Microsoft released fixes for 622 security vulnerabilities in its July Patch Tuesday update, the largest monthly batch in the program’s history and more than three times the record it set in June.
The number is bigger than the combined total from the previous three months, according to Microsoft’s Security Update Guide. For Windows administrators and security teams, that means a longer triage queue and less help from Microsoft’s usual presentation of the data.
Microsoft has changed the public guide so it no longer shows the full list of individual CVEs in the main Patch Tuesday view. The company now presents a summary table that groups bug counts by product family, plus a section for notable CVEs. The individual advisories still exist separately.
That change matters because patch day starts a second clock. Once Microsoft publishes fixes, attackers can compare patched and unpatched code to identify the bug and build working exploits for systems that lag behind. Defenders usually use the advisory list to rank what gets patched first, especially when hundreds of flaws land at once.
Rapid7’s Adam Barnett wrote that the release reflects a broader rise in vulnerability reporting, with remediations following as vendors work through the findings. Microsoft stopped listing Chromium fixes in the guide last year after browser vulnerability counts climbed sharply.
Microsoft and security analysts have pointed to AI-assisted discovery tools as one reason vulnerability volume is rising, though Microsoft has not said how many of July’s CVEs came from those tools. In May, Tom Gallagher, vice president of engineering at Microsoft’s Security Response Center, said Microsoft had been using an internal AI system called MDASH to find flaws in its own software and expected larger releases to continue.
Two Microsoft flaws are already exploited
Microsoft said two of the July vulnerabilities are being exploited in the wild. CVE-2026-56164 affects on-premises SharePoint Server and lets an unauthenticated attacker raise privileges over the network. Microsoft rated it Important and assigned it a CVSS score of 5.3.
The second exploited bug, CVE-2026-56155, affects Active Directory Federation Services. Microsoft said an authenticated attacker can use it to escalate privileges locally. Microsoft credited its incident-response team, DART, with finding both vulnerabilities.
Neither CVE appeared in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog as of Wednesday morning, although Microsoft marks both as exploited.
A separate SharePoint issue, CVE-2026-55040, also drew scrutiny. Rapid7 said researcher Stephen Fewer discovered the security feature bypass and disclosed it through coordinated channels with Microsoft. Rapid7 said the bug is the first part of an exploit chain that can reach unauthenticated remote code execution on a vulnerable server.
The second vulnerability in that chain remains under embargo, with Microsoft expected to address it in August. Rapid7 rates the bypass at 5.3, while Trend Micro’s Zero Day Initiative gives it a 9.1 score.
More bugs, limited evidence of more exploitation
Britain’s National Cyber Security Centre warned organizations in April to prepare for a wave of urgent updates. The patch volume has arrived, but a matching jump in confirmed exploitation has not been observed, according to Cisco engineer Jerry Gamblin.
Gamblin wrote earlier this month that more than 35,000 CVEs had been published across vendors in the first half of the year. He found that 85 of them, or 0.24%, had appeared in CISA’s Known Exploited Vulnerabilities catalog, while noting that the number will increase as exploitation is confirmed.
Microsoft also patched CVE-2026-50661, a publicly disclosed BitLocker security feature bypass that allows a physical attacker to get around drive encryption. Rapid7 said Microsoft’s advisory matches a vulnerability announced as GreatXML by the pseudonymous researcher Nightmare Eclipse, though Microsoft has not confirmed that link.
Nightmare Eclipse has posted proof-of-concept code for unpatched Windows flaws on GitHub since April. On Tuesday, the same source released a new proof of concept called LegacyHive, which appears to let a low-privileged user mount another user’s registry hive.
Microsoft separately fixed CVE-2026-50656, a Defender elevation-of-privilege bug known as RoguePlanet, in an out-of-band update on July 8 after Nightmare Eclipse published proof-of-concept code. Nightmare Eclipse has since claimed that Microsoft’s fix adds a disk-exhaustion vector.
This story draws on original reporting from The Record.