
Microsoft addressed 722 CVEs this month as soon as the 427 Chromium upstream relays are put aside — roughly thrice a traditional cycle and one of many largest single months in current reminiscence. Two vulnerabilities arrive beneath energetic exploitation: an elevation of privilege in Lively Listing Federation Companies (CVE-2026-56155), and an elevation of privilege in SharePoint Server (CVE-2026-56164). A 3rd, a BitLocker safety function bypass (CVE-2026-50661) is publicly disclosed however not but exploited.
The July 2026 Patch Tuesday earns Patch Now suggestions for Home windows, Workplace, Trade, and SQL Server. SharePoint has two crucial RCEs on prime of its exploited zero-day, and Trade Server returns with a crucial on-premises spoofing flaw. Including to our (expensive) administrator’s efforts, SharePoint Server 2016/2019 and SQL Server 2016 all attain finish of help at present. The Readiness workforce has supplied a helpful infographic of the anticipated threat profile of this month’s Patch Tuesday updates.
(Extra details about current Patch Tuesday releases is out there right here.)
Identified points
The July launch be aware flags identified points towards the next updates:
- BitLocker restoration immediate on first restart – the PCR7 restoration situation tracked since April stays reside on the platforms that didn’t obtain the Boot Supervisor servicing repair (Home windows Server 2022 and Home windows 10 22H2). Units with BitLocker on the OS drive, the Group Coverage “Configure TPM platform validation profile for native UEFI firmware configurations” set with PCR7 included, and Safe Boot State PCR7 Binding reported as “Not Potential” could also be prompted for the restoration key on the primary restart after putting in this replace. This month’s publicly disclosed BitLocker safety function bypass (CVE-2026-50661) retains the element in focus.
- WSUS synchronization error particulars suppressed (Home windows Server 2025 and 2022) – WSUS now not shows synchronization error particulars in its error reporting, a deliberate change made to handle the Distant Code Execution Vulnerability CVE-2025-59287. Sync nonetheless works, however directors triaging a failed synchronization lose the element pane and should fall again to the SoftwareDistribution logs.
Home windows Replace can nonetheless change manually put in graphics drivers with older OEM variations from {the catalogue} (the four-part {Hardware} ID rating subject acknowledged on the {Hardware} Dev Middle). The 2-part HWID pilot runs to September 2026.
Main revisions and mitigations
Between the June and July Patch Tuesdays, MSRC Safety Replace Information notices up to date 651 reported CVEs throughout six notification dates (15, 19, 26 June and three, 8, 11 July), 532 of them routine Chromium upstream re-publications. Of the roughly 30 Microsoft revisions, virtually all have been cross-platform Workplace catch-up with no bearing on a Home windows enterprise property. No additional motion required for IT directors for this Home windows replace cycle.
Home windows lifecycle and enforcement updates
That is the deadline cycle June pointed at. The July end-of-support wave lands at present, and it collides with the month’s heaviest patching. SharePoint and SQL Server take a few of their most energetic safety updates ever on platforms receiving their final.
- SharePoint Server 2016 and 2019, Undertaking Server 2016 and 2019, SQL Server 2016 and InfoPath 2013 have all reached finish of help. SQL Server 2014 ESU 12 months 2 reaches finish of help at present. SharePoint 2016/2019 take an actively exploited zero-day and two RCEs this cycle, and SQL Server 2016 takes a crucial RCE, all as their ultimate safety replace. Now’s the time to get shifting on updating these platforms.
The 2011 Safe Boot certificates expiries have now handed; units that by no means took the Home windows UEFI CA 2023 key updates beneath CVE-2023-24932 can now not obtain up to date boot elements, with the Home windows Manufacturing PCA for the boot supervisor nonetheless forward on 19 October 2026. Kerberos RC4 hardening (CVE-2026-20833) has been in enforcement since April 2026; the July 2026 replace removes the RC4DefaultDisablementPhase rollback management that permit directors defer it, making enforcement ultimate.
