On July 14, 2026, Microsoft shipped the largest security update in the history of Patch Tuesday: fixes for 570 vulnerabilities, including three zero-days — two of which attackers were already exploiting before a patch existed. (A "zero-day" is a flaw that is being attacked, or is publicly known, before the vendor has a fix ready.) Counts vary by how you tally them: Microsoft's own headline is 570 flaws, security firm Tenable logged 569 CVEs, and broader roundups that fold in re-published third-party bugs put the total closer to 620. However you count, it roughly tripled June's total — which was itself a record.

The number matters less than the trend behind it. Microsoft attributes the surge, in part, to a new AI-powered system that scans its own Windows codebase for flaws faster than any human team could. This is not a one-month spike. It is the shape of the next several years of software security, and it lands directly on the patching processes most small and mid-sized businesses have quietly deferred.

This post covers three things: how a "big" Patch Tuesday went from 100-odd fixes to 570 in eighteen months, what that means for your business and for Microsoft, and what actually needs to change — at Microsoft, across other vendors, and inside your own IT operation.

What Was in the July 2026 Patch Tuesday?

Microsoft's July 2026 update fixed a record 570 vulnerabilities, of which 59 were rated Critical. Three were zero-days, and two of those three were being actively exploited in real-world attacks at the time the patch shipped. The Critical bucket was dominated by remote code execution — the most dangerous class, where an attacker runs their own software on your machine.

The severity breakdown reported across vendor advisories:

  • 570 total vulnerabilities (Microsoft's count; Tenable logged 569 CVEs; wider roundups reach ~620 once re-published third-party CVEs are included).
  • 59 rated Critical — of which 48 were remote code execution, 9 elevation of privilege, 1 security feature bypass, and 1 spoofing.
  • Three zero-days, two under active exploitation, one publicly disclosed but not yet seen in attacks.
  • This shipped alongside the start of Microsoft's Kerberos enforcement phase — a separate hardening change that can break authentication in some environments if it is not tested first.

The three zero-days that need attention first

Volume is the story, but a 570-item patch list still has to be triaged. These three are where a business should start:

  • CVE-2026-56155 — Active Directory Federation Services (AD FS) elevation of privilege. Actively exploited. AD FS is the component many organizations use to sign employees into Microsoft 365 and other cloud apps. A successful exploit lets an already-authenticated attacker escalate to administrator, which in an identity system is close to game over.
  • CVE-2026-56164 — Microsoft SharePoint Server elevation of privilege. Actively exploited. A missing authentication check lets an unauthenticated attacker elevate privileges over the network. SharePoint has been a repeat target through 2025 and 2026; on-premises SharePoint servers should be patched immediately.
  • CVE-2026-50661 — Windows BitLocker security feature bypass. Publicly disclosed, not yet known to be exploited. It requires physical access to the device to reach encrypted data — the same broad category as the YellowKey BitLocker bypass we covered in May, and another reminder that "the disk is encrypted" is not the end of a lost-laptop conversation.

The two AD FS and SharePoint bugs are both identity and access flaws in server software an SMB is likely to run on-premises or through a managed provider. They are the ones to raise with your IT lead or MSP this week.

How Did We Get to a 570-Flaw Patch Tuesday?

For most of Patch Tuesday's 20-year history, a "big" month was 100 to 150 fixes, and the single-month record stood at 175 as recently as October 2025. Through 2026 that ceiling shattered: June set a new record at 206, Microsoft passed 500 patched vulnerabilities in the first five months of the year, and the company is now on track to break the all-time annual record of 1,245 CVEs set in 2020. The single biggest driver is that AI can now read source code and find real, exploitable bugs at a scale and speed no human security team can match.

