Yesterday was patch day, and so today I will be doing my monthly coverage of it. The first thing I noticed this morning was that my own computer did not restart until nearly 2 am, but upon checking my news feed I see why. This was a large set of patches. A record-breaking 507 flaws, according to Bleeping Computer’s breakdown.
Included in this month’s patching are 254 Elevation of Privilege Vulnerabilities, 17 Security Feature Bypass Vulnerabilities, 145 Remote Code Execution Vulnerabilities, 102 Information Disclosure Vulnerabilities, 35 Denial of Service Vulnerabilities, and 16 Spoofing Vulnerabilities. 59 of these are considered critical, 48 of which are remote code execution, 9 are elevation of privilege, 1 is a security bypass, and 1 is a spoofing. This amount of flaws reflects only what Microsoft has patched as part of the monthly update, but there have been numerous other fixes released out of band this month. Additionally, a massive 468 Microsoft Edge/Chromium flaws were fixed by Google earlier this month, as well as 360 flaws that were discovered and later ported to Microsoft Edge after June’s Patch Tuesday.
If this amount seems particularly high, there’s a reason for it. Last week Microsoft announced that this month’s patches would be larger, as they’ve started using an AI-powered security scanning tool called multi-model agentic scanning harness (MDASH). It uses a twofold process, scanning critical Windows binaries for vulnerabilities and then validating the findings using multiple AI models. Vulnerability candidates are then passed through a second Windows-specific validation pipeline designed to eliminate false positives before engineers investigate the issues. This tool is also helping Microsoft engineers understand update failures, as those have been happening with more regularity, as well as suggesting possible bug fixes, and identifying similar bugs elsewhere in the Windows source code with human oversight still being the final arbiter for review and judgment.
As is typical, Patch Tuesday isn’t solely a Microsoft routine. Other enterprises have also fixed a slew of issues, with specifics linked to their own announcements in the article.
Adobe recently patched seven max-severity ColdFusion and Campaign flaws, including the ColdFusion flaw CVE-2026-48282, which was later exploited in attacks.
BeyondTrust released security updates for two critical authentication bypass flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software.
Cisco released security updates for numerous products, including Cisco Identity Services Engine, Catalyst Center, and ClamAV. Cisco also confirmed that CVE-2026-20230, fixed in June, was actively exploited in attacks.
Fortinet released security updates for numerous flaws in FortiOS, FortiSandbox, FortiPam, FortiSandbox, FortiSASE, and FortiProxy.
Gitea released a security update for a critical auth bypass in the Gitea Docker image.
Ivanti released security updates for two vulnerabilities in Ivanti Xtraction.
Linux kernel maintainers released a patch for the Januscape vulnerability, a flaw that allows attackers to escape a virtual machine and execute arbitrary code on the host.
NVIDIA released security updates for NVIDIA Triton Inference Server and NVIDIA TensorRT-LLM.
Progress Software released security updates for a high-severity path traversal zero-day vulnerability that led to the emergency shutdown of ShareFile Storage Zone Controllers last week.
Ubiquiti released security updates for vulnerabilities in UniFi OS, including a maximum-severity flaw that can be exploited in command injection attacks.
U-Boot maintainers introduced patches to fix new flaws that could enable stealthy firmware attacks.
SAP released the July security updates, which include fixes for four critical flaws in NetWeaver, Commerce Cloud, and AppRouter.
VMware released security updates for VMware Avi Load Balancer, which include authentication bypasses and remote code execution flaws.
Zimbra released security updates for a critical XSS vulnerability affecting the Classic Web Client in the Zimbra Collaboration suite.
Bleeping Computer has compiled a list of each flaw and vulnerability patched this month, as always. It is extensive and long, as a warning to anyone wishing to read it for themselves. Should any of these experience the failure to update that’s been recurrent of late, or other issues pop up (this being informally designated Exploit Wednesday), I’ll be sure to let you know.