Microsoft addressed 722 CVEs this month once the 427 Chromium upstream relays are set aside — roughly three times a normal cycle and one of the largest single months in recent memory. Two vulnerabilities arrive under active exploitation: an elevation of privilege in Active Directory Federation Services (CVE-2026-56155), and an elevation of privilege in SharePoint Server (CVE-2026-56164). A third, a BitLocker security feature bypass (CVE-2026-50661) is publicly disclosed but not yet exploited.
The July 2026 Patch Tuesday earns Patch Now recommendations for Windows, Office, Exchange, and SQL Server. SharePoint has two critical RCEs on top of its exploited zero-day, and Exchange Server returns with a critical on-premises spoofing flaw. Adding to our (dear) administrator’s efforts, SharePoint Server 2016/2019 and SQL Server 2016 all reach end of support today. The Readiness team has provided a handy infographic of the expected risk profile of this month’s Patch Tuesday updates.
Known issues
The July release note flags known issues against the following updates:
- BitLocker recovery prompt on first restart – the PCR7 recovery condition tracked since April remains live on the platforms that did not receive the Boot Manager servicing fix (Windows Server 2022 and Windows 10 22H2). Devices with BitLocker on the OS drive, the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” set with PCR7 included, and Secure Boot State PCR7 Binding reported as “Not Possible” may be prompted for the recovery key on the first restart after installing this update. This month’s publicly disclosed BitLocker security feature bypass (CVE-2026-50661) keeps the component in focus.
- WSUS synchronization error details suppressed (Windows Server 2025 and 2022) – WSUS no longer displays synchronization error details in its error reporting, a deliberate change made to address the Remote Code Execution Vulnerability CVE-2025-59287. Sync still works, but administrators triaging a failed synchronization lose the detail pane and must fall back to the SoftwareDistribution logs.
Windows Update can still replace manually installed graphics drivers with older OEM versions from the catalogue (the four-part Hardware ID ranking issue acknowledged on the Hardware Dev Center). The two-part HWID pilot runs to September 2026.
Major revisions and mitigations
Between the June and July Patch Tuesdays, MSRC Security Update Guide notices updated 651 reported CVEs across six notification dates (15, 19, 26 June and 3, 8, 11 July), 532 of them routine Chromium upstream re-publications. Of the roughly 30 Microsoft revisions, almost all were cross-platform Office catch-up with no bearing on a Windows enterprise estate. No further action required for IT administrators for this Windows update cycle.
Windows lifecycle and enforcement updates
This is the deadline cycle June pointed at. The July end-of-support wave lands today, and it collides with the month’s heaviest patching. SharePoint and SQL Server take some of their most active security updates ever on platforms receiving their last.
- SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016 and InfoPath 2013 have all reached end of support. SQL Server 2014 ESU Year 2 reaches end of support today. SharePoint 2016/2019 take an actively exploited zero-day and two RCEs this cycle, and SQL Server 2016 takes a critical RCE, all as their final security update. Now is the time to get moving on updating these platforms.
The 2011 Secure Boot certificate expiries have now passed; devices that never took the Windows UEFI CA 2023 key updates under CVE-2023-24932 can no longer receive updated boot components, with the Windows Production PCA for the boot manager still ahead on 19 October 2026. Kerberos RC4 hardening (CVE-2026-20833) has been in enforcement since April 2026; the July 2026 update removes the RC4DefaultDisablementPhase rollback control that let administrators defer it, making enforcement final.
Microsoft’s July 2026 Patch Tuesday is a security-only release: 180 test-guidance entries, 14 of them high risk (June had one). Printing and graphics are the centre of gravity: win32kfull.sys, the kernel-mode window manager, is the most-patched binary (14 entries), and seven high-risk flags sit alongside it – the Print Spooler, four win32k entries, and two GDI+ metafile entries. NTFS is the second theme, with 10 entries, two high risk. Every entry reports no functional changes – it’s pure regression validation. The packages span Windows 11 26H1 back to Server 2012 ESU.
Printing and graphics (high risk)
The Print Spooler flag centres on shared printers, whose queue status must track jobs accurately; the win32k flags cover 32-bit application printing, font rendering in printed and exported output, on-screen rendering, and window management; the GDI+ flags cover metafiles.
