cd /news/ai-tools/patchpocalypse-now-microsoft-tops-la… · home topics ai-tools article
[ARTICLE · art-59676] src=theregister.com ↗ pub= topic=ai-tools verified=true sentiment=↓ negative

Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs

Microsoft released patches for 622 CVEs in its July 2026 Patch Tuesday, tripling last month's record and including 58 critical vulnerabilities, two under active exploit. The massive volume raises concerns that AI-enabled bug hunting may make such large patch cycles the new normal.

read5 min views1 publishedJul 14, 2026
Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs
Image: The Register

security

Remember when last month's 206 CVEs seemed eye-watering? Yeah, those were the days

Remember last month when we were awed by Microsoft’s record-setting Patch Tuesday that addressed 206 CVEs? That was a quaint era compared to this month: Redmond just rolled out patches for 622 CVEs specific to its products, slightly more than tripling last month’s all-time high.

Redmond’s Patch Tuesday release is once again one for the record books, with everything under the sun getting some security fixes – including 428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 count. Fifty-eight of those are critical, two are under active exploit, and one has already been publicly disclosed, meaning it could join those other two in short order.

There is a lot to dig through, and we can hardly cover the whole gamut given the size of this release. As we noted last month, there was concern in the infosec community that AI-enabled bug hunting might mean massive patch volumes are the new normal. Microsoft didn’t disclose how much AI may have contributed to the massive patch list this month, but given the volume it’s safe to say human contributors probably had some assistance.

Microsoft’s massive month

To start, let’s cover the pair of actively exploited issues that Microsoft patched.

The first, CVE-2026-56155, is an Active Directory Federation Services elevation of privilege vulnerability. Attackers who exploit the issue, which Microsoft only described as being due to “insufficient granularity of access control on ADFS,” could gain administrator privileges. They do need to have access already and be local, however, which is why this is only rated with a CVSS score of 7.8.

The second actively exploited vulnerability, CVE-2026-56164, is another privilege elevation issue, this time in Microsoft SharePoint. SharePoint is apparently missing authentication for a critical function, which could let an unauthorized attacker on a network elevate their SharePoint permissions. As with the other issue under exploit, this one is somewhat limited, earning it a CVSS of just 5.3.

With both under active exploitation, that score doesn’t matter as much as eliminating the vulnerability through good patch management, however.

As for the publicly reported but not-yet-exploited issue, CVE-2026-50661, that involves BitLocker being able to have its security measures physically bypassed by anyone with local access to a BitLocker-secured machine.

Now let’s round up a few of those 58 critical issues.

Everyone’s favorite untrustworthy AI is packing a CVSS 9.6 remote code execution vulnerability. CVE-2026-48561 finds Copilot improperly neutralizing its input, allowing an unauthorized attacker to execute code with nothing but low-privileged Hyper-V guest access. Exploiting the vulnerability can be done without user awareness by, for example, hosting a malicious website that prompts the many embedded Copilot features of Windows machines to process a prompt upon landing on the page.

Microsoft Exchange is suffering from a CVSS 9.6 spoofing vuln due to failure to neutralize input, leading to cross-site scripting being possible from within a maliciously crafted email. CVE-2026-55008 allows an unauthorized attacker to perform spoofing over a network by sending said malicious email to a target, allowing arbitrary JavaScript execution.

Finally, we’re not picking out one vulnerability for your third notice in this massive list, but are highlighting a full 16 remote code execution vulnerabilities in Microsoft Office and its associated applications. They’re caused by a variety of issues in the Office suite, like heap-based buffer overflow and use after free vulns, and all are scored around a CVSS 7.8.

Needless to say, we recommend following Microsoft’s advice and getting all those hundreds of security patches installed ASAP.

Adobe throws mud at critical issues in multiple products

Microsoft tends to command the headlines on Patch Tuesday (it’s hard not to when you address more than 600 CVEs in a single day), but Adobe released a bunch of patches across its ecosystem too, 64 unique CVEs across seven bulletins for Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Every one of the bulletins included at least a couple of critical CVEs.

The highest-severity issue among Adobe’s many Patch Tuesday entries comes in the form of a CVSS 9.9 path traversal vulnerability in ColdFusion that can allow arbitrary code execution. CVE-2026-48318 does not yet appear in online CVE directories, but even with limited information, we’d say a 9.9-level issue is one you want to address with a quickness.

The second-worst issue that Adobe addressed today is in its Commerce suite. CVE-2026-48356 is a CVSS 9.6 privilege escalation vulnerability that an attacker can trigger thanks to Commerce failing to restrict the upload of dangerous file types.

Adobe Experience Manager also includes a pair of CVSS 9.6 issues (CVE-2026-48259 and CVE-2026-48359). Both allow arbitrary code execution: one because of a server-side request forgery vulnerability, and the other because of improper restriction of XML external entity references.

Other notable Patch Tuesday releases

Broadcom addressed seven CVEs in its Avi Load Balancer today, which it rates from 7.1 to 9.8 on the CVSS scale. The vulnerabilities include authentication bypass, RCE, privilege escalation, and directory traversal.

SAP published 16 security updates and one GitHub advisory today; nine of those updates have a CVSS score of 8.1 or higher. CVE-2026-44747 (CVSS 9.9) is a memory corruption issue in SAP NetWeaver Application Server ABAP that could allow an authenticated attacker to gain unauthorized access to system data; CVE-2026-27690, CVSS 9.1, would let an unauthenticated attacker smuggle an HTTP request through SAP Approuter leading to system unavailability; and CVE-2026-44761, CVSS 9.1, involves the retention of a sample OAuth2 client in SAP Commerce Cloud that isn’t documented and, if known, could let an attacker break in.

Let’s hope August is a bit quieter, though, given the fact the past two months have set consecutive records for the number of vulnerabilities Microsoft patched; we have our doubts. Godspeed, sysadmins and security teams. ®

── more in #ai-tools 4 stories · sorted by recency
── more on @microsoft 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/patchpocalypse-now-m…] indexed:0 read:5min 2026-07-14 ·