Microsoft’s July 2026 Patch Tuesday delivers security updates for a broad range of products and services, including several vulnerabilities that pose significant risks to enterprise environments. As attackers continue to target unpatched systems, the timely deployment of these updates remains one of the most effective defenses against exploitation. This blog provides an overview of the month’s key security fixes, highlights the most critical vulnerabilities, and offers guidance for prioritizing patch deployment. 

Microsoft Patch Tuesday for July 2026

This month’s release addresses a whopping 570 vulnerabilities, including 57 critical and 510 important-severity vulnerabilities.

In this month’s updates, Microsoft has addressed three zero-day vulnerabilities, with two exploited in attacks and one publicly disclosed. 

There were also a massive 468 vulnerabilities in Microsoft Edge/Chromium this month. Of the 468 Edge CVEs, 360 were issued by the Chrome CNA (upstream Chromium fixes rolled into Edge), and the rest are Microsoft-issued CVEs for the Microsoft Edge (Chromium-based) and Microsoft Edge for Android products. 

Microsoft Patch Tuesday, July edition, includes updates for vulnerabilities in Windows Media, Windows HTTP.sys, Windows Hyper-V, Windows NTFS,  Windows BitLocker, Windows Bluetooth Port Driver, Windows Bluetooth Service, Microsoft Copilot, Microsoft Defender, Microsoft Exchange Server, and more. 

This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts. 

The July 2026 Microsoft vulnerabilities are classified as follows:   

Vulnerability Category  Quantity  Severities 
Spoofing Vulnerability  16  Critical: 1
Important: 15 
Denial of Service Vulnerability  35  Important: 35 
Elevation of Privilege Vulnerability  254  Critical: 7
Important: 247 
Information Disclosure Vulnerability  102  Important: 102 
Remote Code Execution Vulnerability  145  Critical: 48
Important: 97 
Security Feature Bypass Vulnerability  17  Critical: 1
Important: 16 

Adobe Patch for July 2026

Adobe has released 12 security advisories addressing 89 vulnerabilities across Adobe Animate, Adobe ColdFusion, Adobe Bridge, Content Credentials SDK, Adobe Illustrator, Adobe After Effects, Adobe Creative Cloud Desktop Application, Adobe Premiere Pro, Adobe Experience Manager, Adobe Commerce, Adobe Media Encoder, and Adobe Audition. 63 of these vulnerabilities are rated critical. Successful exploitation of these vulnerabilities may lead to privilege escalation, Security feature bypass, arbitrary file system read, application denial-of-service, and arbitrary code execution.

Zero-day Vulnerabilities Patched in July Patch Tuesday Edition 

CVE-2026-50661: Windows BitLocker Security Feature Bypass Vulnerability

A protection mechanism failure in Windows BitLocker may allow an unauthenticated attacker to bypass a security feature with a physical attack. A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device to gain access to encrypted data. 

CVE-2026-56155: Active Directory Federation Services Elevation of Privilege Vulnerability 

Insufficient granularity of access control in Active Directory Federation Services (AD FS) could allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain administrator privileges.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging users to patch it before July 28, 2026.

CVE-2026-56164: Microsoft SharePoint Server Elevation of Privilege Vulnerability 

Missing authentication for a critical function in Microsoft Office SharePoint could allow an unauthenticated attacker to elevate privileges over a network. 

Microsoft mentioned in the advisory that enabling the Antimalware Scan Interface (AMSI) on the server and setting the Request Body Scan mode to Full can help mitigate this flaw.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging users to patch it before July 17, 2026.

Critical Severity Vulnerabilities Patched in July Patch Tuesday Edition

CVE-2026-48561: Microsoft Copilot for Android (Edge) Remote Code Execution Vulnerability 

A command injection flaw in Microsoft Copilot may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-55944: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability 

Deserialization of untrusted data in Microsoft Dynamics NAV may allow an unauthenticated attacker to execute code over a network. An attacker could exploit the vulnerability by sending a specially crafted login request to an affected Dynamics NAV or Business Central server. 

CVE-2026-55045: Microsoft Office Remote Code Execution Vulnerability 

An out-of-bounds read flaw in Microsoft Office allows an unauthenticated attacker to execute code locally. 

CVE-2026-42982: Windows Secure Kernel Mode Elevation of Privilege Vulnerability 

Improper validation of input consistency in Windows Secure Kernel Mode may allow an authenticated attacker to elevate privileges locally. 

CVE-2026-56188: Windows Server Network driver Remote Code Execution Vulnerability 

A race condition flaw in the Windows Server Network driver may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-49164: Windows Active Directory Domain Services Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Active Directory Domain Services may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-54992: Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Windows Message Queuing Queue Manager may allow an unauthenticated attacker to execute code locally. 

