Microsoft July 2026 Patch Tuesday: 622 CVEs, Exploited AD FS and SharePoint Bugs, and Every Major Update to Check

Glowing Windows update logo surrounded by security shields, patch icons, and update symbols for Microsoft Patch Tuesday.

Microsoft’s July 2026 Patch Tuesday is not a small one. Microsoft’s Security Update Guide says the July 14, 2026 release covers 622 Microsoft CVEs, and Microsoft is also republishing 428 non-Microsoft Chromium CVEs through its Edge/Chromium channel. For home users, the short version is simple: install the July Windows update when it is offered. For businesses, this month deserves a more careful check because the release includes exploited server-side vulnerabilities, a publicly known BitLocker issue, Windows and .NET updates across supported versions, SharePoint fixes, SQL Server fixes, Exchange updates, Office updates, Edge/Chromium coverage, Azure/service-side fixes, Defender updates, and Configuration Manager hotfixes.

This post is built from Microsoft’s July 2026 Security Update Guide CVRF data and Microsoft support/download pages. The most important links are included throughout, and the full Microsoft Security Update Guide remains the best place to confirm exact applicability for your environment.

In this article

Quick Summary

  • Release date: July 14, 2026.
  • Microsoft CVEs in the release notes: 622.
  • Republished non-Microsoft Chromium CVEs: 428.
  • Severity mix in the Microsoft CVRF feed: 66 Critical, 594 Important, 55 Moderate, and 7 Low Microsoft CVE entries, plus 428 Chromium republished entries that do not carry the same Microsoft severity fields in the feed.
  • Actively exploited items to check first: Active Directory Federation Services elevation of privilege and SharePoint Server elevation of privilege.
  • Publicly known item: a Windows BitLocker security feature bypass.
  • Most local business impact: Windows desktops/laptops, Windows Server, domain services, Remote Desktop, SharePoint, SQL Server, Exchange, Microsoft 365/Office, Edge, .NET, Defender, and Configuration Manager.

Microsoft’s Windows updates are cumulative, so supported Windows 10 and Windows 11 machines normally only need the correct July cumulative update for their version. Servers and business applications are where the work gets more sensitive: SharePoint, SQL Server, Exchange, AD FS, Hyper-V, Remote Desktop, and line-of-business apps should be patched with a maintenance plan, backup verification, and a rollback window.

The Urgent CVEs

Three items deserve priority review before this becomes “just another Patch Tuesday.” Microsoft’s release notes flag one BitLocker issue as publicly known and two server-side items as exploited. If your business uses AD FS or SharePoint, do not let those sit.

CVEMicrosoft titleWhy it mattersMicrosoft link
CVE-2026-56155Active Directory Federation Services Elevation of Privilege VulnerabilityMicrosoft marks exploitation as detected. AD FS sits in the identity path for sign-ins and federation, so this is a server-side business priority.MSRC CVE page
CVE-2026-56164Microsoft SharePoint Server Elevation of Privilege VulnerabilityThe CVRF feed marks exploitation as detected for SharePoint Server. SharePoint is commonly exposed to many users and often stores sensitive business documents.MSRC CVE page
CVE-2026-50661Windows BitLocker Security Feature Bypass VulnerabilityMicrosoft’s release notes mark this as publicly known. BitLocker issues matter most on laptops, remote-worker devices, and any system where lost-device protection is part of the security plan.MSRC CVE page

A few high-score items also stand out even where Microsoft does not mark exploitation as detected. Examples include Azure OpenAI elevation of privilege, Microsoft Entra Provisioning Service elevation of privilege, Windows VMSwitch elevation of privilege, Windows FTP Service remote code execution, Remote Desktop Client remote code execution, and SharePoint remote code execution. The exact urgency depends on whether you run the affected product, whether it is exposed to untrusted users, and whether compensating controls are already in place.

Release Size And Product Families

Microsoft’s own release table breaks the 622 Microsoft CVEs down by product family. The biggest practical takeaway is that Windows dominates the month, Office is also broad, and server products need attention because the exploited items land in identity and collaboration workloads.

Product familyDistinct updatesVulnerabilities addressedUpdate type
Azure1311Individual
Defender25Cumulative
Developer Tools3627Cumulative
Exchange Server45Cumulative
Microsoft Edge146Cumulative
Office1082Cumulative except Office 2016
Office 20161882Individual
Other45Individual
SharePoint Server317Cumulative
SQL Server88Cumulative
Windows35416Cumulative
Source: Microsoft July 2026 Security Update Guide release notes.

