Yesterday was July’s Patch Tuesday and Microsoft released security updates to address 570 new security vulnerabilities. If you add up all the patches Microsoft released since the start of the month, the total comes to more than 620.
To call this a new record would be a massive understatement—the previous record stood at 206 in June. The total number of vulnerabilities patched so far this year (1,380) has already surpassed that of 2020’s record-breaking year (1,250).
The next scheduled Patch Tuesday is on August 11th, 2026.
Windows security updates
A large number of the fixed vulnerabilities—this time over 400—are spread across the various Windows versions for which Microsoft still provides security updates (10, 11, Server). Microsoft recently extended the Windows 10 ESU program until October 12th, 2027.
Attacks on Active Directory
The only Windows vulnerability this month that’s already being exploited in the wild is the high-risk Elevation of Privilege (EoP) vulnerability CVE-2026-56155 in Active Directory Federation Services (ADFS). The access controls aren’t granular enough, allowing an attacker to gain administrator rights. Windows Server versions 2012 to 2025 as well as older versions of Windows 10 (1607 and 1809) are vulnerable.
Critical Windows vulnerabilities
Among the 413 Windows vulnerabilities addressed by Microsoft this month are 24 critical Remote Code Execution (RCE) vulnerabilities and seven critical EoP vulnerabilities. The Use-After-Free (UAF) vulnerability CVE-2026-57092 in Hyper-V’s VMSwitch stands out from the rest, where a successful attacker with low privileges can gain elevated privileges on the host system from within the guest system.
In Remote Desktop Protocol (RDP), the RCE vulnerability CVE-2026-56190 can be exploited by determined attackers. By using specially crafted RDP packets, they can interact with memory that has not been properly initialized. This gives them the ability to manipulate memory in such a way that injected code can be executed.
The RCE vulnerability CVE-2026-50518 in the DHCP server is one of nine DHCP vulnerabilities addressed this month, and there’s also RCE vulnerability CVE-2026-56188 present in the Windows Server network driver. Here, an attacker can use specially crafted data packets to execute injected code on vulnerable systems. All supported Windows editions, from Windows 10 to Server 2025, are vulnerable.
Microsoft Office security updates
Microsoft has fixed 97 vulnerabilities in its Office products, almost twice as many as in June. These include 17 critical RCE vulnerabilities. In most cases, the preview pane is the attack vector—a user doesn’t need to actually open a file to enable a successful attack. The remaining 48 RCE vulnerabilities can be exploited if a user opens a malicious Office file in a vulnerable Office product (open-and-own).
Even medium-risk vulnerabilities deserve attention: the EoP vulnerability CVE-2026-56164 in SharePoint Server, where an attacker can gain access via the network without user authentication, is already being exploited in the wild. Anyone exploiting the Security Feature Bypass (SFB) vulnerability CVE-2026-55040 in SharePoint Server can access files without user authentication. SharePoint vulnerabilities CVE-2026-50522 and CVE-2026-58644 are classified as critical RCE vulnerabilities, with a working demo exploit for CVE-2026-50522 demonstrated at the Pwn2Own hacking competition.
Exchange Server security updates
In Exchange Server, Microsoft has fixed four vulnerabilities this month, and a fifth in Exchange Online. Spoofing vulnerability CVE-2026-55008, which is based on a cross-site scripting (XSS) vulnerability, allows arbitrary JavaScript code to be executed in the browser if a malicious email is opened in Outlook Web Access (OWA).
Microsoft Edge security updates
The latest security update to Edge 150.0.4078.65 is dated July 9th and based on Chromium 150.0.7871.115. It addresses 27 Chromium vulnerabilities, which aren’t included in the total number of vulnerabilities fixed above, nor are the nearly 400 Chromium vulnerabilities from the first week of July, otherwise the total would exceed 1,000.
Security updates for gamers
Microsoft has already patched RCE vulnerability CVE-2026-55010 in dedicated Minecraft Bedrock servers. As a Minecraft server operator, you don’t need to take any further action, says Microsoft.
With Age of Empires II: Definitive Edition, however, you’ll need to take action. An attacker can exploit RCE vulnerability CVE-2026-50663 by creating a malicious game scenario file and tricking others into opening it. This allows a file containing malicious code to be placed in an unexpected location and potentially executed.
Tip: Whether you keep your Windows up to date, you need proper antivirus protections if you want your PC to remain secure and private. Check out our picks for the best antivirus software for Windows as well as best VPN services to stay ahead of security problems.



