The monthly security update Microsoft published on July 14, 2026 covers 622 Microsoft CVEs according to the current Security Update Guide. Of this monthly total, 569 CVEs were first disclosed on Patch Tuesday itself. But neither of these figures is the number administrators should look at first. Unless the three actively exploited vulnerabilities, the CISA remediation deadlines—including July 17—and the delivery pause affecting some Dell devices are treated separately, the sheer volume of CVEs can obscure what actually needs prioritizing.
Why 622 and 569 Don't Match
The Microsoft Security Response Center's (MSRC) July release notes, in the current version updated on July 16, explicitly state "622 Microsoft CVEs." This includes 416 for Windows, 82 for Office, 46 for Microsoft Edge, 27 for developer tools, and 17 for SharePoint Server, among others. Because the same CVE can appear under both Office and Office 2016, the per-product-family figures cannot simply be added together.
Meanwhile, when CVRF data is sorted by initial disclosure date, 569 Microsoft CVEs were published on July 14. The remaining 53 were disclosed on other dates between July 2 and July 15. The figure "570" circulated as a rough count for Patch Tuesday itself, but it doesn't match either MSRC's current monthly total or the July 14 CVRF figure.
| Scope | Count | Interpretation |
|---|---|---|
| July 2026 Security Updates | 622 | Microsoft CVEs MSRC lists for July |
| First disclosed on July 14 | 569 | CVEs whose CVRF initial disclosure date is Patch Tuesday itself |
| Non-Microsoft Chromium CVEs | 428 | CVEs MSRC re-lists separately |
The 428 Chromium CVEs are not additional fixes Microsoft made on top of its own 622. They are a separate set of non-Microsoft CVEs that MSRC re-lists. So the claim that "Microsoft fixed a combined total of 1,050" is also incorrect.
In the current CVRF, 62 of the 622 CVEs are classified as Critical. By impact category, 256 involve elevation of privilege, 166 involve remote code execution, and 109 involve information disclosure. Here too, a single CVE can have multiple impact types. The overall totals indicate scale, but they aren't a metric for determining deployment order.
Before CVSS Scores: Three Actively Exploited Vulnerabilities
As of July 17, MSRC data lists three Microsoft CVEs as "Exploited: Yes." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added all three to its Known Exploited Vulnerabilities (KEV) catalog. Deadlines for U.S. federal agencies are July 17 for SharePoint's CVE-2026-56164, July 19 for CVE-2026-58644, and July 28 for AD FS's CVE-2026-56155.
| CVE | Target and Impact | Microsoft Rating | CISA Deadline |
|---|---|---|---|
| CVE-2026-56164 | SharePoint Server, network-based elevation of privilege | Moderate / 5.3 | July 17 |
| CVE-2026-58644 | SharePoint Server, network-based code execution | Critical / 9.8 | July 19 |
| CVE-2026-56155 | AD FS, local elevation to administrator privileges | Important / 7.8 | July 28 |
CVE-2026-56164 carries a CVSS score of only 5.3 (Moderate), yet it allows unauthenticated, network-based elevation of privilege in SharePoint and is already being exploited in attacks. As a mitigation, Microsoft advises enabling Antimalware Scan Interface (AMSI) on SharePoint and IIS worker processes and setting Request Body Scan to Full. Ranking vulnerabilities by CVSS score alone risks pushing this one behind the 62 Critical-rated CVEs.
CVE-2026-58644 is handled in an even more convoluted way. Microsoft states that although a patch had already been released, the CVE was inadvertently omitted from the June 2026 Patch Tuesday list. On July 15, Microsoft corrected the Exploitability Index, the actively-exploited flag, and the CVSS vector, and CISA added it to the KEV catalog the following day, July 16. This isn't a zero-day first fixed on July 14—it's an update that reconnects a past fix with current attack activity.
Inconsistencies also remain within Microsoft's own description of the attack conditions for this same CVE-2026-58644. The write-up describes an "unauthorized attacker" and the CVSS vector specifies PR:N, while the FAQ assumes an attacker who is at minimum authenticated as a Site Owner. Administrators shouldn't delay remediation over discrepancies in the stated authentication requirements—they should prioritize the confirmed exploitation and the short CISA deadline.
