Microsoft’s July 14, 2026 security release bundles 622 CVEs—but administrators should scroll past most of them. Three flaws are being exploited right now, and one of those, a SharePoint vulnerability tracked as CVE-2026-56164, carries a U.S. government remediation deadline of July 17. If your SharePoint servers face the internet and you haven’t patched this one yet, you are the target.

What changed in the July 2026 Patch Tuesday release

The July 2026 security update from Microsoft covers 622 CVEs across Windows (416), Office (82), Edge (46), developer tools (27), SharePoint Server (17), and other products. Within that release, 569 CVEs were first disclosed on July 14; the rest were published earlier in the month. Microsoft also re-lists 428 non-Microsoft Chromium vulnerabilities separately—these are not additional Microsoft fixes.

Three CVEs are the reason this month’s patch cycle demands a break-glass response. All three have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirmed as actively exploited:

CVE Product Impact Microsoft Rating / CVSS CISA Deadline
CVE-2026-56164 SharePoint Server Network-based elevation of privilege Moderate / 5.3 July 17
CVE-2026-58644 SharePoint Server Network-based remote code execution Critical / 9.8 July 19
CVE-2026-56155 Active Directory Federation Services (AD FS) Local elevation to administrator privileges Important / 7.8 July 28

CVE-2026-56164 is particularly deceptive: a “Moderate” 5.3 CVSS score that, on a dashboard, would sink beneath the 62 Critical-rated CVEs in the release. But it allows an unauthenticated attacker to gain unauthorized access over the network. Microsoft’s own advisory confirms exploitation, and CISA’s July 17 deadline underlines the urgency. For anyone running an internet-facing SharePoint farm, this is not a routine update—it’s an incident.

CVE-2026-58644 adds complexity. Microsoft says a fix was already available earlier, but the CVE was inadvertently left off the June Patch Tuesday list. The company corrected the exploitability assessment, exploited flag, and CVSS vector on July 15, and CISA added it to the KEV on July 16 with a July 19 deadline. This isn’t a fresh zero-day; it’s a past patch that now has confirmed wild exploitation. Administrators need to verify that the earlier security update is installed—applying only the July cumulative might not close the gap.

There’s also an oddity in Microsoft’s documentation for CVE-2026-58644: the CVSS vector says no privileges are required, but an FAQ scenario describes an attacker authenticated as a SharePoint Site Owner. Such contradictions can slow down threat modeling, but they shouldn’t delay patching. The confirmed attack activity and the three-day CISA window are what matter.

CVE-2026-56155 hits AD FS. It’s a local elevation-of-privilege bug rated Important (CVSS 7.8) with a July 28 deadline. It likely requires the attacker to already have a foothold on an AD FS system, but once exploited, it hands over administrator control of a critical identity service. If your AD FS servers are not isolated, patch them in the same emergency window.

Dell hold adds a bump to the Windows 11 rollout

Microsoft has paused delivery of the July 14 cumulative update, KB5101650, for certain Dell devices with Intel processors. This update applies to Windows 11 24H2 (build 26100.8875) and 25H2 (build 26200.8870). The incompatibility, reported by Dell, involves the Intel Innovation Platform Framework Processor Participant driver and a conflict with the Windows USB-C Connection Manager introduced in a June preview update. Symptoms include unexpected shutdowns, performance drops, heat, and battery drain.

Affected devices are currently blocked from receiving the update through Windows Update. Microsoft says it is working with Dell on a fix, aiming for “within days” as of July 15, but no specific date has been given. Do not manually force-install KB5101650 on these machines to satisfy a compliance report—the side effects can be severe.

Kerberos hardening moves to final enforcement

The July update also removes the temporary rollback registry value for CVE-2026-20833, a Kerberos hardening that began in January with an audit phase and moved to AES as the default in April. Now, RC4 is fully blocked. Any service accounts without AES keys, or non-Windows systems still relying on RC4, will fail to get service tickets. Domain controllers will log KDCSVC event IDs 201–209 when this happens. Test those dependencies now.

Secure Boot certificate rotation continues

Two Microsoft root certificates—the Microsoft Corporation KEK CA (2011) and the Microsoft UEFI CA—expired on June 24 and June 27, respectively. Systems missing the newer 2023-generation certificates can still boot and receive ordinary updates, but they won’t gain newer pre-boot protections. The July update expands high-confidence targeting to deliver those replacement certificates automatically to more devices. It’s a good moment to verify Secure Boot status.

What it means for you

For IT administrators and managed environments

The patch priority is clear: SharePoint first, then AD FS, then everything else. Even if you have no federal mandate, CISA’s deadlines are a reliable indicator of real-world danger. Externally facing SharePoint servers that handle sensitive documents or integrate with business workflows are the top target. If you cannot patch immediately, enable Microsoft’s recommended mitigations: turn on Antimalware Scan Interface (AMSI) for SharePoint and IIS worker processes and set Request Body Scan to Full. These are not a substitute for the update but provide a partial shield.

For CVE-2026-58644, check your patch inventory. If you missed the earlier fix, the July cumulative may not protect you—the CVE was a June omission. Confirm with Microsoft’s Security Update Guide which update resolves it for your SharePoint version.