Windows, .NET, And ConfigMgr Patch Table

The table below lists the Windows, .NET Framework, and Configuration Manager patch IDs surfaced by Microsoft’s July 2026 CVRF data. The “CVE references” column counts how many CVE/product remediation references in the feed point at that update, not how many unique vulnerabilities only that one KB fixes. Cumulative updates share coverage across many components and product versions.

PatchApplies toCVE references in feed
KB37864969Microsoft Configuration Manager 25091
KB38232642Microsoft Configuration Manager 2603; Microsoft Configuration Manager 25032
KB5087048.NET Framework 3.5 on Windows Server 20125
KB5087049.NET Framework 3.5 on Windows Server 2012 R25
KB5087053.NET Framework 3.5 and 4.8.1 on Windows 10 Version 21H25
KB5087057.NET Framework 3.5 and 4.8.1 on Windows Server 2025 Server Core5
KB5087058.NET Framework 3.5 and 4.8.1 on Windows 11 Version 23H25
KB5087059.NET Framework 3.5 and 4.8.1 on Windows Server 20225
KB5087061.NET Framework 3.5 and 4.7.2 on Windows 10 Version 18095
KB5087062.NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 20125
KB5087063.NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R25
KB5087064.NET Framework 3.5 and 4.8 on Windows 10 21H2/22H25
KB5087065.NET Framework 4.8 on Windows 10 Version 1607 and Windows Server 20165
KB5087066.NET Framework 3.5 and 4.8 on Windows 10 Version 18095
KB5087067.NET Framework 4.8 on Windows Server 20125
KB5087068.NET Framework 3.5 and 4.8 on Windows Server 20225
KB5087069.NET Framework 4.8 on Windows Server 2012 R25
KB5087077.NET Framework 3.5 and 4.8.1 on Windows 11 Version 26H15
KB5087537.NET Framework 3.5 and 4.7.2 on Windows 10 Version 1607 and Windows Server 20165
KB5089548Windows 11 Version 26H1 ARM641
KB5092427.NET Framework 3.5 and 4.8.1 on Windows 11 Version 25H25
KB5092430.NET Framework 3.5 and 4.8.1 on Windows 11 Version 24H2 ARM645
KB5092431.NET Framework 3.5 and 4.8.1 on Windows 11 Version 26H15
KB5094006Windows Server 20121
KB5094041Windows Server 2012 R22
KB5094042Windows Server 20122
KB5095051Windows 11 Version 26H1 x64/ARM64247
KB5099414Windows 11 Version 23H2 ARM64; OS Build 22631.737616
KB5099444Windows Server 2012 R2 monthly rollup184
KB5099445Windows Server 2012 monthly rollup173
KB5099535Windows 10 Version 1607 and Windows Server 2016; OS Build 14393.9339249
KB5099536Windows Server 2025; OS Build 26100.33158388
KB5099538Windows 10 Version 1809; OS Build 17763.9020311
KB5099539Windows 10 21H2/22H2; OS Builds 19044.7548 and 19045.7548624
KB5099540Windows Server 2022; OS Build 20348.5386325
KB5101649Windows 11 Version 26H1; OS Build 28000.2525508
KB5101650Windows 11 Version 24H2/25H2; OS Builds 26100.8875 and 26200.8870685

Several Windows support pages also list servicing stack updates that matter for deployment reliability, including KB5104023 for Windows 11 23H2, KB5104021 for Windows 10, KB5120210 for Windows Server 2022, and KB5101372 for Windows Server 2025. Servicing stack updates are not glamorous, but they help Windows install later updates correctly.

Server, Office, Edge, Azure, And App Updates

SharePoint Server

SharePoint is a priority this month because Microsoft’s CVRF data marks a SharePoint elevation-of-privilege issue as exploitation detected, and separate SharePoint remote code execution issues score high. Microsoft lists updates for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, including KB5002891, KB5002883, KB5002882, KB5002880, KB5002874, KB5002873, KB5002892, and KB5002885 through Microsoft Download Center pages.

