- Microsoft’s July 2026 Patch Tuesday fixed a record 622 vulnerabilities, including 58 critical ones, two exploited in the wild and one publicly disclosed, in addition to 428 Chromium bugs.
- Actively abused flaws include CVE-2026-56155 (AD FS Privilege Escalation) and CVE-2026-56164 (SharePoint Privilege Escalation), along with notable issues in BitLocker and Copilot.
- The increase in fixes is related to Microsoft’s use of Anthropic’s Mythos AI, with patch volume increasing significantly since its adoption.
Microsoft released its July 2026 Patch Tuesday download, marking another record-breaking update and fixing hundreds of bugs across the ecosystem.
The release, which is currently rolling out to Microsoft users, fixes a staggering 622 vulnerabilities, including 58 of critical severity, two of which were observed to be abused in the wild and one that has already been publicly disclosed.
On top of that, Microsoft also shipped fixes for 428 other Chromium bugs.
A jump in numbers
There are simply too many vulnerabilities to list them all, however, two that are being exploited in the wild are CVE-2026-56155 and CVE-2026-56164. The first is described as an “Insufficient granularity of access control in Active Directory Federation Services (AD FS)” error, which allows an authorized attacker to elevate privileges locally. It has a severity score of 7.8/10 (high).
The latter is a “Missing authentication for critical functions in Microsoft Office SharePoint” error that allows an unauthorized attacker to elevate privileges on a network. Microsoft gave it a medium severity score (5.3/10), but the National Vulnerability Database gave it a score of 9.8/10 (critical).
Other notable mentions include CVE-2026-50661, a flaw in the protection mechanism in Windows BitLocker that allows unauthorized attackers to bypass a security feature with a physical attack, and CVE-2026-48561, an improper neutralization of special elements used in a command in Microsoft Copilot, which allows an unauthorized attacker to execute code over a network.
If you think fixing 622 vulnerabilities in one month is a lot, you’re absolutely right. It’s well above what Microsoft is used to doing, and this is probably because the company now uses the legendary Mythos, Anthropic’s cybersecurity-oriented AI.
In June 2026, about a month and a half after Mythos was released, Microsoft fixed 206 bugs, which raised eyebrows because it was significantly above the company’s usual number of bugs fixed.
In May it solved 120 bugs, in April 167 and in March 79.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




