Microsoft's July 2026 Patch Tuesday Is the Biggest Ever, 622 Fixes at Once
AI tools are finding software flaws faster than companies can fix them. This month's update from Microsoft shows exactly what that looks like in practice.

Key points
- Microsoft released fixes for 622 separate security flaws on 14 July 2026, the largest single Patch Tuesday update in the programme's history.
- Three of those flaws are zero-days, meaning they were unknown or unpatched when criminals first found them; two are already being actively exploited.
- The US government agency responsible for cyber defence, CISA (the Cybersecurity and Infrastructure Security Agency), has ordered federal bodies to patch the two exploited flaws by 28 July 2026 at the latest.
- Artificial intelligence tools are now discovering software vulnerabilities faster than security teams can patch them, forcing a rethink of how organisations decide what to fix first.
- One AI model, Claude Mythos Preview, produced working attack code for 13 of 14 flaws that Microsoft had rated as unlikely to be exploited.
Microsoft's monthly security update, known as Patch Tuesday, usually lands with a thud. July 2026's landed like a freight train.
On 14 July 2026, Microsoft published fixes for 622 distinct CVEs, which are individually numbered and catalogued security vulnerabilities. That beats every previous monthly release on record. Two months earlier, Microsoft's own vice president of engineering had hinted the numbers might climb. Most observers did not expect them to climb quite this fast.
How did the hackers get in?
Two of this month's zero-day flaws are actively being used by criminals right now. The first, CVE-2026-56155, sits inside Active Directory Federation Services, a Microsoft product that handles single sign-on (SSO), the system that lets employees log in once and then move freely between different company apps without typing a password again. The flaw lets an attacker quietly upgrade their own access until they have full system-level control. The second active zero-day, CVE-2026-56164, targets SharePoint Server, Microsoft's document-sharing platform used by millions of organisations. It exploits a missing authentication check, meaning a critical function that should demand a login simply does not bother asking for one.
A third zero-day, CVE-2026-50661, affects Windows BitLocker, the encryption feature that scrambles the files on a laptop so that a thief who steals the physical device cannot read them. This particular flaw lets someone with physical access to a machine bypass that protection entirely. It is publicly documented but not yet exploited in the wild.
Beyond the zero-days, security researchers flagged CVE-2026-57092 (severity score 9.9 out of 10) in Windows VMSwitch as especially alarming. It could let an attacker break out of a virtual machine, which is an isolated software container used heavily in cloud computing, and seize control of the underlying physical server.
Microsoft Exchange Server, the email platform running inside countless company networks, also appears on the list with CVE-2026-55008, a spoofing flaw that lets criminals impersonate trusted senders over a network. Microsoft flags this one as likely to be targeted.
The raw scale of 622 patches points to something new. AI tools are now scanning software codebases and finding vulnerabilities far faster than human researchers ever could. Josh Taylor, lead cybersecurity analyst at Fortra, put it plainly: the real problem is not the number, it is working out which of those 622 flaws to tackle first, given limited time and staff.
Experts quoted by Dark Reading are increasingly sceptical of leaning solely on CVSS, the common vulnerability scoring system that assigns each flaw a severity number. An AI model has already shown it can generate working attack code for flaws rated "unlikely to be exploited." That makes a simple score a poor guide to urgency.
If you work in IT, patch the two actively exploited flaws first, ideally within hours. If your organisation uses SharePoint or Active Directory Federation Services, those are the places to start today.
For everyone else: if you use a Windows laptop, run your available updates now. If your workplace uses Microsoft 365 or shared document platforms, ask your IT team whether July's patches have been applied.



