Conceptual image illustrating Microsoft Patch Tuesday July 2026 vulnerabilities, Snort detection rules, and cybersecurity measures for data protection.

Microsoft's July 2026 Patch Tuesday is a large one: 622 vulnerabilities in total, with 57 rated critical. Two of the flaws disclosed this month have already been exploited in the wild, which is the first thing worth flagging when you plan your deployment window.

The two known-exploited issues are CVE-2026-56155, an elevation of privilege flaw in Active Directory Federation Services (AD FS) caused by insufficient access control granularity, and CVE-2026-56164, a missing-authentication spoofing flaw in Microsoft SharePoint Server. Neither is rated critical, but active exploitation moves them to the front of the queue regardless of their severity label. If you run AD FS or on-premises SharePoint, these two shape your patch order.

The critical entries span most of the Microsoft stack you likely operate. The affected products include Windows Media and Media Foundation, the DHCP client and DHCP Server service, Office (Word, Excel, PowerPoint), Windows GDI and GDI+, the DirectX Graphics Kernel, SharePoint, SQL Server, Windows TCP/IP, the Print Spooler, Active Directory Domain Services, Microsoft Defender, Microsoft Copilot, the Remote Desktop Client, Dynamics NAV and Dynamics 365 Business Central, and even the Minecraft Bedrock Dedicated Server.

By type, the 57 critical flaws break down as follows:

  • 48 remote code execution (RCE)
  • Seven elevation of privilege (EoP)
  • One spoofing
  • One security feature bypass

The heavy RCE count is the operational reason this release matters. Many of these flaws are triggered by opening a crafted document or reachable over a network, and several affect internet-facing or domain-critical services like DHCP, SharePoint, and AD DS. For most environments, the priority order is straightforward: patch the two exploited AD FS and SharePoint flaws, then work through the network-reachable critical RCEs on exposed servers before moving to workstation and Office fixes.

Business Impact: Deployment Urgency and Operational Risk

The headline number that matters for your planning: 622 vulnerabilities in a single release, with 57 rated critical and 48 of those allowing remote code execution. This is a large deployment cycle by any measure, and the breadth of affected components means almost no Windows-based enterprise escapes the testing burden.

Look at where these flaws live and you can map them directly onto your asset inventory. The critical RCE issues touch Windows DHCP client and server services, TCP/IP, the Server Network driver, Print Spooler, and SSTP — infrastructure that runs on effectively every domain-joined machine and network segment you operate. A DHCP server flaw like CVE-2026-50518, exploitable over a network by an unauthorized attacker, sits on systems that every endpoint depends on for addressing.

Then there is the desktop application layer. Microsoft flagged a large cluster of critical RCE bugs across Office, Word, Excel and PowerPoint, most triggered by opening a specially crafted document. That means the exposure is not confined to servers in a data center — it extends to every workstation where staff open email attachments, which in most organizations is all of them.

The compliance dimension is worth calling out for regulated environments. Flaws in Active Directory Certificate Services (CVE-2026-54121), Active Directory Domain Services (CVE-2026-49164), and SQL Server (CVE-2026-54117 and CVE-2026-54118) affect the systems that authenticate users and store regulated records. If you operate in healthcare, finance, or critical infrastructure, an unpatched RCE on a database or identity server is the kind of finding that surfaces in an audit and complicates your attestations.

Virtualization and management infrastructure carry their own weight here. The critical elevation-of-privilege set includes Windows Hyper-V (CVE-2026-50680 and CVE-2026-54127), VMSwitch (CVE-2026-57092), Secure Kernel Mode, and WSUS (CVE-2026-50444). A Hyper-V escape lets an attacker who controls one guest reach the host and, from there, other tenants — meaning a single compromised VM can put every workload on that host at risk.

Eleven of the 48 critical remote code execution flaws are rated "more likely" to be exploited, and two additional vulnerabilities disclosed this month are already being exploited in the wild.

