I was off by a month in my forecast of record-setting CVE releases from Microsoft. In June, we saw the deluge of over 200 reported CVEs that I expected in May. There were 116 CVEs for Windows 11 and 104 for Windows 10. In addition, we saw large numbers in both common applications like Office and SharePoint Server as well as the host of development tools and libraries like Visual Studio and .NET. Will the trend continue this month?
It was interesting that Microsoft did not have any OOB releases this month despite the large numbers of fixes in the June Patch Tuesday releases. They fixed the update issues in Windows Server 2016 and had only some minor reported issues such as a problem where the recycle bin displays the internal file name. On the flip side, there were some interesting announcements to be aware of.
Microsoft announced Windows 11 26H2 is now available in the Windows Insiders Development channel and will be released for general use later this year. This feature release is part of the same service channel as Windows 11 24H2 and 25H2, so you will be able to update via an enablement package. This is much less disruptive than a full OS replacement which is required for Windows 11 23H2 or older versions. Note that Windows 11 26H1 is not part of this service channel and also has a different OS kernel. It will be provided a separate upgrade path in the future. Microsoft extended its free consumer Windows 10 ESU support another year until October 2027; however, with a few exceptions, enterprise customers must still subscribe for updates.
The drama continued this month between the researcher Nightmare-Eclipse and Microsoft. The researcher announced a new zero-day vulnerability referred to as RoguePlanet continuing the string of Microsoft Defender flaws that have been identified. RoguePlanet, tracked as CVE-2026-50656, is a race condition privilege escalation vulnerability. The POC code the researcher posted on GitHub can result in a System privilege shell running on the compromised system.
CISA has announced the previously reported vulnerabilities, such as BlueHammer which has been patched, are already being exploited by ransomware. This will be one to watch on Patch Tuesday to see if a fix is made available because I’m sure it won’t be long before it is exploited as well.
The impact of AI on vulnerability identification continues to drive changes in our patch management industry. Adobe announced they are moving to two security releases a month with one on Patch Tuesday and the other on the fourth Tuesday of each month. This is coming in hot after Adobe released patches for six vulnerabilities in various versions of Cold Fusion, all with a max CVSS of 10. As per Adobe, “More vulnerabilities found means more fixes to deploy and a once-a-month publication window is no longer fast enough to stay ahead of our adversaries.”
This is becoming a very common theme as Google just released Chrome 150 on June 30th with a reported 433 security fixes. Even Apple is changing their age old patch policy with more frequent security updates throughout the year for their OS as more vulnerabilities are announced and exploited.
The Patch Apocalypse is here so planning and executing patch deployments at an increased rate is more important than ever. There is a growing sense that keeping track of CVEs is no longer practical due to sheer volume, and professionals are falling back to just patching as soon as possible with the latest vendor releases to keep systems as secure as possible.
July 2026 Patch Tuesday forecast
- I anticipate the large CVE trend will continue this month for Microsoft even though July is historically a quiet month. Microsoft Office 2016 is continuing to get plenty of updates despite it being beyond EOS. We saw Exchange Server updates last month, so maybe Microsoft SQL Server is in the rotation this month.
- It’s hard to tell how Adobe will phase their product updates now with two releases each month, but I would expect Photoshop, Illustrator, and Connect on the list.
- Apple provided security updates macOS Tahoe 26.5.2 and Safari 26.5.2 for Sonoma and Sequoia on June 29th. I wouldn’t rule out a separate OS update next week for the latter two operating systems.
- Google Chrome continues to amaze each week so expect the same on Patch Tuesday.
- Mozilla is slowly settling on bi-weekly releases and since the last for Thunderbird and Firefox were on June 30th, we should expect two or more new updates (depending upon ESR releases) next week.
- Oracle has their next Critical Patch Update (CPU) scheduled for July 21st so plan for it the week after Patch Tuesday.
The AI evolution has begun, and the first impact is the acceleration of vulnerability discovery and exploitation. Time will tell how patch processes will evolve but maybe the first question to answer is if CVE tracking will remain practical.