Microsoft's July Patch Tuesday Patched a CVSS 9.9 in Azure OpenAI — and 569 Other CVEs, Fueled by Its Own AI Bug-Finder
Microsoft's July 2026 Patch Tuesday shipped 570-622 CVEs — the largest monthly release in the company's history. Three scored CVSS 9.9; two of them (Azure OpenAI CVE-2026-45499, Entra Provisioning CVE-2026-57100) were remediated server-side with zero customer action. Five days before the release, Microsoft confirmed MDASH, its in-house AI vulnerability-discovery pipeline, now feeds the patch stream — and warned customers to expect higher volumes every month going forward. The story is the complement to yesterday's HF intrusion: yesterday was the attacker side of AI in security; today is the vendor side.
Microsoft’s July Patch Tuesday Patched a CVSS 9.9 in Azure OpenAI — and 569 Other CVEs, Fueled by Its Own AI Bug-Finder
July 17, 2026
Microsoft shipped 570 to 622 CVEs in its July 2026 Patch Tuesday, depending on which research vendor’s methodology you trust (CrowdStrike, 2026-07-14; Brinqa, 2026-07-15). Every tallier lands at nearly three times the previous all-time high, and that high was set in June. Five days before the release, on July 9, Windows chief Pavan Davuluri published a Microsoft corporate blog post confirming that the company runs an AI vulnerability-discovery pipeline called MDASH against critical Windows binaries, and warned customers to expect higher volumes in every release from here on (Microsoft Windows Blog, 2026-07-09). The Information reported on July 16 that Microsoft is preparing a separate, multi-model AI bug-finding product to compete directly with Anthropic’s Claude Mitos (Korea Economic Daily via Bloomingbit, 2026-07-16).
Yesterday’s TopClanker post was the attacker side of AI in security — the Hugging Face intrusion in which an autonomous agent framework executed 17,000+ actions over a weekend. Today is the vendor side: the same AI-discovered-bugs-at-scale dynamic that an attacker benefits from is now baked into Microsoft’s own patch production, and the CVE volume, triage latency, and remediation SLAs are all in motion at the same time.
The Volume: 570 to 622, the Largest Microsoft Has Ever Shipped
The headline numbers diverge by more than 50 CVEs this month, and that divergence is itself the story. BleepingComputer confirms 570 CVEs released on the day with 59 rated Critical. Tenable counts 569 with 56 Critical. Qualys lands on 570 with 57 Critical. ZDI’s Dustin Childs, whose independent ledger goes back two decades, counts 621 and declines to itemize roughly 480 additional Chromium and Edge bugs. Microsoft itself reports 622 unique CVEs in its Security Update Guide. Windows accounts for 416 of the total. Office: 82. Edge: 46 (CrowdStrike, 2026-07-14; Brinqa, 2026-07-15).
Two reasons the spread is wider than usual. First, Microsoft restructured the Security Update Guide in this cycle: the release notes no longer enumerate every CVE, replacing the full list with summary counts by product family and a short “Notable CVEs” section. Rapid7 has observed that this leaves the enumeration work to everyone else. Second, several cloud-service CVEs were addressed earlier in the month and get counted differently by different methodologies.
The seven-month trendline now reads:
| Month | Core CVEs | MoM Change | Browser CVEs | Notable |
|---|---|---|---|---|
| Jan 2026 | 114 | baseline | ~15 | Already elevated; 3 zero-days |
| Feb 2026 | 58 | -49% | ~15 | 6 actively exploited zero-days |
| Mar 2026 | 79 | +36% | ~21 | AI-discovered CVSS 9.8 RCE |
| Apr 2026 | 167 | +111% | 80 | Tied the then all-time record |
| May 2026 | 120 | -28% | ~? | First zero-day-free release since Jun 2024 |
| Jun 2026 | 200 | +67% | 360 | Broke the record; 3 CVSS 9.8 wormable-class RCEs |
| Jul 2026 | 570 | +185% | 468 | Nearly triple June record; Microsoft pre-announced MDASH |
The Q1 monthly baseline was 84 core CVEs. July lands at roughly 6.8 times that baseline. The total patching workload — core plus browser — doubled twice in two months: 247 in April, 248 in May, roughly 560 in June, and roughly 1,040 in July. Tenable’s Satnam Narang told CyberScoop that Microsoft is on pace to shatter its 1,245-CVE full-year record from 2020 and could exceed 2,000, possibly 3,000, CVEs in 2026 (Brinqa, 2026-07-15).
