~/home/news/microsoft-july-2026-patch-tuesday-2026-07-15

Microsoft July 2026 Patch Tuesday Breaks Records: 622 Fixes, 2 Active Zero-Days

Microsoft’s July 2026 Patch Tuesday delivered a historic 622 vulnerability fixes, far exceeding any prior month. Two zero-days - CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint) - were actively exploited, and a critical VM-escape (CVE-2026-57092) threatens hyper-visors.

Overview/Introduction

On July 14, 2026 Microsoft released its largest Patch Tuesday to date, publishing fixes for a staggering 622 CVEs in its Security Update Guide. The volume more than triples June’s previous high of ~200 and eclipses the 570-flaw count reported by BleepingComputer. Among the flood of patches, three zero-day vulnerabilities were addressed, two of which are confirmed to be under active exploitation in the wild.

The most urgent of these are:

  • CVE-2026-56155 - an elevation-of-privilege (EoP) flaw in Active Directory Federation Services (AD FS) that allows a locally-authenticated attacker to gain administrative rights.
  • CVE-2026-56164 - an unauthenticated network-based EoP vulnerability in on-premises SharePoint Server that lets an attacker jump to high-privilege accounts.

In addition, a critical VM-escape vulnerability (CVE-2026-57092, CVSS 9.9) in the Windows VMSwitch component can break out of a virtual machine and compromise the host hyper-visor.

Technical Details

The following sections provide detailed information about each of the critical vulnerabilities.

CVE-2026-56155 - AD FS Elevation of Privilege

AD FS is the token-issuing service that underpins federated authentication across Azure AD, Office 365, and on-premises applications. The flaw stems from insufficient granularity in access-control checks when processing MS-ADFSCredential objects. An attacker who can already authenticate to the AD FS server (e.g., via a compromised service account) can manipulate the request flow to obtain SeDebugPrivilege and, subsequently, local administrator rights.

Microsoft’s DART team credited the discovery to internal responders Jeremy Kingston and Scott Clark. Exploitation appears to be limited to “local” privilege escalation, but because AD FS is the trust anchor for SSO tokens, compromise can cascade to any relying party that trusts the federation server.

CVE-2026-56164 - SharePoint Server Remote Elevation of Privilege

The SharePoint Server bug is a classic “unauthenticated remote code execution” chain that begins with a malformed HTTP request to the /_vti_bin/owssvr.dll endpoint. The request triggers an out-of-bounds write in the server’s request-parsing routine, allowing the attacker to inject a security-principal object with FullControl permissions on the web application.

Both Mandiant’s incident response unit and Google’s FLARE team observed the exploit in active campaigns targeting government and financial sectors. The vulnerability is especially dangerous because it works without any credentials or user interaction, and it remains exploitable on all supported SharePoint Server versions (2016, 2019, and the now-EOL 2013). The bug’s CVSS base score is 9.1, but Microsoft rated it “moderate” due to the limited attack surface (SharePoint servers are often isolated).

CVE-2026-57092 - Windows VMSwitch VM-Escape

VMSwitch is the virtual switch component that connects virtual NICs to the host’s physical network adapters. The vulnerability resides in the handling of Hyper-V Extensible Switch (HvSwitch) flow-table updates. By crafting a malicious sequence of IOCTL_HV_VMSWITCH calls, an attacker inside a guest VM can corrupt the host’s kernel memory and achieve code execution at Ring-0 on the host system.

With a CVSS of 9.9, this is one of the highest-severity flaws ever released for Windows. The exploit requires the attacker to have code execution inside a guest VM - a scenario common in multi-tenant cloud providers or on-premises environments that use nested virtualization for development or testing.

Impact Analysis

The breadth of the July patch day means virtually every Windows-based environment is affected:

  • Windows client and server OSes - 416 individual CVEs, including 48 remote code execution (RCE) flaws.
  • Active Directory Federation Services - AD FS servers that issue SAML/WS-Fed tokens are at risk of privilege escalation.
  • SharePoint Server - On-premises deployments (including SharePoint 2016/2019) face unauthenticated remote EoP.
  • Azure and cloud workloads - VMSwitch is used by Azure Virtual Machines, Azure Stack, and on-prem Hyper-V clusters.
  • Microsoft Office suite & Edge - 164 Office-related CVEs and dozens of Edge/Chromium fixes.

Given the two zero-day exploits are already weaponized, organizations that have not yet applied the July updates are effectively running with known, active backdoors. The VM-escape scenario also threatens cloud service providers and any environment that offers VM-as-a-service (e.g., Azure, AWS Windows instances, on-prem Hyper-V).

