Microsoft’s July 2026 security release fixes hundreds of vulnerabilities across Windows, Office, SharePoint, Azure, SQL Server, Exchange, Dynamics and other products, including two flaws already exploited in attacks. Released on July 14, the unusually large Patch Tuesday also delivers Windows 11 cumulative updates KB5101650 and KB5099414.
The Microsoft Security Response Center identifies CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server as exploited. A third zero-day, CVE-2026-50661 in BitLocker, was publicly disclosed before Microsoft issued its fix but is not listed as exploited.
Administrators should prioritize internet-facing SharePoint servers and AD FS infrastructure rather than working through the release solely by CVSS score. As detailed by Microsoft and added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, the two exploited bugs affect identity and collaboration systems that can provide valuable access for attackers already inside—or probing the edge of—a network.
CVE-2026-56164 is a SharePoint Server elevation-of-privilege vulnerability caused by missing authentication for a critical function. Microsoft says an unauthorized attacker can exploit it over a network without user interaction, and the company has detected exploitation in the wild.
Microsoft assigns the vulnerability a CVSS score of 5.3 and a Moderate severity rating. That number could place it behind dozens of Critical and Important vulnerabilities in automated patch queues, but the exploitation evidence makes it one of July’s most urgent fixes.
The affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. Microsoft recommends enabling the Antimalware Scan Interface integration and setting SharePoint’s Request Body Scan mode to Full as a mitigation, but installing the relevant SharePoint security update remains the primary response.
CVE-2026-56164 arrives alongside three other serious on-premises SharePoint vulnerabilities. CVE-2026-58644 and CVE-2026-50522 are remote-code-execution bugs carrying CVSS scores of 9.8, while CVE-2026-55040 is a security-feature bypass scored at 9.1.
That combination makes SharePoint a particularly important testing target this month. Organizations should not assume that installing the Windows cumulative update also patches their SharePoint farms; SharePoint Server updates must be identified, deployed and validated through the product’s own servicing process.
CISA has placed CVE-2026-56164 in its Known Exploited Vulnerabilities catalog, reinforcing the need to identify exposed farms quickly. Administrators should also review SharePoint and web-server logs for unexplained requests, newly created accounts, configuration changes and other activity predating installation of the July update.
If the container’s access control list is too permissive, an attacker with access to the DKM material may be able to decrypt those private keys. Compromise of token-signing infrastructure can have consequences beyond a single server because it sits inside the organization’s identity and authentication chain.
Microsoft is introducing the fix as a staged hardening change under KB5121391. After administrators install the July 14 security update, AD FS enters an initial Audit mode rather than silently rewriting permissions.
The AD FS service checks the DKM container’s ACL at startup and then every 24 hours. Event ID 1132 in the AD FS Admin event log indicates that the permissions require attention, but the first phase does not automatically modify them.
For Windows Server 2016 and later, administrators can opt into remediation by setting the
That timetable gives enterprises a testing window, not a reason to defer action. AD FS operators should install the July update, look for Event ID 1132, document service-account dependencies and test the remediation setting before Microsoft moves to enforcement.
Windows Server networking services also account for several Critical entries. CVE-2026-56188 affects a Windows Server network driver, while CVE-2026-50518 and CVE-2026-56159 affect DHCP Server components; each carries a 9.8 score and a remote-code-execution impact.
Other server-side priorities include CVE-2026-49164 in Active Directory Domain Services and CVE-2026-54121 in Active Directory Certificate Services. The release additionally fixes remote-code-execution vulnerabilities in WSUS, Message Queuing, SQL Server, the Print Spooler and Windows TCP/IP-related components.
Administrators should map those CVEs to installed roles before setting deployment order. A domain controller running AD CS, a DHCP server and an internet-accessible SharePoint farm represent different exposure paths, even when scanner dashboards give their vulnerabilities similar numerical scores.
Workstations are not exempt. July includes multiple remote-code-execution vulnerabilities in GDI+, Windows Media Foundation, DirectX Graphics Kernel, Microsoft Word, PowerPoint and the broader Office suite. Many client-side bugs require a user to open or process malicious content, but Office and media-handling flaws remain useful routes for phishing and initial access.
Microsoft Defender also receives fixes for CVE-2026-55011 and CVE-2026-55012, both remote-code-execution vulnerabilities scored at 7.8. Security teams should verify Defender platform and intelligence updates separately from the operating-system deployment rather than assuming one update channel covers every component.
