• 3 min read
Microsoft fixes 620 flaws in record July patch haul
Microsoft’s July Patch Tuesday fixed more than 620 flaws, including 570 new bugs and actively exploited issues in ADFS and SharePoint.

Image: PCWorld
Microsoft’s July Patch Tuesday was unprecedented: 570 new security vulnerabilities were fixed yesterday alone, and more than 620 patches have shipped since the start of the month. That blows past the previous monthly record of 206 in June. The total number of Microsoft vulnerabilities patched so far in 2026 has reached 1,380, already exceeding 2020's previous record of 1,250. The next scheduled Patch Tuesday is August 11th, 2026.
More than 400 of this month’s fixes affect supported versions of Windows 10, Windows 11, and Windows Server. Microsoft also recently extended the Windows 10 ESU program through October 12th, 2027.
The most urgent Windows issue already being exploited is CVE-2026-56155, a high-risk Elevation of Privilege bug in Active Directory Federation Services (ADFS). According to the report, weak access controls can let an attacker gain administrator rights. Affected systems include Windows Server 2012 through 2025 and older builds of Windows 10 1607 and 1809.
Windows and Office vulnerabilities fixed in July
Of the 413 Windows vulnerabilities Microsoft addressed, 24 are critical Remote Code Execution flaws and seven are critical Elevation of Privilege bugs. Notable examples include:
- CVE-2026-57092 in Hyper-V VMSwitch, a Use-After-Free flaw that could let a low-privileged attacker escape from a guest system and gain elevated privileges on the host
- CVE-2026-56190 in Remote Desktop Protocol, where specially crafted RDP packets can trigger code execution through improperly initialized memory
- CVE-2026-50518 in the DHCP server, one of nine DHCP flaws fixed this month
- CVE-2026-56188 in the Windows Server network driver, which can be exploited with crafted data packets across supported Windows editions up to Server 2025
Microsoft also patched 97 Office vulnerabilities, nearly double June’s total, including 17 critical RCE bugs. In many cases, the preview pane is enough to trigger the attack, meaning a user does not need to open the file itself. Another 48 RCE vulnerabilities can be exploited when a user opens a malicious Office file.

Recommended reading
AI won’t replace penetration testers just yet
SharePoint is a particular concern this month. The EoP flaw CVE-2026-56164 is already being exploited in the wild and can be attacked over the network without user authentication. Microsoft also fixed CVE-2026-55040, a Security Feature Bypass bug that can expose files without authentication, plus the critical SharePoint RCE flaws CVE-2026-50522 and CVE-2026-58644. A working demo exploit for CVE-2026-50522 was shown at Pwn2Own.
Edge, Exchange, and gaming patches
In Exchange Server, Microsoft fixed four vulnerabilities, plus a fifth in Exchange Online. One of them, CVE-2026-55008, is a spoofing bug rooted in cross-site scripting (XSS) that can execute arbitrary JavaScript in the browser when a malicious email is opened in Outlook Web Access.
Microsoft’s latest Edge security update, version 150.0.4078.65, was released on July 9th and is based on Chromium 150.0.7871.115. It fixes 27 Chromium vulnerabilities. PCWorld notes those are not included in the totals above, nor are the nearly 400 Chromium flaws patched during the first week of July; if they were, the count would exceed 1,000.
Microsoft also issued gaming-related fixes. The Minecraft Bedrock dedicated server RCE bug CVE-2026-55010 has already been patched, with no further action required from server operators, according to Microsoft. Age of Empires II: Definitive Edition needs attention, though: CVE-2026-50663 can be exploited through a malicious scenario file that tricks a player into opening it, potentially placing and executing malicious code in an unexpected location.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via PCWorld


