Key Takeaways
- Multiple vendors have updated their security update cadence, while others are just released more frequently. In general, the patch apocalypse continues to drive a faster pace for detection of high-risk exposures and fast and continuous remediation capabilities:
- Adobe, effective July 14, 2026, moves from monthly to twice-monthly bulletins, published the 2nd and 4th Tuesday of each month, citing AI-accelerated vulnerability discovery compressing the disclosure-to-exploitation window.
- Cisco has also just shifted to a risk-based, twice-monthly disclosure model (1st and 3rd Wednesday of each month), consolidating related vulnerabilities into "umbrella" CVEs and deprioritizing individual advisories for low-risk findings. This changes how Cisco CVE volume will look going forward.
- Mozilla has picked up their release pace and has been resolving more CVEs than normal since April of this year and are on a near weekly security update cadence.
- Google still remains on a weekly security update cadence but is resolving record numbers of CVEs (including 915 resolved in June 2026 across five releases).
- Oracle's new Critical Security Patch Update (CSPU) programme delivers targeted critical-severity fixes on the 3rd Tuesday of non-CPU months, beginning May 28.
- CISA BOD 26-04 was announced on June 10, 2026 and change the remediation target for highest-risk vulnerabilities to 72 hours.
- Microsoft has not changed their cadence, but in a blog post on May 12 they shared a key message to customers that AI-driven scanning will increase vulnerability discovery and "Organisations whose patching, exposure management, and identity practices have evolved with that pace will absorb this change more easily. Others may find that practices designed for a slower-moving landscape need a closer look." They also stated that they anticipate more frequent out-of-band updates that will require immediate action.
Patch Tuesday Watch: What Led Up to July 2026
Adobe
Release date: June 30, 2026 (APSB26-68 — ColdFusion; same-day bulletin for Campaign Classic)
CVE count: 11 CVEs in ColdFusion, 1 in Campaign Classic (12 total)
Adobe's ColdFusion update resolved 11 vulnerabilities across ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), including seven rated CVSS 10.0:
Fixed in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
KEV callout: CVE-2026-48282 was not flagged as exploited at release, but exploitation began within roughly two hours of a public technical writeup on July 2. CISA added it to KEV on July 7, with a federal remediation deadline of July 10 — already passed. Any internet-facing ColdFusion instance still unpatched should be treated as an active incident, not a routine patch item.
Campaign Classic's CVE-2026-48286 (CVSS 10.0, incorrect authorization → arbitrary code execution) affects on-premise ACC v7 builds 7.4.3 and earlier. Adobe-hosted instances were already patched; no exploitation has been reported for this one.
Apple
Release date: July 1, 2026 (iOS/iPadOS 26.5.2, macOS Tahoe 26.5.2, Safari 26.5.2)
CVE count: 37 CVEs (26 in WebKit; 11 across kernel, WebRTC, Web Extensions, and other components)
Google Chrome
Release dates: June 24, 2026 (Chrome 149.0.7827.197) and July 8, 2026 (Chrome 150.0.7871.114/.115) CVE count: 10 CVEs (June 24) + 27 CVEs (July 8) = 37 CVEs across the two releases
The June 24 update resolved 10 vulnerabilities, the most severe being CVE-2026-13028 (CVSS 9.6, Critical) — a WebGL use-after-free enabling RCE, particularly on Android.
The July 8 update (Chrome 150) resolved 27 additional vulnerabilities: two Critical (CVE-2026-15112, CVE-2026-15129 — both use-after-free), 24 High-severity (largely use-after-free across Views, Extensions, Autofill, WebRTC, Codecs), and one Medium.
KEV callout: The prior Chrome zero-day, CVE-2026-11645 (V8 out-of-bounds read/write, exploited in the wild), was added to CISA's KEV catalogue under BOD 26-04 with a June 23 deadline — already passed heading into this cycle. No new Chrome CVEs from the June 24 or July 8 releases have been confirmed as exploited so far.
