Microsoft Patch Tuesday July 2026 Sets All-Time Record With 570 Flaws Fixed
Microsoft released a record 570 security fixes in July 2026, nearly triple last month's count. AI tools accelerated discovery, but critics say Microsoft's exploitability index lags behind AI-generated attacks.
Microsoft today released its July 2026 Patch Tuesday update, fixing at least 570 security vulnerabilities across Windows and other software. That is nearly three times the number patched in the company's previous record-setting June release. Nearly 60 of the bugs earned a critical severity rating, meaning attackers could remotely take control of a system without user interaction.
Two zero-day flaws are already being exploited in the wild. CVE-2026-56155, an elevation-of-privilege bug in Active Directory Federation Services, and CVE-2026-56164, a SharePoint vulnerability, both allow attackers to raise their access rights on a target system. A third zero-day, CVE-2026-50661, is a Windows BitLocker security feature bypass that has been publicly disclosed but not yet exploited.
AI Discovery Drives Unprecedented Patch Volume
Microsoft Executive Vice President Pavan Davuluri explained in a July 9 blog post that the surge in fixes stems from AI tools now capable of finding vulnerabilities faster, across more code, with new mechanisms that can accelerate both discovery and analysis.
He warned that users should expect a higher volume of security updates
going forward. Jack Bicer, director of vulnerability research at Action1, highlighted CVE-2026-48561, a 9.6 CVSS remote code execution flaw in Microsoft Copilot. An attacker could exploit it by hosting a malicious website that causes Microsoft Edge for Android to send crafted prompts to Copilot automatically.
- 62 vulnerabilities received a critical severity rating, per SecurityWeek.
- Approximately 250 elevation-of-privilege flaws were fixed, including the two exploited zero-days.
- Adobe announced it will move to twice-monthly security bulletins, also citing AI acceleration.
- Google fixed more than 900 security issues in June 2026.
- Microsoft's Edge browser added fixes for another 427 Chromium vulnerabilities.
Exploitability Index Under Scrutiny
Satnam Narang, senior staff research engineer at Tenable, argued that Microsoft's exploitability index is designed for human-driven attacks and fails to account for AI-generated exploits. He noted that Anthropic's Red Team demonstrated AI tools could produce working proof-of-concept exploits for 13 of 14 vulnerabilities Microsoft rated Exploitation Less Likely
or Exploitation Unlikely.
Our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools,
Narang said. CISA added the SharePoint zero-day to its Known Exploited Vulnerabilities list on July 1, despite Microsoft initially rating it less likely
to be exploited.
Chris Goettl at Ivanti noted that other major vendors including Cisco, Mozilla, and Oracle are increasing their patch cadence to keep pace with AI-discovered vulnerabilities. Given the record volume, Goettl and other researchers recommended that end users wait a few days before applying these patches to avoid potential stability issues. The coming months will likely test whether Microsoft and its peers can adapt their risk assessments to the machine speed of modern exploit development.
Fact check
-
Microsoft fixed at least 570 security vulnerabilities in July 2026 Patch Tuesday, nearly triple the number from June 2026.
verified · source
-
Two zero-days exploited in the wild: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint.
verified · source
-
Microsoft Executive Vice President Pavan Davuluri stated that users will see higher volume of security updates due to AI-assisted vulnerability discovery.
verified · source
-
Anthropic's Red Team produced proof-of-concept exploits for 13 of 14 vulnerabilities rated 'Exploitation Less Likely' or 'Exploitation Unlikely.'
reported · source
-
Google fixed more than 900 security issues in June 2026.
reported · source
Source reporting (4)
- Krebs on Security · Microsoft Patches a Record 570 Security Flaws
- SecurityWeek · Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days
- BleepingComputer · Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
- SANS Internet Storm Center · Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Here , (Tue, Jul 14th)
Join the conversation
You need to be registered and logged in to comment on blog articles.
Related Articles
Hack Exposes Suno AI's Training Data: Millions of Songs Scraped from YouTube, Deezer, and Genius
Jul 15, 2026
DHS Breach Missed for Weeks, German Firm Collapses as Cyber Threats Escalate Across Sectors
Jul 13, 2026
Ransomware Negotiator Sentenced for Leaking Client Data to BlackCat Hackers
Jul 12, 2026
0 Comments
No comments yet
Be the first to share your thoughts on this article.