diff --git a/docs/briefings/2026-07.md b/docs/briefings/2026-07.md new file mode 100644 index 0000000..b23abad --- /dev/null +++ b/docs/briefings/2026-07.md @@ -0,0 +1,102 @@ +--- +layout: default +title: "July 2026 Patch Tuesday Briefing — What to Patch First" +description: "Microsoft July 2026 Patch Tuesday triage: 67 Critical CVEs, two CISA KEV entries (SharePoint and AD FS elevation-of-privilege bugs under active exploitation), and a run of Critical SharePoint/DHCP/Exchange RCEs — ranked by real-world urgency." +--- + +# July 2026 Patch Tuesday Briefing + +*Release date: July 14, 2026 · Generated from the [MSRC Security Update Guide](https://msrc.microsoft.com/update-guide) by [patch-tuesday-mcp](https://github.com/jonnybottles/patch-tuesday-mcp)* + +## The month at a glance + +The July 2026 security update spans **1,164 entries** in Microsoft's CVRF document +(including Chromium/Edge and open-source components Microsoft redistributes). Of those: + +- **67 Critical** and **600 Important** severity +- **1 publicly disclosed** before the release: a BitLocker security-feature-bypass +- **2 on the CISA KEV catalog**, both already exploited in the wild: a **SharePoint Server** + elevation-of-privilege bug ([CVE-2026-56164](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164), + federal remediation due **July 17, 2026**) and an **AD FS** elevation-of-privilege bug + ([CVE-2026-56155](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155), due **July 28, 2026**) +- Impact mix: Elevation of Privilege (256) leads, followed by Remote Code Execution (165) and Information Disclosure (108) + +A note on ranking this month: EPSS scores are unusually flat across the board (nothing +above ~1.1% outside the two KEV entries), so a pure EPSS-first sort buries several Critical +RCEs on page two. The picks below override that raw sort with the same judgment an analyst +would apply — active exploitation and blast radius first, EPSS/CVSS second. + +## What to patch first + +1. **SharePoint Server** — [CVE-2026-56164](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164) + (Elevation of Privilege) is on the **CISA KEV catalog** and **confirmed exploited**, despite + carrying only a **Moderate 5.3** severity rating — don't let the score fool you. The same + release also ships two **Critical 9.8** RCEs, [CVE-2026-50522](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50522) + and [CVE-2026-58644](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644), plus a + **Critical 9.1** security-feature-bypass, [CVE-2026-55040](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55040). + Four SharePoint bugs, one under active attack: this is the month's top priority for anyone + running SharePoint Server on-prem (KB5002873–KB5002891 family). +2. **Active Directory Federation Services** — [CVE-2026-56155](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155) + (Elevation of Privilege, CVSS 7.8) is the second **CISA KEV** entry this month and is also + **confirmed exploited**. Any AD FS deployment used for SSO or federation should get this + immediately (KB5099444 family). +3. **Windows DHCP Server** — [CVE-2026-50518](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50518) + (RCE, CVSS 9.8), flagged **"Exploitation More Likely"** by MSRC — an unauthenticated, + network-facing DHCP server bug in the same family of components as June's DHCP client RCE. +4. **Windows Server network driver** — [CVE-2026-56188](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56188) + (RCE, CVSS 9.8), also **"Exploitation More Likely"** — shares a KB family with the DHCP fix, + so batch these together on server maintenance windows. +5. **Microsoft Exchange Server** — [CVE-2026-55008](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008) + (Spoofing, CVSS 9.6), **"Exploitation More Likely"** — a high-severity spoofing bug on mail + infrastructure deserves the same urgency as the RCEs above. + +The lone publicly disclosed item this month, BitLocker security-feature-bypass +[CVE-2026-50661](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50661) +(Important, 6.1), is a local issue: patch on the normal cycle, but assume proof-of-concept +code circulates. + +## Top 25 by urgency + +Ranked KEV/exploited first, then EPSS exploitation probability, severity, and CVSS. + +| CVE | Title | Impact | Sev | CVSS | EPSS | Why prioritized | +|---|---|---|---|---|---|---| +| [CVE-2026-56155](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155) | Active Directory Federation Services EoP | EoP | Important | 7.8 | — | **On CISA KEV (due 2026-07-28)**; exploited in the wild | +| [CVE-2026-56164](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164) | Microsoft SharePoint Server