CVE-2026-54982: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability 

An integer underflow flaw in the Reliable Multicast Transport Driver (RMCAST) may allow an unauthenticated attacker to execute code over an adjacent network. 

CVE-2026-54999: Windows TCP/IP Remote Code Execution Vulnerability 

 A race condition flaw in Windows TCP/IP may allow an unauthenticated attacker to execute code over an adjacent network. 

CVE-2026-54995: Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability 

 A use-after-free in the Reliable Multicast Transport Driver (RMCAST) may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-55008: Microsoft Exchange Server Spoofing Vulnerability 

A cross-site scripting flaw in Microsoft Exchange Server may allow an unauthenticated attacker to perform network spoofing. 

CVE-2026-55011: Microsoft Defender Remote Code Execution Vulnerability 

An integer underflow flaw in Microsoft Defender may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55012: Microsoft Defender Remote Code Execution Vulnerability 

An integer overflow flaw in Microsoft Defender may allow an unauthenticated attacker to execute code locally. 

CVE-2026-54117 & CVE-2026-54118: Microsoft SQL Server Remote Code Execution Vulnerability 

A deserialization of untrusted data flaw in SQL Server may allow an authenticated attacker to execute code over a network. 

CVE-2026-50694: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability 

A use-after-free flaw in Windows Secure Socket Tunneling Protocol may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-54127: Windows Hyper-V Elevation of Privilege Vulnerability 

A use-after-free flaw in Windows Hyper-V may allow an unauthenticated attacker to elevate privileges locally. 

CVE-2026-58644 & CVE-2026-50522: Microsoft SharePoint Remote Code Execution Vulnerability 

A deserialization-of-untrusted-data flaw in Microsoft Office SharePoint may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-58608: Windows Print Spooler Remote Code Execution Vulnerability 

A race condition flaw in Windows Print Spooler Components may allow an authenticated attacker to execute code over a network. 

CVE-2026-56159CVE-2026-50370CVE-2026-48564, & CVE-2026-50518: DHCP Server Service Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Windows DHCP Server may allow an authenticated attacker to execute code over a network. 

CVE-2026-49796 & CVE-2026-50380: Windows GDI+ Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Windows GDI+ may allow an unauthenticated attacker to execute code locally. 

CVE-2026-50392: Windows Secure Kernel Mode Elevation of Privilege Vulnerability 

A use-after-free flaw in Windows Secure Kernel Mode may allow an authenticated attacker to elevate privileges locally.  

CVE-2026-50382: DirectX Graphics Kernel Remote Code Execution Vulnerability 

An untrusted pointer dereference flaw in Windows DirectX may allow an authenticated attacker to execute code locally. 

CVE-2026-50474: Windows Remote Desktop Client Elevation of Privilege Vulnerability 

A use-after-free flaw in the Remote Desktop Client may allow an unauthenticated attacker to elevate privileges over a network. 

CVE-2026-50444: Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability 

Missing authentication for a critical function in Windows Server Update Service may allow an authenticated attacker to elevate privileges over a network. 

CVE-2026-50327CVE-2026-50655 & CVE-2026-58542: Windows Media Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Windows Media may allow an unauthenticated attacker to execute code locally. 

CVE-2026-50680: Windows Hyper-V Elevation of Privilege Vulnerability 

A heap-based buffer overflow flaw in Windows Hyper-V may allow an authenticated attacker to elevate privileges locally. 

CVE-2026-54121: Active Directory Certificate Services Elevation of Privilege Vulnerability 

An improper authorization flaw in Active Directory Certificate Services (AD CS) may allow an authenticated attacker to gain administrative privileges. 

CVE-2026-54128: Windows DHCP Client Remote Code Execution Vulnerability 

A use-after-free flaw in Windows DHCP Client may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55010: Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Minecraft Bedrock Dedicated Server may allow an unauthenticated attacker to execute code over a network. 

CVE-2026-50314CVE-2026-50467, & CVE-2026-55018: Microsoft Office Remote Code Execution Vulnerability 

A use-after-free flaw in Microsoft Office may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55022: Microsoft Office Remote Code Execution Vulnerability 

A type confusion flaw in Microsoft Office may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55049CVE-2026-55129CVE-2026-55140, & CVE-2026-55056: Microsoft Office Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Microsoft Office may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55033: Microsoft Word Remote Code Execution Vulnerability 

An integer overflow or wraparound flaw in Microsoft Office Word may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55127: Microsoft Word Remote Code Execution Vulnerability 

A heap-based buffer overflow in Microsoft Office Word may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55132: Microsoft Word Remote Code Execution Vulnerability 

A double-free flaw in Microsoft Office Word may allow an unauthenticated attacker to execute code locally. 

