Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month


Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month

Pierluigi Paganini
July 14, 2026

Patch Tuesday: Microsoft fixes a record 621 CVEs, including 2 exploited zero-days and critical flaws affecting SharePoint, RDP, Hyper-V, and AD FS.

Microsoft’s July 2026 Patch Tuesday is, by a significant margin, the largest single-month security release in the company’s history. The Zero Day Initiative counted 621 new Microsoft CVEs for the month, and the year-to-date total already exceeds every other full-year total in the last two decades. That’s before counting the roughly 480 additional bugs in Chromium and Microsoft Edge that ZDI didn’t cover separately. Of the Microsoft-specific fixes, 63 are rated Critical, six Moderate, one Low, and the rest Important. The IT giant labeled two issues as “under active exploitation,” and one more is publicly known.

The product scope is equally remarkable. Patches this month cover Windows and Windows components, Office, Microsoft Edge, Azure, .NET, Visual Studio, GitHub Copilot, Defender, Exchange Server, Hyper-V, and, at the more unexpected end of the list, Ages of Empire II and Minecraft Server. Eight of the bugs came through ZDI’s own submission program.

“The CVE count year-to-date exceeds all other years’ totals. How to count this mess is anyone’s guess.” states the report published by ZDI.

Patch Tuesday

The following two bugs are being actively exploited:

  • CVE-2026-56155 is an elevation of privilege flaw in Active Directory Federation Services. It requires local access and low privileges to start, which sounds like a limited threat until you remember that AD FS is identity infrastructure, and attackers who are already inside a network use exactly this kind of bug to move sideways and upward. ZDI notes it can be paired with a remote code execution vulnerability, the combination frequently seen in ransomware incidents. Patch it fast.
  • CVE-2026-56164 is a SharePoint Server elevation of privilege vulnerability rated only CVSS 5.3, which is Moderate, and that score has probably caused some organizations to deprioritize it. That would be a mistake. A missing-authentication flaw allows unauthenticated remote attacks without user interaction. Active exploitation makes immediate patching essential, regardless of CVSS score.

The highest-severity bug this month is a critical Microsoft Windows VMSwitch Elevation of Privilege Vulnerability tracked as CVE-2026-57092, which received a CVSS score of 9.9. It is a use-after-free vulnerability that lets a low-privileged attacker escalate all the way to full host compromise across a virtual machine boundary, meaning an attacker inside a VM can reach the host running it. If your Hyper-V deployments use VMSwitch, which they almost certainly do, this is an immediate priority.

Below are other interesting issues addressed by Microsoft this month:

  • CVE-2026-50522 and CVE-2026-58644 are a matched pair of SharePoint remote code execution bugs, both scored CVSS 9.8, both reachable without authentication or user interaction, both stemming from the deserialization of untrusted data. CVE-2026-50522 was demonstrated live at Pwn2Own Berlin, meaning a working exploit was handed to Microsoft. Despite that, the advisory lists exploit maturity as unknown.
  • CVE-2026-56190 is an unauthenticated remote code execution bug in RDP Server, requiring no user interaction, rooted in use of an uninitialized resource. Specially crafted RDP traffic can interact with memory that was never properly set up, giving an attacker a path to corrupt memory and control code execution. RDP servers are a perennial favorite target. Audit which of yours face the internet and start there.
  • CVE-2026-55008 in Exchange Server is listed as a spoofing vulnerability, but ZDI recommends treating it as what it actually is: a stored cross-site scripting flaw in Outlook Web Access with a CVSS of 9.6. A crafted email opened in Outlook Web Access can execute JavaScript in the victim’s browser session without attachments or user interaction beyond viewing it. Patch urgently.
  • CVE-2026-50518 covers a heap-based buffer overflow in Windows DHCP Server, scored CVSS 9.8, unauthenticated and network-reachable. A second DHCP RCE is also in this release with some caveats, but this one has none. DHCP servers shouldn’t be internet-facing, but if yours somehow are, these jump to the very top of the list.

The full list of vulnerabilities addressed by Microsoft in July 2026 is available here

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


TL;DR

India debates sovereign AI after the US forced Anthropic to kill Fable 5, with proposals for a $5B fund and calls to embrace open-source models.

When the US government ordered Anthropic to shut down Fable 5 and Mythos 5 on 12 June, the export control directive was aimed at restricting foreign nationals from accessing America’s most capable AI. In India, Anthropic’s second-largest market, it landed as a warning shot about what happens when your AI infrastructure runs on someone else’s politics.