EoP | EoP | Moderate | 5.3 | — | **On CISA KEV (due 2026-07-17)**; exploited in the wild | +| [CVE-2026-8925](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8925) | SASL double-free | — | Moderate | 5.9 | 1% | Highest EPSS this month | +| [CVE-2026-9079](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9079) | Stale proxy password leak | — | Important | — | 1% | High EPSS | +| [CVE-2026-11856](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11856) | Cross-origin Digest auth state leak | — | Moderate | 5.3 | 1% | — | +| [CVE-2026-10536](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10536) | HTTP/2 stream-dependency tree UAF | — | Moderate | 5.5 | 1% | — | +| [CVE-2026-41109](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41109) | GitHub Copilot / VS Code security feature bypass | SFB | Important | 8.8 | 1% | High CVSS | +| [CVE-2026-8927](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8927) | Env-set cross-proxy Digest auth state leak | — | Moderate | 5.3 | 1% | — | +| [CVE-2026-57991](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57991) | Edge (Chromium) Information Disclosure | Info | Important | 7.4 | 1% | — | +| [CVE-2026-58250](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58250) | NATS Server pre-auth crash via double INFO | DoS | Moderate | 7.5 | 1% | — | +| [CVE-2026-58281](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58281) | Edge (Chromium) RCE | RCE | Important | 8.3 | 1% | — | +| [CVE-2026-56646](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56646) | Edge (Chromium) Spoofing | Spoofing | Important | 6.5 | 1% | — | +| [CVE-2026-8924](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8924) | Trailing dot domain super cookie | — | Important | 9.1 | 1% | High CVSS | +| [CVE-2026-56003](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56003) | libXfont2 computeProps heap buffer overflow | — | Important | 8.5 | 1% | — | +| [CVE-2026-57100](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57100) | Microsoft Entra Provisioning Service EoP | EoP | Critical | 9.9 | 1% | Critical severity | +| [CVE-2026-54998](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54998) | Microsoft Exchange Online EoP | EoP | Critical | 8.8 | 1% | Critical severity | +| [CVE-2026-57987](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57987) | Edge (Chromium) Spoofing | Spoofing | Important | 6.5 | 1% | — | +| [CVE-2026-8926](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8926) | Password leak with netrc and user in URL | — | Critical | 9.1 | 1% | Critical severity | +| [CVE-2026-45499](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45499) | Azure OpenAI EoP | EoP | Critical | 9.9 | 1% | Critical severity | +| [CVE-2026-57993](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57993) | Edge (Chromium) Spoofing | Spoofing | Important | 7.4 | 1% | — | +| [CVE-2026-12413](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-12413) | IKEv2 DoS via malformed fragmentation | DoS | Important | 7.5 | 1% | — | +| [CVE-2026-58208](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58208) | NATS Server MQTT-over-WebSocket crash | DoS | Moderate | 6.8 | 1% | — | +| [CVE-2026-56002](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56002) | libXfont2 PCF font parsing heap buffer overflow | — | Important | 8.5 | 1% | — | +| [CVE-2026-58291](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58291) | Edge (Chromium) Information Disclosure | Info | Important | 6.1 | 1% | — | +| [CVE-2026-12064](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-12064) | Proto-default skips SSH verification | — | Important | 7.5 | 1% | — | + +## Reproduce this briefing + +This page is the output of one tool call against the free, keyless MSRC API: + +``` +msrc_search(month="2026-Jul", include_stats=True, format="markdown") +``` + +Run it from any MCP client via [patch-tuesday-mcp](https://github.com/jonnybottles/patch-tuesday-mcp) +(`uvx patch-tuesday-mcp`), or try the [hosted endpoint](https://github.com/jonnybottles/patch-tuesday-mcp#try-it-instantly--hosted-endpoint-no-install) +with no install at all. + +*Data sources: [MSRC CVRF v3 API](https://github.com/microsoft/MSRC-Microsoft-Security-Updates-API) · [FIRST.org EPSS](https://www.first.org/epss/) · [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). EPSS scores are point-in-time as of 2026-07-15.* diff --git a/docs/index.md b/docs/index.md index e4da648..5ac47ca 100644 --- a/docs/index.md +++ b/docs/index.md @@ -15,6 +15,7 @@ MCP client) answer questions like *"what do I patch first this month?"* ## Briefings +- [July 2026]({{ site.baseurl }}/briefings/2026-07) - [June 2026]({{ site.baseurl }}/briefings/2026-06) ## Ask these questions yourself