Microsoft shipped its July 2026 security updates today, and there is no way to undersell this one: 570 vulnerabilities fixed, the largest Patch Tuesday ever released. For scale, last month's 198 was itself a record, and people called it a doozy. July nearly triples it. The release also carries three zero-days — two flaws attackers are actively exploiting right now and one that was publicly disclosed before the fix shipped — per Microsoft's official July 2026 release notes.
A number like 570 can push a business owner toward either panic or paralysis, and neither is useful. Below is the plain-language version: what is actually in the release, why it is so enormous (the answer is AI, and it is worth understanding), the three zero-days and what each one means for a Central Coast business, and a prioritized list of what to do this week. You do not need to read 570 CVE bulletins to make good decisions; you need to know what to patch first.
The headline number: 570 fixes, the biggest Patch Tuesday in history
Microsoft has been shipping monthly security updates on the second Tuesday of the month for over two decades, and there has never been a release this large. The count breaks down like this:
- 254 elevation-of-privilege flaws. These let an attacker who already has a toehold on a machine promote themselves to administrator or system control. They are the workhorse of a real intrusion: rarely the way in, almost always the next step. Both of this month's actively exploited zero-days are in this category, which tells you how attackers are actually using them.
- 145 remote-code-execution flaws. The dangerous ones — they let an attacker run their own code on your systems, sometimes with no interaction from your staff at all. 48 of this month's 59 Critical-rated fixes are RCEs, touching Office, Exchange Server, SQL Server, Remote Desktop Client, Windows Media Foundation, and even Microsoft Defender itself.
- The rest: 102 information-disclosure flaws, 35 denial-of-service, 17 security-feature bypasses (including the BitLocker zero-day), and 16 spoofing flaws.
Same lesson as every month, at nearly triple the scale: the release covers both halves of an attack — the break-in (RCE) and the takeover (EoP) — in volume. That is the profile you patch promptly.
Why so big? AI is finding flaws faster than anyone can remember
The obvious question is whether Microsoft's software suddenly got three times worse. It did not. What changed is how fast flaws are being found. Microsoft's own executive vice president for Windows, Pavan Davuluri, put it plainly: the pace of vulnerability discovery is changing, because advances in AI make it possible to find more issues, faster, across more code. Security researchers, bug-bounty hunters, and Microsoft's internal teams are all using AI tooling now, and the result is that bugs which sat undiscovered in the code for years are surfacing in bulk. We wrote about this exact dynamic when an AI model found 271 vulnerabilities in Firefox; July's record is the same story playing out across the much larger Windows codebase.
Two practical consequences for a small business. First, heavy patch months are the new normal, not a one-off — which means a repeatable, verified monthly patch process stops being nice-to-have and becomes the whole game. Second, and less comfortable: the same AI tooling that finds flaws for defenders also works for attackers. Researchers have already shown AI producing working exploits for the majority of a sample of flaws Microsoft had rated "exploitation less likely." The labels defenders used to lean on for triage are getting less reliable, and the safe response is to patch the whole release, not just the headliners.
The three zero-days, and what to do about each
A zero-day is a flaw attackers already knew about — or that was publicly disclosed — before a fix existed, so the usual head start defenders get from patching early is gone. July has three, and this month two of them are confirmed under active attack:
- CVE-2026-56155 — Active Directory Federation Services elevation of privilege, actively exploited. AD FS is the on-premises server some organizations use to handle sign-ins for Microsoft 365 and other apps — identity infrastructure, the keys to everything. This flaw (CVSS 7.8) lets an attacker who has gained a foothold elevate to administrator, and Microsoft's own incident-response team found it while investigating real attacks. Most small businesses that sign in directly through Entra ID never deployed AD FS; if you did — or a vendor set one up years ago and it is still humming in a closet — that server is your first patch of the month, and a strong candidate for retirement in favor of Entra ID sign-in.
- CVE-2026-56164 — SharePoint Server elevation of privilege, actively exploited. A missing authentication check on a critical function lets an unauthenticated attacker escalate privileges over the network on self-hosted SharePoint (2016, 2019, and Subscription Edition). If your SharePoint is SharePoint Online through Microsoft 365, Microsoft patches the back end for you and you can exhale. If you still self-host, patch now — SharePoint servers have been a favorite ransomware entry point all year, as we covered in the May SharePoint post, and this is another argument for the migration conversation.
