ITnews

Microsoft’s July security patch fest brings on the ‘bug apocalypse’


This month’s regular round of security patches from Microsoft is likely to cause more than one Patch Wednesday (antipodean time) chronicler to sit up due to the sheer volume of Common Vulnerabilities and Exposures (CVE) indexed bugs, around three times more than for June 2026.



“Here it is. The Mother of All Releases,” security vendor Trend Micro’s Zero Day Initiative researcher Dustin Childs said.

“How to count this mess is anyone’s guess, but I see new Microsoft 621 CVEs for the month of July,” Childs said.

Adding a further 480 vulnerabilities in Chromium, the open source browser engine Microsoft Edge is based on, the July round of security updates clocks in at over 1000 in total.

Of these, “a record-breaking” 416 are Windows vulnerabilities, security vendor Rapid7’s lead software engineer Adam Barnett said.

Of those, 63 carry a Critical rating, and 26 score above 9.0 on the Common Vulnerability Scoring System, the industry’s standard 10-point measure of how severe a flaw is.

Microsoft has changed the format of the vulnerability reporting, and Barnett said the tech giant no longer enumerates Chromium CVEs from June in its Security Update Guide (SUG).

From this month, Microsoft doesn’t list vulnerabilities in its own products in the SUG so while there are way more bugs, there is less detail on them.

A vast range of software is being patched by Microsoft.

“The products covered this month are also astonishing,” Childs said.

Privilege escalation bugs in Microsoft’s SharePoint Server with low attack complexity (CVE-2026-56164) and in Active Directory Federation Services (CVE-2026-56155) are being exploited in the wild, the company said.

Barnett also speculated that the patch for CVE-2026-50661 that handles a publicly-known bypass for Microsoft’s BitLocker full-disk encryption is a fix for June’s GreatXML vulnerability from disgruntled reseacher Nightmare Eclipse.

Even the Age of Empires II: Definitive Edition video game receives a patch this month: CVE-2026-50663 is a remote code execution involving malicious game scenario files which, if users open them, can write arbitrary content outside the designated Age of Empires directory.

Dutch cyber security student Rick de Jager is credited by Microsoft for finding and reporting the Age of Empires vulnerability.

AI powering an avalanche of vulnerabilities discovered

Microsoft attributes the dramatic jump in vulnerabilities and patches to its own growing use of artificial intelligence to hunt for bugs across its codebase.

In May, Microsoft annnounced its MDASH vulnerability scanner which uses AI.

This includes Microsoft’s flagship Windows operating system, in which MDASH found four remote code execution vulnerabilities it rated as critical.

Last week, Microsoft vice president of Windows Devices Pavan Davuluri outlined how the company runs MDASH, which is a multi-model agentic scanning harness, using dedicated cloud infrastructure.

Davuluri framed the use of MDASH as a shift in how Microsoft builds software, describing vulnerability discovery as something now woven into the development and review process rather than treated as a separate, later-stage activity.



Source link