Childs opened his review with a sentence platform engineers should print and tape to a wall: “The bug apocalypse has fully descended upon us.”
The Three CVSS 9.9s — and the One Nobody Needs to Patch
July produced three CVSS 9.9 vulnerabilities, the highest severity tier Microsoft assigns. Two of them require zero customer action. One of them is the highest-scoring customer-actionable bug of the month. Recognizing which is which is exactly what separates exposure management from CVE counting (Brinqa, 2026-07-15).
CVE-2026-45499 — Azure OpenAI. A CVSS 9.9 in Microsoft’s Azure OpenAI service that was remediated on the service side before disclosure. The customer action item is not “patch.” It is “verify your prompts and dataset uploads against the post-remediation guidance if Microsoft has flagged any tenant-specific impact.” Most tenants will have nothing to do.
CVE-2026-57100 — Microsoft Entra Provisioning Service. A CVSS 9.9 in the Entra Provisioning Service, also remediated server-side. Same operational profile: no customer patch to apply, but sync logs and provisioning history are worth scanning for any gap during the remediation window.
CVE-2026-57092 — Windows VMSwitch (Hyper-V). A CVSS 9.9 use-after-free in the Hyper-V Virtual Switch. A low-privileged attacker inside a guest VM can escalate to full compromise of the host, bypassing the guest-VM boundary (CrowdStrike, 2026-07-14). Two further Critical Hyper-V escalations ship alongside it (CVE-2026-50680 and CVE-2026-54127). A guest-to-host escape puts the virtualization host above every workload it carries — give this its own change window. If your Hyper-V hosts run mixed-trust tenants, this is your highest-priority customer patch of the cycle.
The point to take forward from this triad: the score on a CVE is the worst single number attached to it, not the number that drives your patch SLA. The vendor’s own remediation posture, the reachability of the affected component from your actual fleet, and whether an exploit has been observed in the wild all matter more.
The Zero-Days and the Disclosure-Wave
Two vulnerabilities were under active exploitation before patches shipped. Both are elevation-of-privilege flaws, both sit on identity and collaboration infrastructure, and both carry severity labels that understate what they mean in practice.
CVE-2026-56155 — Active Directory Federation Services, CVSS 7.8. An access-control granularity flaw (CWE-1220) that lets a low-privileged local attacker gain administrative control of an AD FS server. Microsoft credited its own DART incident responders — a tell that the bug surfaced inside an active investigation. CISA has added it to the Known Exploited Vulnerabilities catalog, and Microsoft has begun hardening the ACL on the AD FS Distributed Key Manager container as a defense-in-depth measure (Brinqa, 2026-07-15). AD FS signs the tokens that the rest of your estate trusts, so a “local” flaw on that host is a domain problem. ZDI notes this class of bug is routinely paired with an RCE in ransomware operations.
CVE-2026-56164 — SharePoint Server, CVSS 5.3. Rated only Moderate. The score is the least informative thing about it. This is a missing-authentication flaw (CWE-306) that an unauthenticated attacker can reach over the network with no user interaction, and it is being exploited right now. Microsoft credited Mandiant Incident Response and Google Cloud researchers, again pointing to discovery inside active attacks. It affects SharePoint Server 2016, 2019, and Subscription Edition (CrowdStrike, 2026-07-14). Pre-patch mitigation: enable AMSI integration scanning SharePoint and IIS worker process memory with Request Body Scan mode set to Full so POST body payloads are detected. CISA has added it to the KEV catalog and issued separate hardening guidance for on-premises SharePoint. A 5.3 under active exploitation sitting next to sixty unexploited Criticals is as clean a demonstration as this year will produce of why severity scores fail as a triage signal.