- Share a printer from a print server, print from a separate client in varied sizes and formats, and cancel a job, confirming the queue reflects every state change
- Print from your 32-bit applications, and print text-heavy, graphics-heavy, and multi-page documents to physical and virtual (PDF or XPS) printers, repeating after orientation, scaling, and resolution changes
- Export documents with varied fonts to PDF and confirm fonts and layout survive; render EMF+ files that apply effects to very large images, and convert EMF files to WMF
- Open and close windows rapidly, drive common dialogs by mouse and keyboard, and close parents with children open – no orphaned windows
Storage and file systems (high risk)
Both NTFS high-risk flags target integrity – extended attributes, and volume recovery after an unexpected shutdown. File History carries its own high-risk flag on clients. A Windows Server 2025-only bundle across boot, BitLocker, and ReFS demands the full Secure Boot/BitLocker matrix. Eight entries hit Server 2025 alone, including WSL, GPU partitioning, and a scripted Windows Server Backup pass repeating recovery after rolling the date 90 days forward.
- Exercise NTFS extended attributes – older-system EAs, backup workflows that preserve them, concurrent same-file operations where supported – with antivirus, encryption, or storage filters active
- Simulate an unexpected shutdown during file activity, verify the volume mounts intact, run chkdsk, and confirm indexing, shadow copies, and backup still work
- Run a full File History pass: back up, modify and back up again, exclude folders, change frequency, move the destination
- On Server 2025, boot all four Secure Boot/BitLocker combinations, in standard and confidential VMs where supported
Devices, input and networking (high risk)
Three further high-risk flags land here: HID input (hidparse.sys with win32k) – touch, keyboard, mouse, touchpad, through disconnects and restarts; the WinSock bundle (afd.sys plus Bluetooth and multicast drivers); and IrDA. The heaviest ask is not high risk at all: the NetAdapterCx driver (24H2/25H2, Server 2025) wants 500-plus adapter enable-disable cycles under Driver Verifier.
- Run the connectivity suite: browsing, large downloads, mapped drives, an RDP session idle 30+ minutes, a Teams call, an hour of streaming, and localhost apps such as Docker or WSL
- Stress Bluetooth: pairing, 10+ minutes of audio, input after idle, and reconnection after sleep
- Where infrared hardware exists, transfer a file and run at least 100 connect-disconnect cycles
- Sweep the rest: DNS Server (zone data must stay under its configured database directory), the client resolver (five entries), DHCP Server (five entries), SMB, NFS, Message Queuing (five entries), RRAS administration, client VPN, and WinHTTP/WinINet consumers
Other windows components
Windows Installer itself is patched: testing should include application install, uninstall, repair, and force a rollback. Hyper-V wants virtual-switch traffic as part of its testing exercises with Virtual Filtering Platform policies enforced. Sixteen media-related security entries cover playback, HEVC and MPEG-TS, USB audio, and MIDI 2.0.
Shell hardening and LSA isolation
These two entries are a little different from the rest of the cycle: they ask you to confirm a security behaviour actively works, not just that nothing regressed. A pass here means the protection fired, so treat them as functional checks rather than box-ticking.
- Shortcut handling (windows.storage.dll; Windows 11 23H2 and earlier, plus Server 2022): drop a shortcut file carrying the Mark of the Web into a folder and confirm the system refuses to extract its icon and leaks no NTLM credential hash – include the zero-click paths, where the icon would otherwise render without you opening anything
- LSA isolation and KeyGuard (24H2/25H2, Server 2025): run the supplied PowerShell validation script, which turns on Virtualization-based Security if it isn’t already, exercises KeyGuard key operations in both required and best-effort isolation modes, and reports pass or fail – it needs TPM 2.0, UEFI with Secure Boot disabled, and PowerShell 7
- Run that script on a dedicated test machine, never a shared one: it enables test signing, disables automatic updates, and reboots without asking
Office & SharePoint
July’s Office wave is security-only; everything landed on 14 July, and nothing critical or non-security shipped in the 7 July preview. It’s an MSI-only cycle, so Click-to-Run estates can sit this one out.
- On MSI Office 2016, apply the client updates – Excel (KB5002886), Word (KB5002890), PowerPoint (KB5002867), and five further Office 2016 security updates (KB5002273, KB5002887, KB5002748, KB5002857, KB5002830) – then exercise macros, external data, embedded objects, and any line-of-business add-ins
- On SharePoint Server, patch 2016 (KB5002891, plus the KB5002892 language pack) and Subscription Edition (KB5002882), then check browser-based editing; the guidance lists SharePoint 2019 with a baseline but ships no 2019 package, so there is nothing to install there
Mind the rollback rules before you schedule the window: most client updates can be uninstalled, but the server updates cannot and always require a reboot.
Developer tools & databases
The developer estate gets a broad but low-drama sweep this month. Both .NET and SQL Server patch widely, but the ask is representative-application validation rather than anything exotic – install on the matching branch and confirm normal behaviour.
