- 56Critical
- 510Important
- 3Moderate
- 0Low
Microsoft addresses 569 CVEs in the largest Patch Tuesday release yet. This month’s release includes three zero-days, two of which were exploited in the wild.
Microsoft patched 569 CVEs in its July 2026 Patch Tuesday release, with 56 rated critical, 510 rated as important, and 3 rated as moderate. This marks the largest Patch Tuesday release ever, crushing the previous record of 198 CVEs in June. Last week, Microsoft announced that its multi-model agentic scanning harness (MDASH) is being used to identify vulnerabilities faster and noted that “customers will see a higher volume of security updates included in each security release.”

This month’s update includes patches for:
- .NET
- .NET Core
- .NET Framework
- ASP.NET Core
- Active Directory Certificate Services (AD CS)
- Active Directory Domain Services
- Active Directory Federation Services (AD FS)
- Azure Active Directory
- Azure CycleCloud
- Azure Monitor Agent
- Azure Spring Apps
- Code Integrity DLL (ci.dll)
- Composite Image File System Driver
- Content Delivery Manager
- Desktop Window Manager
- Extensible Storage Engine (ESENT)
- GitHub Copilot and Visual Studio
- GitHub Copilot and Visual Studio Code
- Github Copilot
- HTTP/2
- Microsoft 365 Copilot for iOS
- Microsoft Bing App for IOS
- Microsoft Copilot
- Microsoft Defender
- Microsoft Defender for Endpoint
- Microsoft Dynamics NAV
- Microsoft Edge for Android
- Microsoft Exchange Server
- Microsoft Fabric Data Warehouse
- Microsoft Graphics Component
- Microsoft Input Method Editor (IME)
- Microsoft Install Service
- Microsoft NAT Helper Components (ipnathlp.dll)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office OneNote
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Printer Drivers
- Microsoft Surface
- Microsoft Windows
- Microsoft Windows App Store
- Microsoft Windows Codecs Library
- Microsoft Windows Media Foundation
- Microsoft Windows Search Component
- Microsoft Windows Speech
- Microsoft XML
- Microsoft XML Core Services
- Minecraft Bedrock Dedicated Server
- Outlook Copilot
- Power BI
- Quality Windows Audio/Video Experience (QWAVE) service
- RPC Runtime
- Reliable Multicast Transport Driver (RMCAST)
- Remote Desktop Client
- Role: DNS Server
- SQL Server
- SQL Server ODBC driver
- Universal Plug and Play (upnp.dll)
- Virtual Hard Disk (VHD) Miniport Driver
- Visual Studio
- Visual Studio Code
- Window PC Manager
- Windows Active Directory
- Windows Admin Center
- Windows Ancillary Function Driver for WinSock
- Windows App Installer
- Windows AppX Deployment Service
- Windows Application Model
- Windows Audio Compression Manager (ACM)
- Windows Audio Service
- Windows Backup Engine
- Windows BitLocker
- Windows Bluetooth Port Driver
- Windows Bluetooth Service
- Windows Boot Loader
- Windows Brokering File System
- Windows Client-Side Caching (CSC) Service
- Windows Clip Service
- Windows Clipboard Server
- Windows Clipboard User Service
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Connected User Experiences and Telemetry
- Windows Container Isolation FS Filter Driver (unionfs.sys)
- Windows CryptoAPI
- Windows Cryptographic Services
- Windows DHCP Client
- Windows DHCP Server
- Windows DNS
- Windows DWM
- Windows DWM Core Library
- Windows Data.dll
- Windows Devices Human Interface
- Windows DirectX
- Windows Domain Controller
- Windows Event Logging Service
- Windows FTP Service
- Windows File Explorer
- Windows File History Service
- Windows Filtering Platform (WFP)
- Windows GDI
- Windows GDI+
- Windows Graphics Kernel
- Windows Group Policy
- Windows HTTP.sys
- Windows Hyper-V
- Windows Image Acquisition
- Windows Installer
- Windows Internal System User Profile
- Windows Internal Task Bar
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Kernel Mode Driver
- Windows Kernel-Mode Drivers
- Windows Key Guard
- Windows LUAFV
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows MIDI Service Module
- Windows Management Services
- Windows Media
- Windows Message Queuing
- Windows Message Queuing Queue Manager
- Windows NTFS
- Windows Narrator Braille
- Windows Netlogon
- Windows Network Address Translation (NAT)
- Windows Network File System
- Windows Network Policy Server SNMP
- Windows Notification
- Windows OLE
- Windows Operating Systems
- Windows Overlay Filter
- Windows PowerShell
- Windows Presentation Foundation (WPF)
- Windows Print Spooler Components
- Windows Projected File System
- Windows Push Notifications
- Windows Quality of Service (QoS) Packet Scheduler
- Windows RDP
- Windows RPC API
- Windows Redirected Drive Buffering
- Windows Remote Access Connection Manager
- Windows Remote Access Service Infrastructure
- Windows Remote Desktop Protocol
- Windows Remote Desktop Services
- Windows Remote Help Defense
- Windows Resilient File System (ReFS)
- Windows Routing and Remote Access Service (RRAS)
- Windows Runtime
- Windows SMB
- Windows SMB Server
- Windows SMB Server Network Transport Driver (srvnet.sys)
- Windows Schannel
- Windows Secure Boot
- Windows Secure Kernel Mode
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Sensor Data Service
- Windows Server
- Windows Server Backup
- Windows Server Network driver
- Windows Server Update Service
- Windows Spaceport.sys
- Windows StateRepository API
- Windows Storage
- Windows Storage Spaces Direct
- Windows Subsystem for Linux
- Windows System
- Windows TCP/IP
- Windows Telephony Service
- Windows Terminal
- Windows Trusted Runtime Interface Driver
- Windows USB Audio Class driver (usbaudio.sys)
- Windows USB Driver
- Windows USB Hub Driver
- Windows USB Print Driver
- Windows USB Video Driver
- Windows Unified Consent System
- Windows Universal Disk Format File System Driver (UDFS)
- Windows User Interface Core
- Windows VMSwitch
- Windows Virtual Filtering Platform (VFP)
- Windows WalletService
- Windows Web Proxy Auto-Discovery Protocol (WPAD)
- Windows WebView
- Windows Win32K
- Windows Win32K - GRFX
- Windows Wireless Networking
- Windows Wireless Wide Area Network Service

Elevation of privilege (EoP) vulnerabilities accounted for 43.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.1%.