There is also CVE-2026-50661, which has been disclosed but not confirmed as actively exploited. An attacker with physical access could bypass BitLocker Device Encryption and reach encrypted data on the system drive. Microsoft rates it Important, CVSS 6.1, with exploitability described as "low." An internet-facing SharePoint deployment and a PC whose threat model includes theft or physical tampering shouldn't be assigned the same deployment priority.
AI Increases Discovery Volume, But Doesn't Shorten Verification
On July 9, Pavan Davuluri, Executive Vice President of Windows + Devices at Microsoft, signaled that AI would increase the volume of updates in each security release going forward. For Windows, Microsoft Security uses tools such as the multi-model agentic scanning harness "MDASH" to scan critical binaries. Candidates are reviewed across multiple models, then reproduced through a separate Windows-specific verification process. Remaining false positives are filtered out there before issues are handed to engineers.
This is not a claim that "AI found all 622 CVEs." MSRC states that the increase reflects reporting volume that has grown over several years, maturing automation, and expanding participation from external researchers. AI is one factor accelerating discovery and verification, but risk assessment and code review remain human tasks.
This month's 622 CVEs span attack conditions ranging widely—from internet-facing SharePoint deployments to BitLocker scenarios that presuppose physical access. Microsoft itself recommends triaging not by raw count but by exposure and potential impact, weighing the Exploitability Index, confirmed exploitation, and available public exploit code together. Organizations need to keep asset inventories and external exposure status continuously updated, and restructure their deployment rings accordingly.
Dell Delivery Pause, Forced RC4 Migration, and Secure Boot Certificate Updates
Even amid the urgency to patch, Microsoft has paused delivery of KB5101650 to certain Dell devices. Affected are some Windows 11 24H2/25H2 devices using the Intel Innovation Platform Framework Processor Participant driver. A conflict between the Windows USB-C Connection Manager, introduced in the June 23 preview update, and an Intel-side component can alter performance, power consumption, and system behavior. Windows Server is not affected.
Affected devices will not be offered the update. Microsoft and Dell are preparing a fix; as of July 15, Microsoft said it planned to deliver one within a few days, but no delivery-resumption date has been announced. Administrators should avoid manually installing the update to bypass the pause and instead wait for announcements identifying affected models and the fix.
On the server side, a Kerberos change is coming. Following the January audit phase and the April switch to AES by default, remediation for CVE-2026-20833 enters its final enforcement phase with the July update. The temporary rollback registry value, RC4DefaultDisablementPhase, is being removed. Any service accounts lacking AES keys, or non-Windows devices still relying on RC4, will have service ticket issuance denied, surfacing as authentication failures.
Secure Boot certificate updates are proceeding in parallel. The 2011-issued Microsoft Corporation KEK CA expired on June 24, and the Microsoft UEFI CA expired on June 27. Devices that haven't been updated can still boot and receive normal Windows Updates, but they won't receive the newer pre-boot protections tied to Windows Boot Manager, the Secure Boot database, and revocation lists. The July update expands automatic delivery of the new 2023-generation certificates to more devices.
Splitting the July Update Into Three Deployment Rings
The first ring should contain the SharePoint and AD FS CVEs added to the CISA KEV catalog. For internet-facing SharePoint deployments, verify update status for CVE-2026-56164 and CVE-2026-58644, and simultaneously check for indicators of compromise. For AD FS, apply the fix for CVE-2026-56155 to close off any path by which already-obtained low-privilege access could escalate to administrator rights.
The second ring is for compatibility verification. Keep the delivery pause in place for affected Dell devices, and check domain controllers' KDCSVC event IDs 201–209 to identify remaining RC4 dependencies. Don't just monitor update success or failure—also watch for authentication failures and changes in power consumption or performance.
The third ring covers the remaining phased rollout of Windows, Office, and developer tool updates, along with verifying Secure Boot certificate status. This month's updates cannot be deployed safely without reordering the rollout based on active exploitation, compatibility, and asset exposure. The next things to watch are when delivery of KB5101650 to Dell devices resumes, and how Microsoft further corrects the authentication requirements for CVE-2026-58644.