CVE-2026-55040: Microsoft SharePoint Server Security Feature Bypass Vulnerability 

A weak authentication in Microsoft Office SharePoint may allow an unauthenticated attacker to bypass a security feature over a network. 

CVE-2026-55043CVE-2026-55123, & CVE-2026-55120: Microsoft PowerPoint Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Microsoft Office PowerPoint may allow an unauthenticated attacker to execute code locally. 

CVE-2026-56189CVE-2026-57090CVE-2026-57094, & CVE-2026-57087: Microsoft Windows Media Foundation Remote Code Execution Vulnerability 

A heap-based buffer overflow flaw in Microsoft Windows Media Foundation may allow an unauthenticated attacker to execute code locally. 

CVE-2026-57092: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability 

A use-after-free in Windows VMSwitch may allow an authenticated attacker to elevate privileges over a network.

Other Microsoft Vulnerability Highlights

  • CVE-2026-49170 is an elevation of privilege vulnerability in the Windows StateRepository API Server file. Upon successful exploitation, this vulnerability could allow an attacker to gain SYSTEM privileges. 
  • CVE-2026-54986 is an elevation of privilege vulnerability in the Windows Win32k. An attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-54114 is an elevation of privilege vulnerability in the Windows Win32k. A use-after-free vulnerability could allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-58631 is a remote code execution vulnerability in Windows Admin Center (WAC). An improper authorization flaw may allow an authenticated attacker to execute code locally. 
  • CVE-2026-49795, CVE-2026-50436, and CVE-2026-50688 are elevation of privilege vulnerabilities in the Windows Kernel. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-49798 is an elevation of privilege vulnerability in the Windows Kernel. An unauthenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-49805 is an elevation of privilege vulnerability in Win32k. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50351 is an elevation of privilege vulnerability in the Windows Audio Compression Manager (ACM). An improper access control flaw may allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-50297 & CVE-2026-50325 are elevation of privilege vulnerabilities in win32k. An improper access control could allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-50332 is an elevation of privilege vulnerability in the Windows Kernel. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges.
  • CVE-2026-50329 is an elevation of privilege vulnerability in the Microsoft DWM Core Library. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50343 is an elevation of privilege vulnerability in the Microsoft Install Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50390 is an elevation of privilege vulnerability in the Windows Kernel. A type confusion flaw may allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-50375 is an elevation of privilege vulnerability in the DirectX Graphics Kernel. A heap-based buffer overflow flaw may allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-50433 is an elevation of privilege vulnerability in Windows Media. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50423 is an elevation of privilege vulnerability in the Windows Kernel. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50387 is an elevation of privilege vulnerability in the Windows GDI. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50454 is an elevation of privilege vulnerability in the Windows User Interface Core. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50475 is an information disclosure vulnerability in the Windows Kernel. A buffer over-read flaw may allow an authenticated attacker to disclose information locally. 
  • CVE-2026-50476 is an elevation of privilege vulnerability in the Windows Network Connections Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50489 is an elevation of privilege vulnerability in the Win32k. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50509 is an elevation of privilege vulnerability in the Wireless Wide Area Network Service (WwanSvc). An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-50667 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-57091 is an elevation of privilege vulnerability in the Windows File History Service. An authenticated attacker may exploit the vulnerability to gain SYSTEM privileges. 
  • CVE-2026-58531 is an elevation of privilege vulnerability in the Windows SMB. A race condition flaw in Windows SMB could allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-58536 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. A use-after-free flaw may allow an authenticated attacker to elevate privileges locally. 
  • CVE-2026-58596 is an elevation of privilege vulnerability in Microsoft Edge (Chromium-based). Successful exploitation of the vulnerability may allow an unauthenticated attacker to elevate privileges locally. 