Microsoft’s July 2026 Patch Tuesday is a security-only launch: 180 test-guidance entries, 14 of them excessive threat (June had one). Printing and graphics are the centre of gravity: win32kfull.sys, the kernel-mode window supervisor, is the most-patched binary (14 entries), and 7 high-risk flags sit alongside it – the Print Spooler, 4 win32k entries, and two GDI+ metafile entries. NTFS is the second theme, with 10 entries, two excessive threat. Each entry studies no purposeful modifications – it’s pure regression validation. The packages span Home windows 11 26H1 again to Server 2012 ESU.
Printing and graphics (excessive threat)
The Print Spooler flag centres on shared printers, whose queue standing should monitor jobs precisely; the win32k flags cowl 32-bit utility printing, font rendering in printed and exported output, on-screen rendering, and window administration; the GDI+ flags cowl metafiles.
- Share a printer from a print server, print from a separate consumer in diversified sizes and codecs, and cancel a job, confirming the queue displays each state change
- Print out of your 32-bit purposes, and print text-heavy, graphics-heavy, and multi-page paperwork to bodily and digital (PDF or XPS) printers, repeating after orientation, scaling, and determination modifications
- Export paperwork with diversified fonts to PDF and make sure fonts and structure survive; render EMF+ recordsdata that apply results to very massive photographs, and convert EMF recordsdata to WMF
- Open and shut home windows quickly, drive frequent dialogs by mouse and keyboard, and shut mother and father with youngsters open – no orphaned home windows
Storage and file programs (excessive threat)
Each NTFS high-risk flags goal integrity – prolonged attributes, and quantity restoration after an surprising shutdown. File Historical past carries its personal high-risk flag on purchasers. A Home windows Server 2025-only bundle throughout boot, BitLocker, and ReFS calls for the complete Safe Boot/BitLocker matrix. Eight entries hit Server 2025 alone, together with WSL, GPU partitioning, and a scripted Home windows Server Backup go repeating restoration after rolling the date 90 days ahead.
- Train NTFS prolonged attributes – older-system EAs, backup workflows that protect them, concurrent same-file operations the place supported – with antivirus, encryption, or storage filters energetic
- Simulate an surprising shutdown throughout file exercise, confirm the quantity mounts intact, run chkdsk, and make sure indexing, shadow copies, and backup nonetheless work
- Run a full File Historical past go: again up, modify and again up once more, exclude folders, change frequency, transfer the vacation spot
- On Server 2025, boot all 4 Safe Boot/BitLocker combos, in commonplace and confidential VMs the place supported
Units, enter and networking (excessive threat)
Three additional high-risk flags land right here: HID enter (hidparse.sys with win32k) – contact, keyboard, mouse, touchpad, by way of disconnects and restarts; the WinSock bundle (afd.sys plus Bluetooth and multicast drivers); and IrDA. The heaviest ask shouldn’t be excessive threat in any respect: the NetAdapterCx driver (24H2/25H2, Server 2025) desires 500-plus adapter enable-disable cycles beneath Driver Verifier.
- Run the connectivity suite: searching, massive downloads, mapped drives, an RDP session idle 30+ minutes, a Groups name, an hour of streaming, and localhost apps similar to Docker or WSL
- Stress Bluetooth: pairing, 10+ minutes of audio, enter after idle, and reconnection after sleep
- The place infrared {hardware} exists, switch a file and run no less than 100 connect-disconnect cycles
- Sweep the remaining: DNS Server (zone knowledge should keep beneath its configured database listing), the consumer resolver (5 entries), DHCP Server (5 entries), SMB, NFS, Message Queuing (5 entries), RRAS administration, consumer VPN, and WinHTTP/WinINet customers
Different home windows elements
Home windows Installer itself is patched: testing ought to embody utility set up, uninstall, restore, and power a rollback. Hyper-V desires virtual-switch site visitors as a part of its testing workouts with Digital Filtering Platform insurance policies enforced. Sixteen media-related safety entries cowl playback, HEVC and MPEG-TS, USB audio, and MIDI 2.0.
