Patch Tuesday: July 2026 (Expel’s version)

By Matt Jastram

July 14, 2026  •  2 minute read



Placeholder image for Patch Tuesday: July 2026 (Expel’s version)

TL;DR

  • Today’s Microsoft Patch Tuesday release includes 570 CVEs (record breaking), with two zero-days and one publicly disclosed additional zero-day vulnerability
  • There were 143 Remote Code Execution CVEs, and 34% of those have ‘Critical’ impact 
  • We recommend prioritizing patching for the three identified zero-days immediately 

 

It’s mid-summer—the time of year that the heat waves are here and the ice cream consumption is at an all-time high. It’s also prime time for World Cup soccer, which may be a time of joy or anguish depending on who you root for (don’t worry, both can be treated with ice cream). While many IT professionals are burning their vacation hours, Microsoft decided to turn up heat with their CVE volume. Welcome to Patch Tuesday.

CVE ID Affects Affected versions CVSS Description

CVE-2026-56155

Active Directory Federation Services (AD FS)  15 total

Windows 10 (4 versions)

Windows Servers (11 versions)

7.8 Can be exploited for administrator privileges 

CVE-2026-50661

Windows BitLocker 23 total 

Windows 10 (10 versions)

Windows 11 (6 versions)

Windows Servers (7 versions)

6.1 Can bypass security features with physical attack 

CVE-2026-56164

Microsoft SharePoint 3 total 

Windows Servers (2 versions)

Subscription (1 version)

5.3 Missing authentication allows unauthorized privilege elevation 

CVE-2026-55008

Microsoft Exchange Server 4 total

Windows Servers (3 versions)

Subscription (1 version)

9.6 Cross-site scripting allows network spoofing

 

Patch Tuesday: July 14, 2026

Today’s release includes 570 CVEs, including fixes for three zero-day vulnerabilities. Here are the CVEs we think are deserving of your attention first: 

 

That’s it for this month. Questions? Reach out to your Expel representative or contact us here