Skip to content

Patch Tuesday July 2026

Brock
Brock Bingham|July 14, 2026
Patch Tuesday
Patch Tuesday

Welcome back for another Patch Tuesday recap where I dish you the deets of the latest Microsoft drop. 

Today I was going to keep it light by talking about how it's National Mac & Cheese Day, but Microsoft decided it was officially time to open the floodgates and drop the mother of all releases (so far) on us. 

That's right, today, July 14th, in the Year of Our Lord 2026, Microsoft released 570 CVEs. That number goes even higher depending on the products and services you're tracking. To put that into perspective, we've already surpassed the total number of CVEs released last year, and it's only July. In fact, there were more CVEs released today than in any given year up until 2017. 

Let’s break down some of the madness. 

Severity 

  • Total exploits patched: 570 

  • Critical patches: 57 

  • Important: 510 

  • Moderate: 3 

  • Low: 0 

Vulnerability impact 

  • Remote code execution: 144 

  • Elevation of privilege: 249 

  • Information disclosure: 101 

  • Spoofing: 16 

  • Tampering: 8 

  • Denial of service: 35 

  • Feature bypass: 17 

Availability 

  • Publicly disclosed: 1 

  • Actively exploited: 2 

Some highlights (or lowlights) 

  • CVE-2026-57092: The month's highest-rated CVE at 9.9 targets VMSwitch, the virtual network switch inside Hyper-V. It's a use-after-free that lets a low-privileged attacker escalate to full host compromise across a VM boundary. If that sounds bad, it’s only because it is. If you’re a Hyper-V shop, definitely look into this one. 

  • CVE-2026-58644: SharePoint takes a big hit this month with 17 CVEs. The headliners are two Critical 9.8 RCEs that require no authentication or user interaction — one of which was demonstrated live at Pwn2Own Berlin, yet Microsoft still lists exploit maturity as "Unknown." There's also an actively exploited EoP (CVE-2026-56164) that, despite a 5.3 CVSS score, is reachable over the network with no authentication required, so don’t let the scores lull you into a false sense of security. 

  • CVE-2026-50518 & CVE-2026-56159: Nine DHCP CVEs this month, but these two server-side RCEs are the ones to prioritize. Both are unauthenticated heap-based buffer overflows rated 9.8, reachable over the network with no user interaction. Keep in mind that DHCP servers frequently run on domain controllers, and an unauthenticated RCE on a domain controller is a very bad day. 

Wrapping up

Now it’s time to speculate whether patchegedon is the new normal in our AI-powered world or if this was a one-time release to fix a bunch of dormant exploits. Hopefully, this type of release just means more secure systems and safer environments. 

If you can postpone your patch deployments a couple of days, my recommendation would be to keep an eye on tech news sources and Reddit to see if any of these patches come bundled with some unintended “features.” This many fixes are bound to introduce a bug or two. 

That wraps up this Patch Tuesday recap. Time to go cry myself to sleep while eating a serving-sized bowl of mac and cheese. 

Brock
Brock Bingham

Brock Bingham is a systems administrator with 15 years of experience managing endpoints and servers, with a strong focus on automation, patching, security, and maintaining stable environments at scale. After years of hands-on IT work, he now creates content and teaches, helping other admins learn through practical, real-world guidance.

Related articles