July 15, 2026
With the July update, Microsoft addresses approximately 570 security vulnerabilities across its product ecosystem as part of the monthly Patch Tuesday. Three of these vulnerabilities were already publicly known before the updates were made available. This update follows the June release, which closed 206 vulnerabilities.
AI-Powered Vulnerability Detection: A Behind-the-Scenes Look
The high number of corrections in this update is linked to a new internal audit procedure. Microsoft recently introduced an agent-based scanning system utilizing multiple AI models that systematically examines the entire Windows codebase for vulnerabilities. This new approach has likely contributed to the significant increase in both detected and resolved security gaps.
Overview of the Update Scope
When adding 427 vulnerabilities in the Chromium foundation of the Edge browser, this patch cycle totals 622 reported security vulnerabilities. The SANS Internet Storm Center also highlights this total number in its evaluation of the update, reporting that 62 of these vulnerabilities are classified by Microsoft as critical. Notably, one of these vulnerabilities was already publicly known before the release, while two others had been actively exploited.
Here’s a breakdown by the impact type:
- Privilege escalation: 249
- Remote code execution: 143
- Information disclosure: 102
- Denial of Service: 35
- Bypass security features: 17
- Spoofing: 16
- Manipulation: 8
- Total: 570
Already Exploited Vulnerabilities
Two vulnerabilities have reportedly been actively exploited prior to the update’s release:
- CVE-2026-56155: A privilege escalation vulnerability in Active Directory Federation Services, rated as “important.”
- CVE-2026-56164: A privilege escalation vulnerability in Microsoft SharePoint Server, rated as “moderate” by Microsoft.
Publicly Known but Not Yet Exploited
CVE-2026-50661 concerns Windows BitLocker and allows for a potential bypass of the security feature. It is currently unclear if this vulnerability is related to a set of vulnerabilities denoted as “Nightmare Eclipse.” The discoverer is known as “Anonymous.”
Two High-Priority Vulnerabilities for Businesses
Two vulnerabilities are rated as critical and deserve focused prioritization:
- CVE-2026-58644: A vulnerability in Microsoft SharePoint that allows remote code execution, resembling patterns seen in previous SharePoint zero-day incidents. Companies operating local SharePoint servers should prioritize applying this fix.
- CVE-2026-58608: A flaw in the Windows Print Spooler that also permits remote code execution. Both SharePoint and Print Spooler vulnerabilities have historically been prime targets for ransomware groups and state-sponsored actors.
Network-Based Vulnerabilities with Exploitation Conditions
Some vulnerabilities can only be exploited under specific conditions:
- CVE-2026-54128: A vulnerability in the Windows DHCP client that allows remote code execution, requiring a connection to a network with a manipulated DHCP server—an issue that could be relevant in public Wi-Fi scenarios. Additionally, several vulnerabilities in the DHCP server service were addressed in the same update.
- CVE-2026-54982 and CVE-2026-54995: Two vulnerabilities in the Windows Reliable Multicast Transport Driver (RMCAST) that allow remote code execution, typically requiring attackers to be on the same network. Similar vulnerabilities have appeared in prior updates, although practical exploitation has not been observed.
Affected Product Areas
The July updates cover several areas, including:
- Windows operating system components
- Microsoft Office
- SharePoint Server
- Remote Desktop Services
- Windows Admin Center
A significant portion of the corrections will need to be manually applied by customers, as they will not be rolled out automatically through cloud services. Privilege escalation remains the most common error class in this cycle, affecting the Windows kernel, the DirectX graphics kernel, the Desktop Window Manager, and the Win32K subsystem. Attackers usually combine such vulnerabilities with initial access points to gain system-level rights.
Recommendations for Handling the Update
Despite the high number of reported vulnerabilities, the adoption rate of Microsoft products remains unchanged in many organizations. While several products, like Office, are affected by numerous individual vulnerabilities, the effort required for patching does not necessarily increase at the same rate. Therefore, it is advisable to prioritize based on risk and actual exploitation, especially for vulnerabilities that have been actively attacked and those deemed critical in SharePoint and the Print Spooler.
Written by the AllAboutSecurity Editorial Team

