Overview
- Microsoft released its largest Patch Tuesday on Tuesday, listing 622 unique CVEs in its Security Update Guide and covering Windows, Office, Edge, Azure, SharePoint, AD FS and other products.
- Two flaws were disclosed as actively exploited zero‑days: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server, and a BitLocker bypass (CVE-2026-50661) was publicly detailed before the update.
- Microsoft says AI-assisted tooling, including its MDASH multi-model scanning system, helped find many of the new bugs and warned customers last week to expect higher monthly patch volumes.
- The release includes many high‑severity remote code execution and privilege‑escalation bugs — Windows received about 416 fixes and Office dozens more — and raises short‑term risks of outages from mass patching such as Kerberos RC4 hardening issues.
- Security vendors and analysts are urging defenders to prioritize actively exploited and KEV/EPSS‑flagged bugs, deploy detection rules and mitigations, and adapt triage processes because AI-driven discovery could push 2026 totals far above prior years.