CVE-2026-50661 — Windows BitLocker, CVSS 6.1, security feature bypass. Publicly disclosed, no confirmed exploitation. An attacker with physical access to a device can bypass BitLocker Device Encryption and read its data. CrowdStrike’s analysis suggests this is likely the fix for GreatXML, the BitLocker bypass released by the Nightmare Eclipse persona whose ongoing dispute with Microsoft Security Response Center has run since the spring (CrowdStrike, 2026-07-14). That dispute is not over: the RoguePlanet Defender zero-day (CVE-2026-50656), which dominated the between-release news cycle, was fixed out of band on July 8 through a Malware Protection Engine update that deploys automatically. Within hours of today’s release, the same researcher published a stripped-down proof of concept for yet another unpatched Windows elevation-of-privilege flaw, dubbed LegacyHive. Treat boot-path and encryption integrity as a campaign, not a category. The well has not run dry.
MDASH: Microsoft’s Own AI Loop, Now in Patch Production
The headline story is the AI loop, and the loop now lives inside the vendor.
MDASH is Microsoft Defender’s AI vulnerability scanner, an internal agentic harness that scans Windows binaries with multiple models (including third-party vulnerability-research models), validates candidates through a cross-model debate stage, and runs a Windows-specific proving step to eliminate false positives before findings reach an engineer. Microsoft first detailed MDASH publicly in May, when the system independently identified 16 vulnerabilities in Windows networking and authentication systems ahead of that month’s Patch Tuesday (Korea Economic Daily via Bloomingbit, 2026-07-16; Microsoft Windows Blog, 2026-07-09). Davuluri’s July 9 post told customers plainly that they “will see a higher volume of security updates” in each release going forward.
That last sentence is the headline for platform engineers. The vendor that ships the world’s most widely deployed operating system has industrialized AI vulnerability discovery, built dedicated cloud infrastructure to run it, and pre-announced permanently higher patch volumes as the intended outcome.
At the same time, Microsoft has tightened its deployment guidance. The current recommendation is to defer quality updates by fewer than three days, with update deadlines of zero to one day (Brinqa, 2026-07-15). The vendor is telling you two things at once: there will be far more patches, and you will have far less time to apply them. Neither of those is compatible with a triage process that depends on humans reading advisories one at a time.
MDASH is not the entire story — CrowdStrike’s Counter Adversary Operations Advanced Research Team was credited for four of the CVEs patched this month, so traditional human research is still in the mix (CrowdStrike, 2026-07-14). But the producer-side mix has changed: when the volume doubles twice in two months, the missing mass is AI.
The Next Product: Microsoft vs. Anthropic Claude Mitos
The Information reported on July 16 that Microsoft is preparing a separate, multi-model AI bug-finding product that will analyze software code and detect bugs, verify the cause of flaws it finds, and generate code to fix them. The product is set to compete directly with Anthropic’s cybersecurity-focused AI model Claude Mitos, which is currently available only to a limited number of vetted companies and institutions because of concerns about potential misuse (Korea Economic Daily via Bloomingbit, 2026-07-16).
The competitive shape is the second framing. Anthropic expanded Claude Mitos from ~50 vetted defenders at launch (April 2026) to more than 200 by June and to critical-infrastructure operators across 15 countries in early July (Brinqa, 2026-07-15). Anthropic’s own red team has shown its model producing working proofs of concept for 13 of 14 flaws that Microsoft had rated unlikely to be exploited — a direct demonstration that human-shaped exploitation-likelihood heuristics fail at AI-speed. Microsoft’s response is a multi-model harness that combines high-performance reasoning models with lower-cost lightweight models to scan code, verify vulnerabilities, and remove duplicates. The race is for a tool that finds and fixes bugs autonomously. The runner-up in that race is the customer.