Shell hardening and LSA isolation
These two entries are somewhat totally different from the remainder of the cycle: they ask you to substantiate a safety behaviour actively works, not simply that nothing regressed. A go right here means the safety fired, so deal with them as purposeful checks quite than box-ticking.
- Shortcut dealing with (home windows.storage.dll; Home windows 11 23H2 and earlier, plus Server 2022): drop a shortcut file carrying the Mark of the Net right into a folder and make sure the system refuses to extract its icon and leaks no NTLM credential hash – embody the zero-click paths, the place the icon would in any other case render with out you opening something
- LSA isolation and KeyGuard (24H2/25H2, Server 2025): run the provided PowerShell validation script, which activates Virtualization-based Safety if it isn’t already, workouts KeyGuard key operations in each required and best-effort isolation modes, and studies go or fail – it wants TPM 2.0, UEFI with Safe Boot disabled, and PowerShell 7
- Run that script on a devoted take a look at machine, by no means a shared one: it permits take a look at signing, disables computerized updates, and reboots with out asking
Workplace & SharePoint
July’s Workplace wave is security-only; the whole lot landed on 14 July, and nothing crucial or non-security shipped within the 7 July preview. It’s an MSI-only cycle, so Click on-to-Run estates can sit this one out.
- On MSI Workplace 2016, apply the consumer updates – Excel (KB5002886), Phrase (KB5002890), PowerPoint (KB5002867), and 5 additional Workplace 2016 safety updates (KB5002273, KB5002887, KB5002748, KB5002857, KB5002830) – then train macros, exterior knowledge, embedded objects, and any line-of-business add-ins
- On SharePoint Server, patch 2016 (KB5002891, plus the KB5002892 language pack) and Subscription Version (KB5002882), then examine browser-based enhancing; the steerage lists SharePoint 2019 with a baseline however ships no 2019 bundle, so there’s nothing to put in there
Thoughts the rollback guidelines earlier than you schedule the window: most consumer updates might be uninstalled, however the server updates can not and all the time require a reboot.
Developer instruments & databases
The developer property will get a broad however low-drama sweep this month. Each .NET and SQL Server patch broadly, however the ask is representative-application validation quite than something unique – set up on the matching department and make sure regular behaviour.
- .NET: set up the SDK updates (8.0.423, 9.0.316, 10.0.302, x64 and x86) and the Framework rollups spanning 3.5 by way of 4.8.1 – which attain from Home windows Server 2012 as much as Home windows 11 26H1 and Server 2025 – then run a consultant set of purposes and make sure they operate usually
- SQL Server: the GDR updates span 2016 SP3 by way of 2025 – set up every on its matching department and take a look at that every removes cleanly
- Verify an encrypted consumer connection by way of the individually patched Home windows SQL consumer (dbnetlib.dll), which ships outdoors the server branches
The Readiness workforce recommends the next priorities in your bigger enterprise deployments:
- Begin with printing and graphics: half the high-risk flags sit within the Print Spooler, win32k, and GDI+, so regress shared printers, 32-bit printing, PDF export, metafiles, and window administration earlier than anything
- Take NTFS subsequent – prolonged attributes and crash restoration each contact knowledge integrity – and add a consumer File Historical past backup-and-restore go
- Give Server 2025 its wider matrix – the Safe Boot/BitLocker combos, WSL, GPU partitioning, and the scripted backup go – and work by way of the stress suites
- Run the scripted KeyGuard validation on any VBS property, ideally on a devoted machine.
Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Home windows (each desktop and server)
- Microsoft Workplace
- Microsoft Trade and SQL Server
- Microsoft Developer Instruments (Visible Studio and .NET)
- Adobe (in case you get this far)
Browsers
Edge has had a busier month than ordinary. Microsoft addressed 46 Microsoft Edge (Chromium-based) CVEs this cycle. None crucial, however closely weighted to distant code execution (21 entries) and spoofing (13), led by CVE-2026-58289, a distant code execution flaw. A run of additional RCEs (CVE-2026-57981, CVE-2026-56645, CVE-2026-57974) follows.
