Microsoft Patch Tuesday July 2026: Record 570 CVEs Patched Including 3 Zero-Days
Tags Infrastructure · Enterprise

Microsoft released updates for 570 CVEs on July 14, 2026 — a record volume attributed to AI-assisted vulnerability discovery. Three zero-days were addressed: CVE-2026-56155 (AD FS elevation of privilege, exploited in wild), CVE-2026-56164 (SharePoint Server EoP, exploited, low complexity), and CVE-2026-50661 (BitLocker bypass requiring physical access). The release includes 254 EoP, 145 RCE, and 102 information disclosure flaws; 59 rated critical (48 RCE). Google patched 460+ Edge/Chromium flaws the same month; Adobe moved to biweekly cadence.
Technical significance
The 570-CVE volume represents a structural shift: AI-driven fuzzing, variant hunting, and static analysis are discovering vulnerabilities faster than enterprises can remediate. Qualys and Bugcrowd characterize this as a new floor, not a ceiling. The two actively exploited zero-days in AD FS and SharePoint highlight identity and collaboration surfaces as priority targets. CISA's urgent SharePoint hardening directive underscores operational urgency. Organizations must adopt EPSS/KEV-based prioritization and tiered SLAs (24-36 hours for KEV/EPSS>0.5) over CVSS-only triage.