The cumulative updates include the July security fixes and previously released quality improvements. Microsoft also addresses an issue affecting third-party applications that use OLE Automation to interact with Microsoft Office, along with a File Explorer problem that could break the OneDrive shortcut when Explorer was run with administrative privileges.
A compatibility hold reportedly prevents KB5101650 from being offered to a limited number of Dell systems with Intel processors. The cited incompatibility can cause unexpected shutdowns, degraded performance, excessive heat and battery drain, so administrators should check Microsoft’s release-health information and Dell guidance before forcing deployment onto affected hardware.
Published totals for this release vary because security firms count Microsoft CVEs, third-party CVEs and previously documented vulnerabilities differently. BleepingComputer counted 570 Microsoft flaws and 59 Critical vulnerabilities, while other trackers reported totals above 600. The practical response is unchanged: use Microsoft’s Security Update Guide and product-specific KB applicability data as the deployment baseline rather than treating a headline total as an inventory.
For enterprise IT, the first wave should cover exposed SharePoint servers, AD FS systems and critical Windows Server roles, followed by broad Windows and Office deployment after compatibility testing. The October 13 AD FS enforcement milestone also belongs on change calendars now, because July’s audit events are intended to surface permission problems before Microsoft begins correcting them automatically.
The Microsoft Security Response Center identifies CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server as exploited. A third zero-day, CVE-2026-50661 in BitLocker, was publicly disclosed before Microsoft issued its fix but is not listed as exploited.
Administrators should prioritize internet-facing SharePoint servers and AD FS infrastructure rather than working through the release solely by CVSS score. As detailed by Microsoft and added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, the two exploited bugs affect identity and collaboration systems that can provide valuable access for attackers already inside—or probing the edge of—a network.
SharePoint’s Moderate Rating Hides the Immediate Risk
CVE-2026-56164 is a SharePoint Server elevation-of-privilege vulnerability caused by missing authentication for a critical function. Microsoft says an unauthorized attacker can exploit it over a network without user interaction, and the company has detected exploitation in the wild.Microsoft assigns the vulnerability a CVSS score of 5.3 and a Moderate severity rating. That number could place it behind dozens of Critical and Important vulnerabilities in automated patch queues, but the exploitation evidence makes it one of July’s most urgent fixes.
The affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. Microsoft recommends enabling the Antimalware Scan Interface integration and setting SharePoint’s Request Body Scan mode to Full as a mitigation, but installing the relevant SharePoint security update remains the primary response.
CVE-2026-56164 arrives alongside three other serious on-premises SharePoint vulnerabilities. CVE-2026-58644 and CVE-2026-50522 are remote-code-execution bugs carrying CVSS scores of 9.8, while CVE-2026-55040 is a security-feature bypass scored at 9.1.
That combination makes SharePoint a particularly important testing target this month. Organizations should not assume that installing the Windows cumulative update also patches their SharePoint farms; SharePoint Server updates must be identified, deployed and validated through the product’s own servicing process.
CISA has placed CVE-2026-56164 in its Known Exploited Vulnerabilities catalog, reinforcing the need to identify exposed farms quickly. Administrators should also review SharePoint and web-server logs for unexplained requests, newly created accounts, configuration changes and other activity predating installation of the July update.
AD FS Hardening Starts in Audit Mode
The second exploited vulnerability, CVE-2026-56155, affects the Distributed Key Manager container used by Active Directory Federation Services. AD FS stores key material in that container to protect token-signing and token-encryption certificate private keys.If the container’s access control list is too permissive, an attacker with access to the DKM material may be able to decrypt those private keys. Compromise of token-signing infrastructure can have consequences beyond a single server because it sits inside the organization’s identity and authentication chain.
Microsoft is introducing the fix as a staged hardening change under KB5121391. After administrators install the July 14 security update, AD FS enters an initial Audit mode rather than silently rewriting permissions.
The AD FS service checks the DKM container’s ACL at startup and then every 24 hours. Event ID 1132 in the AD FS Admin event log indicates that the permissions require attention, but the first phase does not automatically modify them.
For Windows Server 2016 and later, administrators can opt into remediation by setting the
RemediateDkmAcl registry value to 1. Microsoft plans to begin automatic remediation on October 13, 2026, unless the setting is configured to opt out.That timetable gives enterprises a testing window, not a reason to defer action. AD FS operators should install the July update, look for Event ID 1132, document service-account dependencies and test the remediation setting before Microsoft moves to enforcement.