- Microsoft Edge – the Edge-specific fixes ship within the Edge secure channel (model 150.0.4078.65, launched 9 July). The focus of RCE and spoofing this month is price a search for managed Edge estates quite than a routine wave-through.
- Chromium upstream – 427 CVEs relayed by way of MSRC this cycle, spanning the weekly Chrome launch cadence for the reason that June report: use-after-free, out-of-bounds learn/write, sort confusion, and inappropriate-implementation flaws throughout V8, Daybreak, ANGLE, Skia, and Tint. The identical fixes ship within the Chrome Steady channel; see the Chrome releases weblog for the upstream notes.
The Chromium quantity seems (fairly) alarming however is routine plumbing: it flows to Edge by way of its personal auto-update channel. Add these browser (Edge) updates to your commonplace launch schedule in your managed environments.
Microsoft Home windows
Home windows carries the majority of this month’s updates: 406 CVEs, 31 rated crucial and 374 vital. Elevation of privilege dominates by quantity (226 entries), adopted by distant code execution (70), data disclosure (70), denial of service (23), and a scatter of security-feature-bypass, tampering, and spoofing entries throughout the next function groupings:
- DHCP – the standout community cluster: DHCP Server distant code execution (CVE-2026-50518, “Exploitation Extra Seemingly,” and CVE-2026-56159), with additional crucial DHCP Server and DHCP Consumer RCEs behind them (CVE-2026-48564, CVE-2026-50370, CVE-2026-54128). DHCP servers are the deployment precedence.
- VMSwitch and Hyper-V – the Home windows VMSwitch elevation of privilege (CVE-2026-57092) is among the month’s highest-severity flaws, joined by two crucial Hyper-V elevation-of-privilege entries (CVE-2026-50680, CVE-2026-54127), guest-to-host threat on virtualisation hosts.
- Community stack RCE – a Home windows Server Community driver RCE (CVE-2026-56188, “Exploitation Extra Seemingly”), plus TCP/IP (CVE-2026-54999), the Dependable Multicast Transport Driver (CVE-2026-54982), and SSTP (CVE-2026-50694).
- Graphics – Home windows GDI+ distant code execution (CVE-2026-50380) and a DirectX Graphics Kernel RCE (CVE-2026-50382), each reachable by way of document-rendering paths.
- Home windows Media – a big cluster: three crucial Media Basis RCEs (CVE-2026-57090, CVE-2026-57094, CVE-2026-57087) lead 14 Home windows Media and 7 Media Basis entries general.
- Identification infrastructure – past the exploited ADFS flaw, Lively Listing Area Companies takes a crucial RCE (CVE-2026-49164) and Lively Listing Certificates Companies a crucial elevation of privilege (CVE-2026-54121). Area controllers take precedence once more.
- Print Spooler, WSUS, and MSMQ – crucial RCE/EoP within the Print Spooler (CVE-2026-58608), Home windows Server Replace Companies (CVE-2026-50444), and Message Queuing (CVE-2026-54992, “Exploitation Extra Seemingly”), all server-role assault floor.
The Home windows Kernel is the most-patched element (28 CVEs, seven “Extra Seemingly”), adopted by NTFS (21), Home windows Runtime (17), Home windows Media (14), ReFS (12), and Win32k (15 throughout its two entries). Add this Home windows replace to your Patch Now deployment schedule.
Microsoft Workplace
Microsoft launched 96 Workplace CVEs this month: 19 crucial, 76 vital. Distant code execution leads (53 entries), forward of knowledge disclosure (27) and spoofing (10). SharePoint is the centre of gravity: it touches 39 of the 96 CVEs and provides the household’s one actively exploited flaw.
- SharePoint Server: has been exploited (who would have guessed) and reaches finish of help at present. CVE-2026-56164, an elevation of privilege, is beneath energetic exploitation. Above it sit two crucial distant code execution flaws, each “Exploitation Extra Seemingly” (CVE-2026-50522, CVE-2026-58644) and a crucial safety function bypass (CVE-2026-55040). SharePoint Server 2016 and 2019 attain finish of help on 14 July, so this exploited, critical-heavy set is the ultimate safety replace these on-premises farms will obtain.
