Microsoft released fixes for at least 570 security vulnerabilities in Windows and other software in its July Patch Tuesday batch, a new high-water mark that the company says is partly the result of AI-assisted bug hunting.
The count is almost three times larger than the company’s previous record-setting Patch Tuesday release last month. Nearly 60 of the July vulnerabilities carry Microsoft’s “critical” severity rating, the category reserved for bugs that can let attackers or malware take control of a system remotely with little or no user interaction.
Microsoft also fixed three zero-day vulnerabilities, meaning flaws that were already known to attackers or defenders before a patch was available. According to Microsoft, three of the July bugs are being exploited in the wild.
Two of the exploited flaws are elevation-of-privilege issues, a class of bug that lets someone who already has some access to a machine gain more powerful rights. Microsoft fixed roughly 250 elevation-of-privilege flaws this month, including CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint.
Another bug, CVE-2026-50661, affects Windows BitLocker. Microsoft describes it as a security feature bypass that could expose encrypted data to an attacker with physical access to the device. The company said details of the flaw have been made public, but said it is not aware of active exploitation.
Pavan Davuluri, Microsoft’s executive vice president, wrote in a July 9 blog post that Windows users should expect larger security releases as AI tools help find more vulnerabilities across more code. Microsoft’s claim is straightforward enough: better automated analysis finds more bugs, which produces more patches. The fun part, for anyone responsible for patching fleets of machines, is that “more secure” still arrives as hundreds of updates to test and deploy.
Action1 vulnerability research director Jack Bicer highlighted CVE-2026-48561, a Microsoft Copilot remote code execution vulnerability with a CVSS score of 9.6. Microsoft says an unauthenticated attacker could exploit it by running a malicious website that makes Microsoft Edge for Android send crafted prompts to Copilot when the victim visits the page.
The same AI acceleration Microsoft credits for finding flaws also changes the attacker side of the equation. Satnam Narang, senior staff research engineer at Tenable, said Microsoft’s exploitability index is still built around human-paced exploit development. That index is Microsoft’s estimate of how likely attackers are to produce reliable exploit code for a given vulnerability.
Narang pointed to the SharePoint zero-day as an awkward example: Microsoft initially rated exploitation as “less likely,” although the U.S. Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog on July 1. Narang also cited Anthropic Red Team findings in which its Mythos Preview model generated proof-of-concept exploits for 13 of 14 known vulnerabilities rated “Exploitation Less Likely” or “Exploitation Unlikely.”
Chris Goettl at Ivanti said Microsoft is not alone in shipping bigger and more frequent security updates. Adobe said it will publish security bulletins twice a month, on the second and fourth Tuesdays, and also cited AI as a reason for faster patch cycles. Goettl said Cisco, Mozilla and Oracle have increased update frequency as well, while Google’s June 2026 patch batches added up to more than 900 security fixes.
This story draws on original reporting from Krebs on Security.