The AI Cluster Inside the Patch Itself
July’s Patch Tuesday also patched a cluster of AI-adjacent products. The most striking line item is CVE-2026-48561 — a Critical CVSS 9.6 remote code execution flaw in Microsoft Copilot that, per Microsoft’s advisory, can be triggered by a malicious website causing Edge for Android to automatically send crafted prompts to Copilot when a user simply visits the page (Brinqa, 2026-07-15). Drive-by prompt injection escalating to code execution has moved from conference-talk hypothetical to Patch Tuesday line item in the space of about a year. Yesterday’s HF intrusion post covered the attacker-side version of the same dynamic — autonomous agents exploiting code-execution paths in dataset processing. Today the defender-side vendor is patching its own AI-adjacent products against the same dynamic.
The rest of this month’s AI cluster includes a GitHub Copilot remote code execution flaw (CVE-2026-50510), a GitHub Copilot and VS Code security feature bypass (CVE-2026-41109), a VS Code remote code execution flaw (CVE-2026-50520) with three further VS Code security feature bypasses, an M365 Copilot service-side elevation of privilege, and an M365 Copilot for iOS elevation of privilege (CVE-2026-58617). If your vulnerability management program does not yet inventory Copilot desktop clients, IDE AI extensions, AI SDKs, and MCP infrastructure, these patches are invisible to it — and the unmanaged attack surface is accumulating on the fastest-growing part of your estate.
What Platform Engineers Should Do Before Monday
Six concrete operational changes, ordered by urgency:
1. Patch the customer-actionable 9.9 first. CVE-2026-57092 (Hyper-V VMSwitch use-after-free) and the two companion Critical Hyper-V escalations (CVE-2026-50680, CVE-2026-54127) ship a guest-to-host escape chain. Mixed-trust or multi-tenant Hyper-V estates: take a change window this week. Single-tenant hosts: still patch, but patch in the standard Tuesday maintenance window.
2. Patch AD FS and on-premises SharePoint immediately. CVE-2026-56155 (AD FS) and CVE-2026-56164 (SharePoint) are both under active exploitation and both on CISA’s Known Exploited Vulnerabilities catalog. For AD FS, apply the patch and review whether the Distributed Key Manager container ACL hardening from Microsoft applies to your deployment. For SharePoint, enable AMSI integration with Request Body Scan = Full as the pre-patch mitigation if it isn’t already.
3. Audit before you patch the Kerberos RC4 phase-2 removal. This update completes Microsoft’s multi-year Kerberos RC4 hardening by removing the RC4DefaultDisablementPhase rollback switch — domain controllers will no longer fall back to RC4-based Kerberos tickets after the update is applied. Service accounts, legacy applications, and non-Windows integrations that still rely on RC4 can fail authentication the moment the patch lands. The order of operations matters: audit RC4 usage first (using the Kerberos audit events Microsoft added in January), rotate passwords on affected service accounts to generate AES keys, then patch. Reversed, this is an outage (Brinqa, 2026-07-15).
4. Stop triaging by CVSS score alone. The three 9.9s in this cycle split cleanly: two are non-actionable for the customer, one is the highest-actionable of the month. The actively exploited zero-days sit at 7.8 and 5.3. Build the triage pipeline around customer-actionable + reachable + exploited-in-the-wild, not around severity number. The two server-side 9.9s are good news — Microsoft remediated its own cloud. The 5.3 is the bad news — the score failed the operational signal that mattered.
5. Add Copilot, VS Code AI extensions, and MCP infrastructure to your inventory before the next Patch Tuesday. The AI cluster in the July release is not a one-off. If your scanner doesn’t see these products, your CVSS distribution is missing the highest-growth segment of your attack surface. Pull the asset list for Microsoft Copilot, GitHub Copilot, VS Code with AI extensions, and any MCP server images you run.
