Microsoft fixed at least 570 security flaws in its July Microsoft Patch Tuesday release, a jump that nearly triples the record set just a month earlier. That’s a staggering volume for any software vendor, and it shows how AI is reshaping the vulnerability‑finding game.
Key Takeaways
- Microsoft addressed a record‑high 570 vulnerabilities in July.
- Nearly 60 bugs earned a “critical” severity rating.
- Three zero‑day flaws were patched, two of which are already being exploited.
- AI helped uncover the bulk of the issues, according to Microsoft.
- Experts warn the exploitability index may lag behind AI‑driven discovery speed.
In a blog post on July 9, EVP Pavan Davuluri warned users they’d notice “a higher volume of security updates included in each security release” because AI is now accelerating both discovery and analysis. “The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” he wrote.
Historical Context: The Road to 570
Microsoft’s Patch Tuesday tradition dates back to the early 2000s, when the company first formalized a monthly cadence for security updates. Over the years, the average number of CVEs per release hovered in the low‑hundreds. A notable spike occurred in June, when a record‑breaking count of around 210 flaws was disclosed. That June release set a benchmark that many analysts thought would stand for a while.
July’s figure of 570 didn’t just break the previous record—it shattered it. The jump represents a 171% increase over June’s total. Such a leap suggests a shift in methodology rather than a sudden surge of sloppy code. Microsoft has been investing in large‑scale AI models that can parse billions of lines of source code in parallel, a capability that simply wasn’t available a decade ago.
Earlier attempts to boost detection relied on manual code reviews and rule‑based scanners. Those tools excelled at known patterns but struggled with novel logic bugs. AI, by contrast, can infer intent from surrounding code and flag anomalies that evade static rules. The July patch therefore serves as a proof point for how far automated analysis has come.
Microsoft Patch Tuesday Hits 570 Vulnerabilities
That number—570—is almost three times the count from last month’s record‑smashing release. It’s clear the software giant isn’t slowing down; rather, it’s using AI to sift through billions of lines of code faster than ever before.
Zero‑Day Flaws and Immediate Threats
Three zero‑day vulnerabilities made the cut, and two of them are already being exploited in the wild. One of those lets attackers elevate their user rights on a Windows system, a tactic that mirrors roughly 250 other elevation‑of‑privilege flaws fixed this month. The other zero‑day, CVE‑2026‑50661, bypasses BitLocker security, potentially giving a thief physical access to encrypted data.
Microsoft says it hasn’t seen active exploitation of the BitLocker bypass, but the mere fact that the bug was publicly detailed should set off alarms for anyone relying on hardware encryption.
AI’s Role in the Surge
Davuluri’s comments make it clear the company attributes the surge to AI‑driven discovery. The tools can scan massive codebases, flagging patterns that human reviewers might miss. That’s why the patch count is soaring—because the machines are finding more issues, faster.
It’s not just about quantity, though. AI also helps rank the severity of each flaw, though some experts think the current system still lags behind the speed of discovery.
Critical and Elevation‑of‑Privilege Bugs
Nearly 60 of the patched bugs earned a “critical” severity rating, meaning an attacker could gain remote control with little or no user interaction. That’s a sobering reminder that even a single missed patch can open a door for ransomware or espionage tools.
Critical Severity Count
Those 60 critical bugs span a range of components, from the Windows kernel to Microsoft Office. The sheer breadth shows that no part of the ecosystem is immune to serious flaws.
- CVE‑2026‑56155 – Active Directory Federation Services bug.
- CVE‑2026‑56164 – SharePoint vulnerability.
- CVE‑2026‑48561 – Remote code execution flaw in Microsoft Copilot (CVSS 9.6).
Each of those CVEs carries a high CVSS score, indicating a strong likelihood of exploitation if left unpatched.
Elevation of Privilege Landscape
About 250 elevation‑of‑privilege flaws were fixed this month, showing that privilege‑escalation remains a favorite attack vector. The two zero‑days that enable privilege escalation underscore how dangerous such bugs can be when they’re actively exploited.
