56Critical510Important3Moderate0LowMicrosoft addresses 569 CVEs in the largest Patch Tuesday release yet. This month’s release includes three zero-days, two of which were exploited in the wild.Microsoft patched 569 CVEs in its July 2026 Patch Tuesday release, with 56 rated critical, 510 rated as important, and 3 rated as moderate. This marks the largest Patch Tuesday release ever, crushing the previous record of 198 CVEs in June. Last week, Microsoft announced that its multi-model agentic scanning harness (MDASH) is being used to identify vulnerabilities faster and noted that “customers will see a higher volume of security updates included in each security release.”This month’s update includes patches for:.NET.NET Core.NET FrameworkASP.NET CoreActive Directory Certificate Services (AD CS)Active Directory Domain ServicesActive Directory Federation Services (AD FS)Azure Active DirectoryAzure CycleCloudAzure Monitor AgentAzure Spring AppsCode Integrity DLL (ci.dll)Composite Image File System DriverContent Delivery ManagerDesktop Window ManagerExtensible Storage Engine (ESENT)GitHub Copilot and Visual StudioGitHub Copilot and Visual Studio CodeGithub CopilotHTTP/2Microsoft 365 Copilot for iOSMicrosoft Bing App for IOSMicrosoft CopilotMicrosoft DefenderMicrosoft Defender for EndpointMicrosoft Dynamics NAVMicrosoft Edge for AndroidMicrosoft Exchange ServerMicrosoft Fabric Data WarehouseMicrosoft Graphics ComponentMicrosoft Input Method Editor (IME)Microsoft Install ServiceMicrosoft NAT Helper Components (ipnathlp.dll)Microsoft OfficeMicrosoft Office ExcelMicrosoft Office OneNoteMicrosoft Office PowerPointMicrosoft Office SharePointMicrosoft Office WordMicrosoft Printer DriversMicrosoft SurfaceMicrosoft WindowsMicrosoft Windows App StoreMicrosoft Windows Codecs LibraryMicrosoft Windows Media FoundationMicrosoft Windows Search ComponentMicrosoft Windows SpeechMicrosoft XMLMicrosoft XML Core ServicesMinecraft Bedrock Dedicated ServerOutlook CopilotPower BIQuality Windows Audio/Video Experience (QWAVE) serviceRPC RuntimeReliable Multicast Transport Driver (RMCAST)Remote Desktop ClientRole: DNS ServerSQL ServerSQL Server ODBC driverUniversal Plug and Play (upnp.dll)Virtual Hard Disk (VHD) Miniport DriverVisual StudioVisual Studio CodeWindow PC ManagerWindows Active DirectoryWindows Admin CenterWindows Ancillary Function Driver for WinSockWindows App InstallerWindows AppX Deployment ServiceWindows Application ModelWindows Audio Compression Manager (ACM)Windows Audio ServiceWindows Backup EngineWindows BitLockerWindows Bluetooth Port DriverWindows Bluetooth ServiceWindows Boot LoaderWindows Brokering File SystemWindows Client-Side Caching (CSC) ServiceWindows Clip ServiceWindows Clipboard ServerWindows Clipboard User ServiceWindows Cloud Files Mini Filter DriverWindows Common Log File System DriverWindows Connected User Experiences and TelemetryWindows Container Isolation FS Filter Driver (unionfs.sys)Windows CryptoAPIWindows Cryptographic ServicesWindows DHCP ClientWindows DHCP ServerWindows DNSWindows DWMWindows DWM Core LibraryWindows Data.dllWindows Devices Human InterfaceWindows DirectXWindows Domain ControllerWindows Event Logging ServiceWindows FTP ServiceWindows File ExplorerWindows File History ServiceWindows Filtering Platform (WFP)Windows GDIWindows GDI+Windows Graphics KernelWindows Group PolicyWindows HTTP.sysWindows Hyper-VWindows Image AcquisitionWindows InstallerWindows Internal System User ProfileWindows Internal Task BarWindows Internet Key Exchange (IKE) ProtocolWindows KernelWindows Kernel Mode DriverWindows Kernel-Mode DriversWindows Key GuardWindows LUAFVWindows Local Security Authority Subsystem Service (LSASS)Windows MIDI Service ModuleWindows Management ServicesWindows MediaWindows Message QueuingWindows Message Queuing