- Workplace has skilled a long term of crucial distant code execution entries throughout Workplace, Phrase, and PowerPoint (amongst them CVE-2026-55033 and CVE-2026-55127 in Phrase, CVE-2026-55043 in PowerPoint, and CVE-2026-55018 in Workplace), topped by CVE-2026-55045.
With an exploited zero-day, two RCEs, and an end-of-support deadline all touchdown on SharePoint in the identical cycle, SharePoint environments are the precedence. Add the July Workplace and SharePoint updates to your Patch Now schedule.
Microsoft Trade and SQL Server
Each Trade and SQL Server carry critical-rated safety vulnerabilities this month. Trade Server returns with an on-premises safety replace for Trade Server Subscription Version, the one on-premises launch nonetheless supported after Trade Server 2016 and 2019 reached finish of help in October 2025; SQL Server takes two crucial distant code execution flaws, one in all them towards SQL Server 2016, which reaches finish of help on the identical day.
- Trade Server (on-premises) – CVE-2026-55008, a spoofing vulnerability rated crucial and “Exploitation Extra Seemingly,” is the headline. Behind it, a distant code execution entry (CVE-2026-55005) and two elevation-of-privilege flaws (CVE-2026-55006, CVE-2026-55009) spherical out the on-premises set. A separate Trade On-line elevation of privilege (CVE-2026-54998, crucial) is mounted service-side with no buyer motion.
- SQL Server – two crucial distant code execution flaws: CVE-2026-54117 (SQL Server 2025) and CVE-2026-54118 (which reaches again to SQL Server 2016 SP3), with 5 additional vital elevation-of-privilege and information-disclosure entries behind them. The 2016 publicity issues as a result of SQL Server 2016 reaches finish of help on 14 July: a crucial RCE on a platform taking its ultimate replace.
Each belong on the Patch Now schedule this month: the Trade on-premises replace for its crucial spoofing flaw, and the SQL Server replace for the 2 crucial RCEs.
Microsoft developer instruments
Microsoft launched 24 CVEs throughout its developer tooling this month, all rated vital. The weighting shifts from final month’s Visible Studio Code focus towards .NET and ASP.NET Core, the place a run of denial-of-service entries dominates the quantity:
- ASP.NET Core and .NET – the 2 highest-severity entries are ASP.NET Core elevation-of-privilege entries (CVE-2026-47300, CVE-2026-47303), forward of a .NET safety function bypass (CVE-2026-50528) and two .NET / .NET Framework distant code execution flaws (CVE-2026-50646, CVE-2026-50649).
- Visible Studio and VS Code – a GitHub Copilot / Visible Studio Code safety function bypass (CVE-2026-41109) and a second VS Code safety function bypass (CVE-2026-57102) lead right here, with a VS Code distant code execution entry behind them (CVE-2026-50520) and a Visible Studio RCE (CVE-2026-47305).
Add these Microsoft updates to your commonplace developer replace launch schedule.
Adobe (and third-party updates)
Outdoors Microsoft’s personal catalogue, July is quiet. Adobe issued no Acrobat or Reader safety updates. So, the month belongs to Microsoft, and it’s a heavy one: 722 CVEs, roughly thrice a traditional cycle and one of many largest on file. Value noting that this lands in the identical season Microsoft has been speaking up AI-assisted vulnerability administration, and the AI stack it’s promoting as the reply, Copilot and Azure OpenAI amongst them, sits within the centre of this patch cycle’s personal critical-rated updates. The (AI) tooling could also be getting smarter, however the patch pile is (positively) not getting smaller. This can be the start of an accelerating curve of ever bigger patch cycles. My feeling is that we’re in the midst of the start of this coming patch surge.
This text is printed as a part of the Foundry Professional Contributor Community.
Wish to be part of?