Timeline of Events

  • June 2026 - Microsoft announces an AI-driven vulnerability discovery platform, hinting at a surge in forthcoming patches.
  • Early July 2026 - Threat intel feeds (Mandiant, Google FLARE) report active exploitation of AD FS and SharePoint zero-days.
  • July 14, 2026 - 02:01 PM EDT - Microsoft releases cumulative updates for Windows 10, Windows 11, Server 2019/2022, and extended updates for legacy OSes.
  • July 14, 2026 - 03:30 PM EDT - Security blogs (BleepingComputer, The Hacker News, SecurityWeek) publish analyses confirming the zero-day status and providing exploitation details.
  • July 15, 2026 - Enterprises begin rolling out the patches; several major CSPs announce temporary mitigation steps for VMSwitch.

Mitigation/Recommendations

Given the scale and severity, a phased approach is advisable:

  1. Prioritize the three critical zero-days:
    • Deploy the AD FS update (KB5099415) immediately on all federation servers. Restart the service and enforce MFA for any administrative accounts.
    • Apply the SharePoint Server patches (KB5101652 for 2016, KB5101653 for 2019). Where possible, enable AMSI Full Mode on the SharePoint servers to mitigate script-based payloads.
    • Patch Windows hosts with the VMSwitch fix (KB5101670) and reboot the hyper-visor. For cloud tenants, request the provider to apply the update at the host layer.
  2. Apply the full cumulative roll-up: Even non-critical CVEs can be chained. Use WSUS, SCCM, or Intune to push the latest cumulative updates to Windows 10/11, Server, and Office.
  3. Validate patch compliance: Run Get-WindowsUpdateLog and Get-HotFix to confirm the KB IDs are installed. For hyper-visors, verify the VMSwitch version via Get-VMNetworkAdapter -ManagementOS.
  4. Network segmentation: Isolate AD FS and SharePoint servers from the broader corporate LAN where possible. Apply strict NSG rules in Azure to limit inbound traffic to required endpoints only.
  5. Monitoring & detection:
    • Enable Windows Defender Advanced Threat Protection (ATP) and set alerts for suspicious token-issuance events (Event ID 4624 with Logon Type 3 from AD FS).
    • Deploy Sysmon and monitor for abnormal IOCTL_HV_VMSWITCH calls, which may indicate an attempted VM-escape.
  6. Backup & rollback plan: Ensure you have recent system state backups before applying the updates, especially on legacy SharePoint 2016/2019 which are approaching end-of-support.

Real-World Impact

Enterprises that rely heavily on on-prem identity infrastructure (e.g., banks, government agencies) are most at risk. A successful AD FS compromise can issue forged SAML tokens, granting attackers access to SaaS applications, Azure resources, and any downstream service that trusts the federation token.

SharePoint’s remote EoP opens a direct path to exfiltrate sensitive documents, plant web-shells, and pivot to domain controllers via the SharePoint service account. The timing is particularly nasty: the same day the patches landed, SharePoint Server 2016/2019 entered the end of extended support window, leaving organizations without a paid ESU option.

The VM-escape bug threatens the shared-responsibility model of public clouds. If a malicious tenant can escape a VM, they could potentially access other tenants’ workloads, the host OS, and even the hyper-visor management plane. Cloud providers have issued advisories to patch the host layer immediately, but customers running private Hyper-V clusters must act fast to avoid a “break-out” scenario akin to the infamous VENOM bug of 2015.

Expert Opinion

From a strategic perspective, Microsoft’s record-breaking patch volume is both a triumph of its new AI-driven discovery engine and a warning sign that the attack surface of modern Windows ecosystems is expanding faster than many organizations can keep up with. The fact that two zero-days were already weaponized underscores a shift: attackers are now targeting the “identity glue” (AD FS) and collaboration back-ends (SharePoint) rather than chasing flashy remote code execution bugs.

For the industry, three takeaways emerge:

  1. Zero-day preparedness must become continuous: Relying on quarterly patch cycles is no longer sufficient. Organizations should adopt a “patch-as-you-go” posture, leveraging automated testing pipelines and rapid rollback capabilities.
  2. Identity infrastructure is the new perimeter: Compromise of AD FS or Azure AD Connect can render traditional network segmentation moot. Zero-trust architectures need to incorporate strict token validation, short-lived credentials, and continuous monitoring of federation services.
  3. Hyper-visor security is a shared responsibility: Cloud providers have the advantage of rapid host-level patching, but customers running on-prem Hyper-V must integrate hyper-visor patch management into their broader vulnerability-management program, not treat it as a “once-a-year” task.

In short, the July 2026 Patch Tuesday is a wake-up call. The sheer volume of fixes, combined with active exploitation of high-value zero-days, tells us that the threat landscape is moving from “find the bug” to “weaponize the trust chain.” Enterprises that invest in automated patch deployment, rigorous identity governance, and hyper-visor hardening will be best positioned to survive the next wave of attacks.