Queue ManagerWindows NTFSWindows Narrator BrailleWindows NetlogonWindows Network Address Translation (NAT)Windows Network File SystemWindows Network Policy Server SNMPWindows NotificationWindows OLEWindows Operating SystemsWindows Overlay FilterWindows PowerShellWindows Presentation Foundation (WPF)Windows Print Spooler ComponentsWindows Projected File SystemWindows Push NotificationsWindows Quality of Service (QoS) Packet SchedulerWindows RDPWindows RPC APIWindows Redirected Drive BufferingWindows Remote Access Connection ManagerWindows Remote Access Service InfrastructureWindows Remote Desktop ProtocolWindows Remote Desktop ServicesWindows Remote Help DefenseWindows Resilient File System (ReFS)Windows Routing and Remote Access Service (RRAS)Windows RuntimeWindows SMBWindows SMB ServerWindows SMB Server Network Transport Driver (srvnet.sys)Windows SchannelWindows Secure BootWindows Secure Kernel ModeWindows Secure Socket Tunneling Protocol (SSTP)Windows Sensor Data ServiceWindows ServerWindows Server BackupWindows Server Network driverWindows Server Update ServiceWindows Spaceport.sysWindows StateRepository APIWindows StorageWindows Storage Spaces DirectWindows Subsystem for LinuxWindows SystemWindows TCP/IPWindows Telephony ServiceWindows TerminalWindows Trusted Runtime Interface DriverWindows USB Audio Class driver (usbaudio.sys)Windows USB DriverWindows USB Hub DriverWindows USB Print DriverWindows USB Video DriverWindows Unified Consent SystemWindows Universal Disk Format File System Driver (UDFS)Windows User Interface CoreWindows VMSwitchWindows Virtual Filtering Platform (VFP)Windows WalletServiceWindows Web Proxy Auto-Discovery Protocol (WPAD)Windows WebViewWindows Win32KWindows Win32K - GRFXWindows Wireless NetworkingWindows Wireless Wide Area Network ServiceElevation of privilege (EoP) vulnerabilities accounted for 43.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.1%.ImportantCVE-2026-56155 | Active Directory Federation Services Elevation of Privilege VulnerabilityCVE-2026-56155 is an EoP vulnerability affecting Active Directory Federation Services. It received a CVSSv3 score of 7.8 and is rated important. Microsoft notes that this flaw was exploited in the wild as a zero-day and is credited to researchers with the Microsoft Detection and Response Team (DART). Successful exploitation would allow an attacker to gain administrator privileges.ModerateCVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege VulnerabilityCVE-2026-56164 is an EoP vulnerability in Microsoft SharePoint Server. It received a CVSSv3 score of 5.3 and is rated moderate. According to Microsoft, it was exploited in the wild as a zero-day. This vulnerability affects Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, as well as SharePoint Server 2016 and SharePoint Enterprise Server 2016.Microsoft notes that its Antimalware Scan Interface (AMSI) integration can provide mitigation for this vulnerability by scanning for and detecting malicious POST requests.ImportantCVE-2026-50661 | Windows BitLocker Security Feature Bypass VulnerabilityCVE-2026-50661 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.1 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation Less Likely” according to Microsoft's Exploitability Index. While an exploit is public, the advisory notes that exploitation requires physical access to the target device.Microsoft did not provide any attribution other than to “Anonymous” though based on the advisory description, it’s possible this patch addresses GreatXML, a zero-day BitLocker bypass flaw disclosed by the researcher known as Chaotic Eclipse (Nightmare Eclipse). GreatXML was disclosed on June 10th, a day after the June Patch Tuesday release.CriticalCVE-2026-55944 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution