Microsoft's biggest Patch Tuesday ever: 570 flaws fixed, three zero-days, and an AI bug-hunter behind the surge
India's Supreme Court imposed Rs 3 lakh costs on Samay Raina, Ranveer Allahbadia and Ashish Chanchlani after finding non-compliance with directions in a disability-related case.
Commentary & Analysis ·

Verified key facts
- Microsoft's July 2026 Patch Tuesday, released on 14 July, is its largest ever, with roughly 570 vulnerabilities fixed.
- Tenable counted 569 CVEs: 56 rated critical, 510 important and 3 moderate.
- Two zero-days were already being exploited: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server.
- A third zero-day, CVE-2026-50661, is a publicly disclosed BitLocker bypass requiring physical access.
- Microsoft attributed part of the record volume to an AI-powered vulnerability-discovery system scanning its Windows codebase.
The largest security update Microsoft has ever shipped
Microsoft released its July 2026 Patch Tuesday updates on 14 July, and the scale broke every previous record. BleepingComputer reported fixes for a massive 570 flaws, including three zero-days. Krebs on Security put the same headline number at a record 570 patched vulnerabilities.
Counts vary slightly by methodology. Tenable's analysis listed 569 CVEs, with 56 rated critical, 510 important and 3 moderate. Security Affairs, which also tracks third-party advisories bundled into the cycle, counted 621 CVEs across the month. Either way, this is the heaviest single patching event in Windows history.
For perspective, Microsoft's monthly updates have typically ranged between 100 and 200 fixes in recent years. July nearly triples the usual load in one cycle. Qualys' review notes the release spans Windows, Office, Azure, SQL Server and developer tools, with Adobe shipping parallel updates the same day. Administrators face a quarter's workload in a week.
Three zero-days, two already under attack
The most urgent items are two vulnerabilities that attackers were exploiting before fixes existed. CVE-2026-56155 affects Active Directory Federation Services. According to Tenable, it lets an authorised attacker escalate to administrative privileges because of insufficiently granular access control.
The second, CVE-2026-56164, is an elevation-of-privilege flaw in SharePoint Server, BleepingComputer reported. SharePoint remains a favourite target for state-linked groups after the mass exploitation waves of recent years. Identity infrastructure and document servers sit at the centre of most corporate networks, which is exactly why attackers keep returning to them.
The third zero-day, CVE-2026-50661, was publicly disclosed but not confirmed as exploited. It allows an attacker with physical access to bypass BitLocker device encryption and read data from the drive. Stolen and resold laptops are the realistic risk scenario here.
Why so many bugs at once? Microsoft's AI is finding them
The record volume is not only bad news. Microsoft attributed the surge partly to an AI-powered vulnerability-discovery system it recently deployed to scan the Windows codebase, according to reporting on the release by cybersecurity outlets. The company is effectively racing criminals to its own flaws.
That cuts both ways. Defenders get fixes for bugs that might have lurked for years. But every Patch Tuesday disclosure also hands attackers a map. Exploit developers routinely reverse-engineer patches within days, so unpatched systems become more exposed after the release, not less.
Security researchers see a structural shift underway. If one vendor's AI can surface hundreds of latent flaws in a month, every large codebase on earth holds similar backlogs. Rival software makers will face pressure to run equivalent discovery programmes. The disclosure pipeline, from CVE assignment to patch validation, was never designed for this volume.
The India angle: a stretched week for IT teams
Indian enterprises run some of the world's largest Windows estates across IT services, banking and government. CERT-In has been issuing warnings through 2026 about AI-accelerated cyber threats and Microsoft product vulnerabilities, Dataquest India reported. A 570-flaw cycle lands directly on that warning.
The two exploited zero-days deserve first attention in India. AD FS is still widely deployed in banks and public-sector organisations that have not fully moved to cloud identity. On-premises SharePoint remains common in government departments. Patch-management teams should treat both as emergency changes rather than routine monthly work.
There is a business dimension too. Indian IT services and managed-security providers patch Windows fleets for thousands of global clients under strict service-level agreements. A 570-flaw month means triage at industrial scale. Firms that automated patch testing early will absorb this cycle smoothly; manual operations will be choosing which risks to accept.
What users and administrators should do now
For home users, the action is simple: let Windows Update run and restart the machine. Businesses have a harder sequencing problem. Qualys' review of the July cycle recommends prioritising the exploited zero-days and the critical remote-code-execution flaws before the long tail of important-rated fixes.
Small Indian businesses face particular exposure. Unlicensed or end-of-life Windows installations, still common in smaller firms, receive none of these fixes. With exploit code likely to circulate within weeks, machines outside the update pipeline become soft targets for ransomware crews that specifically hunt unpatched systems.
- Patch AD FS servers and SharePoint Server first; both zero-days are under active exploitation.
- Enable BitLocker pre-boot authentication where laptops carry sensitive data.
- Test and roll out the critical RCE fixes for Windows components within days, not weeks.
- Watch CERT-In advisories for India-specific exploitation reports.
What happens next
Expect proof-of-concept exploits for the headline CVEs to appear within one to two weeks, based on the pattern of previous cycles. Security researchers will also test whether AI-assisted bug discovery keeps monthly volumes at this level. If it does, 500-plus CVE months could become normal.
That would change patching economics everywhere, and especially in India's services industry, which manages Windows fleets for global clients. Automated patch validation and AI-assisted triage are about to shift from optional tooling to survival equipment. July 2026 may be remembered as the month that made this obvious.
Sources
- BleepingComputer - Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days (14 July 2026)
- Tenable - Microsoft's July 2026 Patch Tuesday addresses 569 CVEs including CVE-2026-56155 and CVE-2026-56164 (14 July 2026)
- Krebs on Security - Microsoft patches a record 570 security flaws (July 2026)
- Qualys - Microsoft and Adobe Patch Tuesday, July 2026 security update review (14 July 2026)
You may also like to read

Gemini 3.5 Pro Launch: Google Targets July 17 After Full Rebuild
Reports say Google will launch Gemini 3.5 Pro on 17 July after rebuilding its base model, with a rumoured 2-million-token context. Google has confirmed nothing yet.

Samsung Unpacked July 22: Galaxy Z Fold 8 Ultra, Flip 8 Expected
Samsung has set Galaxy Unpacked for 22 July in London, with the Z Fold 8, a new Fold 8 Ultra and Flip 8 expected. Leaks point to a 200MP camera and $2,099 pricing.

Microsoft unveils seven in-house MAI models at Build 2026, loosening its grip on OpenAI
With a reasoning model, a coding flash variant and image generators trained on its own licensed data, Microsoft is signalling it wants to build at the frontier rather than rent it.

NASA names its Artemis III crew, with a record-holding astronaut among the four
Commander Randy Bresnik will lead a four-person crew on a two-week orbital flight to test the technology that will eventually put astronauts back on the Moon.