CVE-2026-56155 | Active Directory Federation Services Elevation of Privilege Vulnerability
CVE-2026-56155 is an EoP vulnerability affecting Active Directory Federation Services. It received a CVSSv3 score of 7.8 and is rated important. Microsoft notes that this flaw was exploited in the wild as a zero-day and is credited to researchers with the Microsoft Detection and Response Team (DART). Successful exploitation would allow an attacker to gain administrator privileges.
CVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege Vulnerability
is an EoP vulnerability in Microsoft SharePoint Server. It received a CVSSv3 score of 5.3 and is rated moderate. According to Microsoft, it was exploited in the wild as a zero-day. This vulnerability affects Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, as well as SharePoint Server 2016 and SharePoint Enterprise Server 2016.
Microsoft notes that its
Antimalware Scan Interface (AMSI) integrationcan provide mitigation for this vulnerability by scanning for and detecting malicious POST requests.
CVE-2026-50661 | Windows BitLocker Security Feature Bypass Vulnerability
CVE-2026-50661 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.1 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation Less Likely” according to Microsoft's Exploitability Index. While an exploit is public, the advisory notes that exploitation requires physical access to the target device.
Microsoft did not provide any attribution other than to “Anonymous” though based on the advisory description, it’s possible this patch addresses GreatXML, a zero-day BitLocker bypass flaw disclosed by the researcher known as Chaotic Eclipse (Nightmare Eclipse). GreatXML was disclosed on June 10th, a day after the June Patch Tuesday release.
CVE-2026-55944 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
CVE-2026-55944 is a RCE vulnerability in Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central. It received a CVSSv3 score of 9.8, is rated critical and assessed as “Exploitation More Likely.” Successful exploitation can be achieved by sending a crafted login request to an affected Dynamics NAV or Business Central server in order to trigger a deserialization of untrusted data vulnerability. Microsoft’s advisory cautions that no user-interaction is required, nor is authentication a requirement in order to successfully exploit this vulnerability.
Multiple CVEs | Windows DHCP Server and Client Remote Code Execution, Elevation of Privilege and Denial of Service Vulnerabilities
This month’s updates included patches to address multiple CVEs affecting DHCP Server and Windows DHCP Client. Of the nine CVEs, five were rated as critical and three were assessed as “Exploitation More Likely.” A breakdown of the CVEs can be found in the table below:
| CVE | Description | CVSSv3 | Severity | Exploitability Index |
|---|---|---|---|---|
| CVE-2026-50518 | Windows DHCP Server Remote Code Execution Vulnerability | 9.8 | Critical | Exploitation More Likely |
| CVE-2026-50370 | DHCP Server Service Remote Code Execution Vulnerability | 8.8 | Critical | Exploitation More Likely |
| CVE-2026-54128 | Windows DHCP Client Remote Code Execution Vulnerability | 8.4 | Critical | Exploitation More Likely |
| CVE-2026-48564 | DHCP Server Service Remote Code Execution Vulnerability | 8.8 | Critical | Exploitation Less Likely |
| CVE-2026-49181 | Windows DHCP Client Elevation of Privilege Vulnerability | 7.5 | Important | Exploitation Less Likely |
| CVE-2026-56159 | DHCP Server Service Remote Code Execution Vulnerability | 9.8 | Critical | Exploitation Unlikely |
| CVE-2026-50683 | Windows DHCP Client Elevation of Privilege Vulnerability | 8.0 | Important | Exploitation Unlikely |
| CVE-2026-50685 | Windows DHCP Server Remote Code Execution Vulnerability | 7.5 | Important | Exploitation Unlikely |
| CVE-2026-58627 | Windows DHCP Server Denial of Service Vulnerability | 7.5 | Important | Exploitation Unlikely |
Multiple CVEs | Windows Kernel Elevation of Privilege Vulnerability
Updates this month include 20 CVEs addressing EoP vulnerabilities in the Windows Kernel. CVSSv3 scores range from 4.7 to 9.3 and six of the 20 were assessed as “Exploitation More Likely.” Additionally, Windows Kernel saw several additional security fixes this month with six CVEs for Information Disclosure flaws and two security feature bypasses. A breakdown of the EoP CVEs can be found in the tables below:
Windows Kernel Elevation of Privilege Vulnerabilities
Tenable Solutions
A list of all the plugins released for Microsoft’s July 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more information
- Microsoft's July 2026 Security Updates
- Tenable plugins for Microsoft July 2026 Patch Tuesday Security Updates
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Exposure Management
- Vulnerability Management