domain Services RCE
- CVE-2026-54121: Active Directory Certificate Services privilege elevation
- CVE-2026-48561: Microsoft Copilot RCE
- CVE-2026-55012 and CVE-2026-55011: Microsoft Defender RCE
- CVE-2026-55129: Microsoft Office RCE
- CVE-2026-54118 and CVE-2026-54117: Microsoft SQL Server RCE
- CVE-2026-58608: Windows Print Spooler RCE
- CVE-2026-50694: Windows Secure Socket Tunneling Protocol RCE
- CVE-2026-50392 and CVE-2026-42982: Windows Secure Kernel Mode privilege elevation
These flaws affect Windows client and server systems, Office applications, SharePoint, Exchange, SQL Server, .NET Framework, Visual Studio, Copilot, and other components.
AI Drove This Record Patch and What Users Should Do
Microsoft attributed the increased number of vulnerabilities to its AI-powered discovery system, which identifies flaws before they are exploited. The company announced the larger-than-usual update last week, citing the system’s ability to scan the Windows codebase more comprehensively.
Users are advised to install the July Patch Tuesday updates immediately. For Windows 11 and 10:
- Open Settings > Windows Update and click "Check for updates."
- Install cumulative updates KB5101650 and KB5099414 (Windows 11) or KB5099539 (Windows 10 Extended Security Updates).
- Restart devices when prompted.
Administrators should prioritize specific fixes:
- SharePoint Server: Install updates for CVE-2026-56164, enable AMSI, and review access logs.
- Active Directory Federation Services: Apply patches for CVE-2026-56155 and audit administrative logs.
- BitLocker Users: Update to address CVE-2026-50661 and secure recovery keys.
Non-Security Updates and Availability
The July updates include non-security fixes for Windows 11 and 10, detailed in Microsoft’s release notes. The patches are available via Windows Update, the Microsoft Update Catalog, and WSUS. Enterprise users should synchronize update repositories through SCCM, Intune, or other tools.

Users running Windows 10 not enrolled in Extended Security Updates (ESU) will not receive the update. ESU enrollment, valid through October 12, 2027, can be initiated through four methods outlined by Microsoft.
Why This Matters
The scale of this update underscores the growing complexity of modern operating systems and the evolving role of AI in cybersecurity. Microsoft’s AI system has shifted the paradigm from reactive to proactive vulnerability management, but the presence of actively exploited zero-days highlights the persistent risks. Cybersecurity experts warn that delaying patches increases exposure to attacks, as threat actors are already leveraging some of the addressed flaws.
Organizations and individual users must prioritize timely updates to mitigate risks. With AI-driven discovery accelerating the identification of vulnerabilities, the pace of patching will likely remain a critical challenge for IT teams in the coming years.
