• 3 min read
Microsoft hits 622 CVEs in record Patch Tuesday
Microsoft patched 622 product CVEs in July, plus 428 Chromium flaws in Edge. Two bugs are already being exploited, and Adobe fixed 64 more CVEs.

Image: The Register
Microsoft has blown past last month’s Patch Tuesday record, shipping fixes for 622 CVEs in its own products — more than triple June’s 206. That total does not include 428 non-Microsoft Chromium CVEs affecting Edge. Of the 622, 58 are rated critical, two are under active exploit, and one has already been publicly disclosed.
The two exploited flaws are both privilege elevation bugs. CVE-2026-56155 affects Active Directory Federation Services, where Microsoft said “insufficient granularity of access control on ADFS” could let an attacker gain administrator privileges. It requires existing local access and carries a CVSS 7.8. CVE-2026-56164 affects Microsoft SharePoint, where missing authentication for a critical function could let an unauthorized attacker on a network raise their SharePoint permissions; it is rated CVSS 5.3.
The publicly disclosed issue, CVE-2026-50661, affects BitLocker. According to the advisory, someone with local access to a BitLocker-protected machine could physically bypass its security measures.
Among the critical issues, CVE-2026-48561 stands out: a CVSS 9.6 remote code execution flaw in Copilot caused by improper input neutralization. Microsoft said an unauthorized attacker with low-privileged Hyper-V guest access could execute code, including through a malicious website that causes embedded Copilot features on Windows systems to process a prompt. Another CVSS 9.6 bug, CVE-2026-55008, affects Microsoft Exchange. A failure to neutralize input could enable spoofing and cross-site scripting through a specially crafted email, allowing arbitrary JavaScript execution.
Microsoft also patched 16 remote code execution vulnerabilities across Microsoft Office and related applications. The bugs stem from issues including heap-based buffer overflows and use-after-free flaws, with scores around CVSS 7.8.

Recommended reading
Telegram’s t.me links return after sanctions hiccup
Adobe, Broadcom, and SAP fixes
Adobe also issued a substantial Patch Tuesday release, covering 64 unique CVEs across seven bulletins for Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every bulletin included at least a few critical issues.
The most severe appears to be CVE-2026-48318, a CVSS 9.9 path traversal bug in ColdFusion that could allow arbitrary code execution. Adobe also fixed CVE-2026-48356, a CVSS 9.6 privilege escalation flaw in Commerce tied to improper restrictions on dangerous file uploads. In Adobe Experience Manager, CVE-2026-48259 and CVE-2026-48359 are both rated CVSS 9.6 and could lead to arbitrary code execution via server-side request forgery and improper restriction of XML external entity references, respectively.
Elsewhere, Broadcom patched seven CVEs in Avi Load Balancer, with scores ranging from 7.1 to 9.8, including authentication bypass, remote code execution, privilege escalation, and directory traversal. SAP published 16 security updates and one GitHub advisory; nine of those updates have a CVSS 8.1 or higher. The sharpest entries include:
- CVE-2026-44747 (CVSS 9.9), a memory corruption flaw in SAP NetWeaver Application Server ABAP that could let an authenticated attacker access system data
- CVE-2026-27690 (CVSS 9.1), which could let an unauthenticated attacker smuggle an HTTP request through SAP Approuter and cause system unavailability
- CVE-2026-44761 (CVSS 9.1), involving an undocumented sample OAuth2 client in SAP Commerce Cloud that could be used for unauthorized access
For Microsoft, the bigger immediate number is still 622 — a second straight month of record-breaking patch volume for Windows admins and security teams.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via The Register


