Bear in mind final month once we have been awed by Microsoft’s record-setting Patch Tuesday that addressed 206 CVEs? That was a quaint period in comparison with this month: Redmond simply rolled out patches for 622 CVEs particular to its merchandise, barely greater than tripling final month’s all-time excessive.
Redmond’s Patch Tuesday release is as soon as once more one for the file books, with every thing beneath the solar getting some safety fixes – together with 428 non-Microsoft Chromium CVEs affecting Edge that aren’t included in that 622 rely. Fifty-eight of these are essential, two are beneath lively exploit, and one has already been publicly disclosed, that means it may be a part of these different two briefly order.
There’s a lot to dig by way of, and we will hardly cowl the entire gamut given the scale of this launch. As we famous final month, there was concern within the infosec group that AI-enabled bug searching would possibly imply huge patch volumes are the brand new regular. Microsoft didn’t disclose how a lot AI might have contributed to the large patch listing this month, however given the quantity it’s secure to say human contributors in all probability had some help.
Microsoft’s huge month
To start out, let’s cowl the pair of actively exploited points that Microsoft patched.
The primary, CVE-2026-56155, is an Energetic Listing Federation Providers elevation of privilege vulnerability. Attackers who exploit the problem, which Microsoft solely described as being as a result of “inadequate granularity of entry management on ADFS,” may achieve administrator privileges. They do have to have entry already and be native, nonetheless, which is why that is solely rated with a CVSS rating of seven.8.
The second actively exploited vulnerability, CVE-2026-56164, is one other privilege elevation challenge, this time in Microsoft SharePoint. SharePoint is outwardly lacking authentication for a essential perform, which may let an unauthorized attacker on a community elevate their SharePoint permissions. As with the opposite challenge beneath exploit, this one is considerably restricted, incomes it a CVSS of simply 5.3.
With each beneath lively exploitation, that rating doesn’t matter as a lot as eliminating the vulnerability by way of good patch administration, nonetheless.
As for the publicly reported however not-yet-exploited challenge, CVE-2026-50661, that includes BitLocker with the ability to have its safety measures bodily bypassed by anybody with native entry to a BitLocker-secured machine.
Now let’s spherical up a couple of of these 58 essential points.
Everybody’s favourite untrustworthy AI is packing a CVSS 9.6 distant code execution vulnerability. CVE-2026-48561 finds Copilot improperly neutralizing its enter, permitting an unauthorized attacker to execute code with nothing however low-privileged Hyper-V visitor entry. Exploiting the vulnerability will be finished with out consumer consciousness by, for instance, internet hosting a malicious web site that prompts the various embedded Copilot options of Home windows machines to course of a immediate upon touchdown on the web page.
Microsoft Alternate is affected by a CVSS 9.6 spoofing vuln as a result of failure to neutralize enter, resulting in cross-site scripting being potential from inside a maliciously crafted e mail. CVE-2026-55008 permits an unauthorized attacker to carry out spoofing over a community by sending stated malicious e mail to a goal, permitting arbitrary JavaScript execution.
Lastly, we’re not selecting out one vulnerability on your third discover on this huge listing, however are highlighting a full 16 distant code execution vulnerabilities in Microsoft Workplace and its related purposes. They’re attributable to quite a lot of points within the Workplace suite, like heap-based buffer overflow and use after free vulns, and all are scored round a CVSS 7.8.
For sure, we suggest following Microsoft’s recommendation and getting all these a whole bunch of safety patches put in ASAP.
Adobe throws mud at essential points in a number of merchandise
Microsoft tends to command the headlines on Patch Tuesday (it’s exhausting to not while you deal with greater than 600 CVEs in a single day), however Adobe launched a bunch of patches throughout its ecosystem too, 64 distinctive CVEs throughout seven bulletins for Commerce, Experience Manager, Creative Cloud Desktop, Illustrator, Content Credentials SDK, ColdFusion, and Animate. Each one of many bulletins included at the very least a few essential CVEs.
The very best-severity challenge amongst Adobe’s many Patch Tuesday entries comes within the type of a CVSS 9.9 path traversal vulnerability in ColdFusion that may enable arbitrary code execution. CVE-2026-48318 doesn’t but seem in on-line CVE directories, however even with restricted data, we’d say a 9.9-level challenge is one you need to deal with with a quickness.
The second-worst challenge that Adobe addressed at this time is in its Commerce suite. CVE-2026-48356 is a CVSS 9.6 privilege escalation vulnerability that an attacker can set off because of Commerce failing to limit the add of harmful file varieties.
Adobe Expertise Supervisor additionally features a pair of CVSS 9.6 points (CVE-2026-48259 and CVE-2026-48359). Each enable arbitrary code execution: one due to a server-side request forgery vulnerability, and the opposite due to improper restriction of XML exterior entity references.
Different notable Patch Tuesday releases
Broadcom addressed seven CVEs in its Avi Load Balancer at this time, which it charges from 7.1 to 9.8 on the CVSS scale. The vulnerabilities embrace authentication bypass, RCE, privilege escalation, and listing traversal.
SAP published 16 safety updates and one GitHub advisory at this time; 9 of these updates have a CVSS rating of 8.1 or greater. CVE-2026-44747 (CVSS 9.9) is a reminiscence corruption challenge in SAP NetWeaver Software Server ABAP that would enable an authenticated attacker to realize unauthorized entry to system knowledge; CVE-2026-27690, CVSS 9.1, would let an unauthenticated attacker smuggle an HTTP request by way of SAP Approuter resulting in system unavailability; and CVE-2026-44761, CVSS 9.1, includes the retention of a pattern OAuth2 shopper in SAP Commerce Cloud that isn’t documented and, if recognized, may let an attacker break in.
Let’s hope August is a bit quieter, although, given the actual fact the previous two months have set consecutive information for the variety of vulnerabilities Microsoft patched; we now have our doubts. Godspeed, sysadmins and safety groups. ®









