Welcome back for another Patch Tuesday recap where I dish you the deets of the latest Microsoft drop.
Today I was going to keep it light by talking about how it's National Mac & Cheese Day, but Microsoft decided it was officially time to open the floodgates and drop the mother of all releases (so far) on us.
That's right, today, July 14th, in the Year of Our Lord 2026, Microsoft released 570 CVEs. That number goes even higher depending on the products and services you're tracking. To put that into perspective, we've already surpassed the total number of CVEs released last year, and it's only July. In fact, there were more CVEs released today than in any given year up until 2017.
Let’s break down some of the madness.
Severity
Total exploits patched: 570
Critical patches: 57
Important: 510
Moderate: 3
Low: 0
Vulnerability impact
Remote code execution: 144
Elevation of privilege: 249
Information disclosure: 101
Spoofing: 16
Tampering: 8
Denial of service: 35
Feature bypass: 17
Availability
Publicly disclosed: 1
Actively exploited: 2
Some highlights (or lowlights)
CVE-2026-57092: The month's highest-rated CVE at 9.9 targets VMSwitch, the virtual network switch inside Hyper-V. It's a use-after-free that lets a low-privileged attacker escalate to full host compromise across a VM boundary. If that sounds bad, it’s only because it is. If you’re a Hyper-V shop, definitely look into this one.
CVE-2026-58644: SharePoint takes a big hit this month with 17 CVEs. The headliners are two Critical 9.8 RCEs that require no authentication or user interaction — one of which was demonstrated live at Pwn2Own Berlin, yet Microsoft still lists exploit maturity as "Unknown." There's also an actively exploited EoP (CVE-2026-56164) that, despite a 5.3 CVSS score, is reachable over the network with no authentication required, so don’t let the scores lull you into a false sense of security.
CVE-2026-50518 & CVE-2026-56159: Nine DHCP CVEs this month, but these two server-side RCEs are the ones to prioritize. Both are unauthenticated heap-based buffer overflows rated 9.8, reachable over the network with no user interaction. Keep in mind that DHCP servers frequently run on domain controllers, and an unauthenticated RCE on a domain controller is a very bad day.
Wrapping up
Now it’s time to speculate whether patchegedon is the new normal in our AI-powered world or if this was a one-time release to fix a bunch of dormant exploits. Hopefully, this type of release just means more secure systems and safer environments.
If you can postpone your patch deployments a couple of days, my recommendation would be to keep an eye on tech news sources and Reddit to see if any of these patches come bundled with some unintended “features.” This many fixes are bound to introduce a bug or two.
That wraps up this Patch Tuesday recap. Time to go cry myself to sleep while eating a serving-sized bowl of mac and cheese.




