Cybersecurity

Microsoft fixed 570 Windows security flaws in one month. AI found most of them

Adrian Kessler

The largest security update Microsoft has ever released is also the most unusual, because the thing that made it so large is the same tool defenders are supposed to use to get ahead of attackers. This month’s Patch Tuesday fixed 570 security vulnerabilities across Windows and related products — a number that exceeds any previous monthly release by a significant margin. Microsoft attributed the surge to AI-assisted vulnerability discovery tools that have been scanning its codebase since early 2025.

The practical consequence of that scanning has compounded quickly. In the first seven months of 2026, Microsoft has patched 1,308 vulnerabilities — nearly double the roughly 650 it addressed in the same period last year. Tom Gallagher, Microsoft’s vice president of engineering, warned in May that customers should expect larger monthly updates as AI tools continued to find issues. The July number confirmed the forecast.

Not all 570 vulnerabilities carry the same risk, but three qualify as zero-days: bugs that were known before a patch existed. Two of those three are already being exploited by attackers. CVE-2026-56164 is an elevation-of-privilege flaw in SharePoint Server, which the U.S. Cybersecurity and Infrastructure Security Agency had flagged as under active exploitation before Microsoft’s patch landed. CVE-2026-56155 is a similar privilege escalation in Active Directory Federation Services. The third zero-day is publicly disclosed but not yet actively exploited.

Twenty-six of the 570 vulnerabilities carry CVSS base scores above 9.0 on a 10-point severity scale, and 13 of those sit at 9.8. One stands out by name: CVE-2026-48561 is a remote code execution flaw in Microsoft Copilot that scored 9.6, meaning a remote attacker could potentially run arbitrary code on an affected system without user interaction. Microsoft describes the exploitability as “more likely.”

The caveat in the AI-assisted discovery story is that finding bugs faster does not mean fixing them faster or safer. A monthly update of this size carries its own risk: larger patch packages require more testing time, increase the chance of compatibility regressions, and demand more IT resources to deploy across enterprise environments. Organizations that automated their patch deployment around a predictable monthly cadence are now managing a considerably heavier load.

Microsoft’s Windows leadership has indicated that the trend is not expected to reverse. As AI scanning tools improve and are applied to older layers of the codebase, the number of newly discovered legacy vulnerabilities is expected to remain elevated for the foreseeable future. The update history for 2026 suggests the company itself anticipated this: it has been gradually expanding AI-assisted code review since late 2024, well before the public acceleration in patch counts.

The July 2026 patch is available via Windows Update. For enterprise environments, Microsoft has prioritized the two actively exploited zero-days and the Copilot RCE as the most urgent fixes. Organizations running unpatched SharePoint or AD Federation Services deployments should treat those as priority-one updates regardless of their standard patch cycle schedule.

Tags: , , , , ,

Discussion

There are 0 comments.