Technology

Microsoft deploys record patch Tuesday addressing 622 vulnerabilities including three zero-days

The July 2026 security release from Microsoft has surpassed all previous monthly records by fixing 622 CVEs across its product range, three of them zero-days with two already under active exploitation. The scale reflects the accelerating impact of AI-assisted discovery tools and underscores the necessity of prompt, decentralised patching by users and organisations.
Listen
AI-generated image: Microsoft deploys record patch Tuesday addressing 622 vulnerabilities including three zero-days
AI-generated image for illustrative purposes.
Intelligent summary
  • Microsoft fixed 622 CVEs in its largest-ever Patch Tuesday release during July 2026.
  • Three zero-days were included, two of which were under active exploitation prior to patching.
  • AI-assisted discovery tools such as MDASH have driven the sharp rise in identified vulnerabilities.

Microsoft pushed out its largest Patch Tuesday on record in mid-July 2026, addressing 622 of its own CVEs in a single release that covered Windows, Office, Azure, SharePoint Server, Exchange Server, Microsoft Edge, Defender, SQL Server and additional components.

The volume eclipsed the previous high from June 2026, which had reached approximately 206 CVEs. Two of the three zero-day vulnerabilities fixed were already being exploited in the wild before the updates shipped. CVE-2026-56155 affects elevation of privilege in Active Directory Federation Services. CVE-2026-56164 targets the same class of flaw in SharePoint Server. The third zero-day had been publicly disclosed prior to the patch.

Industry tracking described the release as unprecedented in Microsoft’s history. The company had signalled months earlier that customers should brace for higher volumes once AI-powered code analysis tools entered regular use. Pavan Davuluri, corporate vice president for Windows, stated in a Windows Experience Blog post that as AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release.

Microsoft’s internal MDASH tooling and similar systems now scan codebases at speeds unattainable by manual review. The result is a steady increase in identified flaws reaching production. That pattern does not signal collapsing security so much as a shift toward faster detection before adversaries can weaponise every latent bug. Yet the presence of two exploited zero-days in the same bundle illustrates how quickly discovery can translate into real-world pressure on on-premises systems.

Organisations running SharePoint Server or Active Directory Federation Services faced immediate exposure. The exploited vulnerabilities carry direct privilege-escalation paths that attackers already knew how to trigger. Prompt application of the updates therefore remains the only reliable mitigation. Central mandates cannot substitute for local testing and deployment discipline; enterprises that treat patching as optional governance theatre expose themselves to precisely the threats the record release sought to close.

The updates arrived on either 14 or 16 July depending on regional rollout schedules. They also included Kerberos hardening changes that may require compatibility checks in legacy environments. Microsoft’s broader adoption of automated discovery has altered expectations: monthly bulletins are no longer modest lists but comprehensive sweeps that surface hundreds of issues at once. This pace rewards those who maintain agile update pipelines and penalises those who defer to quarterly maintenance windows.