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, .NET, .NET Core, .NET Framework, Active Directory Certificate Services (AD CS), Active Directory Domain Services, Active Directory Federation Services (AD FS), Age of Empires II: Definitive Edition Game, ASP.NET Core, Azure Active Directory, Azure CycleCloud, Azure Monitor Agent, Azure Spring Apps, Code Integrity DLL (ci.dll), Composite Image File System Driver, Content Delivery Manager, Desktop Window Manager, Extensible Storage Engine (ESENT), Github Copilot, GitHub Copilot and Visual Studio, GitHub Copilot and Visual Studio Code, HTTP/2, Microsoft 365 Copilot for iOS, Microsoft Bing App for IOS, Microsoft Copilot, Microsoft Defender, Microsoft Defender for Endpoint, Microsoft Dynamics NAV, Microsoft Exchange Server, Microsoft Fabric Data Warehouse, Microsoft Graphics Component, Microsoft Input Method Editor (IME), Microsoft Install Service, Microsoft NAT Helper Components (ipnathlp.dll), Microsoft Office, Microsoft Office Excel, Microsoft Office OneNote, Microsoft Office PowerPoint, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Printer Drivers, Microsoft Surface, Microsoft Windows, Microsoft Windows App Store, Microsoft Windows Codecs Library, Microsoft Windows Media Foundation, Microsoft Windows Search Component, Microsoft Windows Speech, Microsoft XML, Microsoft XML Core Services, Minecraft Bedrock Dedicated Server, Outlook Copilot, Power BI, Quality Windows Audio/Video Experience (QWAVE) service, Reliable Multicast Transport Driver (RMCAST), Remote Desktop Client, Role: DNS Server, RPC Runtime, SQL Server, SQL Server ODBC driver, Universal Plug and Play (upnp.dll), Virtual Hard Disk (VHD) Miniport Driver, Visual Studio, Visual Studio Code, Window PC Manager, Windows Active Directory, Windows Admin Center, Windows Ancillary Function Driver for WinSock, Windows App Installer, Windows Application Model, Windows AppX Deployment Service, Windows Audio Compression Manager (ACM), Windows Audio Service, Windows Backup Engine, Windows BitLocker, Windows Bluetooth Port Driver, Windows Bluetooth Service, Windows Boot Loader, Windows Brokering File System, Windows Client-Side Caching (CSC) Service, Windows Clip Service, Windows Clipboard Server, Windows Clipboard User Service, Windows Cloud Files Mini Filter Driver, Windows Common Log File System Driver, Windows Connected User Experiences and Telemetry, Windows Container Isolation FS Filter Driver (unionfs.sys), Windows CryptoAPI, Windows Cryptographic Services, Windows Data.dll, Windows Devices Human Interface, Windows DHCP Client, Windows DHCP Server, Windows DirectX, Windows DNS, Windows Domain Controller, Windows DWM, Windows DWM Core Library, Windows Event Logging Service, Windows File Explorer, Windows File History Service, Windows Filtering Platform (WFP), Windows FTP Service, Windows GDI, Windows GDI+, Windows Graphics Kernel, Windows Group Policy, Windows HTTP.sys, Windows Hyper-V, Windows Image Acquisition, Windows Installer, Windows Internal System User Profile, Windows Internal Task Bar, Windows Internet Key Exchange (IKE) Protocol, Windows Kernel, Windows Kernel Mode Driver, Windows Kernel-Mode Drivers, Windows Key Guard, Windows Local Security Authority Subsystem Service (LSASS), Windows LUAFV, Windows Management Services, Windows Media, Windows Message Queuing, Windows Message Queuing Queue Manager, Windows MIDI Service Module, Windows Narrator Braille, Windows Netlogon, Windows Network Address Translation (NAT), Windows Network File System, Windows Network Policy Server SNMP, Windows Notification, Windows NTFS, Windows OLE, Windows Operating Systems, Windows Overlay Filter, Windows PowerShell, Windows Print Spooler Components, Windows Projected File System, Windows Push Notifications, Windows Quality of Service (QoS) Packet Scheduler, Windows RDP, Windows Redirected Drive Buffering, Windows Remote Access Connection Manager, Windows Remote Access Service Infrastructure, Windows Remote Desktop Protocol, Windows Remote Desktop Services, Windows Remote Help Defense, Windows Resilient File System (ReFS), Windows Routing and Remote Access Service (RRAS), Windows RPC API, Windows Runtime, Windows Schannel, Windows Secure Boot, Windows Secure Kernel Mode, Windows Secure Socket Tunneling Protocol (SSTP), Windows Sensor Data Service, Windows Server, Windows Server Backup, Windows Server Network driver, Windows Server Update Service, Windows SMB, Windows SMB Server, Windows SMB Server Network Transport Driver (srvnet.sys), Windows Spaceport.sys, Windows StateRepository API, Windows Storage, Windows Storage Spaces Direct, Windows Subsystem for Linux, Windows System, Windows TCP/IP, Windows Telephony Service, Windows Terminal, Windows Trusted Runtime Interface Driver, Windows Unified Consent System, Windows Universal Disk Format File System Driver (UDFS), Windows USB Audio Class driver (usbaudio.sys), Windows USB Driver, Windows USB Hub Driver, Windows USB Print Driver, Windows USB Video Driver, Windows User Interface Core, Windows Virtual Filtering Platform (VFP), Windows VMSwitch, Windows WalletService, Windows Web Proxy Auto-Discovery Protocol (WPAD), Windows WebView, Windows Win32K, Windows Win32K – GRFX, Windows Wireless Networking, and Windows Wireless Wide Area Network Service. 

The next Patch Tuesday is scheduled for August 11, and we will provide details and patch analysis then. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.’ 

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management, Detection & Response (VMDR), and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those highlighted in this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.


Join the webinar

This Month in Vulnerabilities & Patches



Source link