Your operational risk splits into two competing costs. Deploying 622 fixes across a heterogeneous estate — different Windows versions, on-premises and cloud, Dynamics NAV and Dynamics 365 Business Central, even Minecraft Bedrock Dedicated Server instances (CVE-2026-55010) — demands compatibility testing before you push to production. Kernel and Win32k updates, which appear repeatedly in this release, have a history of interacting with third-party drivers, so rushing them can break line-of-business applications.

On the other side, the "more likely" ratings on flaws like the SharePoint security feature bypass (CVE-2026-55040) and the Exchange Server cross-site scripting spoofing issue (CVE-2026-55008) tell you which items attackers are expected to reach first. Where your testing window collides with your patching window, prioritize the network-reachable, unauthenticated RCE and the two already-exploited flaws for internet-facing and identity systems, and stage the kernel and desktop-application updates behind a shorter validation pass.

For cloud-hosted components — the Copilot, Azure Synapse, Azure OpenAI, Exchange Online and Entra items — Microsoft assigned no exploitation-likelihood rating and handles the service-side updates itself, so those do not consume your deployment budget the way the on-premises fixes do.

Vulnerability Breakdown: Severity, Attack Surface, and Exploitability

Two vulnerabilities in this release are confirmed exploited in the wild, but neither carries a "critical" rating — a reminder that Microsoft's severity tier and real-world attack activity don't always line up. Both are elevation-of-privilege or spoofing issues that require some existing position on the network, which is exactly why they get overlooked in favor of higher-CVSS entries. When you're triaging 622 CVEs, the exploited-in-the-wild flag matters more than the label attached to it.

The critical tier is dominated by remote code execution — 48 of the 57 critical entries. That concentration tells you where the attack surface lives this month: memory-corruption bugs in components that process untrusted input over a network or from a crafted file.

Group the critical RCE flaws by root cause and the pattern becomes clear:

  • Heap-based buffer overflows in the Windows DHCP Server service (CVE-2026-50370, CVE-2026-50518), Windows Media and Media Foundation (CVE-2026-50327, CVE-2026-50655), the MSMQ Queue Manager (CVE-2026-54992), and the Minecraft Bedrock Dedicated Server (CVE-2026-55010).
  • Use-after-free in the Windows DHCP client (CVE-2026-54128), which executes code locally rather than over the wire.
  • Deserialization in SharePoint (CVE-2026-50522, CVE-2026-58644) and Dynamics NAV / Dynamics 365 Business Central on-premises (CVE-2026-55944), all exploitable by an unauthenticated attacker over a network.
  • A race condition in the Windows Server Network driver (CVE-2026-56188).

These eleven are the RCE flaws Microsoft rates "more likely" to be exploited. The distinction that matters for your risk ranking is authentication and adjacency: CVE-2026-50518, the SharePoint deserialization pair, and the Dynamics flaw need no credentials and reach across a network, so an attacker only needs a route to the listening service.

The Office family — nine RCE flaws in Office itself, three in Word, and three in PowerPoint — sits in the "less likely" or unrated buckets, but the attack vector is what you know from every prior document-based campaign: a user opens a crafted file and code runs in their context. These don't self-propagate, but they pair naturally with phishing, which is how most of them get delivered.

The seven critical elevation-of-privilege flaws are the ones that turn a foothold into full control. CVE-2026-42982 and CVE-2026-50392 in Windows Secure Kernel Mode, CVE-2026-50680 and CVE-2026-54127 in Hyper-V, and CVE-2026-57092 in VMSwitch reach into virtualization and kernel boundaries — the exact layer where a guest escape or a kernel EoP undermines the isolation your infrastructure depends on. CVE-2026-50444 in WSUS and CVE-2026-54121 in Active Directory Certificate Services sit on services that, once controlled, let an attacker push code or mint certificates across the domain.

Two more critical entries round out the tier, both rated "more likely": CVE-2026-55008, a cross-site scripting spoofing flaw in Exchange Server, and CVE-2026-55040, a weak-authentication security feature bypass in SharePoint Server.