Mozilla
Release dates: Most recent desktop security release was Firefox 152.0.4 (June 30, 2026, per MFSA 2026-62); subsequent MFSAs (2026-64 through 2026-66) cover Thunderbird 140.12.1 and Firefox for iOS 152.3/152.4 — minor and mobile-only updates
CVE count: No new desktop Firefox/Thunderbird CVE bulletin in the immediate week leading into Patch Tuesday
Patch Tuesday Summary
Microsoft's July 2026 Patch Tuesday resolves a massive 570 CVEs this month, the majority (509) of which are rated Important and 58 rated Critical, with three Moderate. From an impact perspective 249 Elevation of Privilege and 143 Remote Code Execution account for the bulk of the impact types, followed by 102 Information Disclosure. Two CVEs are confirmed exploited in the wild — a SharePoint elevation of privilege flaw (CVE-2026-56164) and an Active Directory Federation Services elevation of privilege flaw (CVE-2026-56155) — and one CVE, affecting Windows BitLocker (CVE-2026-50661), is publicly disclosed.
Adobe released 11 updates resolving 88 CVEs including 63 Critical, 22 Important, and three Moderate. Impact breakdown includes 51 Arbitrary Code Execution, 13 Security Feature Bypass, 12 Privilege Escalation, 7 Application Denial-of-Service, three Arbitrary File System Read, and two Memory Exposure vulnerabilities. Besides the pre-patch Tuesday ColdFusion release including a known exploit, the 11 Patch Tuesday updates did not include any known exploits or public disclosures.
Mozilla released Firefox 152.0.6 resolving two Critical CVEs. Both vulnerabilities (CVE-2026-15718 and CVE-2026-15719) have publicly disclosed exploit code available, however Mozilla is currently not aware of any active exploitation.
Google Chrome Desktop 150.0.7871.124/.125 has released for Windows and Mac. No CVEs were reported upon release, but given the massive number of vulnerabilities resolved in the past month and a half it would be best to ensure all Chrome instals are up to the latest release.
Microsoft’s exploited vulnerabilities
Microsoft resolved an Elevation of Privilege vulnerability in Microsoft SharePoint Server (CVE-2026-56164). The vulnerability is rated Moderate by Microsoft and has a CVSS score of 5.3, but has been actively exploited in the wild. An unauthorised attacker could elevate privileges over a network. The CVE attack vector is Network because it is remotely exploitable from the internet. Attack complexity is also classified as low. Microsoft has provided some mitigating factors that could help detect a possible attack, but a risk-based prioritisation methodology warrants resolving this vulnerability as soon as possible.
Microsoft has resolved an Elevation of Privilege vulnerability in Active Directory Federation Services (CVE-2026-56155). The vulnerability is rated Important and has a CVSS score of 7.8, but has been actively exploited in the wild. The vulnerability could allow an attacker to elevate privileges locally to gain administrator privileges. Microsoft rates the vulnerability as Important, but a risk-based prioritisation methodology warrants resolving this vulnerability as soon as possible.
Microsoft’s publicly disclosed vulnerabilities
Microsoft has resolved a Security Feature Bypass vulnerability in Windows Bitlocker (CVE-2026-50661). The vulnerability is rated Important by Microsoft and has a CVSS score of 6.1, but has been publicly disclosed. A successful attack could bypass the BitLocker Device Encryption feature on the system storage device allowing access to encrypted data. While the code maturity for this vulnerability is currently listed as unproven, the disclosure means information is available to point a threat actor down a path to exploitation. A risk-based prioritisation approach warrants resolving this vulnerability as a priority this month.
Ivanti security advisories
Ivanti has released a security update for Ivanti Xtraction resolving two CVEs (one High and one Medium). More details and information about mitigations can be found in the July Security Advisory.
July update to-do list
- Consider shifting to a more continuous remediation approach if you have not already done so. The continued increase in both CVE discovery and update frequency due to AI accelerated vulnerability discovery is going to continue to increase and regulatory pressure to resolve highest-risk exposures in a matter of days to hours will become the new normal.
- Update your browsers! All of them. They are on a weekly basis at this point, but consider checking for and updating twice a week, if not daily, to reduce the exploit window for know exploited vulnerabilities.
- Resolve or mitigate known exploited vulnerabilities in Microsoft SharePoint (CVE-2026-56164), the Windows OS (CVE-2026-56155), and Adobe ColdFusion (CVE-2026-48282) as soon as possible.