Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
102 changes: 102 additions & 0 deletions docs/briefings/2026-07.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
---
layout: default
title: "July 2026 Patch Tuesday Briefing — What to Patch First"
description: "Microsoft July 2026 Patch Tuesday triage: 67 Critical CVEs, two CISA KEV entries (SharePoint and AD FS elevation-of-privilege bugs under active exploitation), and a run of Critical SharePoint/DHCP/Exchange RCEs — ranked by real-world urgency."
---

# July 2026 Patch Tuesday Briefing

*Release date: July 14, 2026 · Generated from the [MSRC Security Update Guide](https://msrc.microsoft.com/update-guide) by [patch-tuesday-mcp](https://github.com/jonnybottles/patch-tuesday-mcp)*

## The month at a glance

The July 2026 security update spans **1,164 entries** in Microsoft's CVRF document
(including Chromium/Edge and open-source components Microsoft redistributes). Of those:

- **67 Critical** and **600 Important** severity
- **1 publicly disclosed** before the release: a BitLocker security-feature-bypass
- **2 on the CISA KEV catalog**, both already exploited in the wild: a **SharePoint Server**
elevation-of-privilege bug ([CVE-2026-56164](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164),
federal remediation due **July 17, 2026**) and an **AD FS** elevation-of-privilege bug
([CVE-2026-56155](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155), due **July 28, 2026**)
- Impact mix: Elevation of Privilege (256) leads, followed by Remote Code Execution (165) and Information Disclosure (108)

A note on ranking this month: EPSS scores are unusually flat across the board (nothing
above ~1.1% outside the two KEV entries), so a pure EPSS-first sort buries several Critical
RCEs on page two. The picks below override that raw sort with the same judgment an analyst
would apply — active exploitation and blast radius first, EPSS/CVSS second.

## What to patch first

1. **SharePoint Server** — [CVE-2026-56164](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164)
(Elevation of Privilege) is on the **CISA KEV catalog** and **confirmed exploited**, despite
carrying only a **Moderate 5.3** severity rating — don't let the score fool you. The same
release also ships two **Critical 9.8** RCEs, [CVE-2026-50522](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50522)
and [CVE-2026-58644](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644), plus a
**Critical 9.1** security-feature-bypass, [CVE-2026-55040](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55040).
Four SharePoint bugs, one under active attack: this is the month's top priority for anyone
running SharePoint Server on-prem (KB5002873–KB5002891 family).
2. **Active Directory Federation Services** — [CVE-2026-56155](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155)
(Elevation of Privilege, CVSS 7.8) is the second **CISA KEV** entry this month and is also
**confirmed exploited**. Any AD FS deployment used for SSO or federation should get this
immediately (KB5099444 family).
3. **Windows DHCP Server** — [CVE-2026-50518](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50518)
(RCE, CVSS 9.8), flagged **"Exploitation More Likely"** by MSRC — an unauthenticated,
network-facing DHCP server bug in the same family of components as June's DHCP client RCE.
4. **Windows Server network driver** — [CVE-2026-56188](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56188)
(RCE, CVSS 9.8), also **"Exploitation More Likely"** — shares a KB family with the DHCP fix,
so batch these together on server maintenance windows.
5. **Microsoft Exchange Server** — [CVE-2026-55008](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008)
(Spoofing, CVSS 9.6), **"Exploitation More Likely"** — a high-severity spoofing bug on mail
infrastructure deserves the same urgency as the RCEs above.

The lone publicly disclosed item this month, BitLocker security-feature-bypass
[CVE-2026-50661](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50661)
(Important, 6.1), is a local issue: patch on the normal cycle, but assume proof-of-concept
code circulates.

