Security News Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Apr 24, 2016
7,857
6
83,412
8,389
55
The Netherlands
Today is Microsoft's July 2026 Patch Tuesday, and with it comes security updates for a record-breaking 570 flaws, including two zero-day vulnerabilities exploited in attacks and one publicly disclosed.

Patch Tuesday addresses 59 "Critical" vulnerabilities, 48 of which are remote code execution, 9 are elevation of privilege, 1 is a security bypass, and 1 is a spoofing.

The approximate number of bugs in each vulnerability category is listed below:
  • 254 Elevation of Privilege Vulnerabilities
  • 17 Security Feature Bypass Vulnerabilities
  • 145 Remote Code Execution Vulnerabilities
  • 102 Information Disclosure Vulnerabilities
  • 35 Denial of Service Vulnerabilities
  • 16 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today.

Therefore, the number of flaws does not include flaws in Mariner, Azure OpenAI, Azure Synapse, M365 Copilot, Microsoft Exchange Online, Microsoft Edge for Android, and Microsoft Entra Provisioning Service that were fixed by Microsoft earlier this month.

There were also a massive 468 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup. As part of last month's June Patch Tuesday, Google fixed 360 flaws that were later ported to Microsoft Edge.
 
ZDI: The July 2026 Security Update Review
Well folks. Here we are. The bug apocalypse has fully descended upon us. I’ll do my best to sort this out in some way meaningful, but this month’s release shows us the nay-sayers were right, and I’ve got to hand it to the nay-sayers here. Excellent call. Take an extended break from your regularly scheduled activities as we let’s take a look at the latest security patches from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for July 2026

Adobe has now moved to a bimonthly release schedule, which means they will be releasing patches on the second and fourth Tuesdays of the month. I’ll continue to cover the second Tuesday release here and update this blog should the fourth Tuesday release contain anything significant. I think this is a smart way to break up a monster release into something a bit more manageable. Apple has said they are taking a similar approach. We’ll see if other vendors follow their lead.

For the first part of the July release, Adobe released 12 bulletins addressing 88 unique CVEs in Adobe ColdFusion, Commerce, After Effects, Animate, Audition, Bridge, Creative Cloud Desktop Application, Experience Manager, Illustrator, Media Encoder, Premiere Pro, and the Content Credentials SDK.
Microsoft Patches for July 2026

Here it is. The Mother of All Releases. To call this record-breaking is an understatement. How to count this mess is anyone’s guess, but I see new Microsoft 621 CVEs for the month of July. Some of these are in online services where no user action is required. They also list about 480 bugs in Chromium and Microsoft Edge (Chromium-based) that I won’t cover here. Here’s how I put this in context. I looked at the last 20 years of Microsoft releases. The CVE count year-to-date exceeds all other years’ totals.

The products covered this month are also astonishing. There are patches for Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, .NET and Visual Studio, Github Copilot, Defender, Exchange Server, Hyper-V, Ages of Empire II, and Minecraft Server (really!). That phrase “Windows components” does some pretty heavy lifting here, too, as just about everything you’ve ever heard of is getting patched. All told, there are 63 rated Critical, six rated Moderate, one rated Low, with the rest rated Important in severity. Eight of these bugs were submitted through the ZDI program (more on that later). Two CVEs are listed as under active exploit while one other is listed as publicly known.
Looking Ahead

The next Patch Tuesday will be on August 11, just after Hacker Summer Camp in sunny Las Vegas. Should I survive the heat, I’ll be back then to give you my full thoughts on the release – no matter how large it may be. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 
easy beezy

1784056216903.png
 

You may also like...