Microsoft shipped 622 CVEs in July's Patch Tuesday, more than tripling June's record of roughly 200 and making it the largest update in the program's history. The July release alone is bigger than the three previous months combined.
Two exploited zero-days are already under active attack. CVE-2026-56164 hits on-premises SharePoint Server, letting an unauthenticated attacker elevate privileges over the network with no credentials or user interaction required.
Microsoft credited Mandiant's incident responders and Google's FLARE team with the discovery. The second, CVE-2026-56155, is an Active Directory Federation Services elevation-of-privilege flaw found by Microsoft's own DART unit.
Both are privilege bugs in identity and collaboration infrastructure, and neither has a headline CVSS score. SharePoint Server 2016 and 2019 also reached end of extended support on the same day, with no paid extended security updates program available.
The raw numbers tell a story of their own. Windows accounts for 416 of the 622 fixes.
Office received patches for 164 (82 unique, double-counted across tracks). Fifty-eight of this month's bugs are rated critical, and the highest-severity single issue is a Windows VMSwitch elevation-of-privilege vulnerability at CVSS 9.9. An additional 428 non-Microsoft Chromium CVEs affecting Edge sit outside the count entirely.
None of this is accidental. Microsoft Executive Vice President Pavan Davuluri warned on July 9 that customers should expect "a higher volume of security updates included in each security release" as AI accelerates vulnerability discovery. The company's internal MDASH system (multi-model agentic scanning harness) found 16 bugs in May's Patch Tuesday alone.
Microsoft has not said how many of July's 622 came from AI pipelines. The volume has already forced changes to how Microsoft communicates. Its Security Update Guide no longer lists individual CVEs, replacing the itemized batch with a summary table grouped by product family and a "Notable CVEs" section.
Individual advisories remain available separately, but defenders and third-party trackers must now piece together the full picture from underlying feeds. The flood of patches is also gutting traditional severity-based triage. This month's two exploited zero-days carry mid-tier scores of 5.3 and 7.8, making the point that "critical" no longer sorts anything when 600-plus CVEs drop in a single day.
Tenable senior staff research engineer Satnam Narang warned that Microsoft's exploitability index, designed around human analysis, cannot keep up with AI-speed exploitation. Anthropic's Red Team demonstrated the problem earlier this year, producing proof-of-concept exploits for 13 of 14 vulnerabilities Microsoft had rated "Exploitation Less Likely" or "Exploitation Unlikely."
A third publicly disclosed but not-yet-exploited bug, CVE-2026-50661, bypasses BitLocker encryption through physical access. Rapid7 linked the advisory to a vulnerability announced under the name GreatXML by the pseudonymous researcher Nightmare Eclipse, who has been posting working exploit code for unpatched Windows flaws to GitHub since April.
Nightmare Eclipse had threatened a fresh exploit release to coincide with July's Patch Tuesday, then partially walked back the threat. A new proof-of-concept called LegacyHive emerged on Tuesday instead, allowing a non-privileged user to mount another user's registry hive.
Cisco engineer Jerry Gamblin found that of more than 35,000 CVEs published by all vendors in the first half of 2026, only 85 (0.24%) had appeared in CISA's Known Exploited Vulnerabilities catalog. "The volume curve has gone vertical," he noted, but the exploitation curve has not yet followed.
Britain's National Cyber Security Centre warned organizations in April to brace for a wave of urgent updates. That wave has arrived.
Microsoft's Tom Gallagher, vice president of engineering at the Security Response Center, said the company expects releases to continue trending larger. The RC4 Kerberos hardening Microsoft began in January also reaches its final phase this month, removing the rollback switch that admins have used to keep legacy authentication working.
For defenders, the calculus has shifted. Sort by what is being exploited, not by CVSS score. Patch faster than you used to. And do not wait for a CISA KEV listing to make an exploited bug official.













