Wednesday, July 15, 2026
BCN.
Technology

Microsoft ships its largest-ever Patch Tuesday, with two bugs already under attack

The headline number, 622, is really four different numbers. What matters this week are two elevation-of-privilege zero-days in SharePoint and AD FS that attackers are already using.

Janet Torvalds

July 15, 2026

Microsoft's July security update is the biggest the company has ever shipped. Depending on who is counting, it fixes somewhere between 569 and 622 vulnerabilities, and everyone doing the counting agrees on one thing: nothing else in the program's history is close. June set the previous record at 198. July more than tripled it.

The size is not the part that should make anyone move tonight. Two of the bugs are already being used in real attacks.

What "622" actually counts

The figure in most headlines is 622. Zero Day Initiative counts 621. BleepingComputer and Tenable count 569 to 570. These are not contradictions. They are different definitions of "a July Patch Tuesday CVE." The lower counts use a same-day method that leaves out the 468 Edge and Chromium flaws Google patched on its own schedule, plus the cloud-side fixes (Azure, Entra, Exchange Online) that Microsoft shipped earlier in the month. The higher counts fold some or all of that back in. Pick a methodology and the record still holds.

The severity split is about what you would expect for a pile this size. By BleepingComputer's tally, 59 are rated Critical, and 48 of those are remote code execution. ZDI puts the Critical count at 63. The rest are mostly rated Important. A large number of low-interest bugs is still a large number, but it is not 622 emergencies.

The two that are being exploited

Two flaws were under active attack before a patch existed. Both are elevation-of-privilege bugs in the identity plumbing that a lot of corporate networks run on.

  • CVE-2026-56164, in on-premises SharePoint Server, lets an unauthenticated attacker raise privileges over the network. SharePoint has been a repeat target this year. CISA added a separate SharePoint code-execution flaw to its exploited-vulnerabilities list in early July.
  • CVE-2026-56155, in Active Directory Federation Services, is the other one being used. AD FS brokers single sign-on, so a privilege bug there is a key to a lot of doors at once.

If you run either of those on-prem, they are the reason to patch now instead of on the usual test-and-stage timeline.

A third zero-day, CVE-2026-50661, was publicly disclosed but is not being exploited. It is a BitLocker bypass that needs physical possession of the machine, which puts it in the lost-laptop threat model, not the someone-is-on-the-network one.

The scariest score is not on the exploited list

The highest-rated bug this month is CVE-2026-57092, a use-after-free in Windows VMSwitch with a CVSS of 9.9. It lets a low-privileged attacker inside a virtual machine break out and take over the host running it. For anyone running multi-tenant virtualization, a VM escape is close to the worst category of bug there is. There is no report of it being exploited yet. There is also CVE-2026-48561, a Microsoft Copilot remote-code-execution flaw rated 9.6. Neither is on the active-attack list, which is the only reason they sit lower on the to-do list than two identity bugs with smaller scores.

Why the pile got this big

The interesting question is not why July was heavy. It is why every month from here probably will be. Microsoft told customers to expect it. Windows chief Pavan Davuluri said the company is using an internal system called MDASH, a multi-model agentic scanning harness, to find bugs across the Windows codebase faster than human researchers can. Microsoft described MDASH in May as orchestrating more than 100 specialized AI agents that discover, debate, and prove out exploitable defects end to end. In May's Patch Tuesday, it found 16 of the bugs by itself.

That deserves to be read clearly in both directions. Finding your own vulnerabilities before someone else does is good engineering, and doing it at machine speed is a real capability rather than a slide in a keynote. It also means the monthly patch load is now partly a function of how hard Microsoft aims its own scanners at itself, which makes "record-breaking Patch Tuesday" a headline that will keep firing and keep meaning less each time. The count going up does not tell you the software got more dangerous. It tells you the search got better. What matters, this month and next, is the short list of things actually being exploited. In July, that list has two names on it.

What to do

Patch the two exploited flaws first if you run on-prem SharePoint or AD FS. Treat the VMSwitch escape as urgent if you host VMs. Everything else is the normal test-and-deploy cycle. And get used to the headline number being enormous, because the tool producing it is not going to be pointed anywhere else.

CVE-2026-56155SharePoint zero-dayMicrosoft July 2026 Patch TuesdayAI vulnerability discoveryPatch TuesdayCVE-2026-56164Windows securityCVE-2026-57092 VMSwitchAD FS vulnerabilityWindows security updateCybersecurityzero-day exploitMDASH

Keep reading