The kernel and Win32k elevation-of-privilege flaws in the "important" tier deserve attention despite the lower label. Microsoft rates a long run of them — including multiple Windows Kernel and Win32k entries (CVE-2026-49795, CVE-2026-49798, CVE-2026-50332, CVE-2026-50390, and others) plus the Common Log File System driver flaw CVE-2026-50667 — as "more likely" to be exploited. Kernel EoP bugs are the standard second stage after a phishing payload or browser exploit: they carry no network reach on their own, but they hand an attacker SYSTEM privileges, which is why they show up so consistently in real intrusion chains.

Detection and Monitoring with Snort Rules

Start by updating your Snort ruleset before you touch anything else. Talos has published dedicated coverage for this release, and Cisco Secure Firewall customers should update their SRU to pull the current rule pack. Open-source Snort Subscriber Ruleset users can download the latest pack from Snort.org. Without the refresh, your sensors have no signatures for the exploitation attempts described this month.

The specific coverage for July's disclosures maps to defined SID ranges. Load these and confirm they are active on the sensors watching your perimeter and internal segments:

  • Snort 2: SIDs 1:66733–1:66743, 1:66745–1:66785, 1:66791–1:66793, and 1:66800–1:66807
  • Snort 3: SIDs 1:301555–1:301579 and 1:301581–1:301583

Talos notes these rules are subject to change as more information arrives, and additional rules may follow. Check for updates over the coming days rather than treating this pack as final.

Detect

Prioritize the network-reachable flaws when you decide which rules to enable first. The DHCP Server heap overflows and the SharePoint deserialization issues are reachable over the network by an unauthorized attacker, so the signatures covering those exchanges belong in blocking mode on your outward-facing and inter-VLAN sensors immediately. Watch your IDS/IPS alert stream for hits against these SIDs, then correlate them against the DHCP server, SharePoint, and SQL hosts in your inventory.

Endpoint telemetry fills the gap network rules cannot see. The use-after-free in the DHCP client and the many kernel and Win32k elevation-of-privilege flaws rated "more likely" run locally, so signature-based network detection alone will miss them. In environments Capstone manages, SentinelOne flags the abnormal process behavior and privilege changes that follow local code execution, catching post-exploitation activity that never crosses a network sensor.

Layer in application logs for the services most likely to be probed. For SharePoint, review IIS and SharePoint ULS logs for unexpected deserialization errors or unauthenticated requests to spoofing-related endpoints. For Exchange, monitor for the cross-site scripting patterns tied to the spoofing flaw. For SQL Server, watch authentication and query logs on any instance exposed beyond the application tier.

Tuning and Validation

Validate the new rules in a test environment before you push them to production inline. On high-traffic networks, the deserialization and buffer-overflow signatures can generate noise against legitimate document uploads and RPC traffic, so run them in alert-only mode first and baseline the hit rate against known-good flows. Once you confirm the alerts correspond to genuine attack patterns and not routine application behavior, promote the high-confidence rules to drop.

Sequence your rollout by exposure. Enable blocking for the internet-facing SharePoint, DHCP, and Exchange signatures on day one, since those are the flaws an unauthenticated attacker can reach without a foothold. Phase in the rules covering internal services — Message Queuing, the Server Network driver, and the Reliable Multicast Transport Driver — over the following days as you confirm they do not disrupt legitimate east-west traffic.

Keep the exploited-in-the-wild AD FS and SharePoint issues under active watch even where a specific Snort signature is not the primary control. Both require an existing position on the network, so pair the rule coverage with authentication monitoring on your federation and collaboration servers to catch the follow-on privilege escalation and spoofing activity. Recheck the Talos ruleset for revisions as the picture develops.