- .NET: install the SDK updates (8.0.423, 9.0.316, 10.0.302, x64 and x86) and the Framework rollups spanning 3.5 through 4.8.1 – which reach from Windows Server 2012 up to Windows 11 26H1 and Server 2025 – then run a representative set of applications and confirm they function normally
- SQL Server: the GDR updates span 2016 SP3 through 2025 – install each on its matching branch and test that each removes cleanly
- Check an encrypted client connection through the separately patched Windows SQL client (dbnetlib.dll), which ships outside the server branches
The Readiness team recommends the following priorities for your larger enterprise deployments:
- Start with printing and graphics: half the high-risk flags sit in the Print Spooler, win32k, and GDI+, so regress shared printers, 32-bit printing, PDF export, metafiles, and window management before anything else
- Take NTFS next – extended attributes and crash recovery both touch data integrity – and add a client File History backup-and-restore pass
- Give Server 2025 its wider matrix – the Secure Boot/BitLocker combinations, WSL, GPU partitioning, and the scripted backup pass – and work through the stress suites
- Run the scripted KeyGuard validation on any VBS estate, preferably on a dedicated machine.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office
- Microsoft Exchange and SQL Server
- Microsoft Developer Tools (Visual Studio and .NET)
- Adobe (if you get this far)
Browsers
Edge has had a busier month than usual. Microsoft addressed 46 Microsoft Edge (Chromium-based) CVEs this cycle. None critical, but heavily weighted to remote code execution (21 entries) and spoofing (13), led by CVE-2026-58289, a remote code execution flaw. A run of further RCEs (CVE-2026-57981, CVE-2026-56645, CVE-2026-57974) follows.
- Microsoft Edge – the Edge-specific fixes ship in the Edge stable channel (version 150.0.4078.65, released 9 July). The concentration of RCE and spoofing this month is worth a look for managed Edge estates rather than a routine wave-through.
- Chromium upstream – 427 CVEs relayed through MSRC this cycle, spanning the weekly Chrome release cadence since the June report: use-after-free, out-of-bounds read/write, type confusion, and inappropriate-implementation flaws across V8, Dawn, ANGLE, Skia, and Tint. The same fixes ship in the Chrome Stable channel; see the Chrome releases blog for the upstream notes.
The Chromium volume looks (quite) alarming but is routine plumbing: it flows to Edge through its own auto-update channel. Add these browser (Edge) updates to your standard release schedule for your managed environments.
Microsoft Windows
Windows carries the bulk of this month’s updates: 406 CVEs, 31 rated critical and 374 important. Elevation of privilege dominates by volume (226 entries), followed by remote code execution (70), information disclosure (70), denial of service (23), and a scatter of security-feature-bypass, tampering, and spoofing entries across the following feature groupings:
- DHCP – the standout network cluster: DHCP Server remote code execution (CVE-2026-50518, “Exploitation More Likely,” and CVE-2026-56159), with further critical DHCP Server and DHCP Client RCEs behind them (CVE-2026-48564, CVE-2026-50370, CVE-2026-54128). DHCP servers are the deployment priority.
- VMSwitch and Hyper-V – the Windows VMSwitch elevation of privilege (CVE-2026-57092) is one of the month’s highest-severity flaws, joined by two critical Hyper-V elevation-of-privilege entries (CVE-2026-50680, CVE-2026-54127), guest-to-host risk on virtualisation hosts.
- Network stack RCE – a Windows Server Network driver RCE (CVE-2026-56188, “Exploitation More Likely”), plus TCP/IP (CVE-2026-54999), the Reliable Multicast Transport Driver (CVE-2026-54982), and SSTP (CVE-2026-50694).
- Graphics – Windows GDI+ remote code execution (CVE-2026-50380) and a DirectX Graphics Kernel RCE (CVE-2026-50382), both reachable through document-rendering paths.
- Windows Media – a large cluster: three critical Media Foundation RCEs (CVE-2026-57090, CVE-2026-57094, CVE-2026-57087) lead 14 Windows Media and seven Media Foundation entries overall.
- Identity infrastructure – beyond the exploited ADFS flaw, Active Directory Domain Services takes a critical RCE (CVE-2026-49164) and Active Directory Certificate Services a critical elevation of privilege (CVE-2026-54121). Domain controllers take priority again.
- Print Spooler, WSUS, and MSMQ – critical RCE/EoP in the Print Spooler (CVE-2026-58608), Windows Server Update Services (CVE-2026-50444), and Message Queuing (CVE-2026-54992, “Exploitation More Likely”), all server-role attack surface.
