Back to Posts

Patch Tuesday Record Broken Twice in As Many Months

July 14, 2026

Taco Tuesday with Taco crossed out with the word Patch replacing it

By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity

Executive Summary

Microsoft's July 2026 Patch Tuesday addressed 569 security vulnerabilities, the largest single release in the program's history. The batch included three zero-day vulnerabilities, two of which were already exploited before fixes existed, and 59 flaws rated Critical. Businesses running Windows, Microsoft 365, SharePoint Server, or Active Directory Federation Services should treat this release as a priority, not a routine update cycle.

Patch Tuesday is Microsoft's monthly release of security updates, issued on the second Tuesday of every month. A typical release addresses 60 to 130 vulnerabilities. Anything above 150 is considered unusually large. July's release of 569 fixes is well outside that range and stands as the biggest Patch Tuesday in Microsoft's history.

Interestingly, last month was also the biggest Patch Tuesday in history, with 210 security flaws addressed. The previous record was set in 2025 with 165 vulnerabilities.

Microsoft recently announced its Autonomous Code Security team built a multi-model agentic scanning harness (MDASH) to identify vulnerabilities faster. And they also warned that “customers will see a higher volume of security updates included in each security release.”

Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end, according to Microsoft.

For STACK Cybersecurity, the response began the moment Microsoft published the updates.

"This is unprecedented. We've never seen a Patch Tuesday of this size from Microsoft. It's the biggest one on record, and we're all over it. We're rolling out patches methodically to protect our clients without risking unnecessary downtime. That's exactly how managed cybersecurity should work."

Rob Moore, Service and Delivery Director, STACK Cybersecurity

What This Release Included

Microsoft's July 2026 Patch Tuesday covered the following.

The release addressed 569 security vulnerabilities across Microsoft products. Three of those were zero-day vulnerabilities, meaning they became known before Microsoft had a fix ready. Two of the three zero-days were already being actively exploited by hackers before patches were available. Fifty-nine vulnerabilities were rated Critical, meaning a successful exploit could allow someone to run malicious code or gain elevated system access. The fixes span Windows, Microsoft Office, SharePoint Server, Active Directory Federation Services, BitLocker, .NET, and Exchange Server.

History of Patch Tuesday

Patch Tuesday isn't Microsoft's official name for the release. It's an industry nickname, sometimes also called Update Tuesday, that stuck because it's how IT professionals talk about it. Microsoft formalized the practice in October 2003, and the term is now used broadly across the industry to describe the pattern of releasing software patches on a set schedule.

Inside Microsoft, the monthly release is referred to as the "B" release, a naming convention that distinguishes it from smaller "C" and "D" releases that follow later in the same month, in the third and fourth weeks respectively. When a vulnerability is serious enough that it can't wait for the next scheduled cycle, Microsoft issues what's known as an out-of-band release, a patch delivered outside the normal monthly rhythm.

The mechanics of release day follow a set pattern. Through Windows Update, the cycle begins at 10 a.m. Pacific time. Vulnerability details post immediately to Microsoft's Security Update Guide, the updates themselves typically appear in the Download Center before they reach Windows Update, and the associated knowledge base articles unlock afterward. Separate from all of this, Microsoft Defender receives daily malware definition refreshes that fall outside the Patch Tuesday cycle entirely, since those are database updates rather than security patches.

Free Download

AI Business Tips E-Book

When implemented incorrectly, any technology with access to sensitive data can create security risks. Because AI systems rely on large volumes of proprietary data, companies must prioritize security from the outset when evaluating AI implementation or selecting AI solutions. When used responsibly and securely, AI can streamline operations, help solve critical business challenges, and build client trust. Understanding real examples and their impact can help you make informed decisions about adopting AI.

Why This Matters to Business Leaders, Not Just IT Teams

An unpatched vulnerability is an open door into a company's network. Once a network is penetrated, the consequences typically fall into a small set of outcomes: ransomware encryption of company systems, theft of customer or financial data, takeover of Microsoft 365 accounts, days or weeks of operational disruption, costly recovery efforts, and lasting damage to customer trust.

For most businesses, the cost of recovering from a breach is significantly higher than the cost of preventing one. That math is what turns Patch Tuesday from an IT maintenance task into a business continuity decision.

The Risk of Waiting

Hackers monitor Patch Tuesday releases as closely as IT professionals do. Once Microsoft publishes what each patch fixes, they reverse-engineer that information to identify companies that haven't installed the update. The longer a critical patch sits unapplied, the larger that window of exposure becomes.

At the same time, rolling out hundreds of updates across servers, workstations, and business applications without a plan creates its own risk. Pushing every patch to every device at once can break compatibility with existing systems. The right approach moves quickly on the highest-risk fixes while testing and sequencing the rest, rather than choosing between speed and stability.

A Repeat Theme for SharePoint

This release includes an actively exploited vulnerability affecting Microsoft SharePoint Server, echoing a pattern STACK Cybersecurity has flagged in prior coverage of SharePoint security issues. Companies running SharePoint on premises should prioritize these updates. Recent SharePoint incidents have shown hackers take advantage of newly disclosed weaknesses quickly, often before businesses have finished testing a fix.

Frequently Asked Questions (FAQs)

What is a zero-day vulnerability?

A zero-day vulnerability is a flaw that becomes known before the vendor has released a fix for it. When attackers begin exploiting it before a patch exists, the risk to unprotected systems rises sharply. Two of the three zero-days in July's release were already under active attack before Microsoft issued patches.

Why did this release include so many more vulnerabilities than usual?

Microsoft has expanded its use of AI-assisted testing to find vulnerabilities during development, before software ships. A larger number of disclosed vulnerabilities does not necessarily mean Windows is less secure. In many cases it means Microsoft is catching more issues internally rather than attackers finding them in the wild.

Should small businesses take Patch Tuesday seriously?

Yes. Most cyberattacks are automated and scan the internet for vulnerable systems regardless of company size. Smaller businesses are frequently targeted precisely because they tend to have fewer dedicated cybersecurity resources than larger firms.

Can a business wait a few weeks to test these updates before installing them?

Testing matters, but delaying installation when attackers are already exploiting some of the disclosed flaws increases the chance of compromise. A structured deployment process that balances testing against timely installation is the safer path.

Does installing every patch eliminate cybersecurity risk?

No. Patch management is one layer of a complete cybersecurity program. Multi-factor authentication, endpoint detection and response, email security, employee security awareness training, reliable backups, and continuous monitoring all remain necessary alongside timely patching.

Need Help Managing Patch Cycles?

If you're not sure whether your current patch management, monitoring, and response processes are enough, start with a Cybersecurity Risk Assessment. You can also contact STACK Cybersecurity to talk through managed detection and response.

Cybersecurity Consultation

Is your company secure against cyber threats? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices. You'll get a detailed report and action plan to improve your security posture. Don't wait until it's too late.

Schedule a Consultation Explore our Risk Assessment