Microsoft’s record Patch Tuesday, and it says AI found the bugs Microsoft shipped its largest-ever Patch Tuesday update, fixing a record 622 vulnerabilities, and attributed the surge to AI-powered bug discovery tools. Three zero-days were patched, two of which are already under active attack. The company warned that AI is both accelerating vulnerability detection and enabling attackers to reverse-engineer fixes faster. Microsoft has never shipped a bigger security update. Its July Patch Tuesday https://thenextweb.com/news/nadella-reverse-information-paradox-ai-ip fixed a record haul of flaws, and the company says AI is why the count keeps climbing. The scale is hard to ignore. By Microsoft’s own count https://support.microsoft.com/en-us/servicing/os/windows-11/2026/07/july-14-2026-kb5101649-os-build-28000-2525 , the update patched 622 vulnerabilities. That more than tripled June’s tally, which had set a record of its own. Krebs on Security https://krebsonsecurity.com/2026/07/microsoft-patches-a-record-570-security-flaws/ , which first reported the release, put the figure at 570. Another 428 Chromium bugs in Edge sit on top. Three zero-days, two under attack Fifty-eight of the flaws count as critical. Three are zero-days, which means they were public or exploited before a fix existed. Two of those are already in active use. The first, CVE-2026-56155, lets an attacker raise their privileges through Active Directory Federation Services, the system that signs a network’s logins. The second, CVE-2026-56164, does the same through on-premises SharePoint. Neither carries a scary severity score. Attackers are using both anyway. That is the real lesson. CISA has added both to its known-exploited list and told federal agencies to patch within days. The third zero-day, a BitLocker bypass, needs physical access, so it is less urgent. AI is writing the patch notes Microsoft is blunt about the cause. In a blog post https://blogs.windows.com/windowsexperience/2026/07/09/evolving-windows-vulnerability-management-to-meet-the-speed-of-ai-powered-discovery/ a week earlier, Windows chief Pavan Davuluri warned customers to expect “a higher volume of security updates” as AI helps find more bugs, faster. The tools are doing the digging. Microsoft’s own scanner, MDASH, found 16 of May’s flaws by itself. Anthropic’s Mythos model https://thenextweb.com/news/osfi-canada-banks-claude-mythos-warning has been credited with a surge of fixes across the industry. The monthly count has risen with them, from 79 in March to 206 in June to 622 now. It fits a wider theme. OpenAI recently showed off an in-house AI hacker https://thenextweb.com/news/gpt-red-openai-ai-hacker that hunts flaws in its own models. The same tools help attackers There is a catch. Once a patch ships, attackers can compare it with the old code, spot the hole it plugs, and build an exploit within hours. The old habit of waiting a week to patch is fading. It also breaks how teams triage. When a release carries 600 flaws and dozens rate critical, the label stops sorting anything. This month’s two exploited bugs prove it. Both score mid-tier, and both are in use. Teams are already stretched. Benchmarks built to measure AI’s hacking skills keep getting saturated https://thenextweb.com/news/ai-cyber-benchmarks-outpaced-hacking-tests , and researchers keep tricking coding assistants https://thenextweb.com/news/github-copilot-workflow-jailbreak-alan-turing-institute into unsafe behaviour. A rocky rollout The update has not been smooth. Microsoft paused the rollout https://www.theregister.com/os-platforms/2026/07/15/microsoft-cancels-patch-tuesday-for-some-dell-users-over-surprise-shutdowns-overheating-devices/5271691 for some Dell devices with Intel chips, after reports of sudden shutdowns, overheating, and battery drain. A fix is due within days. For everyone else, the advice is the same as ever, only more urgent. Sort by what is being exploited, not by the number on the box. And patch faster than you used to. Get the TNW newsletter Get the most important tech news in your inbox each week.