ON July Patch Tuesday, Microsoft announced patches for a record 622 vulnerabilities, including two zero-day exploits in Active Directory (CVE-2026-56155) and SharePoint Server (CVE-2026-56164). Both flaws allow privilege escalation, with the AD flaw affecting Federation Services and the SharePoint flaw being exploitable without authentication. Additionally, a critical BitLocker bypass flaw (CVE-2026-50661) was highlighted. Windows and Office received fixes for 416 and 164 vulnerabilities, respectively.
Key issues also mentioned include critical flaws in Windows VMSwitch (CVSS 9.9) and multiple RCE vulnerabilities across various services. These updates push the year's total CVE count significantly higher, attributed to accelerated vulnerability discovery processes driven by AI, as confirmed by Microsoft executives. Adobe also released patches for 88 vulnerabilities on the same day.