## Top 25 by urgency

Ranked KEV/exploited first, then EPSS exploitation probability, severity, and CVSS.

| CVE | Title | Impact | Sev | CVSS | EPSS | Why prioritized |
|---|---|---|---|---|---|---|
| [CVE-2026-56155](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155) | Active Directory Federation Services EoP | EoP | Important | 7.8 | — | **On CISA KEV (due 2026-07-28)**; exploited in the wild |
| [CVE-2026-56164](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164) | Microsoft SharePoint Server EoP | EoP | Moderate | 5.3 | — | **On CISA KEV (due 2026-07-17)**; exploited in the wild |
| [CVE-2026-8925](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8925) | SASL double-free | — | Moderate | 5.9 | 1% | Highest EPSS this month |
| [CVE-2026-9079](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-9079) | Stale proxy password leak | — | Important | — | 1% | High EPSS |
| [CVE-2026-11856](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11856) | Cross-origin Digest auth state leak | — | Moderate | 5.3 | 1% | — |
| [CVE-2026-10536](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10536) | HTTP/2 stream-dependency tree UAF | — | Moderate | 5.5 | 1% | — |
| [CVE-2026-41109](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41109) | GitHub Copilot / VS Code security feature bypass | SFB | Important | 8.8 | 1% | High CVSS |
| [CVE-2026-8927](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8927) | Env-set cross-proxy Digest auth state leak | — | Moderate | 5.3 | 1% | — |
| [CVE-2026-57991](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57991) | Edge (Chromium) Information Disclosure | Info | Important | 7.4 | 1% | — |
| [CVE-2026-58250](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58250) | NATS Server pre-auth crash via double INFO | DoS | Moderate | 7.5 | 1% | — |
| [CVE-2026-58281](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58281) | Edge (Chromium) RCE | RCE | Important | 8.3 | 1% | — |
| [CVE-2026-56646](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56646) | Edge (Chromium) Spoofing | Spoofing | Important | 6.5 | 1% | — |
| [CVE-2026-8924](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8924) | Trailing dot domain super cookie | — | Important | 9.1 | 1% | High CVSS |
| [CVE-2026-56003](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56003) | libXfont2 computeProps heap buffer overflow | — | Important | 8.5 | 1% | — |
| [CVE-2026-57100](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57100) | Microsoft Entra Provisioning Service EoP | EoP | Critical | 9.9 | 1% | Critical severity |
| [CVE-2026-54998](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54998) | Microsoft Exchange Online EoP | EoP | Critical | 8.8 | 1% | Critical severity |
| [CVE-2026-57987](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57987) | Edge (Chromium) Spoofing | Spoofing | Important | 6.5 | 1% | — |
| [CVE-2026-8926](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-8926) | Password leak with netrc and user in URL | — | Critical | 9.1 | 1% | Critical severity |
| [CVE-2026-45499](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45499) | Azure OpenAI EoP | EoP | Critical | 9.9 | 1% | Critical severity |
| [CVE-2026-57993](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57993) | Edge (Chromium) Spoofing | Spoofing | Important | 7.4 | 1% | — |
| [CVE-2026-12413](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-12413) | IKEv2 DoS via malformed fragmentation | DoS | Important | 7.5 | 1% | — |
| [CVE-2026-58208](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58208) | NATS Server MQTT-over-WebSocket crash | DoS | Moderate | 6.8 | 1% | — |
| [CVE-2026-56002](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56002) | libXfont2 PCF font parsing heap buffer overflow | — | Important | 8.5 | 1% | — |
| [CVE-2026-58291](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58291) | Edge (Chromium) Information Disclosure | Info | Important | 6.1 | 1% | — |
| [CVE-2026-12064](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-12064) | Proto-default skips SSH verification | — | Important | 7.5 | 1% | — |

## Reproduce this briefing

This page is the output of one tool call against the free, keyless MSRC API:

```
msrc_search(month="2026-Jul", include_stats=True, format="markdown")
```

Run it from any MCP client via [patch-tuesday-mcp](https://github.com/jonnybottles/patch-tuesday-mcp)
(`uvx patch-tuesday-mcp`), or try the [hosted endpoint](https://github.com/jonnybottles/patch-tuesday-mcp#try-it-instantly--hosted-endpoint-no-install)
with no install at all.

*Data sources: [MSRC CVRF v3 API](https://github.com/microsoft/MSRC-Microsoft-Security-Updates-API) · [FIRST.org EPSS](https://www.first.org/epss/) · [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). EPSS scores are point-in-time as of 2026-07-15.*
1 change: 1 addition & 0 deletions docs/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ MCP client) answer questions like *"what do I patch first this month?"*

## Briefings

- [July 2026]({{ site.baseurl }}/briefings/2026-07)
- [June 2026]({{ site.baseurl }}/briefings/2026-06)

## Ask these questions yourself
Expand Down