Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs Microsoft released patches for 622 CVEs in its July 2026 Patch Tuesday, tripling last month's record and including 58 critical vulnerabilities, two under active exploit. The massive volume raises concerns that AI-enabled bug hunting may make such large patch cycles the new normal. security Patchpocalypse Now: Microsoft tops last month's record with 622 Patch Tuesday CVEs Remember when last month's 206 CVEs seemed eye-watering? Yeah, those were the days Remember last month when we were awed by Microsoft’s record-setting Patch Tuesday https://www.theregister.com/patches/2026/06/09/ai-is-making-patch-tuesday-kinda-fun-again/5253225 that addressed 206 CVEs? That was a quaint era compared to this month: Redmond just rolled out patches for 622 CVEs specific to its products, slightly more than tripling last month’s all-time high. Redmond’s Patch Tuesday release https://msrc.microsoft.com/update-guide/releaseNote/2026-Jul is once again one for the record books, with everything under the sun getting some security fixes – including 428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 count. Fifty-eight of those are critical, two are under active exploit, and one has already been publicly disclosed, meaning it could join those other two in short order. There is a lot to dig through, and we can hardly cover the whole gamut given the size of this release. As we noted last month, there was concern in the infosec community that AI-enabled bug hunting https://www.theregister.com/security/2026/07/10/microsoft-warns-customers-ai-will-mean-busier-patch-tuesdays/5269618 might mean massive patch volumes are the new normal https://www.theregister.com/patches/2026/06/09/ai-is-making-patch-tuesday-kinda-fun-again/5253225 . Microsoft didn’t disclose how much AI may have contributed to the massive patch list this month, but given the volume it’s safe to say human contributors probably had some assistance. Microsoft’s massive month To start, let’s cover the pair of actively exploited issues that Microsoft patched. The first, CVE-2026-56155 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155 , is an Active Directory Federation Services elevation of privilege vulnerability. Attackers who exploit the issue, which Microsoft only described as being due to “insufficient granularity of access control on ADFS,” could gain administrator privileges. They do need to have access already and be local, however, which is why this is only rated with a CVSS score of 7.8. The second actively exploited vulnerability, CVE-2026-56164 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164 , is another privilege elevation issue, this time in Microsoft SharePoint. SharePoint is apparently missing authentication for a critical function, which could let an unauthorized attacker on a network elevate their SharePoint permissions. As with the other issue under exploit, this one is somewhat limited, earning it a CVSS of just 5.3. With both under active exploitation, that score doesn’t matter as much as eliminating the vulnerability through good patch management, however. As for the publicly reported but not-yet-exploited issue, CVE-2026-50661 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50661 , that involves BitLocker being able to have its security measures physically bypassed by anyone with local access to a BitLocker-secured machine. Now let’s round up a few of those 58 critical issues. Everyone’s favorite untrustworthy AI https://www.theregister.com/software/2026/04/02/even-microsoft-know-copilot-cant-be-trusted/5221005 is packing a CVSS 9.6 remote code execution vulnerability. CVE-2026-48561 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48561 finds Copilot improperly neutralizing its input, allowing an unauthorized attacker to execute code with nothing but low-privileged Hyper-V guest access. Exploiting the vulnerability can be done without user awareness by, for example, hosting a malicious website that prompts the many embedded Copilot features https://www.theregister.com/off-prem/2026/04/30/survey-us-workers-are-not-keen-on-microsofts-ai/5229367 of Windows machines to process a prompt upon landing on the page. Microsoft Exchange is suffering from a CVSS 9.6 spoofing vuln due to failure to neutralize input, leading to cross-site scripting being possible from within a maliciously crafted email. CVE-2026-55008 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008 allows an unauthorized attacker to perform spoofing over a network by sending said malicious email to a target, allowing arbitrary JavaScript execution. Finally, we’re not picking out one vulnerability for your third notice in this massive list, but are highlighting a full 16 remote code execution vulnerabilities in Microsoft Office and its associated applications. They’re caused by a variety of issues in the Office suite, like heap-based buffer overflow and use after free vulns, and all are scored around a CVSS 7.8. Needless to say, we recommend following Microsoft’s advice and getting all those hundreds of security patches installed ASAP. Adobe throws mud at critical issues in multiple products Microsoft tends to command the headlines on Patch Tuesday it’s hard not to when you address more than 600 CVEs in a single day , but Adobe released a bunch of patches across its ecosystem too, 64 unique CVEs across seven bulletins for Commerce https://helpx.adobe.com/security/products/magento/apsb26-73.html , Experience Manager https://helpx.adobe.com/security/products/experience-manager/apsb26-74.html , Creative Cloud Desktop https://helpx.adobe.com/security/products/creative-cloud/apsb26-77.html , Illustrator https://helpx.adobe.com/security/products/illustrator/apsb26-79.html , Content Credentials SDK https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-80.html , ColdFusion https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html , and Animate https://helpx.adobe.com/security/products/animate/apsb26-83.html . Every one of the bulletins included at least a couple of critical CVEs. The highest-severity issue among Adobe’s many Patch Tuesday entries comes in the form of a CVSS 9.9 path traversal vulnerability in ColdFusion that can allow arbitrary code execution. CVE-2026-48318 does not yet appear in online CVE directories, but even with limited information, we’d say a 9.9-level issue is one you want to address with a quickness. The second-worst issue that Adobe addressed today is in its Commerce suite. CVE-2026-48356 is a CVSS 9.6 privilege escalation vulnerability that an attacker can trigger thanks to Commerce failing to restrict the upload of dangerous file types. Adobe Experience Manager also includes a pair of CVSS 9.6 issues CVE-2026-48259 and CVE-2026-48359 . Both allow arbitrary code execution: one because of a server-side request forgery vulnerability, and the other because of improper restriction of XML external entity references. Other notable Patch Tuesday releases Broadcom addressed seven CVEs https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37926?utm campaign=VCF FY26 VCF VMSA-2026-0005 MKT CM 6254&utm content=VCF FY26 VCF VMSA-2026-0005 6254 SecurityAlert MKT TRANS EM 12268&utm medium=email&utm source=eloqua in its Avi Load Balancer today, which it rates from 7.1 to 9.8 on the CVSS scale. The vulnerabilities include authentication bypass, RCE, privilege escalation, and directory traversal. SAP published https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2026.html 16 security updates and one GitHub advisory today; nine of those updates have a CVSS score of 8.1 or higher. CVE-2026-44747 https://www.cve.org/CVERecord?id=CVE-2026-44747 CVSS 9.9 is a memory corruption issue in SAP NetWeaver Application Server ABAP that could allow an authenticated attacker to gain unauthorized access to system data; CVE-2026-27690 https://www.cve.org/CVERecord?id=CVE-2026-27690 , CVSS 9.1, would let an unauthenticated attacker smuggle an HTTP request through SAP Approuter leading to system unavailability; and CVE-2026-44761, CVSS 9.1, involves the retention of a sample OAuth2 client in SAP Commerce Cloud that isn’t documented and, if known, could let an attacker break in. Let’s hope August is a bit quieter, though, given the fact the past two months have set consecutive records for the number of vulnerabilities Microsoft patched; we have our doubts. Godspeed, sysadmins and security teams. ®