Microsoft has been explicit that AI-assisted discovery is behind the surge. Its internal system — a multi-model "agentic scanning harness" called MDASH, expanded across Windows, Azure, and identity platforms in 2026 — pairs AI models that hunt for flaws with a validation step where multiple models debate each candidate, so that, in Microsoft's words, only the highest-confidence findings reach the engineering team. MDASH scored 96.5% on CyberGym, a public benchmark for AI vulnerability discovery, and Microsoft says it has surfaced real flaws across core Windows components including Hyper-V, the kernel, the DNS and DHCP clients, HTTP.sys, and Active Directory. Turned loose on a live codebase, automated fuzzing, static analysis, and "variant hunting" (finding every cousin of a bug once one is found) now surface flaws faster than engineering teams can write and ship the fixes.

This is the same dynamic we have been tracking all year from the other direction. When Mozilla shipped 423 Firefox fixes in a single month — 271 of them found by an AI model, and when a frontier model found 500+ unknown vulnerabilities in open-source software, the lesson was the same: the cost of finding a serious bug has collapsed. Microsoft's 570 is that collapse arriving at the world's most widely deployed software.

There is a genuinely positive read here. Most of these 570 flaws were found by Microsoft, for Microsoft, and fixed before anyone weaponized them. AI defenders got there first on the large majority of the list. The catch is the other side of the same coin: the capability that let Microsoft find 570 bugs will, sooner or later, be in the hands of people who want to use them — and the bottleneck shifts from finding bugs to installing the fixes.

What Does This Mean for Businesses?

For most SMBs in Canada and the US, a 570-flaw Patch Tuesday does not change what you should do — it changes the speed at which you have to do it. The frameworks you may already work against — the CCCS Baseline Cyber Security Controls, NIST SP 800-171, CIS Controls, the FTC Safeguards Rule — all require timely patching and vulnerability management. They were written for a world of 100-fix months. The policy is fine; the execution cadence is what breaks.

Three practical pressures land on business owners:

  • Triage is now a real job. No SMB can meaningfully review 570 items. The skill that matters is separating the handful that are exploited or internet-facing (this month: AD FS and SharePoint) from the long tail that can wait for the normal cycle. If nobody in your organization does that separation, you are either patching blindly or not at all.
  • The patch window is shrinking to days. As we noted when we looked at how the gap between disclosure and exploitation collapsed to hours, "we patch monthly" is no longer a defensible posture for actively exploited server flaws. A 30-day patch SLA quietly became a liability.
  • Change management can bite you. Bigger updates carry more risk of breaking something — and this month's Kerberos enforcement change is a concrete example. The answer is not to skip patching; it is to have a tested rollout process so you are not choosing between "unpatched" and "broke the domain."

Questions worth putting to your IT lead or managed-services provider this week:

  • Do we run AD FS or on-premises SharePoint? If yes, are CVE-2026-56155 and CVE-2026-56164 already patched? These are the actively exploited ones.
  • What is our patch SLA for actively exploited flaws — in days? If the answer is "monthly" or "the MSP handles it," ask to see the measured reality, not the policy.
  • Who triages Patch Tuesday for us? Someone has to decide what is urgent when the list is 570 long.
  • Did the Kerberos enforcement change get tested before it rolled out? This is the kind of update that breaks logins if it is applied blind.

What Does This Mean for Microsoft — and for Other Vendors?

For Microsoft, the record patch is a reputational double-edged sword: it is simultaneously evidence that its own AI is working as a defensive tool and a signal that its products contain far more latent flaws than anyone previously measured. Microsoft has told customers to expect larger monthly updates and more frequent out-of-band (off-schedule, urgent) patches going forward. In other words, 570 is the new normal, not a bad month.

The rest of the industry is already restructuring around the same reality, which is the clearest sign this is a permanent shift rather than a Microsoft story:

  • Adobe moved from monthly to twice-monthly security bulletins (the 2nd and 4th Tuesday of each month), citing AI-accelerated discovery compressing the window between a bug becoming known and being exploited.
  • Cisco shifted to a risk-based, twice-monthly disclosure model, consolidating related bugs into "umbrella" advisories and deprioritizing individual low-risk write-ups so defenders can focus on what matters.
  • Google stayed on a roughly weekly cadence but is resolving record CVE counts — on the order of 900+ across its releases in a single recent month.
  • Mozilla has been shipping at a near-weekly pace since April 2026, after its AI-assisted Firefox discovery pipeline came online.

