News Article · Jul 15, 2026 at 11:48 AM
3 min read 0
Member
Microsoft Patch Tuesday July 2026 Sets All-Time Record With 570 Flaws Fixed
Security #zero-day #AI #Microsoft #Patch Tuesday #vulnerability disclosure #CVE-2026-56155 #CVE-2026-56164 #CVE-2026-50661

Microsoft Patch Tuesday July 2026 Sets All-Time Record With 570 Flaws Fixed

Microsoft released a record 570 security fixes in July 2026, nearly triple last month's count. AI tools accelerated discovery, but critics say Microsoft's exploitability index lags behind AI-generated attacks.

Microsoft today released its July 2026 Patch Tuesday update, fixing at least 570 security vulnerabilities across Windows and other software. That is nearly three times the number patched in the company's previous record-setting June release. Nearly 60 of the bugs earned a critical severity rating, meaning attackers could remotely take control of a system without user interaction.

Two zero-day flaws are already being exploited in the wild. CVE-2026-56155, an elevation-of-privilege bug in Active Directory Federation Services, and CVE-2026-56164, a SharePoint vulnerability, both allow attackers to raise their access rights on a target system. A third zero-day, CVE-2026-50661, is a Windows BitLocker security feature bypass that has been publicly disclosed but not yet exploited.

AI Discovery Drives Unprecedented Patch Volume

Microsoft Executive Vice President Pavan Davuluri explained in a July 9 blog post that the surge in fixes stems from AI tools now capable of finding vulnerabilities faster, across more code, with new mechanisms that can accelerate both discovery and analysis. He warned that users should expect a higher volume of security updates going forward. Jack Bicer, director of vulnerability research at Action1, highlighted CVE-2026-48561, a 9.6 CVSS remote code execution flaw in Microsoft Copilot. An attacker could exploit it by hosting a malicious website that causes Microsoft Edge for Android to send crafted prompts to Copilot automatically.

  • 62 vulnerabilities received a critical severity rating, per SecurityWeek.
  • Approximately 250 elevation-of-privilege flaws were fixed, including the two exploited zero-days.
  • Adobe announced it will move to twice-monthly security bulletins, also citing AI acceleration.
  • Google fixed more than 900 security issues in June 2026.
  • Microsoft's Edge browser added fixes for another 427 Chromium vulnerabilities.

Exploitability Index Under Scrutiny

Satnam Narang, senior staff research engineer at Tenable, argued that Microsoft's exploitability index is designed for human-driven attacks and fails to account for AI-generated exploits. He noted that Anthropic's Red Team demonstrated AI tools could produce working proof-of-concept exploits for 13 of 14 vulnerabilities Microsoft rated Exploitation Less Likely or Exploitation Unlikely. Our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, Narang said. CISA added the SharePoint zero-day to its Known Exploited Vulnerabilities list on July 1, despite Microsoft initially rating it less likely to be exploited.

Chris Goettl at Ivanti noted that other major vendors including Cisco, Mozilla, and Oracle are increasing their patch cadence to keep pace with AI-discovered vulnerabilities. Given the record volume, Goettl and other researchers recommended that end users wait a few days before applying these patches to avoid potential stability issues. The coming months will likely test whether Microsoft and its peers can adapt their risk assessments to the machine speed of modern exploit development.

Fact check

  • Microsoft fixed at least 570 security vulnerabilities in July 2026 Patch Tuesday, nearly triple the number from June 2026.

    verified · source

  • Two zero-days exploited in the wild: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint.

    verified · source

  • Microsoft Executive Vice President Pavan Davuluri stated that users will see higher volume of security updates due to AI-assisted vulnerability discovery.

    verified · source

  • Anthropic's Red Team produced proof-of-concept exploits for 13 of 14 vulnerabilities rated 'Exploitation Less Likely' or 'Exploitation Unlikely.'

    reported · source

  • Google fixed more than 900 security issues in June 2026.

    reported · source

Source reporting (4)

0 Comments

No comments yet

Be the first to share your thoughts on this article.

Join the conversation

You need to be registered and logged in to comment on blog articles.

Who Is Online

In total there are 50 users online: 0 registered, 42 guests and 8 bots.

Most users ever online was 4,502 on 28 Jun 2026, 10:02 am.

Bots: AhrefsBot Applebot Baiduspider Bingbot Majestic Other Bot PetalBot SemrushBot

Users active in the past 15 minutes. Total registered members: 369