Microsoft's July Patch Tuesday is the largest security update the company has ever shipped, patching 570 vulnerabilities across Windows and related products.
The previous record was set just last month, when June's update covered roughly 200 flaws — July's release triples that figure. Of the 570 bugs, 59 are rated critical, spanning remote-code-execution, elevation-of-privilege, security-bypass, and spoofing categories. Three zero-days are included. Two have been actively exploited in the wild: CVE-2026-56155, an elevation-of-privilege flaw in Active Directory Federation Services discovered by Microsoft's own DART team, and CVE-2026-56164, a missing-authentication bug in SharePoint Server that lets an unauthenticated attacker gain elevated privileges over a network — credited to researchers at Mandiant Incident Response and Google Cloud FLARE, among others. The third, CVE-2026-50661, is a different class of problem: a security feature bypass in BitLocker that could expose encrypted data to someone with physical machine access. It was publicly disclosed before the patch but has no known active exploits.
The sheer volume matters less than the mix. Two actively exploited privilege-escalation flaws in enterprise staples — Active Directory and SharePoint — mean corporate IT teams are the ones with the most to lose if patching lags. The BitLocker bypass is worth watching separately: physical-access requirements limit its blast radius, but it is precisely the kind of flaw that surfaces in targeted attacks against high-value individuals.
For context, the previous single-month record stood for about four weeks. Whether Microsoft is shipping more bugs or just finding them faster is the question its security team probably doesn't want asked out loud.