TL;DR
Microsoft’s July 2026 Patch Tuesday fixes 570 vulnerabilities, including 57 rated critical and 510 rated important. Attackers are exploiting two zero-days in the wild: CVE-2026-56155 in Active Directory Federation Services (AD FS) and CVE-2026-56164 in SharePoint Server. A third zero-day, CVE-2026-50661 in Windows BitLocker, was publicly disclosed, but no in-the-wild exploitation has been confirmed.
Why It Matters
CISA has added both exploited flaws to its Known Exploited Vulnerabilities Catalog. Federal agencies must patch CVE-2026-56164 by July 17, 2026, and CVE-2026-56155 by July 28, 2026. These short deadlines signal active attacks against identity and collaboration infrastructure. AD FS handles enterprise sign-on, while SharePoint stores sensitive business data. As a result, a single compromise can hand attackers administrator rights or a durable network foothold. Moreover, the sheer size of this release raises the stakes. With 145 remote code execution bugs and 254 privilege escalation bugs, unpatched systems present a wide attack surface.
How the Attacks Work
CVE-2026-56155: AD FS Elevation of Privilege
This flaw stems from insufficient granularity of access control in AD FS. An authenticated attacker can abuse the gap to elevate privileges locally. Successful exploitation grants administrator privileges on the federation server. From there, an attacker could tamper with authentication flows across the connected environment.
CVE-2026-56164: SharePoint Server Elevation of Privilege
SharePoint misses authentication for a critical function. Consequently, an unauthenticated attacker can elevate privileges over the network without any credentials. Microsoft notes that enabling the Antimalware Scan Interface (AMSI) and setting Request Body Scan mode to Full can blunt attack attempts while patches roll out.
CVE-2026-50661: BitLocker Security Feature Bypass
A protection mechanism failure affects Windows BitLocker. An attacker with physical access could bypass BitLocker Device Encryption and read data on the system drive. This flaw was publicly disclosed before the patch. However, no active exploitation has been confirmed so far.
Breakdown of the July 2026 Release
The July 2026 Patch Tuesday release breaks down as follows: 145 remote code execution flaws (48 critical), 254 elevation of privilege flaws (7 critical), 102 information disclosure flaws, 35 denial-of-service flaws, 17 security feature bypasses, and 16 spoofing flaws. In addition, Microsoft shipped 468 CVEs for Edge/Chromium. Of those, the Chrome CNA issued 360 upstream Chromium fixes, and Microsoft issued the rest for Edge and Edge for Android.
Notable Critical Vulnerabilities
Several critical bugs deserve early attention. CVE-2026-49164 is a heap-based buffer overflow in Active Directory Domain Services that allows unauthenticated remote code execution. Four DHCP Server flaws (CVE-2026-56159, CVE-2026-50370, CVE-2026-48564, and CVE-2026-50518) expose core network services to code execution. CVE-2026-50694 hits the Secure Socket Tunneling Protocol with a use-after-free reachable over the network. Meanwhile, CVE-2026-55008 enables spoofing against Microsoft Exchange Server through cross-site scripting. Even Microsoft Defender needs patching, since CVE-2026-55011 and CVE-2026-55012 allow local code execution in the security tool itself. Microsoft has not confirmed in-the-wild exploitation or public proof-of-concept code for these critical flaws at this time.
- Total: 60 CVEs
- Severity: 12 Critical · 46 High · 2 Medium
- Actively exploited: 2 (zero-day / KEV)
- Highest severity: 9.9 (Critical · CVSSv3) — CVE-2026-57092
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-57092 | 9.9 | CWE-416 | 10.0.14393.9339, 10.0.17763.9020, 10.0.19044.7548 (+7) | Not exploited |
| CVE-2026-55944 | 9.8 | CWE-502 | 11.0.50704.0 | Not exploited |
| CVE-2026-56188 | 9.8 | CWE-362 | 10.0.14393.9339, 10.0.17763.9020, 10.0.19044.7548 (+7) | Not exploited |
| CVE-2026-58644 | 9.8 | CWE-502 | 16.0.5556.1005, 16.0.10417.20153, 16.0.19725.20384 | Not exploited |
| CVE-2026-50522 | 9.8 | CWE-502 | 16.0.5561.1001, 16.0.10417.20175, 16.0.19725.20434 | Not exploited |
| CVE-2026-56159 | 9.8 | CWE-122 | 10.0.14393.9339, 10.0.17763.9020, 6.2.9200.26226 (+3) | Not exploited |
| CVE-2026-56155 | 7.8 | CWE-1220 | 10.0.14393.9339, 10.0.17763.9020, 6.2.9200.26226 (+3) | Exploited |
| CVE-2026-56164 | 5.3 | CWE-306 | 16.0.5561.1001, 16.0.10417.20175, 16.0.19725.20434 | Exploited |
Affected Products
The updates span Windows Media, HTTP.sys, Hyper-V, NTFS, BitLocker, the Bluetooth Port Driver and Service, Microsoft Copilot, Microsoft Defender, and Exchange Server. Office apps, including Word and PowerPoint, receive fixes as well. Server-side products such as SQL Server, SharePoint, Dynamics 365 Business Central, WSUS, and Minecraft Bedrock Dedicated Server also appear on the list.
Patch and Mitigation Steps
Administrators should deploy the July 2026 cumulative updates now, starting with the two exploited zero-days. For SharePoint, enable AMSI with Request Body Scan set to Full as an interim safeguard. For BitLocker, restrict physical access to at-risk devices until patches land. Finally, review each advisory in the Microsoft Security Update Guide to confirm affected versions and build numbers for your environment.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.