Tenable Patch Tuesday Commentary – July 2026
We knew this day would come. June 2026 Patch Tuesday broke the record, and July blew the record out of the water. July is the first time in Patch Tuesday’s history that over 500 CVEs were patched in a single month, with a staggering 569 CVEs patched, breaking last month’s record of 198 CVEs. Normally […]
Posted: Wednesday, Jul 15

i 3 Table of Contents

Tenable Patch Tuesday Commentary – July 2026

We knew this day would come. June 2026 Patch Tuesday broke the record, and July blew the record out of the water. July is the first time in Patch Tuesday’s history that over 500 CVEs were patched in a single month, with a staggering 569 CVEs patched, breaking last month’s record of 198 CVEs. Normally we have the wait for October or November to determine if we’ll break the previous year’s patch volume record, but July has locked it in that 2026 will be the largest annual Patch Tuesday ever, besting the previous record of 1,245 CVEs in 2020. It’s probable that we will not only exceed 2,000 CVEs in a calendar year, but potentially over 3,000 CVEs this year or more.

Last month, I said Pandora’s proverbial box had been opened, and Microsoft itself acknowledged similar earlier this month noting that customers will see “a higher volume of security updates included in each security release” as a result of AI aiding in the discovery of vulnerabilities. AI-assisted discovery is surfacing vulnerabilities that went undetected for years. The volume is striking, but it reflects how good these tools have become at finding bugs, not how many of those bugs actually pose a risk to organizations.

In the sea of vulnerabilities disclosed this month, there were three zero-days patched, including two that were exploited in the wild.

  • The two flaws exploited in the wild are both elevation of privilege vulnerabilities. CVE-2026-56155, an Active Directory Federation Services (AD FS) flaw, and CVE-2026-56164, a Microsoft SharePoint Server vulnerability.
  • CVE-2026-50661, a security feature bypass in Windows BitLocker, was noted as being publicly disclosed. We surmise that this could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made. We also know that the researcher promised to drop something on Patch Tuesday.

While these were the noteworthy flaws this month, in addition to the 59 critical CVEs disclosed, the state of the Exploitability Index (how likely a vulnerability is to be exploited) must shift with the machine speed of discovery. For example, Microsoft originally tagged CVE-2026-45659, a SharePoint vulnerability, as exploitation less likely. However, the vulnerability was added to the CISA KEV on July 1. Anthropic’s Red Team’s own findings for known vulnerabilities (n-days) revealed how fragile this system has become, with its Mythos Preview model being able to produce proof-of-concept exploits for 13 of 14 vulnerabilities that were rated “Exploitation Less Likely” or “Exploitation Unlikely.” What this means is that our way of looking at Patch Tuesday has changed, because the exploitability index is centered around humans, not AI tools, and as these tools continue to improve, defense needs to improve alongside it.

Follow up for Dark Reading re: What changes should organizations be making to their patch and vulnerability management strategies right now to address the growing volume of vulnerabilities and the speed at which attackers are able to exploit them thanks to AI?

Understanding the context around vulnerabilities and prioritizing remediation action based on those that pose the biggest threats is an organization’s best strategy for quickly and demonstrably reducing risk. CVSS is a good foundation, but it’s just a number. Not every CVSS 9.8 is urgent, and not every CVSS <8.0 should be ignored. Context matters. This is one of the core principles of proactive exposure management.

Satnam Narang
Satnam is a charismatic Staff Research Engineer with 15+ years’ experience in cybersecurity across web filtering, antivirus, anti malware, and vulnerability management. He has helped companies build research teams and enhanced existing teams through his experience in research and content development. A self-proclaimed “social media scam whisperer,” his research into social media scams over the last decade has earned him placement in major publications including The New York Times, The Wall Street Journal, and The Washington Post. As a public spokesperson, he is regularly quoted in a variety of security trade publications and has appeared on the NBC Nightly News, Entertainment Tonight, Bloomberg Business, BBC World Service, CBS News, and PBS Studio SoCal. An early adopter of new technologies, apps, and services, Satnam was the first person to discover spambots on Tinder, fake Cash App giveaways, and a plethora of scams on TikTok. He was also one of the first people to disclose cryptocurrency giveaway scams on Twitter.
Share This