
We knew this day would come. June 2026 Patch Tuesday broke the record, and July blew the record out of the water. July is the first time in Patch Tuesday’s history that over 500 CVEs were patched in a single month, with a staggering 569 CVEs patched, breaking last month’s record of 198 CVEs. Normally we have the wait for October or November to determine if we’ll break the previous year’s patch volume record, but July has locked it in that 2026 will be the largest annual Patch Tuesday ever, besting the previous record of 1,245 CVEs in 2020. It’s probable that we will not only exceed 2,000 CVEs in a calendar year, but potentially over 3,000 CVEs this year or more.
- The two flaws exploited in the wild are both elevation of privilege vulnerabilities. CVE-2026-56155, an Active Directory Federation Services (AD FS) flaw, and CVE-2026-56164, a Microsoft SharePoint Server vulnerability.
- CVE-2026-50661, a security feature bypass in Windows BitLocker, was noted as being publicly disclosed. We surmise that this could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made. We also know that the researcher promised to drop something on Patch Tuesday.
While these were the noteworthy flaws this month, in addition to the 59 critical CVEs disclosed, the state of the Exploitability Index (how likely a vulnerability is to be exploited) must shift with the machine speed of discovery. For example, Microsoft originally tagged CVE-2026-45659, a SharePoint vulnerability, as exploitation less likely. However, the vulnerability was added to the CISA KEV on July 1. Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated “Exploitation Less Likely” or “Exploitation Unlikely.” What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it. – Satnam Narang, Senior Staff Research Engineer at Tenable