Microsoft’s July 14, 2026 security release covers 622 Microsoft CVEs, but the number that should drive this week’s deployment plan is three: the actively exploited flaws now listed in CISA’s Known Exploited Vulnerabilities catalog. For Windows administrators, the immediate work is to patch exposed SharePoint and AD FS systems first, while keeping a Microsoft delivery hold in place for some Dell Windows 11 devices affected by KB5101650.
The Microsoft Security Response Center’s July release notes put the Microsoft total at 622 CVEs, including 416 affecting Windows, 82 affecting Office, 46 affecting Edge, 27 affecting developer tools, and 17 affecting SharePoint Server. As XenoSpectrum’s analysis noted, that monthly figure is not interchangeable with a count of issues first disclosed on Patch Tuesday, and it should not be combined with the separately listed Chromium vulnerabilities.
That distinction matters because raw CVE volume is a poor patching queue. A 622-item release can contain everything from physical-access BitLocker scenarios to internet-facing SharePoint weaknesses under active attack. The deployment order should reflect exposure, exploit status, available mitigations, and the business role of the affected system—not simply severity labels or CVSS scores.

Cybersecurity analyst monitors critical vulnerabilities, attack surfaces, and patch deployment across multiple screens.Three exploited flaws set the first deployment ring​

CISA has added three Microsoft vulnerabilities from this cycle to the KEV catalog, meaning there is evidence they are being exploited in the wild. Federal civilian agencies face remediation dates beginning July 17; private-sector organizations are not bound by those dates, but the deadlines offer a clear signal about urgency.
CVE-2026-56164 affects SharePoint Server and is rated Moderate with a CVSS score of 5.3. That score is the kind of figure likely to disappear beneath the 62 Critical-rated vulnerabilities in Microsoft’s monthly tally, yet the flaw is an unauthenticated, network-based elevation-of-privilege issue that Microsoft marks as exploited. For any externally reachable SharePoint deployment, its operational priority is plainly higher than its numerical score suggests.
Microsoft’s mitigation guidance for CVE-2026-56164 includes enabling Antimalware Scan Interface, or AMSI, protections for SharePoint and IIS worker processes and setting Request Body Scan to Full. Those measures are not a substitute for the security update, but they should be treated as an immediate compensating control where patch deployment requires a maintenance window.
CVE-2026-58644 is the more confusing SharePoint case. Microsoft says a patch was already available but the CVE was inadvertently omitted from the June 2026 Patch Tuesday list; the company subsequently corrected its exploitability assessment, exploited flag, and CVSS vector on July 15. CISA added it to KEV on July 16, with a July 19 remediation deadline for federal agencies.
The chronology means this is not a newly fixed July zero-day in the conventional sense. It is a previously released fix that has now been tied explicitly to active exploitation. Administrators should verify that the earlier update is installed across SharePoint infrastructure rather than assuming a July cumulative update alone closes the gap.
Microsoft’s documentation for CVE-2026-58644 has also created ambiguity around attacker prerequisites. Its CVSS vector indicates no privileges are required, while an FAQ scenario refers to an attacker authenticated as a SharePoint Site Owner. That inconsistency is worth tracking, especially for threat modeling and incident response, but it should not postpone remediation. The confirmed exploitation status, exposure of the server, and CISA’s short deadline are the facts that matter this week.
The third KEV entry, CVE-2026-56155, affects Active Directory Federation Services. Microsoft rates the local elevation-of-privilege flaw Important, with a CVSS score of 7.8, and CISA’s federal remediation date is July 28. It is less likely to be an initial-access issue than the SharePoint vulnerabilities, but an AD FS server is an identity-system asset where a path from existing low-privilege access to administrator control deserves rapid attention.

The 622-CVE count is real, but it is not a risk score​

Microsoft’s July totals show a broad release: 256 elevation-of-privilege vulnerabilities, 166 remote-code-execution vulnerabilities, and 109 information-disclosure issues. Those categories overlap, so they should not be added together, just as product-family tallies can overlap where a CVE appears in more than one listing.
The “569” figure circulating in early Patch Tuesday coverage describes CVEs whose initial disclosure date was July 14, according to the CVRF data examined by XenoSpectrum. The remaining disclosures were published on other dates in the surrounding period. Neither 569 nor 622 includes the 428 non-Microsoft Chromium CVEs that MSRC separately republishes, and treating those as Microsoft fixes would produce a misleading total.
For IT teams, this accounting discussion has a practical purpose. Security dashboards and executive summaries need accurate counts, but endpoint and server teams should not be asked to deploy in strict CVE-number order. A vulnerability affecting a disconnected workstation or requiring physical possession is not equivalent to one being exploited against a public-facing collaboration server.
CVE-2026-50661 illustrates the difference. The BitLocker Device Encryption bypass requires physical access and is rated Important with a 6.1 CVSS score. It warrants remediation for devices exposed to theft, travel, untrusted hands-on access, or high-value local data. It does not outrank an actively exploited SharePoint vulnerability on an internet-facing server merely because both appear in the same monthly release.
Microsoft’s own exploitability guidance is designed for this sorting process. Confirmed exploitation, public exploit availability, attacker requirements, attack surface, and business role should all be entered into the same change-control decision—not treated as afterthoughts to a CVSS filter.