- CVE-2026-50661 — BitLocker security-feature bypass, publicly disclosed. Someone with physical access to a device can get around BitLocker full-disk encryption and reach the data. Sound familiar? June's release had one too. Not yet seen exploited in the wild, but the details are public, and it maps to the most ordinary risk a small business has: a laptop left in a car, lost at an airport, or stolen from the office. Encryption is what makes a stolen laptop a hardware loss instead of a data breach. Patch the laptops, and while you are at it, confirm BitLocker is actually turned on — we still find machines where it never was.
Critical clusters worth knowing about
Beyond the zero-days, a few of the 59 Critical fixes stand out because they map to things real small businesses run:
- Dynamics 365 Business Central / NAV (CVE-2026-55944, CVSS 9.8). A remote-code-execution flaw requiring no authentication and no user interaction, rated "exploitation more likely." If your accounting or ERP runs on self-hosted Business Central or the older NAV, this is as urgent as the zero-days. Cloud-hosted Business Central is patched by Microsoft.
- Microsoft Copilot (CVE-2026-48561, CVSS 9.6). A malicious website could drive Microsoft Edge on Android into sending crafted prompts to Copilot and achieve code execution. The fix is largely on Microsoft's side, but it is a sign of the times: the AI assistants being wired into everything are now attack surface too — the same theme as our AI agents post. Keep mobile browsers and apps updating automatically.
- Windows DHCP Server. Five Critical flaws, three rated "exploitation more likely." DHCP is core network plumbing — the service that hands out addresses to every device in the building — and it usually lives on the same domain controller that runs everything else. Patch your Windows servers, not just the desktops.
- The everyday paths. Critical RCEs across Office (Word, Excel, PowerPoint), Exchange Server, SQL Server, Remote Desktop Client, and Windows Media Foundation. The Office ones are the classic malicious-attachment route — a document that does not just phish for a password but runs code when opened — which is why the defenses in the email authentication post matter alongside the patch.
Windows 10: this is what end-of-support looks like
One more detail that deserves its own paragraph. Microsoft shipped this month's Windows 10 fix (KB5099539) only to devices enrolled in Extended Security Updates. Windows 10 hit end of support in October 2025; a Windows 10 machine without ESU received exactly none of this record release and is now nine months behind on security fixes, this month's zero-days included. Every record-size Patch Tuesday widens the gap between patched machines and the orphans. If you still have Windows 10 in the business — and many Central Coast offices do, often on the one PC that runs a critical app — the Windows 10 end-of-life post lays out the options: enroll in ESU as a bridge, upgrade, or replace. "Do nothing" is the only wrong answer, and it gets more wrong every month.
How to protect yourself this week
Translated into action, in priority order:
- Install and reboot, everywhere. Run this month's Windows and Office updates on every PC and every server and reboot when prompted. That single step covers all three zero-days and the bulk of the 570 fixes. An installed-but-not-rebooted patch protects nothing.
- Identity and collaboration servers first. If you run AD FS or self-hosted SharePoint, those two zero-days are under active exploitation — patch those servers before anything else, today if possible.
- Then laptops, and verify encryption. The BitLocker bypass is public. Prioritize portable devices and confirm full-disk encryption is actually enabled, so a lost laptop stays a hardware problem instead of a data breach.
- Self-hosted business apps next. Dynamics 365 Business Central / NAV, Exchange, SQL Server — the CVSS 9.8 no-authentication RCE makes self-hosted ERP a priority, and while you are on the servers, take the DHCP fixes too.
- Confirm your Windows 10 stragglers. Either they are enrolled in ESU and took KB5099539, or they are unprotected against everything in this release. Know which, this week.
- Keep MFA and backups in place. Patching lowers the odds of an incident; multi-factor authentication limits what a foothold can reach; a tested backup is what saves you when something gets through anyway. See the 10 essentials and the backup and DR post.
- Do not let the number paralyze you. 570 sounds unmanageable; for a patched, auto-updating fleet it is mostly one big Windows Update cycle. The businesses that get hurt by a release like this are the ones where updates are deferred for months and nobody verifies anything landed.
Where this fits
- The June 2026 Patch Tuesday post and the May post, for the two previous releases and the patch-cadence habit.
- The AI-found Firefox flaws post, for the AI-driven discovery wave behind this record and what it means for patch cadence.
- The BitLocker bypass post, for the encryption-bypass class behind this month's disclosed zero-day.
- The Windows 10 end-of-life post, for the machines this release skipped entirely.
- The 10 essentials and the cybersecurity page, for where patching sits in the full defense.
- The managed IT page, for patch management that is verified across every device.
We run monthly patch management for small businesses across Salinas, Monterey, Santa Cruz, Watsonville, and San Jose, and the rest of the Central Coast, so "we patch every month" is something you can prove, not just hope — even in a month with 570 of them.