SQL Server

SQL Server fixes cover supported GDR and cumulative update channels. Microsoft lists KB5101347 for SQL Server 2022 CU25, KB5101346 for SQL Server 2025 CU6, KB5102338 for SQL Server 2017 GDR, KB5102336 for SQL Server 2019 GDR, KB5102340 for SQL Server 2016 SP3 GDR, KB5102339 for the SQL Server 2016 SP3 Azure Connect Feature Pack, KB5102337 for SQL Server 2017 CU31, KB5102334 for SQL Server 2022 GDR, KB5102333 for SQL Server 2025 GDR, and KB5102335 for SQL Server 2019 CU32. Businesses should patch SQL in a maintenance window and verify application compatibility, backups, and replication/job health afterward.

Exchange Server

Exchange Server receives cumulative/security update coverage for Exchange Server 2016 CU23, Exchange Server 2019 CU14/CU15, and Exchange Server Subscription Edition RTM. Microsoft’s CVRF data includes KB5103215, KB5103212, KB5103213, and KB5103214. Exchange updates should be staged carefully: confirm server health before patching, install from an elevated prompt where required, and check mail flow, services, queues, and event logs after reboot.

Office And Microsoft 365 Apps

Office coverage is broad. Microsoft’s release notes show 82 Office-related vulnerabilities, with cumulative updates for most Office channels and individual updates for Office 2016. The CVRF feed lists Click-to-Run coverage for Microsoft 365 Apps and Office 2019, Office for Mac update paths, Office Online Server KB5002884, Office 2016 updates including KB5002887, KB5002273, KB5002748, KB5002830, Excel 2016 KB5002886, Word 2016 KB5002890, and PowerPoint 2016 KB5002867. For businesses, the main operational point is to confirm Microsoft 365 Apps update rings are actually moving and that older perpetual Office installs are not being missed.

Microsoft Edge And Chromium

Microsoft Edge is listed as one cumulative update with 46 vulnerabilities addressed, and Microsoft also republishes 428 non-Microsoft Chromium CVEs this month. Edge normally updates automatically, but managed environments should verify Edge update policies, browser restart behavior, and whether any kiosk/shared computers are stuck behind old browser builds.

Azure, Defender, Developer Tools, And Other Apps

Microsoft’s July release also includes Azure, Defender, developer tooling, and app fixes. The CVRF data points to updates or release paths for Visual Studio 2022, Visual Studio 2026, Visual Studio Code, Azure CycleCloud, Azure Arc Connected Machine Agent, Microsoft IdentityModel extensions for .NET, Power BI Report Server, Windows Terminal, Windows Subsystem for Linux, Windows Admin Center, Microsoft PC Manager, Microsoft Office for Android, Microsoft 365 Copilot mobile apps, Microsoft Edge mobile apps, Defender for Endpoint on macOS, and other service/product-specific packages. Cloud and service-side issues do not always require a local installer, but admins should still read the MSRC entries when the affected service is in use.

What Businesses Should Do Next

  1. Patch exploited server products first. Prioritize AD FS and SharePoint if they exist in your environment.
  2. Confirm Windows endpoint coverage. Check Windows 11, Windows 10, and Windows Server update compliance by build number, not just by “last checked.”
  3. Do not forget older servers. Windows Server 2012/2012 R2 updates are ESU-only. If those machines still exist, they need a migration plan, not just another month of patching.
  4. Patch .NET with the OS. Many business apps depend on .NET. Apply the correct .NET update and test key apps afterward.
  5. Handle SQL and Exchange carefully. Verify backups, snapshots where appropriate, maintenance windows, and post-patch service checks.
  6. Check Office update channels. Microsoft 365 Apps should be updating through Click-to-Run, but older Office 2016 installs may need individual attention.
  7. Verify Edge actually updated. Browser vulnerabilities are high-frequency attack paths, and shared machines often lag.
  8. Watch for install failures. If Windows throws errors such as 0x800f0922, check free space, VPN/proxy/update connectivity, Windows Update cache, DISM/SFC health, and the EFI/System Reserved partition where applicable.

For small businesses in Port Saint Lucie, Jensen Beach, Fort Pierce, and Vero Beach, this is a good month to treat patching like a managed process instead of a one-click chore. The right order is inventory, backup, patch, reboot, verify, then document. The risk is not just “unpatched Windows.” It is the server or application that everyone forgot was still running.

Microsoft Source Links

Need Help Checking Your Patch Status?

The IT Guys can help local homes and businesses review Windows Update status, troubleshoot failed updates, check server patch levels, plan maintenance windows, and confirm that critical systems actually rebooted cleanly after patching. If you manage business computers, servers, Microsoft 365, SharePoint, SQL, or Exchange and want a second set of eyes, schedule a check before the next patch cycle stacks on top of this one.