AI may increase findings, not eliminate validation​

Microsoft’s Pavan Davuluri said on July 9 that AI will increase the volume of updates in future security releases. Microsoft Security is using automation including its multi-model agentic scanning harness, MDASH, to inspect critical Windows binaries, with findings reviewed, reproduced, and filtered through a Windows-specific verification process before they reach engineering teams.
That is an important distinction. July’s 622 CVEs are not evidence that AI independently “found” every issue in the release. MSRC has described the rise in reported vulnerabilities as the outcome of years of expanding research, maturing automation, and wider participation by external security researchers.
The likely consequence is not that patch management becomes obsolete or fully automated. It is that organizations should expect more valid findings, more frequent prioritization decisions, and greater pressure on asset inventory quality. Automation can accelerate discovery; it does not decide whether a particular SharePoint farm is internet-facing, whether a federation server is business-critical, or whether a delayed endpoint update will break a line-of-business workflow.

Dell hold complicates the Windows 11 rollout​

Microsoft has paused delivery of Windows 11 KB5101650 for a limited set of Dell devices with Intel processors. The July 14 cumulative update applies to Windows 11 24H2 and 25H2, bringing those releases to OS Builds 26100.8875 and 26200.8870 respectively.
According to Microsoft’s update documentation, Dell reported an incompatibility that can cause unexpected shutdowns, poor performance, higher heat, and battery drain. The issue involves affected systems using the Intel Innovation Platform Framework Processor Participant driver and a conflict associated with the Windows USB-C Connection Manager introduced through the June 23 preview update.
Microsoft says affected devices will not be offered KB5101650 through normal Windows Update channels while it works with Dell on a resolution. The company said on July 15 that it planned to release a fix within days, but it has not published a date for resuming normal delivery.
That safeguard should remain intact. Administrators should not force-install KB5101650 on affected Dell models to make compliance reports look cleaner, particularly when the observed failure modes include shutdowns and power-management instability. Windows Server is not affected by this client-side hold, allowing server remediation to proceed independently.

Kerberos and Secure Boot work belongs in the same change window​

The July release also reaches the final enforcement phase for Microsoft’s Kerberos hardening tied to CVE-2026-20833. After an audit period beginning in January and an April move to AES as the default, Microsoft is removing the temporary RC4DefaultDisablementPhase rollback value.
The immediate risk is not patch installation failure but authentication failure after enforcement. Service accounts without AES keys and non-Windows systems that still depend on RC4 may be denied service tickets. Domain-controller monitoring should therefore include KDCSVC event IDs 201 through 209, while application owners test legacy appliances, service identities, and cross-platform dependencies before treating the July update as routine.
Secure Boot certificate rotation is progressing in parallel. Microsoft’s 2011-era Microsoft Corporation KEK CA expired on June 24, 2026, followed by the Microsoft UEFI CA on June 27. Systems missing the replacement certificates can still boot and receive ordinary Windows Updates, but they will not receive the newer pre-boot security protections associated with current boot-manager, database, and revocation-list updates.
Microsoft says KB5101650 expands high-confidence targeting for automatic delivery of the newer 2023-generation certificates. That makes certificate status a worthwhile compliance check during the broader July deployment, rather than a separate task deferred until a boot-integrity incident makes it urgent.
The practical July plan is therefore a three-tier one: move the exploited SharePoint and AD FS flaws into emergency remediation; validate Dell compatibility and Kerberos dependencies in a controlled ring; then deploy the remaining Windows, Office, Edge, developer-tool, and Secure Boot updates through normal phased rollout. The next operational milestone is Microsoft and Dell’s fix for the KB5101650 hold—while the immediate deadline is ensuring that exposed SharePoint systems are no longer the easiest target in the release.

References​

  1. Primary source: XenoSpectrum
    Published: 2026-07-16T21:50:29.257000+00:00