The through-line: the whole industry is being forced from a predictable monthly rhythm toward continuous, risk-prioritized patching. For a business, that means the "patch once a month on the weekend" model is being retired by your vendors whether or not your internal process is ready for it.

What Needs to Be Done to Fix This?

There is no single fix, because the problem is structural: AI has permanently lowered the cost of finding bugs, so both the discovery of flaws and the frequency of patches will keep rising. The realistic goal is not fewer vulnerabilities — it is closing the gap between when a fix ships and when it is installed. That work splits across vendors, the industry, and your own operation.

What vendors and the industry need to do

  • Prioritize ruthlessly and say so. A 570-item list is unusable without clear "exploited / critical / routine" labels. Cisco's umbrella-advisory model and Microsoft's exploitability ratings are steps in the right direction; every vendor needs them.
  • Build AI discovery into development, not just release. Catching flaws before code ships — rather than patching after — is the only way the fix rate keeps pace with the discovery rate over the long run.
  • Rethink disclosure timelines. The traditional 90-day responsible-disclosure window may not survive AI-scale discovery. Expect shorter windows and more fixes shipped before technical details are published.
  • Make patches safer to apply. Faster patching only works if updates rarely break things. Staged rollouts, clear rollback paths, and honest testing guidance (as the Kerberos enforcement change demands) are now part of the security job, not separate from it.

What your business needs to do

  1. Patch the exploited flaws now. If you run AD FS or on-premises SharePoint, apply CVE-2026-56155 and CVE-2026-56164 on a days-not-weeks timeline. Treat any actively exploited zero-day the way you would treat a browser or OS zero-day.
  2. Set a risk-based patch SLA — in writing. For example: actively exploited flaws within 72 hours, other Critical items within 7 days, everything else on the normal cycle. Then measure against it. Our patch-management explainer and our note on managing software updates cover the shape of that discipline.
  3. Turn on automatic updates everywhere it is safe. For endpoints and browsers, the fastest patch is the one that installs itself. Reserve manual change control for servers and identity systems where a bad update can cause an outage.
  4. Build a lightweight triage step. Someone — internal or your MSP — should scan each Patch Tuesday for "does this touch something we run, and is it being exploited?" That is the entire job most months.
  5. Test the disruptive changes first. The Kerberos enforcement phase is this month's example. Pilot changes like this on a small group before a fleet-wide rollout.
  6. Invest in detection, not just patching. When you cannot patch instantly, endpoint detection and response (EDR) and managed detection narrow the window between a flaw going public and your environment being safe. Pair this with an incident response plan built before something happens.
  7. Get a baseline read on where you stand. If you are not sure whether your patching, MFA, and backup posture can keep pace with this cadence, our free quick security assessment — 20 questions, about five minutes — is a practical place to start.

The Durable Lesson

The 570 number will be broken, probably within a few months. Fixating on the headline misses the point. The durable shift is that AI has made finding software flaws cheap and fast — for defenders first, for attackers eventually — and that has moved the entire industry from occasional, predictable patching to a continuous, risk-prioritized grind. Microsoft finding and fixing 570 flaws in a month is, on balance, good news; the danger is the business that is still patching on last decade's calendar when the exploited zero-day lands.

The organizations that come through this era calmly will be the ones that treat patching, identity, and detection as one connected system that runs in days — not three separate chores that happen monthly if there's time. The record patch is not the emergency. Being unable to keep up with the next one is.


This article is intended for general informational purposes only and does not constitute professional security, legal, or compliance advice. Details about Microsoft's July 2026 Patch Tuesday, the CVEs referenced, and other vendors' disclosure schedules are based on public reporting and vendor disclosures as of the date of publication and may evolve as investigations continue. Organizations should consult qualified cybersecurity professionals before acting on any specific indicator of compromise or making operational changes based on this article.