6. Plan for permanent higher volumes and shorter defer windows. Microsoft has publicly committed to both. Your change windows, your CAB approval SLAs, your maintenance freeze exemptions, your patch testing automation, your canary deployment pipeline — all of it needs to compress. The realistic target is zero-to-one-day update deadlines for security content. Your existing process for that doesn’t exist yet if it takes you a week to move a Critical-rated patch through approval. Start now.
The deeper lesson is the same one yesterday’s Hugging Face intrusion surfaced from the other direction. The boundary between “model infrastructure” and “security infrastructure” is gone. When the vendor that ships your OS uses an AI to find your bugs and an AI to triage your patches, and the volume is doubling twice in two months, and the deferral window is collapsing to days — your patch program either runs at the vendor’s machine speed or it stops being a patch program. The platforms that absorb this transition without adding headcount or hours will be the ones that have already built the AI-grade triage layer underneath their humans. Start building it.
Sources
- CrowdStrike — July 2026 Patch Tuesday: Updates and Analysis (volume tally 622, zero-day breakdowns, VMSwitch CVE-2026-57092, AD FS CVE-2026-56155, SharePoint CVE-2026-56164, BitLocker CVE-2026-50661): https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-july-2026/ (2026-07-14)
- Brinqa — The Flood Has a Name Now: 570 CVEs, Microsoft’s AI Pipeline, and the Wave That Still Hasn’t Hit (570/569/570/621/622 methodology divergence, two CVSS 9.9s remediated server-side, AD FS / SharePoint zero-day operational detail, MDASH production timing, Kerberos RC4 phase-2 removal guidance, AI cluster breakdown): https://www.brinqa.com/blog/patch-tuesday-cve-tracker (2026-07-15)
- Korea Economic Daily via Bloomingbit — Microsoft Readies AI Bug-Finding Tool to Take On Anthropic’s Claude Mitos (The Information 2026-07-16 reporting, MDASH architecture, multi-model product scope, Claude Mitos competition framing): https://en.bloomingbit.io/feed/news/116460 (2026-07-16)
- Microsoft Windows Blog — Pavan Davuluri, Evolving Windows Vulnerability Management to Meet the Speed of AI-Powered Discovery (MDASH production confirmation, “higher volume of security updates” commitment, tightened deployment guidance): https://blogs.windows.com/windowsexperience/2026/07/09/evolving-windows-vulnerability-management-to-meet-the-speed-of-ai-powered-discovery/ (2026-07-09)
Prior TopClanker Coverage
- July 16 — Hugging Face Breached by Autonomous AI Agent Swarm — and Detected It With AI Too: https://topclanker.com/blog/2026-07-16-hf-ai-agent-intrusion/
- July 15 — MCP 2026-07-28 Goes Stateless — Load Balancers, ID-JAG, Six SEPs: https://topclanker.com/blog/2026-07-15-mcp-2026-07-28-stateless-spec/
- July 14 — South Korea’s ‘AI for Everyone’ Commits 52 Million Citizens to Free AI — and Tests Whether Sovereign Models Can Carry the Load: https://topclanker.com/blog/2026-07-14-south-korea-ai-for-everyone-sovereign-models/
- July 13 — GPT-5.6 Sol Deleted Files It Wasn’t Told To — and the Failure Was Structural, Not a Bug: https://topclanker.com/blog/2026-07-13-gpt-5-6-sol-deletion-incident/
- July 10 — SpaceXAI’s Grok 4.5 Goes Public: A 1.5T-Parameter, Cursor-Trained Model for $2/$6 Per Mtok: https://topclanker.com/blog/2026-07-10-spacexai-grok-4-5-public-launch/
- July 9 — vLLM’s Transformers Backend Now Matches Native Speed — What Changed Under the Hood: https://topclanker.com/blog/2026-07-09-vllm-transformers-backend-native-speed/
- July 8 — JADEPUFFER: The First End-to-End Agentic Ransomware — and It Recovered From a Failed Login in 31 Seconds: https://topclanker.com/blog/2026-07-08-jadepuffer-agentic-ransomware-langflow/