Patching Strategy and Deployment Priorities

Start with your internet-facing and identity infrastructure. The two confirmed exploited flaws sit in AD FS and SharePoint Server, and the critical-tier network stack — DHCP server, TCP/IP, SSTP, Print Spooler, and Active Directory Domain Services — runs on the systems that gate access to everything else. Patch these on internet-exposed hosts and domain controllers within 48 to 72 hours, ahead of your standard change window.

Following the NIST Cybersecurity Framework order, treat the roadmap in three phases mapped to asset exposure.

Immediate (48–72 hours) — internet-facing and domain controllers:

  • Domain controllers and AD Certificate Services hosts: apply fixes for CVE-2026-49164 (AD Domain Services RCE) and CVE-2026-54121 (AD CS elevation of privilege).
  • Exchange and SharePoint servers: CVE-2026-55008 (Exchange spoofing) and CVE-2026-55040 (SharePoint security feature bypass), both rated "more likely" to be exploited.
  • DHCP servers reachable across network segments: CVE-2026-50370 and CVE-2026-50518, the heap-based buffer overflows.

Short-term (within two weeks) — internal servers and workstations: roll out all remaining critical and high-severity fixes to internal systems. This covers the kernel and Win32k elevation-of-privilege flaws rated "more likely" (CVE-2026-49795, CVE-2026-50390, CVE-2026-50667 in the Common Log File System Driver, and the SMB flaw CVE-2026-58531), plus Hyper-V and VMSwitch fixes (CVE-2026-50680, CVE-2026-57092) that matter on virtualization hosts. An attacker who already has a foothold uses these to move from a limited account to full system control.

Long-term — standard monthly cycle: the "less likely" and "unlikely" RCE entries, including the Office, Word, and PowerPoint document-parsing flaws and the Minecraft Bedrock Dedicated Server fix, can follow your normal deployment rhythm once the higher-risk work is complete.

Test before you push. Validate the Office family patches (CVE-2026-50314 through CVE-2026-55140 across Office, Word, and PowerPoint) against a sandbox that opens documents with active macros, since these are triggered by a specially crafted file. Apply kernel and Win32k updates to representative hardware first — driver-level changes surface on specific chipsets and graphics stacks. Push the Edge (Chromium) fix CVE-2026-58596 to a limited user group before broad rollout to catch extension or rendering breakage.

Watch dependency order. Confirm the required .NET runtime updates are in place before deploying Office application patches, or the installers may fail or roll back mid-cycle. The Boot Loader security feature bypass (CVE-2026-58638) and Secure Kernel Mode fixes (CVE-2026-42982, CVE-2026-50392) require a full system reboot; service-scoped fixes such as the Print Spooler and DHCP server updates can often complete with a service restart, but verify each on a pilot host rather than assuming.

Keep a rollback path ready. Snapshot virtual servers before applying Hyper-V and VMSwitch patches, and record the pre-patch build so you can uninstall a specific update if an application regresses. For identity infrastructure, Adlumin monitors authentication patterns across managed environments, flagging the login anomalies that would indicate someone testing the AD FS elevation-of-privilege flaw while your patch window is still open.

Give business units a short written notice for each phase: which systems reboot, the expected outage window, and a named contact for issues. That turns a large multi-day deployment into scheduled maintenance rather than a surprise for the people who depend on those systems.

Compliance and Regulatory Considerations

Two flaws in this release land squarely on authentication and identity infrastructure, which is where most compliance frameworks concentrate their patch-timeliness requirements. CVE-2026-56155 in Active Directory Federation Services and CVE-2026-54121 in Active Directory Certificate Services both touch the systems that issue and validate credentials across your environment. If you process cardholder data, PCI-DSS requirement 6.3.3 obligates you to apply vendor security patches to critical systems within one month of release — and identity infrastructure that gates access to a cardholder data environment sits inside that scope.

For HIPAA-covered entities and their business associates, the relevant CVEs are the ones affecting systems that store or transmit protected health information. CVE-2026-55008, the Exchange Server cross-site scripting spoofing flaw rated "more likely" to be exploited, matters here because email routinely carries PHI. A spoofing condition on a mail server that handles patient communications is the kind of unremediated vulnerability that surfaces in an Office for Civil Rights investigation after a breach.