VulnerabilityCVE-2026-55944 is a RCE vulnerability in Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central. It received a CVSSv3 score of 9.8, is rated critical and assessed as “Exploitation More Likely.” Successful exploitation can be achieved by sending a crafted login request to an affected Dynamics NAV or Business Central server in order to trigger a deserialization of untrusted data vulnerability. Microsoft’s advisory cautions that no user-interaction is required, nor is authentication a requirement in order to successfully exploit this vulnerability.CriticalMultiple CVEs | Windows DHCP Server and Client Remote Code Execution, Elevation of Privilege and Denial of Service VulnerabilitiesThis month’s updates included patches to address multiple CVEs affecting DHCP Server and Windows DHCP Client. Of the nine CVEs, five were rated as critical and three were assessed as “Exploitation More Likely.” A breakdown of the CVEs can be found in the table below:CVEDescriptionCVSSv3SeverityExploitability IndexCVE-2026-50518Windows DHCP Server Remote Code Execution Vulnerability9.8CriticalExploitation More LikelyCVE-2026-50370DHCP Server Service Remote Code Execution Vulnerability8.8CriticalExploitation More LikelyCVE-2026-54128Windows DHCP Client Remote Code Execution Vulnerability8.4CriticalExploitation More LikelyCVE-2026-48564DHCP Server Service Remote Code Execution Vulnerability8.8CriticalExploitation Less LikelyCVE-2026-49181Windows DHCP Client Elevation of Privilege Vulnerability7.5ImportantExploitation Less LikelyCVE-2026-56159DHCP Server Service Remote Code Execution Vulnerability9.8CriticalExploitation UnlikelyCVE-2026-50683Windows DHCP Client Elevation of Privilege Vulnerability8.0ImportantExploitation UnlikelyCVE-2026-50685Windows DHCP Server Remote Code Execution Vulnerability7.5ImportantExploitation UnlikelyCVE-2026-58627Windows DHCP Server Denial of Service Vulnerability7.5ImportantExploitation UnlikelyImportantMultiple CVEs | Windows Kernel Elevation of Privilege VulnerabilityUpdates this month include 20 CVEs addressing EoP vulnerabilities in the Windows Kernel. CVSSv3 scores range from 4.7 to 9.3 and six of the 20 were assessed as “Exploitation More Likely.” Additionally, Windows Kernel saw several additional security fixes this month with six CVEs for Information Disclosure flaws and two security feature bypasses. A breakdown of the EoP CVEs can be found in the tables below:Windows Kernel Elevation of Privilege VulnerabilitiesCVECVSSv3SeverityExploitability IndexCVE-2026-497989.3ImportantExploitation More LikelyCVE-2026-497958.8ImportantExploitation More LikelyCVE-2026-503327.8ImportantExploitation More LikelyCVE-2026-504237.8ImportantExploitation More LikelyCVE-2026-504367.8ImportantExploitation More LikelyCVE-2026-503907.0ImportantExploitation More LikelyCVE-2026-504778.8ImportantExploitation Less LikelyCVE-2026-491737.8ImportantExploitation Less LikelyCVE-2026-498087.8ImportantExploitation Less LikelyCVE-2026-503997.8ImportantExploitation Less LikelyCVE-2026-504787.8ImportantExploitation Less LikelyCVE-2026-504847.8ImportantExploitation Less LikelyCVE-2026-506737.8ImportantExploitation Less LikelyCVE-2026-585327.8ImportantExploitation Less LikelyCVE-2026-503547.1ImportantExploitation Less LikelyCVE-2026-503977.0ImportantExploitation Less LikelyCVE-2026-504597.0ImportantExploitation Less LikelyCVE-2026-541326.8ImportantExploitation Less LikelyCVE-2026-503775.5ImportantExploitation Less LikelyCVE-2026-491674.7ImportantExploitation Less LikelyTenable SolutionsA list of all the plugins released for Microsoft’s July 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft's July 2026 Security UpdatesTenable plugins for Microsoft July 2026 Patch Tuesday Security UpdatesJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.