FAQs about the July 2026 Patch Tuesday
Is the July 2026 Patch Tuesday really the biggest ever, and how many vulnerabilities did Microsoft fix?
Yes. The July 14, 2026 release fixes 570 vulnerabilities, making it the largest Patch Tuesday in the roughly two decades Microsoft has been shipping monthly updates — nearly triple the previous record of 198 set just last month. Fifty-nine of the fixes are rated Critical, most of those remote code execution. By type, the release is dominated by elevation-of-privilege flaws (254) and remote-code-execution flaws (145), with the rest spread across information disclosure, denial of service, security-feature bypass, and spoofing. It also includes three zero-days: two actively exploited flaws in Active Directory Federation Services and SharePoint Server, and a publicly disclosed BitLocker bypass.
What are the three zero-days and which matters most to a small business?
The three are CVE-2026-56155, an Active Directory Federation Services elevation-of-privilege flaw already being exploited in attacks, which lets an attacker with a foothold elevate to administrator on the server that handles your sign-ins; CVE-2026-56164, a SharePoint Server elevation-of-privilege flaw, also exploited in the wild, where a missing authentication check lets an unauthenticated attacker escalate privileges over the network on self-hosted SharePoint; and CVE-2026-50661, a publicly disclosed BitLocker security-feature bypass that lets someone with physical access to a device get at encrypted data. If you run AD FS or on-premises SharePoint, those servers are your first priority because attackers are using the flaws right now. For everyone else, the BitLocker bypass is the one that maps to everyday risk — a lost or stolen laptop — and it is the second month in a row a BitLocker bypass has shipped.
Why was this Patch Tuesday so big? Is Microsoft's software getting worse?
The short answer is AI. Microsoft says the pace of vulnerability discovery is changing because AI tooling makes it possible to find more issues, faster, across more code — and security researchers, bug-bounty hunters, and Microsoft's own teams are all using it. A record month does not mean Windows suddenly got 570 flaws worse; most of these bugs existed for years and are only now being found. The practical takeaway for a small business is that big patch months are the new normal, so a repeatable monthly patch process matters more than ever. One caution: researchers also warn that "exploitation less likely" labels are less reliable in the AI era, since AI tooling has produced working exploits for flaws rated unlikely to be attacked — so patch the whole release, not just the headline items.
We use Microsoft 365. Do the SharePoint and AD FS zero-days affect us?
Mostly no, and that is the good news. The SharePoint zero-day affects self-hosted SharePoint Server (2016, 2019, and Subscription Edition); if your files live in SharePoint Online through Microsoft 365, Microsoft patches that back end for you. AD FS is a federation server some organizations run on-premises to handle sign-ins for Microsoft 365 and other apps; most small businesses that sign in directly through Entra ID never deployed it. The catch is knowing which you are: plenty of businesses have an AD FS box or an old SharePoint server that a vendor set up years ago and nobody remembers. Ask whoever runs your IT to confirm, and if you are still on AD FS, this is a strong nudge to migrate sign-in to Entra ID and retire the server.
We still have Windows 10 machines. Did we get any of these fixes?
Only if those machines are enrolled in Extended Security Updates. Windows 10 hit end of support in October 2025, and this month's Windows 10 fix (KB5099539) shipped only to ESU-enrolled devices. A Windows 10 machine without ESU received nothing from this record release and is now nine months past its last free patch, accumulating exposure to every flaw fixed since — including this month's zero-days. If you still have Windows 10 in the business, either confirm ESU enrollment as a bridge or, better, plan the upgrade or replacement now.
Can we wait to install this month's updates?
No — this is exactly the release you do not sit on. It carries two zero-days that attackers are actively exploiting, a publicly disclosed BitLocker bypass, and 59 Critical flaws, 48 of them remote code execution. The moment patches ship, the flaws are public and exploit development starts against whoever has not applied them; with 570 fixes, attackers have their biggest-ever menu. A short test-then-deploy window is fine. If you cannot do everything at once, patch in this order: AD FS and on-premises SharePoint servers, internet-facing servers, laptops, then everything else — and reboot, because an installed-but-not-rebooted patch is not protecting anything.
570 patches. Are yours actually installed? Let's verify.
30 minutes with a DoD-cleared engineer. We'll check whether this record release — the three zero-days, the server fixes, and your Windows 10 stragglers — has truly applied across your machines, and set up patch management you can prove. No jargon, no obligation.
Book your free assessmentPrefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.