core-jmp core-jmpdeath of core jump

The July 2026 Security Update Review

Dustin Childs reviews the July 2026 security patch cycle, covering 88 Adobe CVEs and a record-breaking 621 Microsoft vulnerabilities, including critical RCEs and elevation-of-privilege flaws. Key exploited threats and deployment priorities for security teams.

oxfemale July 16, 2026 6 min read 25 reads
Export PDF
The July 2026 Security Update Review
Original text: “The July 2026 Security Update Review”Dustin Childs, Zero Day Initiative (July 14, 2026). Tables and figures are reproduced verbatim with attribution captions.

Executive Summary

July 2026 delivered a landmark month for security patches: Adobe released 88 CVEs across twelve products via their bimonthly cycle, while Microsoft disclosed 621 vulnerabilities—a volume that dwarfs all prior twenty-year records. Of particular concern, multiple critical remote code execution flaws and elevation-of-privilege vulnerabilities are already under active exploitation, including those in SharePoint, RDP, and Active Directory Federation Services. These patches demand immediate deployment prioritization by security teams managing Windows, Microsoft 365, and Adobe infrastructure.

The scale of this release underscores a worrying trend: the vulnerability disclosure ecosystem is outpacing patch management timelines at many organizations. Additionally, Chromium and Microsoft Edge-derived products account for approximately 480 further disclosed vulnerabilities, adding to the overall complexity. This review distills the highest-severity and actively-exploited flaws, deployment order recommendations, and defensive hardening steps.

Adobe Patches for July 2026

Adobe has transitioned to a bimonthly release schedule, delivering security patches on the second and fourth Tuesdays of each month. The July release included twelve bulletins addressing 88 CVEs across eleven products: ColdFusion, Commerce, After Effects, Animate, Audition, Bridge, Creative Cloud Desktop Application, Experience Manager, Illustrator, Media Encoder, and Premiere Pro, plus the Content Credentials SDK.

The most critical advisories target ColdFusion and Commerce, both carrying CVSS 9.6–9.9 maximum scores with Critical severity ratings. No vulnerabilities are currently confirmed under active exploitation. Deployment should prioritize ColdFusion (APSB26-82, 13 CVEs) and Commerce (APSB26-73, 13 CVEs) first, followed by remaining products via standard change-management cadence.

Bulletin IDProductCVE CountHighest SeverityHighest CVSSExploitedDeployment Priority
APSB26-82Adobe ColdFusion13Critical9.9No1
APSB26-73Adobe Commerce13Critical9.6No2
APSB26-78Adobe After Effects3Critical7.8No3
APSB26-83Adobe Animate6Critical8.6No3
APSB26-71Adobe Audition6Critical7.8No3
APSB26-81Adobe Bridge6Critical7.8No3
APSB26-77Creative Cloud Desktop Application2Critical8.1No3
APSB26-74Adobe Experience Manager13Critical9.6No3
APSB26-79Adobe Illustrator5Critical9.3No3
APSB26-72Adobe Media Encoder5Critical7.8No3
APSB26-76Adobe Premiere Pro4Critical7.8No3
APSB26-80Content Credentials SDK12Critical8.2No3
Adobe July 2026 security bulletins. Total: 12 bulletins, 88 CVEs across critical product lines. Source: original article.

Microsoft Patches for July 2026

Microsoft’s July 2026 patch cycle broke all records: 621 CVEs disclosed for Windows, Office, Azure, SQL Server, and other enterprise products, plus an additional ~480 Chromium/Edge-derived vulnerabilities catalogued separately. This volume far exceeds any monthly total in the past twenty years. The release includes 63 Critical-severity flaws, 6 Moderate, 1 Low, and the remainder rated Important. Eight vulnerabilities were submitted through the Zero Day Initiative disclosure program.

Of the 621 CVEs, two are confirmed under active exploitation, and one is publicly known but not yet exploited. The actively-exploited flaws span multiple attack surfaces: unauthenticated network-accessible remote code execution in RDP and DHCP; authenticated elevation-of-privilege in Active Directory Federation Services and SharePoint; and use-after-free vulnerabilities in the Windows Hyper-V vmswitch component enabling cross-VM host compromise.

Chart showing CVE counts trending upward, demonstrating YTD 2026 exceeds all prior 20-year records
CVE volume trends: YTD 2026 (blue line) has already exceeded the total of all prior 20-year records. Source: original article.

Actively Exploited Vulnerabilities

CVE-2026-56155 (AD FS Elevation of Privilege)—CVSS 7.8, actively exploited. Requires local access with low privileges to elevate within an Active Directory Federation Services environment. Affects enterprise authentication infrastructure.

CVE-2026-56164 (SharePoint Server EoP)—CVSS 5.3, actively exploited. Network-reachable without authentication required. Enables privilege escalation in SharePoint Server deployments hosting sensitive collaboration workloads.

