Although experts had already warned of an impending “tsunami of vulnerabilities” back in April, immediately following the announcement of the Mythos AI model, concrete evidence began to emerge over the summer. June’s Patch Tuesday was massive and, at the time, a record-breaker (around 200 CVEs), and right before that, hundreds of fixes were released for Chromium-based browsers, including Chrome and Microsoft Edge. But July revealed this new trend in all its glory. Yesterday’s Patch Tuesday addressed 570 vulnerabilities in Microsoft products, and if we are including the “platform-level” patches that Microsoft applies to its own servers, the total rises to 620. And that’s not even counting the 470 vulnerabilities in Chromium. In just six months, Redmond has already fixed more defects than in any previous year over the past 20 years of observation.
Depending on which products are included in the final figures, the number of CVEs may vary slightly; various experts cite figures of 569, 570, 621, 622 — but anyway this figure is three times higher than the previous update package and five to 10 times higher than last year’s typical figures for monthly update.
The fixed vulnerabilities are broken down by category as follows: 254 — elevation of privilege (EoP), 145 — remote code execution (RCE), 102 — information disclosure, 35 — denial of service (DoS), 17 — security feature bypass, and 16 — information spoofing. EoP vulnerabilities accounted for nearly 44% of the release, while RCE vulnerabilities accounted for a quarter. Rapid7 experts separately note 416 bugs in Windows itself (also a record), and the fact that the release notes no longer list CVEs individually. Instead, there is a summary table organized by product families and a new section titled “Notable CVEs”. Incidentally, in that section, Microsoft managed to list CVE-2026-56155 twice instead of another zero-day vulnerability.
This brevity is partly due to the fact that the update package affects a very broad range of products. Even very old, rarely used components — such as MIDI drivers — have been updated, as well as games, including Age of Empires II (CVE-2026-50663) and Minecraft Bedrock Dedicated Server, where the high-impact CVE-2026-55010 (CVSS 9.8) was found — a heap overflow leading to RCE without authentication.
Of the entire set, only three vulnerabilities are classified as zero-day, and 59 have been rated critical. Among the critical vulnerabilities, 48 can lead to RCE, nine to privilege escalation, one to security feature bypass, and one allows spoofing.
Vulnerabilities exploited in real-world attacks or known prior to the patch
CVE-2026-56155 (CVSS 7.8) — privilege escalation in Active Directory Federation Services. Due to access control flaws, a user with low local privileges can elevate them to administrator level. No details are provided about attacks exploiting this vulnerability, but the description acknowledges the effort of Microsoft DART staff — the incident response team. The vulnerability has already been added to the CISA KEV catalog.
CVE-2026-56164 (CVSS 5.3) — privilege escalation via Microsoft SharePoint Server: a lack of authentication for a critical function. The attack complexity for exploiting this vulnerability is low; no authentication or user interaction is required, and Microsoft explicitly states that an attacker doesn’t need in-depth knowledge of the system. Affected versions include SharePoint Enterprise Server 2016, Server 2019, and the Subscription Edition. Credit for the discovery goes to experts at Mandiant Incident Response, Google Cloud, FLARE OTF, and an anonymous contributor — the acknowledgments list once again reads like a breakdown of an active incident, and not just a single one. Until the patch is installed, enabling AMSI with Request Body Scan set to Full can help, but this is a temporary measure, not a substitute for the update. CVE-2026-56164 has also already been added to CISA’s KEV.
The third zero-day vulnerability has “merely” been disclosed prior to remediation; there are no reports of it being exploited in attacks. However, this is due to the nature of the vulnerability — we’re dealing with yet another BitLocker bypass — CVE-2026-50661 (CVSS 6.1) — therefore exploitation requires physical access to the machine. Microsoft considers exploitation unlikely, and authorship is attributed to an “anonymous” individual. Presumably, the patch addresses GreatXML — a BitLocker bypass that a researcher going by the nickname Chaotic Eclipse (Nightmare Eclipse) published on June 10, the day after June’s Patch Tuesday. Laptops and any devices that leave the corporate perimeter should be patched as a priority.