Critical Bugs Reach Deep Into Windows Server
The highest-scored Windows vulnerability in the release is CVE-2026-57092, an elevation-of-privilege flaw in Windows VMSwitch with a CVSS score of 9.9. The vulnerability is especially relevant to organizations running Hyper-V because a compromised guest could potentially use weaknesses in the virtual switch boundary to gain elevated access.Windows Server networking services also account for several Critical entries. CVE-2026-56188 affects a Windows Server network driver, while CVE-2026-50518 and CVE-2026-56159 affect DHCP Server components; each carries a 9.8 score and a remote-code-execution impact.
Other server-side priorities include CVE-2026-49164 in Active Directory Domain Services and CVE-2026-54121 in Active Directory Certificate Services. The release additionally fixes remote-code-execution vulnerabilities in WSUS, Message Queuing, SQL Server, the Print Spooler and Windows TCP/IP-related components.
Administrators should map those CVEs to installed roles before setting deployment order. A domain controller running AD CS, a DHCP server and an internet-accessible SharePoint farm represent different exposure paths, even when scanner dashboards give their vulnerabilities similar numerical scores.
Workstations are not exempt. July includes multiple remote-code-execution vulnerabilities in GDI+, Windows Media Foundation, DirectX Graphics Kernel, Microsoft Word, PowerPoint and the broader Office suite. Many client-side bugs require a user to open or process malicious content, but Office and media-handling flaws remain useful routes for phishing and initial access.
Microsoft Defender also receives fixes for CVE-2026-55011 and CVE-2026-55012, both remote-code-execution vulnerabilities scored at 7.8. Security teams should verify Defender platform and intelligence updates separately from the operating-system deployment rather than assuming one update channel covers every component.
Windows 11 Moves to New July Builds
For Windows 11 version 25H2, KB5101650 advances the operating system to build 26200.8875. The same package moves Windows 11 version 24H2 to build 26100.8875, while KB5099414 updates Windows 11 version 23H2 to build 22631.7376.The cumulative updates include the July security fixes and previously released quality improvements. Microsoft also addresses an issue affecting third-party applications that use OLE Automation to interact with Microsoft Office, along with a File Explorer problem that could break the OneDrive shortcut when Explorer was run with administrative privileges.
A compatibility hold reportedly prevents KB5101650 from being offered to a limited number of Dell systems with Intel processors. The cited incompatibility can cause unexpected shutdowns, degraded performance, excessive heat and battery drain, so administrators should check Microsoft’s release-health information and Dell guidance before forcing deployment onto affected hardware.
Published totals for this release vary because security firms count Microsoft CVEs, third-party CVEs and previously documented vulnerabilities differently. BleepingComputer counted 570 Microsoft flaws and 59 Critical vulnerabilities, while other trackers reported totals above 600. The practical response is unchanged: use Microsoft’s Security Update Guide and product-specific KB applicability data as the deployment baseline rather than treating a headline total as an inventory.
For enterprise IT, the first wave should cover exposed SharePoint servers, AD FS systems and critical Windows Server roles, followed by broad Windows and Office deployment after compatibility testing. The October 13 AD FS enforcement milestone also belongs on change calendars now, because July’s audit events are intended to surface permission problems before Microsoft begins correcting them automatically.
References
- Primary source: Cyber Security Agency of Singapore
Published: 2026-07-15T07:05:08.951910
July 2026 Monthly Patch | Cyber Security Agency of Singapore
Microsoft has released security patches to address multiple vulnerabilities in their software and products.www.csa.gov.sg - Related coverage: bleepingcomputer.com
- Related coverage: automox.com
Patch Tuesday July 2026: CVE Analysis | Automox
July 2026 Patch Tuesday is the largest release on record, led by two actively exploited zero-days in ADFS and SharePoint, plus a cluster of pre-auth network flaws in core Windows.www.automox.com - Related coverage: applicationreadiness.com
Assurance Security Dashboard: July 2026 Patch Tuesday
Microsoft's July 2026 Patch Tuesday addresses 610 CVEs with 51 rated Critical and 3 zero-days. Severity breakdown by product family, with recommended actions.www.applicationreadiness.com - Related coverage: expel.com
Patch Tuesday: July 2026 (Expel’s version) | Expel
July's Patch Tuesday release includes a record-breaking 570 CVEs. These are the four we think need your attention now.expel.com - Related coverage: lansweeper.com
Microsoft Patch Tuesday – July 2026 - Lansweeper
Which vulnerabilities, issues, and other things did Microsoft update? Discover what's new using Lansweeper's Patch Tuesday July 2026 summary.www.lansweeper.com