Microsoft Patch Tuesday July 2026 delivered the company’s largest security update to date, addressing 622 Microsoft CVEs, more than tripling the roughly 200 vulnerabilities patched in June. Among the fixes are two zero-day vulnerabilities—CVE-2026-56164 and CVE-2026-56155—that Microsoft confirmed are being actively exploited, making them the highest-priority updates in this month’s release.
According to Microsoft’s July 2026 Security Updates, the release includes patches across multiple product families. Windows accounts for the largest share with 416 vulnerabilities, followed by Office with 82, Microsoft Edge with 46, Developer Tools with 27, SharePoint Server with 17, Azure with 11, SQL Server with eight, Defender and Exchange Server with five each, and four additional updates categorized under Other. Microsoft also republished 428 non-Microsoft Chromium CVEs.
Microsoft Patch Tuesday July 2026 Highlights Exploited Vulnerabilities
The two most significant flaws in Microsoft Patch Tuesday July 2026 are CVE-2026-56164 and CVE-2026-56155, both elevation-of-privilege vulnerabilities affecting critical enterprise infrastructure.
CVE-2026-56164 impacts on-premises Microsoft SharePoint Server and allows an unauthenticated attacker to elevate privileges remotely over the network without requiring credentials or user interaction. Microsoft said the vulnerability was discovered by Mandiant incident responders and Google’s FLARE team, suggesting it was identified during investigations into active attacks. However, the company has not disclosed how the flaw was exploited or who was responsible.
Microsoft also noted that enabling the Antimalware Scan Interface (AMSI) in Full Mode can help reduce the attack risk. The update arrives on the same day that SharePoint Server 2016 and SharePoint Server 2019 reach the end of extended support. Unlike Windows Server and SQL Server, these products do not have a paid Extended Security Updates (ESU) program. SharePoint has remained a frequent target since the ToolShell attack chain affected unpatched servers in 2025.
The Second Vulnerability (CVE-2026-56155)
The second actively exploited vulnerability, CVE-2026-56155, affects Active Directory Federation Services (AD FS). Microsoft said the flaw enables an authenticated attacker to elevate privileges locally because of weak access controls.

The company’s Detection and Response Team (DART) reported the issue. While Microsoft has not disclosed the exact privileges attackers gained or how the vulnerability was used, AD FS plays a critical role by issuing authentication tokens across enterprise environments, increasing the potential impact of a successful attack.
Beyond these two zero-days, Microsoft identified CVE-2026-50661, a Windows BitLocker Security Feature Bypass vulnerability, as publicly known.
As of publication, neither CVE-2026-56164 nor CVE-2026-56155 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. However, Microsoft has already classified both as exploited through its own exploitability assessment. The company also assigned the SharePoint flaw a relatively low severity rating, highlighting that active exploitation should take precedence over severity scores when prioritizing remediation.

