Microsoft’s Patch Tuesday in July 2026 fixes around 570 security flaws in its products. This comes after June’s big update, which had a record 206 issues and three that were already known to the public.
This big update comes after Microsoft’s recent change to use artificial intelligence for finding security flaws. It uses a special system that scans many models in the Windows code.
| CVE ID | Vulnerability | Impact | Severity | Zero-Day Status |
|---|---|---|---|---|
| CVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege | Elevation of Privilege | Moderate | Exploited in the wild |
| CVE-2026-56155 | Active Directory Federation Services Elevation of Privilege | Elevation of Privilege | Important | Exploited in the wild |
| CVE-2026-50661 | Windows BitLocker Security Feature Bypass | Security Feature Bypass | Important | Publicly disclosed (no confirmed exploitation) |
CVE-2026-56164 affects Microsoft SharePoint Server. It lets an attacker gain more access in a hacked or logged-in session. This is similar to earlier SharePoint EoP problems that have been linked with RCE bugs to take full control of the server. Because this is being actively exploited, on-site SharePoint farms should be fixed right away, even if they are marked as “Moderate” severity. Real attacks often mix low-severity EoP bugs with other mistakes for greater damage.
CVE-2026-56155 impacts Active Directory Federation Services (AD FS), which is Microsoft’s tool for identity management and single sign-on (SSO). It is known to be used in real attacks. Since AD FS helps with trust in both Azure AD and on-premises setups, if someone exploits this flaw, they could gain more control and attack the larger identity system, like in previous AD FS golden SAML incidents.
CVE-2026-50661 is a vulnerability in Windows BitLocker that lets users bypass security features. This was made public before a fix was available, but there have been no confirmed attacks yet. This is similar to the earlier “YellowKey” issue (CVE-2026-45585) in 2026, where attackers used physical access to take advantage of problems in BitLocker’s recovery area instead of its main encryption, which let them get around disk encryption on lost or stolen devices.
This month’s update has two serious Remote Code Execution flaws in SharePoint and Print Spooler, plus many Important-level Elevation of Privilege and RCE problems in key Windows parts.
| Impact Type | Count |
|---|---|
| Elevation of Privilege | 249 |
| Remote Code Execution | 143 |
| Information Disclosure | 102 |
| Denial of Service | 35 |
| Security Feature Bypass | 17 |
| Spoofing | 16 |
| Tampering | 8 |
| Total | 570 |
The July update includes parts of Windows, Microsoft Office, SharePoint Server, Remote Desktop Services, and Windows Admin Center. Most fixes need the customer to take action instead of being done automatically through the cloud.
Two major flaws are important: CVE-2026-58644, a Microsoft SharePoint issue that allows remote code execution, and CVE-2026-58608, a bug in the Windows Print Spooler that also lets code run from afar. Both have been popular targets for ransomware attacks and state-sponsored hackers.
Elevation of Privilege is still the top type of bug this cycle. It impacts parts like the Windows Kernel, DirectX Graphics Kernel, Desktop Window Manager, and Win32K subsystem. Attackers often use it along with an initial entry point to get SYSTEM-level access.
Enterprises using SharePoint on-site should focus on CVE-2026-58644 because it has a Critical rating and can lead to RCE issues. This reflects the attack methods used in past SharePoint zero-day cases.
Organizations that use Remote Desktop Services, Windows Admin Center, or DHCP Server on internal or hybrid networks should consider CVE-2026-58626, CVE-2026-58631, and CVE-2026-58627 as very important. These vulnerabilities affect systems often targeted in lateral movement attacks.
IT admins need to focus on testing and applying fixes for the two critical RCE problems in SharePoint and Print Spooler in the next 48 hours, as they are often attacked.
InfoSecBulletin Cybersecurity for mankind
