
Microsoft just dropped its biggest security update in company history. On July 14, 2026, the company released patches for at least 570 vulnerabilities across Windows and other software. That’s nearly triple the number fixed in last month’s release, which was itself a record at the time.
Nearly 60 of the bugs are rated ‘critical,’ meaning attackers could use them to take remote control of a Windows device with little or no help from the user. Microsoft also fixed three zero-day flaws, two of which are already being actively exploited.
The reason for the massive jump in patch count? Microsoft says artificial intelligence is helping its security teams find bugs faster and at scale. That might sound like progress, and it is. But the same tools are also helping attackers move faster, and that tension is what makes this update so significant.
Microsoft Executive Vice President Pavan Davuluri wrote in a blog post on July 9 that Windows users should expect higher volumes of security updates going forward. ‘The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,’ Davuluri wrote.
The two actively exploited zero-days both allow an attacker to escalate their privileges on a Windows system. They are part of a much larger group of roughly 250 elevation-of-privilege bugs fixed this month. The specific zero-days are:
- CVE-2026-56155: A flaw in Active Directory Federation Services
- CVE-2026-56164: A vulnerability in Microsoft SharePoint
A third zero-day, CVE-2026-50661, is a BitLocker security feature bypass. If an attacker has physical access to a device, they could use it to access encrypted data. Microsoft says the bug has been publicly documented but is not aware of active exploitation yet.
One of the more alarming bugs this month is CVE-2026-48561, a remote code execution flaw in Microsoft Copilot with a CVSS score of 9.6 out of 10. Jack Bicer, director of vulnerability research at Action1, flagged it as a standout risk. According to Microsoft, an attacker could exploit it by hosting a malicious website that tricks Microsoft Edge for Android into automatically sending crafted prompts to Copilot when a user visits the page. No special permissions needed on the attacker’s side.
Beyond the individual bugs, security researchers are raising a bigger structural concern: Microsoft’s exploitability index is no longer keeping up with reality. That index is Microsoft’s rating system for how likely attackers are to develop a working exploit for a given flaw. The SharePoint zero-day this month was originally rated ‘less likely’ to be exploited, yet it was added to CISA’s Known Exploited Vulnerabilities list on July 1, before this patch even dropped.
Satnam Narang, senior staff research engineer at Tenable, put it plainly. Anthropic’s Red Team recently tested its Mythos Preview AI model against known vulnerabilities and found it could produce working proof-of-concept exploits for 13 out of 14 vulnerabilities that Microsoft had rated ‘Exploitation Less Likely’ or ‘Exploitation Unlikely.’ ‘What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools,’ Narang said.
This isn’t a Microsoft-only problem. Chris Goettl at Ivanti pointed out that several other major software companies are also increasing how often they release security updates, all citing AI as the driver:
- Adobe announced it is moving to twice-monthly security bulletins, on the 2nd and 4th Tuesday of each month
- Cisco, Mozilla, and Oracle are also shipping patches more frequently
- Google released more than 900 security fixes in June 2026 alone
The industry is clearly shifting into a higher gear. Patch cycles that once ran monthly are compressing. The assumption that a 30-day window gives defenders enough time to assess and respond is getting harder to justify when AI can generate working exploits in hours.
For everyday Windows users, the practical advice is straightforward. Back up your system before applying these updates. With a patch batch this large, there’s a real chance some fixes introduce stability issues, so waiting a few days for early reports to surface is a reasonable approach. Enterprise teams will need to prioritize the actively exploited zero-days and the Copilot remote code execution bug first.
The bigger takeaway is that the volume of this month’s update isn’t a one-off. Microsoft has signaled this is the new normal, and other vendors are following the same path. Security teams that haven’t already automated their patch workflows are going to feel this pressure compound quickly.