Microsoft ships fixes for 570 flaws in July, including two bugs already used in attacks
The July 2026 Patch Tuesday is the largest on record, driven partly by an AI system Microsoft is using to hunt bugs in Windows.

Key points
- Microsoft released fixes for 570 security flaws on 14 July 2026, its largest ever monthly patch batch.
- Two of the flaws were already being used in real attacks: one in Active Directory Federation Services and one in SharePoint Server.
- A third flaw, a BitLocker bypass that lets someone with physical access read encrypted data, was publicly disclosed before the patch shipped.
- 59 of the 570 flaws are rated Critical, including 48 that allow remote code execution (attackers running their own code on a target machine).
- Microsoft says an AI-powered bug-finding system is one reason the numbers keep climbing.
Microsoft's July 2026 Patch Tuesday, the monthly Tuesday when the company ships security fixes, addresses 570 vulnerabilities. That is the largest single-month total Microsoft has ever released, and it includes three zero-days, meaning flaws that were either being exploited or publicly known before a patch existed.
Two of those zero-days were already being used in real attacks.
First reported by BleepingComputer, the numbers exclude another 468 flaws Google fixed in Chromium this month that carry over into Microsoft Edge, plus a handful of cloud-service fixes Microsoft shipped earlier in July.
What are the flaws attackers are already using?
The first is CVE-2026-56155, an elevation-of-privilege bug in Active Directory Federation Services (AD FS). AD FS is the Microsoft component that handles single sign-on, the system that lets staff log in to many company apps with one account. The flaw lets an attacker who already has some access on the server promote themselves to administrator. Microsoft credits its own incident response team, Jeremy Kingston and Scott Clark of DART, which usually means the bug was spotted while investigating a live intrusion.
Microsoft has not said who was attacked or how.
The second is a SharePoint Server bug that lets a remote attacker gain higher privileges without logging in first. Microsoft describes it as "missing authentication for critical function," which in plain English means SharePoint was letting outsiders call an internal function that should have required a password. As a temporary measure, Microsoft says administrators can turn on the Antimalware Scan Interface (AMSI) with Request Body Scan set to Full. The bug was reported by Jayson Frost of Mandiant Incident Response, Genwei Jiang of Google Cloud's FLARE OTF team, and an anonymous researcher.
The third zero-day is a BitLocker bypass. BitLocker is the built-in Windows feature that encrypts a laptop's hard drive so that a thief cannot read the files. This flaw lets an attacker with physical access to the machine defeat that protection and read the data anyway. It was publicly disclosed before Microsoft had a fix ready, though Microsoft says it has not seen it used in attacks yet.
Why are the numbers so big this month?
Microsoft warned last week that Patch Tuesdays would get heavier because it has started using an AI-powered vulnerability discovery system to comb through the Windows source code. The idea is to find bugs before criminals do. The side effect is a lot more CVEs (the standard tracking IDs for security flaws) landing in a single month.
Of the 570 fixes, 59 are rated Critical. Inside that Critical bucket:
- 48 are remote code execution, where an attacker can run their own code on your machine over the network.
- 9 are elevation of privilege.
- 1 is a security feature bypass.
- 1 is a spoofing bug.
Notable Critical fixes include CVE-2026-49164 in Active Directory Domain Services, which controls Windows logins across an entire company, and CVE-2026-54121 in Active Directory Certificate Services.
What should defenders do now?
Prioritise the AD FS and SharePoint patches. Both are being used in the wild, and both sit at the identity layer, which is the layer attackers most want to own. If you cannot patch SharePoint immediately, apply Microsoft's AMSI mitigation.
Ordinary home users do not need to do anything special. Windows Update will pull the fixes down automatically. If your laptop asks to restart this week, let it.



