Dashboard-style graphic showing three rows for Adobe, Google Chrome, and Microsoft, each with three colored tiles displaying security update counts.

Patch Tuesday Watch: What Led Up to July 2026

Adobe

Release date: June 30, 2026 (APSB26-68 — ColdFusion; same-day bulletin for Campaign Classic)

CVE count: 11 CVEs in ColdFusion, 1 in Campaign Classic (12 total)

Adobe's ColdFusion update resolved 11 vulnerabilities across ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), including seven rated CVSS 10.0:

Fixed in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

KEV callout: CVE-2026-48282 was not flagged as exploited at release, but exploitation began within roughly two hours of a public technical writeup on July 2. CISA added it to KEV on July 7, with a federal remediation deadline of July 10 — already passed. Any internet-facing ColdFusion instance still unpatched should be treated as an active incident, not a routine patch item.

Campaign Classic's CVE-2026-48286 (CVSS 10.0, incorrect authorization → arbitrary code execution) affects on-premise ACC v7 builds 7.4.3 and earlier. Adobe-hosted instances were already patched; no exploitation has been reported for this one.

Apple

Release date: July 1, 2026 (iOS/iPadOS 26.5.2, macOS Tahoe 26.5.2, Safari 26.5.2)

CVE count: 37 CVEs (26 in WebKit; 11 across kernel, WebRTC, Web Extensions, and other components)

Google Chrome

Release dates: June 24, 2026 (Chrome 149.0.7827.197) and July 8, 2026 (Chrome 150.0.7871.114/.115) CVE count: 10 CVEs (June 24) + 27 CVEs (July 8) = 37 CVEs across the two releases

The June 24 update resolved 10 vulnerabilities, the most severe being CVE-2026-13028 (CVSS 9.6, Critical) — a WebGL use-after-free enabling RCE, particularly on Android.

The July 8 update (Chrome 150) resolved 27 additional vulnerabilities: two Critical (CVE-2026-15112, CVE-2026-15129 — both use-after-free), 24 High-severity (largely use-after-free across Views, Extensions, Autofill, WebRTC, Codecs), and one Medium.

KEV callout: The prior Chrome zero-day, CVE-2026-11645 (V8 out-of-bounds read/write, exploited in the wild), was added to CISA's KEV catalog under BOD 26-04 with a June 23 deadline — already passed heading into this cycle. No new Chrome CVEs from the June 24 or July 8 releases have been confirmed as exploited so far.

Mozilla

Release dates: Most recent desktop security release was Firefox 152.0.4 (June 30, 2026, per MFSA 2026-62); subsequent MFSAs (2026-64 through 2026-66) cover Thunderbird 140.12.1 and Firefox for iOS 152.3/152.4 — minor and mobile-only updates

CVE count: No new desktop Firefox/Thunderbird CVE bulletin in the immediate week leading into Patch Tuesday

Patch Tuesday Summary

Microsoft's July 2026 Patch Tuesday resolves a massive 570 CVEs this month, the majority (509) of which are rated Important and 58 rated Critical, with three Moderate. From an impact perspective 249 Elevation of Privilege and 143 Remote Code Execution account for the bulk of the impact types, followed by 102 Information Disclosure. Two CVEs are confirmed exploited in the wild — a SharePoint elevation of privilege flaw (CVE-2026-56164) and an Active Directory Federation Services elevation of privilege flaw (CVE-2026-56155) — and one CVE, affecting Windows BitLocker (CVE-2026-50661), is publicly disclosed.

Adobe released 11 updates resolving 88 CVEs including 63 Critical, 22 Important, and three Moderate. Impact breakdown includes 51 Arbitrary Code Execution, 13 Security Feature Bypass, 12 Privilege Escalation, 7 Application Denial-of-Service, three Arbitrary File System Read, and two Memory Exposure vulnerabilities. Besides the pre-patch Tuesday ColdFusion release including a known exploit, the 11 Patch Tuesday updates did not include any known exploits or public disclosures.

Mozilla released Firefox 152.0.6 resolving two Critical CVEs. Both vulnerabilities (CVE-2026-15718 and CVE-2026-15719) have publicly disclosed exploit code available, however Mozilla is currently not aware of any active exploitation.

Google Chrome Desktop 150.0.7871.124/.125 has released for Windows and Mac. No CVEs were reported upon release, but given the massive number of vulnerabilities resolved in the past month and a half it would be best to ensure all Chrome installs are up to the latest release.

Microsoft’s exploited vulnerabilities

Microsoft resolved an Elevation of Privilege vulnerability in Microsoft SharePoint Server (CVE-2026-56164). The vulnerability is rated Moderate by Microsoft and has a CVSS score of 5.3, but has been actively exploited in the wild. An unauthorized attacker could elevate privileges over a network. The CVE attack vector is Network because it is remotely exploitable from the internet. Attack complexity is also classified as low. Microsoft has provided some mitigating factors that could help detect a possible attack, but a risk-based prioritization methodology warrants resolving this vulnerability as soon as possible.

Microsoft has resolved an Elevation of Privilege vulnerability in Active Directory Federation Services (CVE-2026-56155). The vulnerability is rated Important and has a CVSS score of 7.8, but has been actively exploited in the wild. The vulnerability could allow an attacker to elevate privileges locally to gain administrator privileges. Microsoft rates the vulnerability as Important, but a risk-based prioritization methodology warrants resolving this vulnerability as soon as possible.

Microsoft’s publicly disclosed vulnerabilities

Microsoft has resolved a Security Feature Bypass vulnerability in Windows Bitlocker (CVE-2026-50661). The vulnerability is rated Important by Microsoft and has a CVSS score of 6.1, but has been publicly disclosed. A successful attack could bypass the BitLocker Device Encryption feature on the system storage device allowing access to encrypted data. While the code maturity for this vulnerability is currently listed as unproven, the disclosure means information is available to point a threat actor down a path to exploitation. A risk-based prioritization approach warrants resolving this vulnerability as a priority this month.

Ivanti security advisories

Ivanti has released a security update for Ivanti Xtraction resolving two CVEs (one High and one Medium). More details and information about mitigations can be found in the July Security Advisory.

July update to-do list

  • Consider shifting to a more continuous remediation approach if you have not already done so. The continued increase in both CVE discovery and update frequency due to AI accelerated vulnerability discovery is going to continue to increase and regulatory pressure to resolve highest-risk exposures in a matter of days to hours will become the new normal.
  • Update your browsers! All of them. They are on a weekly basis at this point, but consider checking for and updating twice a week, if not daily, to reduce the exploit window for know exploited vulnerabilities.
  • Resolve or mitigate known exploited vulnerabilities in Microsoft SharePoint (CVE-2026-56164), the Windows OS (CVE-2026-56155), and Adobe ColdFusion (CVE-2026-48282) as soon as possible.