Microsoft’s July 2026 Patch Tuesday Addresses 63 Critical Flaws and Two Actively Exploited Bugs

Security updates cover Windows, Copilot, Exchange, Defender, Azure, and other enterprise platforms.

Windows-11-notebook-tablet

Key Takeaways:

  • Microsoft patched 621 vulnerabilities across its products in July 2026.
  • The release includes 63 critical flaws and two actively exploited vulnerabilities.
  • These updates also introduce new Windows 11 recovery and update management features.

Microsoft has released the July 2026 Patch Tuesday updates for Windows 11 versions 26H1, 26H2, and 24H2. This month, the company has fixed 621 vulnerabilities in Windows, Office, Microsoft Edge, Azure, Github Copilot, Defender, Exchange Server, and Hyper-V.

As pointed out by the Zero Day Initiative, Microsoft’s July 2026 Patch Tuesday is “The Mother of All Releases. To call this record-breaking is an understatement. I looked at the last 20 years of Microsoft releases. The CVE count year-to-date exceeds all other years’ totals.”

621 critical Windows vulnerabilities in July 2026 Patch Tuesday updates

Microsoft’s latest Patch Tuesday updates bring fixes for several flaws, including 63 rated Critical, six rated Moderate, one rated Low, with the rest rated Important in severity. Two of these vulnerabilities are already being exploited by attackers. Here’s what you need to know about the critical vulnerabilities Microsoft fixed this month:

  • CVE-2026-56155: This is an elevation of privilege (EoP) vulnerability in Microsoft Active Directory Federation Services that could be exploited to gain system-level privileges. This bug carries a CVSS score of 7.8.
  • CVE-2026-56164: This is a privilege elevation vulnerability in Microsoft SharePoint that could allow an unauthorized attacker on a network to elevate permissions. Microsoft says this flaw is currently being exploited by attackers.
  • CVE-2026-50661: This is a security feature bypass vulnerability in Windows BitLocker with a CVSS score of 6.1. This flaw allows an attacker with physical access to an affected system to bypass BitLocker’s Device Encryption feature and gain access to encrypted data.
  • CVE-2026-48561: This is a remote code execution (RCE) vulnerability in Microsoft Copilot, which could be exploited by an unauthorized attacker to execute arbitrary code on affected systems. This Copilot flaw carries a CVSS score of 9.6.
  • CVE-2026-55008: This is a spoofing vulnerability in Microsoft Exchange Server with a CVSS score of 9.6. This bug enables an unauthorized attacker to perform spoofing over a network.
  • CVE-2026-57092: This is a critical security flaw in Windows VMSwitch that could be exploited by cybercriminals to escape a VM boundary and compromise the host machine.
  • CVE-2026-55012 and CVE-2026-55011: These remote code execution vulnerabilities in Microsoft Defender carry a CVSS score of 7.8.

You can find below the full list of security patches Microsoft released this month:

Product FamilyDistinct UpdatesVulnerabiliities AddressedUpdates per Product/VersionType of Update
Azure13111Individual
Defender251Cumulative
Developer Tools36271Cumulative
Exchange Server451Cumulative
Microsoft Edge1461Cumulative
Office10821Cumulative (except 2016)
Office 201618821Individual
Other451Individual
SharePoint Server3171Cumulative
SQL Server881Cumulative
Windows354161Cumulative

Quality and experiences updates

On Windows 11, this month’s Patch Tuesday update also marks the release of a new feature that allows users to roll back their PCs to a recent automatic restore point. This update also brings another feature that lets users pause updates for up to 35 days and re‑pause them as needed.

For Windows 11 versions 25H2 and 24H2, the KB5101650 update fixes an issue that affects certain third-party apps that use OLE Automation to interact with Microsoft Office. Moreover, this release introduces a security hardening change, which could cause apps that use sockets over unregistered third-party TDI transports to stop working.

Microsoft says RDP security has been enhanced with support for SHA-2 certificate thumbprints for trusted publishers. Organizations are encouraged to adopt SHA-256 or stronger algorithms and use the new Group Policy guidance to control .rdp file access, which helps reduce phishing and security risks.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.