July 2026 Patch Tuesday: 622 CVEs, SharePoint Zero-Days - featured image
Microsoft

July 2026 Patch Tuesday: 622 CVEs, SharePoint Zero-Days

Photo by Sogi . on Pexels

Synthesized from 5 sources

Microsoft’s July 2026 Patch Tuesday delivered fixes for a record 622 vulnerabilities — including two actively exploited zero-days in Active Directory and SharePoint — while CISA added five flaws to its Known Exploited Vulnerabilities catalog and an unpatched bug in AI code editor Cursor left more than 7 million developers exposed to silent code execution.

Microsoft’s Record 622-Vulnerability Patch Round

Microsoft’s July 2026 Patch Tuesday is the largest single-month patch release on record, resolving 622 vulnerabilities across Windows, Office, Azure, Exchange Server, and other products. Windows alone received fixes for 416 vulnerabilities, while the Office suite accounted for 164 patches, according to Microsoft’s release notes.

Two zero-days confirmed as exploited in the wild anchor the release. The first, CVE-2026-56155, affects Active Directory Federation Services (AD FS) and allows local privilege escalation to administrator. The second, CVE-2026-56164, is a SharePoint Server privilege escalation flaw exploitable over the network without authentication — a particularly dangerous combination, as SecurityWeek reported.

A third flaw drawing attention is CVE-2026-50661, a BitLocker security feature bypass requiring physical access that was publicly disclosed before Patch Tuesday. Satnam Narang, senior staff research engineer at Tenable, told SecurityWeek that the disclosure “could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made.”

Other high-severity entries flagged by the Zero Day Initiative include:

  • CVE-2026-57092 — Windows VMSwitch flaw, CVSS 9.9
  • CVE-2026-50522 — SharePoint RCE, CVSS 9.8
  • CVE-2026-56190 — Remote Desktop Protocol RCE
  • CVE-2026-50518 — Windows DHCP Server RCE
  • CVE-2026-55008 — Exchange Server XSS
  • CVE-2026-55010 — Minecraft Bedrock Dedicated Server RCE

SharePoint Under Active Exploitation

SharePoint is the most urgent patching priority this month. CISA added CVE-2026-56164 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, requiring federal agencies to patch within three days under Binding Operational Directive 26-04, according to CISA’s advisory.

A second SharePoint flaw, CVE-2026-58644 (CVSS 9.8), was not initially marked as exploited but Microsoft has since updated its advisory after detecting exploitation in the wild. CISA added it to the KEV catalog two days later, again with a three-day remediation deadline. Microsoft describes it as a deserialization of untrusted data issue: “In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server,

Sources

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.