Authentication and encryption components draw heightened scrutiny under every framework. Note these entries specifically:

  • CVE-2026-58638 — Windows Boot Loader Security Feature Bypass, which affects Secure Boot integrity that many auditors treat as a foundational control.
  • CVE-2026-50694 — the SSTP critical RCE, sitting on the VPN tunneling layer your remote-access attestations depend on.
  • CVE-2026-54121 — AD Certificate Services EoP, directly touching the certificate authority that underpins your PKI.
  • CVE-2026-57091 — Windows File History Service EoP, relevant if you rely on it as part of a documented recovery capability.

Because two vulnerabilities are confirmed exploited in the wild, your audit posture changes. SOC 2 and ISO 27001 assessors will ask when you learned of the active exploitation and what your response timeline was. "We waited for the next quarterly window" is a hard answer to defend when the vendor flagged in-the-wild activity on disclosure day.

If you operate under a 30/60/90-day patch SLA, your evidence burden is documentary. You need to retain, per CVE, the date you became aware of the vulnerability, the risk classification you assigned, the deployment date across affected asset classes, and the change-approval record. For the 622 CVEs in this release, that means your change-management system should show the two exploited flaws and the "more likely" critical entries — including CVE-2026-55040 in SharePoint Server and the DHCP Server RCEs — moving on an accelerated track distinct from your routine 90-day items.

For organizations in scope for NIS2, essential and important entities carry incident-reporting and vulnerability-handling obligations that regulators can inspect. If any of the critical RCE flaws affecting SQL Server (CVE-2026-54117, CVE-2026-54118) reach production database servers holding regulated data, keep the risk-assessment record showing why you prioritized or deferred them.

Retain patch-verification output, not just deployment tickets. An auditor distinguishes between "the update was pushed" and "the update installed and the affected build is no longer present." Where you accept risk on a system you cannot patch immediately — a legacy Dynamics NAV install exposed to CVE-2026-55944, for example — document the compensating controls and the sign-off, because an undocumented deferral reads as a control failure during assessment.

Immediate Actions: Next 48 Hours

Your first 48 hours are about preparation and scoping, not blind deployment. With 622 vulnerabilities in this release and two already exploited in the wild, the teams that move cleanly are the ones that map exposure before touching production.

Work through this sequence before end of business day two:

  • Build the affected-systems inventory. Use WSUS or Microsoft Configuration Manager (ConfigMgr) to pull a report of every host running affected Windows Server, Windows client, Office, SharePoint, SQL Server, and Exchange Server builds. Third-party patch managers like N-able or PDQ can fill gaps for unmanaged endpoints. Your patch owner signs off on the final list.
  • Flag the confirmed-exploited and "more likely" CVEs against that inventory. Tag every asset carrying the AD FS and SharePoint flaws under active exploitation, plus the eleven "more likely" critical RCE entries and the Exchange spoofing item CVE-2026-55008. These become your day-one deployment targets.
  • Schedule maintenance windows for internet-facing systems first. SharePoint front ends, Exchange servers, and any externally reachable host with a flagged CVE need a window booked now — not queued behind your monthly cadence.
  • Notify stakeholders of the schedule and expected downtime. Send application owners and the service desk the window times, affected services, and reboot expectations for SQL Server and Hyper-V hosts, which carry restart-sensitive fixes.
  • Stage rollback procedures. Confirm snapshots for virtualized servers and validate that your patch tool can uninstall the July cumulative update if a business application breaks.
  • Assign a verification owner per system class. Name who confirms each patch installed and the service came back healthy — domain controllers, database, collaboration, and endpoints each need a named person.

The single most useful action in this window is reconciling the flagged CVE list against your live asset inventory, because everything else depends on knowing exactly which of your systems are in scope.

TPL_TABLE_CONTENT

Top hits