Microsoft Releases Record Patch Tuesday Update Covering 570 Security Flaws

Microsoft has issued its July 2026 security updates, addressing at least 570 vulnerabilities across Windows and other products. The total is nearly three times the company’s previous monthly record, s...

Microsoft has issued its July 2026 security updates, addressing at least 570 vulnerabilities across Windows and other products. The total is nearly three times the company’s previous monthly record, set in June, and includes almost 60 flaws rated critical.

Microsoft said the unusually large update reflects the growing use of artificial intelligence in vulnerability research. Pavan Davuluri, a Microsoft executive vice president, said AI-assisted techniques are helping researchers identify and analyze weaknesses across large codebases more quickly.

Three zero-days included

The release contains fixes for three zero-day vulnerabilities. Two are reportedly being exploited in attacks, while the third has been publicly disclosed but has not been linked to active exploitation by Microsoft.

Among the patched issues are roughly 250 elevation-of-privilege vulnerabilities. They include CVE-2026-56155, a flaw in Active Directory Federation Services, and CVE-2026-56164, a Microsoft SharePoint vulnerability. The two bugs could allow an attacker to gain higher permissions on an affected Windows system.

CVE-2026-50661 affects Windows BitLocker and represents a security-feature bypass. An attacker with physical access to a device could potentially use it to access protected data. Microsoft said details of the vulnerability are public, but it has not observed exploitation.

Action1 vulnerability research director Jack Bicer highlighted CVE-2026-48561, a remote-code-execution flaw in Microsoft Copilot assigned a CVSS score of 9.6. According to Microsoft, an attacker could host a malicious website that prompts Microsoft Edge for Android to send specially crafted requests to Copilot when a victim visits the site.

Changing assumptions about exploitability

Security researchers said AI may also shorten the time attackers need to turn disclosed vulnerabilities into working exploits. Satnam Narang of Tenable argued that Microsoft’s exploitability ratings, which estimate how likely a flaw is to be exploited, may not fully account for automated offensive tools. He pointed to a SharePoint zero-day that was initially rated less likely to be exploited despite later appearing on CISA’s Known Exploited Vulnerabilities catalog.

Ivanti’s Chris Goettl noted that vendors are increasing their release frequency. Adobe plans to publish security bulletins twice monthly, while Cisco, Mozilla and Oracle have also accelerated updates. Organizations should review Microsoft’s advisories, back up important systems and test patches before broad deployment.