Critical vulnerabilities in July’s Patch Tuesday
There are many critical vulnerabilities, so we’ll highlight only the most urgent ones. In our list, the CVSS score never drops below 9.6.
CVE-2026-57092 (CVSS 9.9) — EoP in VMSwitch, allows escape from an isolated environment with full host compromise. A use-after-free vulnerability that allows a low-privileged attacker to cross the virtual machine boundary and gain access to the host. ZDI notes that a similar exploit was demonstrated at Pwn2Own Berlin on ESXi. Hyper-V users need to update VMSwitch today.
CVE-2026-56190 (CVSS 9.8) — RCE in RDP, unauthenticated, network-based, no user interaction required. Those with RDP servers accessible via the internet are at critical risk; such configurations are practically unsustainable in 2026.
CVE-2026-50518 (CVSS 9.8) — RCE in the DHCP server: heap overflow, unauthenticated, network-based. And this isn’t the only problem with the DHCP server. In this release, it also contains CVE-2026-50370, -56159, and -48564, while the DHCP client contains CVE-2026-54128.
CVE-2026-50522 and CVE-2026-58644 (both CVSS 9.8) — a pair of RCE vulnerabilities in SharePoint servers: deserialization of untrusted data, unauthenticated, and without user interaction. Although Microsoft describes the exploit’s reliability as “unproven”, this is, to put it mildly, untrue. For CVE-2026-50522, a working exploit was demonstrated at Pwn2Own Berlin. In the same group is CVE-2026-55040 (CVSS 9.1), an authentication bypass discovered by Rapid7 experts. Exploiting this vulnerability is the first link in the attack chain; the second is currently under embargo and will be disclosed (and patched) in August Patch Tuesday. Together, they enable RCE without authentication. Meanwhile, the July Patch Tuesday marks the end of support for SharePoint Server 2016 and 2019.
CVE-2026-56188 (CVSS 9.8) — RCE in the Windows Server network driver. The exploitation is highly complex (TOCTOU), but if successful, this vulnerability allows privileged code to be executed over the network without user interaction — in other words, it enables the creation of network worms.
CVE-2026-55008 (CVSS 9.6) — spoofing in Exchange Server (it’s unclear why this is called spoofing, as the description explicitly states “XSS”). An attacker sends a specially crafted email; the victim simply opens it in OWA — and arbitrary JavaScript is executed in their session.
The reason behind the “tsunami” and how to deal with it
If such patch releases become the norm, without a radical overhaul and automation of vulnerability management processes, security and IT teams will have nothing to do but apply updates. There are indications that this is the new normal, and the tsunami could last for many months — possibly years. At Microsoft, the reason is called MDASH — multi-model agentic scanning harness. A few days before the release, Microsoft officially acknowledged that its AI-powered vulnerability scanning system is actively analyzing critical Windows components, and warned customers that the volume of updates in each release will only increase. That said, Redmond is not alone; Adobe and Cisco, for example, have recently announced an increase in the frequency of their updates.
So how can an organization adapt its processes and technologies to this pace and volume of updates?
- Automate in-depth host scanning, maintain a list of priority patches, install applicable updates, and verify that vulnerabilities are actually patched. With 500+ defects per month, manually transferring tickets from the scanner to a task tracker or launching update tasks simply isn’t possible.
- Prioritize efforts effectively. It’s nearly impossible to address a release of this magnitude in its entirety all at once, so a process that takes into account the severity of vulnerabilities, the likelihood of them being exploited in the company’s infrastructure, and the business impact becomes absolutely essential.
- Set up organizational processes. Technically, a patch can often be applied in minutes, but the approval process can take weeks as it makes its way through various departments, as can the process of initiating and managing that approval. Vulnerability management must be tied to an approval process that is as short, simple, and automatically documented as possible. If a decision regarding a specific vulnerability requires setting aside a maintenance window and obtaining approval from an entire committee, the process must be given high priority by that committee. Otherwise, by the time the patch is installed, Microsoft will have released the next 600 vulnerabilities.
vulnerabilities
Tips