The suspension cut off Indian developers and enterprises from Claude’s most advanced models overnight. India’s Claude run-rate revenue had doubled since October 2025, and Tata Consultancy Services had announced a partnership just one day earlier, on 11 June, to train 50,000 employees on Claude and build a dedicated Anthropic business unit. That deal is now in limbo.

The timing has turned what was already a simmering debate about AI sovereignty into a full strategic reckoning. Proposals that sounded ambitious a week ago now sound urgent.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Mohandas Pai, former Infosys CFO and one of India’s most prominent tech investors, has called for a ₹50,000 crore (roughly $5 billion) annual sovereign AI fund. He has also proposed a ₹2 lakh crore (approximately $21 billion) credit guarantee to finance cloud infrastructure, hardware procurement, and semiconductor development. The figures dwarf the government’s existing commitment.

India approved its IndiaAI Mission in March 2024 with a budget of ₹10,372 crore, approximately $1.25 billion. The programme has deployed around 38,000 GPUs so far. Pai’s proposal would quadruple annual spending and add a credit backstop an order of magnitude larger.

Sridhar Vembu, the founder of Zoho, has gone further. He argued that India should embrace smaller and open-source models, including Chinese ones, rather than depend on American frontier systems that can be switched off by executive order. “Technology is the ultimate weapon,” Vembu said. “Globalization is dead and Bharat must find her own way ahead.

The argument has teeth because the suspension demonstrated exactly the vulnerability Vembu is describing. Amazon’s CEO reportedly triggered the government crackdown by telling Treasury Secretary Scott Bessent that researchers had used Fable 5 to obtain information that could be used in cyberattacks. Anthropic called the action disproportionate, but compliance was immediate and global.

Policy expert Prasanto Roy put it bluntly: “American AI models are bound to American geopolitics.” For Indian enterprises that had built workflows around Claude, the lesson was that access to frontier AI is a privilege that can be revoked without notice, without consultation, and without regard for the commercial relationships it disrupts.

The Indian startup ecosystem is already adapting. Sarvam, a Bengaluru-based AI company, released 30-billion and 105-billion parameter open-source models at the India AI Impact Summit in 2026. Krutrim, founded by Ola’s Bhavish Aggarwal, has pivoted from building foundational models to providing cloud and AI infrastructure services, reporting ₹3 billion in revenue for fiscal year 2026.

Neither company is close to matching the capabilities of Fable 5 or Mythos 5. But the argument for sovereign AI was never about matching frontier performance immediately. It is about ensuring that the floor does not fall out when Washington makes a unilateral decision about who gets to use which models.

Aakrit Vaish, founder of the AI startup Activate, said the suspension “completely changes things” for the sovereign AI debate. Vijay Rayapati, CEO of Atomicwork, raised concerns about what the precedent means for Indian companies with multi-country teams that depend on American AI providers. If the US can shut off model access to enforce export controls, any country that relies on American AI is one policy decision away from disruption.

Not everyone agrees that India needs to build its own frontier models. Hemant Mohapatra, a partner at Lightspeed Venture Partners, argued that talent and compute access matter more than capital for building competitive AI. India has the engineering workforce, but the compute gap is significant, and closing it requires either massive domestic investment or continued access to foreign cloud infrastructure.

Anthropic opened a Bengaluru office as part of its India expansion, and the TCS partnership was designed to be a cornerstone of its enterprise strategy in the country. Whether those plans survive the suspension intact depends on how quickly Anthropic can restore access and whether Indian enterprises still trust a provider whose most capable models can vanish overnight.

The broader pattern is unmistakable. The US has spent four years tightening controls on AI technology, from chip export restrictions to model-level interventions. Each escalation pushes more countries toward the conclusion that dependence on American AI infrastructure carries political risk. India, with its 1.4 billion people and rapidly growing technology sector, is now asking whether it can afford that risk, and what it would cost to eliminate it.

The Opendoor layoffs in June 2026, which shut the company’s India office and affected roughly 250 employees, added another dimension. CEO Kaz Nejatian cited AI-native teams as the reason, suggesting that some US companies are using AI to reduce their reliance on Indian engineering talent at the same time that India is debating its reliance on American AI. The relationship is becoming less complementary and more competitive.

For now, the sovereign AI proposals remain proposals. Pai’s fund has no legislative vehicle, Vembu’s call for open-source adoption has no coordinated policy framework, and the IndiaAI Mission’s GPU deployment is still in early stages.

But the Anthropic suspension has done something that years of policy papers and conference speeches could not: it has given the sovereign AI movement a concrete, recent, and viscerally felt example of why dependence on foreign AI is a strategic liability. The debate is no longer theoretical.



Source link