Microsoft pushed out its largest Patch Tuesday on record in mid-July 2026, addressing 622 of its own CVEs in a single release that covered Windows, Office, Azure, SharePoint Server, Exchange Server, Microsoft Edge, Defender, SQL Server and additional components.
The volume eclipsed the previous high from June 2026, which had reached approximately 206 CVEs. Two of the three zero-day vulnerabilities fixed were already being exploited in the wild before the updates shipped. CVE-2026-56155 affects elevation of privilege in Active Directory Federation Services. CVE-2026-56164 targets the same class of flaw in SharePoint Server. The third zero-day had been publicly disclosed prior to the patch.
Industry tracking described the release as unprecedented in Microsoft’s history. The company had signalled months earlier that customers should brace for higher volumes once AI-powered code analysis tools entered regular use. Pavan Davuluri, corporate vice president for Windows, stated in a Windows Experience Blog post that as AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release.
Microsoft’s internal MDASH tooling and similar systems now scan codebases at speeds unattainable by manual review. The result is a steady increase in identified flaws reaching production. That pattern does not signal collapsing security so much as a shift toward faster detection before adversaries can weaponise every latent bug. Yet the presence of two exploited zero-days in the same bundle illustrates how quickly discovery can translate into real-world pressure on on-premises systems.
Organisations running SharePoint Server or Active Directory Federation Services faced immediate exposure. The exploited vulnerabilities carry direct privilege-escalation paths that attackers already knew how to trigger. Prompt application of the updates therefore remains the only reliable mitigation. Central mandates cannot substitute for local testing and deployment discipline; enterprises that treat patching as optional governance theatre expose themselves to precisely the threats the record release sought to close.
The updates arrived on either 14 or 16 July depending on regional rollout schedules. They also included Kerberos hardening changes that may require compatibility checks in legacy environments. Microsoft’s broader adoption of automated discovery has altered expectations: monthly bulletins are no longer modest lists but comprehensive sweeps that surface hundreds of issues at once. This pace rewards those who maintain agile update pipelines and penalises those who defer to quarterly maintenance windows.