Live update: Microsoft is still finalizing this month's data, as it usually does in the days after Patch Tuesday. We keep the numbers below and our Patch Tuesday trackers updated as more is known.
Microsoft shipped its July 2026 security updates today, and it is the largest Patch Tuesday on record: 622 CVEs in Microsoft's official release note, including 56 rated Critical, and three zero-day vulnerabilities, two already being exploited in the wild. Microsoft attributes the surge partly to AI-assisted vulnerability discovery. The short version for busy admins: do not try to read all 622, patch the exploited zero-days tonight, and rank the rest by risk.
What actually matters in July
- A record release: 622 CVEs, including 56 Critical. The largest Patch Tuesday Microsoft has ever shipped, several times the size of a normal month. The count is not the story; what is exploited is.
- Three zero-days, two under active attack. Patch these first: CVE-2026-56155 in Active Directory Federation Services (AD FS) and CVE-2026-56164 in SharePoint Server are both being exploited in the wild; CVE-2026-50661, a BitLocker security-feature bypass, is publicly disclosed.
- A Kerberos RC4 breaking change, with no rollback. This is the item most likely to bite you. If your environment still relies on RC4 for Kerberos, test before you deploy broadly, because there is no clean toggle to undo it. Microsoft's guidance explains the change (CVE-2026-20833) and how to prepare.
- Do not forget the July 9 out-of-band fix. Earlier this month Microsoft shipped an emergency patch for a race-condition elevation-of-privilege issue (nicknamed RoguePlanet, CVE-2026-50656) that already had public proof-of-concept code. If you have not applied that out-of-band update, do it now; it is not part of today's release.
What to do this week
- Patch the two exploited zero-days first, everywhere: AD FS (CVE-2026-56155) and SharePoint Server (CVE-2026-56164), both internet-facing identity and collaboration surfaces.
- Then the publicly disclosed BitLocker bypass (CVE-2026-50661) on at-risk devices, and the July 9 out-of-band RoguePlanet fix (CVE-2026-50656) if you have not.
- Test the Kerberos RC4 change in a ring before broad rollout, since it does not roll back.
- For the remaining hundreds of fixes, rank by CISA KEV, then EPSS, then Severity and exposure, rather than working down a list of 622. Our trackers do this automatically.
A note on the numbers
Microsoft's July 2026 release note lists 622 Microsoft CVEs, the official count and the headline number here. Independent trackers count the core release at about 570 (Tenable, BleepingComputer, Krebs on Security, Zero Day Initiative), excluding the republished Chromium Edge and Azure Linux entries in Microsoft's wider tally. Two of the three zero-days are already exploited; the BitLocker bypass is disclosed but not yet seen attacked, which is why some headlines say "two zero-days". Either way, the largest Patch Tuesday on record.
Our read: at this scale, the total is beside the point. Prioritize on risk, and we keep this post and our trackers updated as the data settles.
Senserva Trustworthy AI opinion
A record 622 CVEs is not a number to read; it is a queue to triage. Let exploitation drive the order: the two zero-days already under active attack, AD FS (CVE-2026-56155) and SharePoint Server (CVE-2026-56164), are exposed identity and collaboration surfaces and belong at the top of every list tonight, followed by the publicly disclosed BitLocker bypass and the earlier RoguePlanet out-of-band fix. Then rank the rest by CISA KEV and EPSS, not CVSS alone. When AI is helping find vulnerabilities faster than teams can read the release notes, the discipline that matters is prioritization, not enumeration.
Composed by Senserva Trustworthy AI from the cited facts in this post and reviewed before publishing. We show our sources and our reasoning, and never invent CVE facts.
When the count is noise, prioritize on signal
A record 622-CVE month is exactly when raw counts stop helping. "Is CVE tracking still practical?" is the real question of July 2026, and the answer is to rank on risk, not volume:
- Known exploitation first (CISA KEV). A vulnerability confirmed exploited in the wild outranks a hundred that are not.
- Exploit probability next (EPSS). It ranks the not-yet-exploited by how likely they are to be.
- Then Severity and exposure. CVSS, and whether the affected product is internet-facing or widely deployed across your estate.
That ordering is exactly how the Senserva trackers rank Microsoft patches and CVEs: KEV, then EPSS, then CVSS, then recency, using published signals only.
Track it live
- Microsoft Patch Tuesday hub, updated as the data settles
- Rank Microsoft patches by risk
- Search the Microsoft CVE reference
- What was exploited this week
Counts and zero-day status corroborated against Tenable, BleepingComputer, Krebs on Security, and the Zero Day Initiative; per-CVE facts from Microsoft MSRC; exploitation status from the CISA KEV catalog; exploit probability from FIRST.org EPSS. We update as the data settles.