That’s why Microsoft’s rapid rollout is crucial; the longer a privilege‑escalation bug lingers, the more time an attacker has to move laterally across a network.
Industry Reaction and the Exploitability Index
Jack Bicer, director of vulnerability research at Action1, highlighted CVE‑2026‑48561, a remote code execution flaw in Microsoft Copilot that lets an attacker run code over the network. He warned that the bug could be triggered by a malicious website that forces Edge for Android to send crafted prompts to Copilot.
Satnam Narang, senior staff research engineer at Tenable, argued that Microsoft’s exploitability index needs to keep pace with AI‑driven discovery. He pointed out that the SharePoint zero‑day initially received a “less likely” rating, even though the flaw was already being weaponized.
“The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” Davuluri wrote.
That criticism isn’t just academic; if the index underestimates a flaw’s exploitability, organizations might prioritize the wrong patches, leaving the most dangerous bugs unaddressed.
Competitive Landscape
Microsoft isn’t the only vendor turning to AI for vulnerability hunting. Competitors in the enterprise software space have announced similar initiatives, promising to combine large language models with static analysis pipelines. While those programs are still in early stages, the public numbers from Microsoft set a benchmark that others will likely try to match.
From a defender’s perspective, AI’s growth‑generated disclosures means that the industry as a whole will see an acceleration in the volume of patches. Vendors that can deliver timely, accurate assessments will gain trust. Those that lag behind may find their customers questioning the value of their security updates.
Regulators are also watching. The speed at which new flaws appear could pressure compliance frameworks to adapt, especially in sectors where breach notification timelines are strict. If AI keeps surfacing hundreds of bugs each month, auditors may start demanding proof that organizations can ingest and remediate patches at comparable speed.
What This Means For You
Developers and IT teams should treat this July release as a top‑priority update cycle. With critical and zero‑day bugs on the line, delaying patches can expose systems to ransomware, data theft, or persistent footholds.
If you manage Windows servers, double‑check that the Active Directory Federation Services and SharePoint patches are applied immediately. For those using Microsoft Copilot or Edge on Android, verify that the latest versions are installed to block the remote code execution pathway.
Beyond patching, consider integrating AI‑based scanning tools into your own security workflow. If AI can help Microsoft find hundreds of bugs, it can help you spot the ones you might otherwise miss.
Three concrete scenarios illustrate the urgency:
- Scenario 1 – SaaS startup. Your service runs on Azure VMs that host a web front‑end. An unpatched elevation‑of‑privilege flaw could let an attacker move from the web tier into the database tier, compromising customer data. Deploying the July patches within 24 hours eliminates that path.
- Scenario 2 – Enterprise IT department. A fleet of laptops uses BitLocker for data‑at‑rest protection. Even though Microsoft hasn’t observed active exploitation of the BitLocker bypass, the vulnerability exists in the code base. Updating the OS and firmware right away prevents a potential physical data breach.
- Scenario 3 – Independent developer. You embed the Edge WebView component in a desktop app. The Copilot remote code execution bug could be triggered by a malicious website you don’t control. Shipping the latest Edge version with the July fixes protects your users from a silent takeover.
Those examples show that the same patch can protect very different workloads. The common thread is speed. The faster you apply the updates, the fewer opportunities attackers have.
Looking ahead, the question isn’t whether AI will keep surfacing more vulnerabilities—it’s how quickly we can respond to them. Will the industry’s remediation processes evolve fast enough to stay ahead of the threats that AI uncovers?
Key Questions Remaining
AI‑driven discovery raises several unanswered issues that will shape the next round of Patch Tuesdays:
- How will the exploitability index be recalibrated to reflect AI‑found flaws in near real‑time?
- Will vendors provide more granular guidance on which patches address the most active threats?
- Can organizations automate the testing of patches without introducing regression bugs?
- What role will third‑party security platforms play in triaging the flood of new CVEs?
Answers to those questions will determine whether the security community can keep pace with the accelerating discovery curve. Until then, the safest bet remains to treat every new release as urgent, test carefully, and deploy widely.