Critical Remote Code Execution Flaws

CVE-2026-56190 (RDP RCE)—CVSS 9.8, unauthenticated, no user interaction required. Exploitation via uninitialized resource consumption affects Remote Desktop Protocol services exposed to networks. This vulnerability poses extreme risk to organizations with internet-accessible RDP listeners.

CVE-2026-50522 / CVE-2026-58644 (SharePoint RCE)—Pair of CVSS 9.8 flaws caused by deserialization logic errors. These vulnerabilities were demonstrated at Pwn2Own Berlin 2026, proving reliable exploitation in the wild.

CVE-2026-50518 (DHCP Server RCE)—CVSS 9.8, heap-based buffer overflow in the DHCP server service. Unauthenticated, network-accessible to any attacker with layer-2 or layer-3 network access to DHCP infrastructure.

CVE-2026-56188 (Network Driver RCE)—CVSS 9.8, race condition in a Windows network driver. Allows privileged code execution with system-level privileges, exploitable via network-accessible attack surface.

CVE-2026-55010 (Minecraft Bedrock RCE)—CVSS 9.8, heap-based buffer overflow in Minecraft Bedrock Edition. Unauthenticated remote code execution for users connecting to malicious or compromised game servers.

Other High-Severity Flaws

CVE-2026-57092 (Windows VMSwitch EoP)—CVSS 9.9, use-after-free in Hyper-V virtual machine switching component. Enables a guest virtual machine to escape isolation and compromise the host. Critical for organizations running Hyper-V or Azure Stack infrastructure.

CVE-2026-55008 (Exchange Server Stored XSS)—CVSS 9.6, stored cross-site scripting in Outlook Web Access. Allows attackers to inject malicious JavaScript that executes in the context of targeted user sessions and browsers, enabling session hijacking or credential theft.

Key Takeaways

  • Record CVE volume: 621 Microsoft CVEs in a single month exceeds two decades of historical records; patches demand immediate large-scale deployment.
  • Active exploitation confirmed: At least two CVEs (AD FS, SharePoint) are actively exploited in the wild; treat these as highest priority.
  • Unauthenticated RCEs dominate: Multiple critical remote code executions (RDP, DHCP, network drivers) require no authentication, making them exploitable from network-adjacent or internet-accessible positions.
  • Hyper-V hypervisor escape: CVE-2026-57092 allows guest-to-host compromise; critical for cloud and virtualized infrastructure operators.
  • SharePoint deserialization chain: Two CVSS 9.8 flaws (CVE-2026-50522/58644) exploited at Pwn2Own; prioritize SharePoint patching.
  • Adobe bimonthly cadence easing pressure: 88 CVEs (vs. Microsoft’s 621) are distributed across twelve products; deployment priority order is clear and manageable.
  • Patch availability immediate: Patches are available today; stagger deployment across test → staging → production to absorb regression risk.

Defensive Recommendations

  • Immediate (24–48 hours): Patch RDP, DHCP, and AD FS services on systems exposed to untrusted networks. Disable RDP entirely if not in active use; if required, restrict access via VPN or bastion hosts.
  • High priority (1 week): Deploy SharePoint patches (CVE-2026-50522/58644) across all farms. Disable deserialization features in application configuration if safe for your workload.
  • Hyper-V hosts (1 week): Apply CVE-2026-57092 fix to all Hyper-V hosts, particularly those running untrusted or customer-controlled guest VMs.
  • Inventory and assess: Catalog Exchange Server, SQL Server, and Azure deployments. Verify patching timelines and dependency chains before applying critical updates in sequence.
  • Monitor and hunt: Search event logs (Windows Event Log, PowerShell transcript logs, network IDS/IPS) for exploitation attempts against CVE-2026-56155 (AD FS auth anomalies) and CVE-2026-56164 (SharePoint access anomalies).
  • Network segmentation: Enforce network access controls: RDP and DHCP services must be inaccessible from untrusted segments. Use host-based firewall rules to restrict lateral movement.
  • Testing cadence: Allocate dedicated test infrastructure to validate patch compatibility before production rollout, especially for Hyper-V, Exchange, and SharePoint.
  • Supplier communication: Coordinate with SaaS and cloud providers (Microsoft 365, Azure, Dynamics) to confirm patching timelines and redundancy during maintenance windows.

Conclusion

July 2026 marks an inflection point: vulnerability disclosure volume has shifted to unprecedented scales, outpacing traditional patch management cycles. While Adobe’s 88 CVEs remain high, Microsoft’s 621 disclosures—and the presence of actively-exploited critical flaws—demand a strategic shift in enterprise patch operations: risk-ranked deployment (exploited and unauthenticated RCEs first), automated patch testing and staging infrastructure, and real-time threat monitoring during rollout windows. Organizations that establish rapid patch deployment and maintain segment-based network access controls will weather this cycle; those relying on legacy, serial patch processes face prolonged exposure to exploitation.

Original text: “The July 2026 Security Update Review” by Dustin Childs at Zero Day Initiative.

oxfemale Vulnerability research, reverse engineering, and exploit development.