Microsoft's July 2026 Patch Tuesday addresses 622 CVEs, a new record. Dozens are rated critical, the remainder mostly important. Two vulnerabilities are actively exploited at time of release; a third was publicly known before patching.
Actively Exploited Vulnerabilities
CVE-2026-56155 is a privilege escalation in Active Directory Federation Services (AD FS) with a CVSS score of 7.8. A locally authenticated low-privilege attacker can jump to administrator rights. Microsoft discovered the flaw through its own incident response team during live attacks. Since AD FS secures authentication trust between on-premises directories and Entra ID, exploitation can give attackers deep access to identity infrastructure.
CVE-2026-56164 in SharePoint Server is also under active attack. Despite a CVSS score of just 5.3, the risk is significant: missing authentication on a critical function allows an unauthenticated network attacker to escalate privileges. Affected versions include SharePoint Server 2016, 2019, and the Subscription Edition. Microsoft recommends enabling the Antimalware Scan Interface and setting the Request Body Scan to Full mode.
CVE-2026-50661, publicly known before patching, allows bypassing BitLocker device encryption (CVSS 6.1) but requires physical device access.
Critical Remote Code Execution
The most dangerous flaws this month allow unauthenticated remote code execution. CVE-2026-50518 in the Windows DHCP server (CVSS 9.8) is a heap-based buffer overflow triggerable over the network without authentication. CVE-2026-56190 in Remote Desktop Protocol (CVSS 9.8) exploits an uninitialized resource: crafted RDP traffic can corrupt memory and gain code execution. CVE-2026-56188 in a Windows Server network driver (CVSS 9.8) is a race condition with worm-like propagation potential.
The month's highest score goes to CVE-2026-57092 in Windows VMSwitch (CVSS 9.9). A use-after-free lets a low-privilege attacker escape a virtual machine and fully compromise the host. Two cloud flaws share the same top score: CVE-2026-45499 in Azure OpenAI and CVE-2026-57100 in the Entra Provisioning Service, both fixed server-side.
SharePoint, Exchange and Databases
Beyond the actively exploited flaw, SharePoint carries two more critical RCE bugs. CVE-2026-50522 and CVE-2026-58644 (CVSS 9.8 each) stem from deserializing untrusted data without authentication, with the first variant demonstrated at Pwn2Own Berlin.
Exchange Server is affected by CVE-2026-55008, a persistent XSS in Outlook Web Access (CVSS 9.6). SQL Server gets fixes for two code execution flaws (CVE-2026-54117 and CVE-2026-54118, CVSS 8.8 each), and the Windows kernel receives a patch for CVE-2026-49798 (CVSS 9.3).
Update Notes
Cumulative update KB5101650 resolves a June-update issue that prevented applications from launching Office via OLE automation. It also introduces new known issues: a hardening change requiring TDI transport registration can break applications relying on unregistered third-party transports. Microsoft is withholding the update on some Dell devices with Intel processors due to a reported incompatibility.