Microsoft has never shipped a bigger security update. Its July Patch Tuesday fixed a record haul of flaws, and the company says AI is why the count keeps climbing.
The scale is hard to ignore. By Microsoft’s own count, the update patched 622 vulnerabilities. That more than tripled June’s tally, which had set a record of its own. Krebs on Security, which first reported the release, put the figure at 570. Another 428 Chromium bugs in Edge sit on top.
Three zero-days, two under attack
Fifty-eight of the flaws count as critical. Three are zero-days, which means they were public or exploited before a fix existed. Two of those are already in active use.
The first, CVE-2026-56155, lets an attacker raise their privileges through Active Directory Federation Services, the system that signs a network’s logins. The second, CVE-2026-56164, does the same through on-premises SharePoint. Neither carries a scary severity score. Attackers are using both anyway.
That is the real lesson. CISA has added both to its known-exploited list and told federal agencies to patch within days. The third zero-day, a BitLocker bypass, needs physical access, so it is less urgent.
AI is writing the patch notes
Microsoft is blunt about the cause. In a blog post a week earlier, Windows chief Pavan Davuluri warned customers to expect “a higher volume of security updates” as AI helps find more bugs, faster.
The tools are doing the digging. Microsoft’s own scanner, MDASH, found 16 of May’s flaws by itself. Anthropic’s Mythos model has been credited with a surge of fixes across the industry. The monthly count has risen with them, from 79 in March to 206 in June to 622 now.
It fits a wider theme. OpenAI recently showed off an in-house AI hacker that hunts flaws in its own models.
The same tools help attackers
There is a catch. Once a patch ships, attackers can compare it with the old code, spot the hole it plugs, and build an exploit within hours. The old habit of waiting a week to patch is fading.
It also breaks how teams triage. When a release carries 600 flaws and dozens rate critical, the label stops sorting anything. This month’s two exploited bugs prove it. Both score mid-tier, and both are in use.
Teams are already stretched. Benchmarks built to measure AI’s hacking skills keep getting saturated, and researchers keep tricking coding assistants into unsafe behaviour.
A rocky rollout
The update has not been smooth. Microsoft paused the rollout for some Dell devices with Intel chips, after reports of sudden shutdowns, overheating, and battery drain. A fix is due within days.
For everyone else, the advice is the same as ever, only more urgent. Sort by what is being exploited, not by the number on the box. And patch faster than you used to.


