This is Senserva's live July 2026 Patch Tuesday page: the release, the numbers, the exploited items, and the trusted analyses, gathered in one place and updated as each source updates. Start here, then rank every fix on our Microsoft patch tracker by what attackers actually exploit (CISA KEV and EPSS), or read the full July analysis on our blog.
The numbers
Microsoft's July 2026 release note lists 622 Microsoft CVEs, the official count and the headline number here. Independent trackers count the core release at about 570 (Tenable, BleepingComputer, Krebs on Security, Zero Day Initiative), excluding the republished Chromium Edge and Azure Linux entries in Microsoft's wider tally. Two of the three zero-days are already exploited; the BitLocker bypass is disclosed but not yet seen attacked, which is why some headlines say "two zero-days". Either way, the largest Patch Tuesday on record.
Our read: at this scale, the total is beside the point. Prioritize on risk, and we keep this page and our trackers updated as Microsoft finalizes the per-update data.
The July updates (KBs), from Microsoft's release data
Every update Microsoft shipped in the July 2026 cycle, straight from the MSRC release document. The updates fixing the exploited zero-days sort to the top. The same zero-day appears on several rows because every Windows and SharePoint version gets its own update carrying the same fix; the release has three distinct zero-day CVEs. Per-update CVE lists are intentionally omitted until Microsoft finalizes the data (preliminary cumulative updates expand their full history); each update's Senserva detail page arrives with that data and this table upgrades automatically.
Senserva Trustworthy AI opinion
A record 622 CVEs is not a number to read; it is a queue to triage. Let exploitation drive the order: the two zero-days already under active attack, AD FS (CVE-2026-56155) and SharePoint Server (CVE-2026-56164), are exposed identity and collaboration surfaces and belong at the top of every list tonight, followed by the publicly disclosed BitLocker bypass and the earlier RoguePlanet out-of-band fix. Then rank the rest by CISA KEV and EPSS, not CVSS alone. When AI is helping find vulnerabilities faster than teams can read the release notes, the discipline that matters is prioritization, not enumeration.
Composed by Senserva Trustworthy AI from the cited facts on this page and refreshed as the data updates. We show our sources and our reasoning, and never invent CVE facts.
What actually matters in July
- A record release: 622 CVEs, including 56 Critical. The largest Patch Tuesday Microsoft has ever shipped. The count is not the story; what is exploited is.
- Three zero-days, two under active attack. Patch these first: CVE-2026-56155 in Active Directory Federation Services (AD FS) and CVE-2026-56164 in SharePoint Server are both being exploited in the wild; CVE-2026-50661, a BitLocker security-feature bypass, is publicly disclosed.
- A Kerberos RC4 breaking change, with no rollback. This is the item most likely to bite you. If your environment still relies on RC4 for Kerberos, test before you deploy broadly, because there is no clean toggle to undo it. Microsoft's guidance explains the change (CVE-2026-20833) and how to prepare.
- Do not forget the July 9 out-of-band fix. Earlier this month Microsoft shipped an emergency patch for a race-condition elevation-of-privilege issue (nicknamed RoguePlanet, CVE-2026-50656) that already had public proof-of-concept code. If you have not applied that out-of-band update, do it now; it is not part of today's release.
When the count is noise, prioritize on signal
A record 622-CVE month is exactly when raw counts stop helping. "Is CVE tracking still practical?" is the real question of July 2026, and the answer is to rank on risk, not volume:
- Known exploitation first (CISA KEV). A vulnerability confirmed exploited in the wild outranks a hundred that are not.
- Exploit probability next (EPSS). It ranks the not-yet-exploited by how likely they are to be.
- Then Severity and exposure. CVSS, and whether the affected product is internet-facing or widely deployed across your estate.
That ordering is exactly how the Senserva trackers rank Microsoft patches and CVEs: KEV, then EPSS, then CVSS, then recency, using published signals only.
What to do this week
- Patch the two exploited zero-days first, everywhere: AD FS (CVE-2026-56155) and SharePoint Server (CVE-2026-56164), both internet-facing identity and collaboration surfaces.
- Then the publicly disclosed BitLocker bypass (CVE-2026-50661) on at-risk devices, and the July 9 out-of-band RoguePlanet fix (CVE-2026-50656) if you have not.
- Test the Kerberos RC4 change in a ring before broad rollout, since it does not roll back.
- For the remaining hundreds of fixes, rank by CISA KEV, then EPSS, then Severity and exposure, rather than working down a list of 570. Our trackers do this automatically.
Sources we track
We gather the trusted Patch Tuesday sources here and keep this page current as they publish. The authorities we cross-check every release:
- Microsoft MSRC Security Update Guide: the vendor record, the authoritative list of what shipped and how it is revised in the days after release.
- Zero Day Initiative: the analyst standard, a monthly Security Update Review that breaks the release down by vulnerability type and flags what matters.
- BleepingComputer: fast, reliable Patch Tuesday reporting and known-issue tracking.
- Dark Reading: security-industry analysis and the wider context around each release.
- SANS Internet Storm Center: practitioner risk ratings and a dashboard view of each month's CVEs.
- CISA Known Exploited Vulnerabilities (KEV): the authority on what is actually being exploited in the wild, which drives our ranking.
- Krebs on Security: independent investigative journalism, with a monthly Patch Tuesday roundup that adds real-world exploitation and industry context.
- Cisco Talos: threat-intelligence research that highlights the most severe and actively targeted issues in each release.
- Tenable: vulnerability-management research with monthly prioritization guidance and notable CVE call-outs.
- Rapid7: emergent-threat write-ups and exploitation timelines for the highest-risk vulnerabilities.
- NVD (NIST National Vulnerability Database): the authoritative CVE record and CVSS base scores behind our severity ranking.
- FIRST EPSS: the Exploit Prediction Scoring System, the probability signal we use to rank vulnerabilities not yet on the KEV list.
Track it live
- Microsoft Patch Tuesday hub, updated as the data settles
- Rank Microsoft patches by risk
- Search the Microsoft CVE reference
- What was exploited this week
Counts and zero-day status corroborated against Tenable, BleepingComputer, Krebs on Security, and the Zero Day Initiative; per-CVE facts from Microsoft MSRC; exploitation status from the CISA KEV catalog; exploit probability from FIRST.org EPSS. We update as the data settles.