The Windows Kernel is the most-patched component (28 CVEs, seven “More Likely”), followed by NTFS (21), Windows Runtime (17), Windows Media (14), ReFS (12), and Win32k (15 across its two entries). Add this Windows update to your Patch Now deployment schedule.
Microsoft Office
Microsoft released 96 Office CVEs this month: 19 critical, 76 important. Remote code execution leads (53 entries), ahead of information disclosure (27) and spoofing (10). SharePoint is the centre of gravity: it touches 39 of the 96 CVEs and supplies the family’s one actively exploited flaw.
- SharePoint Server: has been exploited (who would have guessed) and reaches end of support today. CVE-2026-56164, an elevation of privilege, is under active exploitation. Above it sit two critical remote code execution flaws, both “Exploitation More Likely” (CVE-2026-50522, CVE-2026-58644) and a critical security feature bypass (CVE-2026-55040). SharePoint Server 2016 and 2019 reach end of support on 14 July, so this exploited, critical-heavy set is the final security update those on-premises farms will receive.
- Office has experienced a long run of critical remote code execution entries across Office, Word, and PowerPoint (among them CVE-2026-55033 and CVE-2026-55127 in Word, CVE-2026-55043 in PowerPoint, and CVE-2026-55018 in Office), topped by CVE-2026-55045.
With an exploited zero-day, two RCEs, and an end-of-support deadline all landing on SharePoint in the same cycle, SharePoint environments are the priority. Add the July Office and SharePoint updates to your Patch Now schedule.
Microsoft Exchange and SQL Server
Both Exchange and SQL Server carry critical-rated security vulnerabilities this month. Exchange Server returns with an on-premises security update for Exchange Server Subscription Edition, the only on-premises release still supported after Exchange Server 2016 and 2019 reached end of support in October 2025; SQL Server takes two critical remote code execution flaws, one of them against SQL Server 2016, which reaches end of support on the same day.
- Exchange Server (on-premises) – CVE-2026-55008, a spoofing vulnerability rated critical and “Exploitation More Likely,” is the headline. Behind it, a remote code execution entry (CVE-2026-55005) and two elevation-of-privilege flaws (CVE-2026-55006, CVE-2026-55009) round out the on-premises set. A separate Exchange Online elevation of privilege (CVE-2026-54998, critical) is fixed service-side with no customer action.
- SQL Server – two critical remote code execution flaws: CVE-2026-54117 (SQL Server 2025) and CVE-2026-54118 (which reaches back to SQL Server 2016 SP3), with five further important elevation-of-privilege and information-disclosure entries behind them. The 2016 exposure matters because SQL Server 2016 reaches end of support on 14 July: a critical RCE on a platform taking its final update.
Both belong on the Patch Now schedule this month: the Exchange on-premises update for its critical spoofing flaw, and the SQL Server update for the two critical RCEs.
Microsoft developer tools
Microsoft released 24 CVEs across its developer tooling this month, all rated important. The weighting shifts from last month’s Visual Studio Code concentration toward .NET and ASP.NET Core, where a run of denial-of-service entries dominates the volume:
- ASP.NET Core and .NET – the two highest-severity entries are ASP.NET Core elevation-of-privilege entries (CVE-2026-47300, CVE-2026-47303), ahead of a .NET security feature bypass (CVE-2026-50528) and two .NET / .NET Framework remote code execution flaws (CVE-2026-50646, CVE-2026-50649).
- Visual Studio and VS Code – a GitHub Copilot / Visual Studio Code security feature bypass (CVE-2026-41109) and a second VS Code security feature bypass (CVE-2026-57102) lead here, with a VS Code remote code execution entry behind them (CVE-2026-50520) and a Visual Studio RCE (CVE-2026-47305).
Add these Microsoft updates to your standard developer update release schedule.
Adobe (and third-party updates)
Outside Microsoft’s own catalogue, July is quiet. Adobe issued no Acrobat or Reader security updates. So, the month belongs to Microsoft, and it is a heavy one: 722 CVEs, roughly three times a normal cycle and one of the largest on record. Worth noting that this lands in the same season Microsoft has been talking up AI-assisted vulnerability management, and the AI stack it is selling as the answer, Copilot and Azure OpenAI among them, sits in the centre of this patch cycle’s own critical-rated updates. The (AI) tooling may be getting smarter, but the patch pile is (definitely) not getting smaller. This may be the beginning of an accelerating curve of ever larger patch cycles. My feeling is that we are in the middle of the beginning of this coming patch surge.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
Read the full article here