AD FS servers are less likely to be the initial entry point, but they’re a prime target for lateral movement. If an attacker has already compromised a workstation, CVE-2026-56155 gives them a quick path to domain dominance. Patch these servers in the first ring, right after SharePoint.

Dell users on Windows 11 need to pause. The safeguard hold is protecting your fleet. Monitor Dell’s and Microsoft’s communications for the fix and model-specific guidance. In the meantime, your compliance reports may show unpatched devices; accept that. Forced instability is worse than a documented delay.

Before deploying the July update broadly, test Kerberos changes in a controlled ring. Use event IDs 201–209 on domain controllers to spot remaining RC4 dependencies. Common culprits: old Unix systems, network appliances, and service accounts created before AES was the default. Remediate these before the update reaches production.

For home and small-business users

If you run a small SharePoint server, perhaps for document management in a professional practice, the same urgency applies if it’s accessible from the internet. Patch immediately via Windows Update or Microsoft Update, and verify the security update installed. For the AD FS flaw, it’s less likely you’ll have an AD FS server at home, but if you do (e.g., for a lab environment that federates with Office 365), patch it. The Dell issue is what’s most likely to affect you: if you have a Dell laptop or desktop with an Intel chip and Windows 11 24H2/25H2, the update won’t be offered automatically. Do not chase it manually. Wait for the all-clear.

Regular home users with no servers can largely stick to the normal Windows Update rhythm, but pay attention to any Dell-specific alerts. And, as always, keep your browser updated: the 46 Edge CVEs are patched in the latest version.

How we got here

Patch Tuesday volumes have been growing for years. Microsoft’s own data shows that July 2026’s 622 CVEs represent a trend, not an anomaly. The company attributes the increase to expanding external research, maturing automation, and now AI-assisted discovery. On July 9, Pavan Davuluri, Executive Vice President of Windows + Devices, said AI would drive even larger releases. Microsoft’s internal tool, MDASH (a multi-model agentic scanning harness), scans Windows binaries, but findings go through a human-verified reproduction and filtering process before reaching engineers. AI accelerates finding issues; it doesn’t replace risk assessment.

The three exploited flaws didn’t appear out of nowhere. SharePoint has long been a target for nation-state and ransomware actors because it hosts sensitive documents and often sits at the network edge. AD FS is a bridge to cloud identities, making it a valuable pivot point. The Dell hold stems from a specific driver conflict tied to a relatively recent Windows feature (USB-C Connection Manager) introduced in a June preview—a reminder that even routine patches can uncover hardware-software interop bugs.

CISA’s KEV list, created in 2021, binds U.S. federal agencies to rapid remediation, but the deadlines serve as a public gauge of severity. When three Microsoft CVEs hit the list simultaneously, the signal is unambiguous.

What to do now

  1. Emergency patching for SharePoint and AD FS
    - Identify all SharePoint servers, especially those accessible from the internet. Apply the security updates for CVE-2026-56164 and CVE-2026-58644. Check Microsoft’s Security Update Guide for specific KB numbers per SharePoint version.
    - Verify that the fix for CVE-2026-58644 is actually present; don’t assume a July cumulative covers it.
    - If patching isn’t possible right now, enable AMSI and set Request Body Scan to Full as an interim mitigation. But schedule the update for the earliest maintenance window.
    - Patch AD FS servers for CVE-2026-56155. No mitigation is listed—the update is the only defense.

  2. Dell device owners: wait
    - Do not manually download or force-install KB5101650 on affected Dell systems. Check Windows Update—if it’s not offered, your device is likely protected by the safeguard hold.
    - Monitor Dell Support and the Windows release health dashboard for a fix announcement. Once available, the update will be re-released normally.

  3. Kerberos enforcement testing
    - Before broad deployment of the July update, check domain controllers for event IDs 201–209 indicating RC4 usage.
    - Ensure all service accounts have AES keys (msDS- SupportedEncryptionTypes attribute). Test any cross-realm trusts or non-Windows Kerberos clients (Linux, macOS, appliances) for RC4 dependence.
    - If you’ve been running the audit phase since January, you should already have a list; validate it now.

  4. Deploy the rest in phases
    - After the exploited flaws are contained, roll out the remaining Windows, Office, Edge, and developer tool updates through your standard rings. Include Secure Boot certificate status checks: “Get-SecureBootUEFI” in PowerShell can list current KEK and DB certificates. If the 2023 certificates are missing, the expanded delivery in this update may bring them; verify after reboot.

  5. Watch for Microsoft’s clarifications on CVE-2026-58644
    - The authentication requirement discrepancy may be resolved in an advisory update. Monitor for changes to the CVSS vector or attack scenario, which could affect your incident response planning.

Outlook

The immediate next milestone is the Dell fix—too many enterprise fleet rollouts are on hold until that’s resolved. Microsoft’s “within days” promise puts pressure on this week. Meanwhile, CISA’s July 17 deadline for the moderate-severity SharePoint flaw is already upon us; administrators who haven’t acted yet are playing with fire. Looking further ahead, expect the CVE volume to climb. AI-driven discovery may surface more bugs, but the human decision about which ones to patch first will remain the linchpin of security. Asset inventory quality and exposure awareness are your real defense—not a CVSS filter.

For now, three CVEs should top your to-do list. Start with CVE-2026-56164, and do not let the “Moderate” label fool you.