IT Brief Canada - Technology news for CIOs & IT decision-makers
Canada
Microsoft patches 622 flaws, including SharePoint bugs

Microsoft patches 622 flaws, including SharePoint bugs

Tue, 14th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Microsoft has released fixes for 622 vulnerabilities in its July Patch Tuesday update, including a record 416 affecting Windows.

The release includes two flaws under active exploitation and one that had already been publicly disclosed, according to Rapid7's analysis.

One of the most closely watched issues is CVE-2026-55040, a critical authentication bypass flaw in Microsoft SharePoint. Rapid7 said its Senior Principal Security Researcher, Stephen Fewer, discovered the vulnerability, and that patches are available for SharePoint Server Subscription Edition, 2019, and 2016.

According to Rapid7, the flaw is the first part of a two-step attack chain that could lead to unauthenticated remote code execution on a vulnerable SharePoint server. The second vulnerability in that chain remains undisclosed, with Microsoft expected to issue a patch later.

SharePoint appears elsewhere in this month's disclosures. Microsoft is also tracking exploitation of CVE-2026-56164, another SharePoint flaw that allows an attacker to elevate privileges over a network without prior access.

Although Microsoft assigns the flaw a CVSS v3 base score of 5.3, Rapid7 said the practical risk may be higher than that rating suggests. It noted that Microsoft classified the issue as Important and rated the attack complexity as low.

Active Directory Federation Services is another area drawing attention. Microsoft listed CVE-2026-56155 as an elevation of privilege flaw under active exploitation and published eight additional vulnerabilities affecting the same product family.

Rapid7 also highlighted a publicly known BitLocker security feature bypass, tracked as CVE-2026-50661. Microsoft's advisory says an attacker with physical access to a device could bypass Windows BitLocker protections.

The July release comes amid broader changes to how Microsoft presents security information. Rapid7 said Microsoft has stopped listing detailed vulnerability entries in the Security Update Guide, replacing them with a summary table by product family and a shorter list of notable CVEs.

The change comes as vulnerability volumes continue to rise across the industry. Microsoft no longer lists Chromium CVEs in the guide, and Rapid7 said the latest format further reduces the product-by-product detail available at publication.

Adam Barnett, Lead Software Engineer at Rapid7, pointed to the scale of the month's release and the pressure on defenders trying to assess risk across a growing number of disclosures.

"All of this only serves to illustrate the recent industry-wide trend of exploding vulnerability report counts, with an associated uptick in the publication of remediations as a trailing indicator," said Adam Barnett, Lead Software Engineer at Rapid7.

Patch process

Rapid7 said Microsoft's monthly patching cycle has been unsettled this year, with a mix of higher vulnerability volumes and awkward disclosures from external researchers. It pointed in particular to activity by the pseudonymous researcher Nightmare Eclipse, who has published or discussed several Microsoft-related flaws in recent weeks.

One of those issues, a Microsoft Defender elevation of privilege vulnerability, was later published and patched by Microsoft as CVE-2026-50656. Rapid7 said the same researcher has since raised fresh concerns, including a proof of concept for another issue known as LegacyHive, which appears to allow a non-privileged user to mount another user's hive.

The July release also includes an unusual entry outside Microsoft's more typical enterprise and infrastructure software. Age of Empires II: Definitive Edition appears in the CVE list with CVE-2026-50663, a flaw that Rapid7 said could let an attacker place malicious files in unexpected locations through a malicious scenario file, potentially leading to code execution.

Lifecycle pressure

The security update also coincides with support cutoffs for several Microsoft products. Rapid7 said SharePoint Server 2016 and 2019 have reached the end of extended support, leaving SharePoint Subscription Edition as the only fully supported self-hosted SharePoint option.

Other products reaching end of support include Project Server 2016 and 2019, Dynamics GP 2016 and 2016 R2, InfoPath 2013, and SharePoint Designer 2013. SQL Server 2016 is moving into the Extended Security Updates phase, while SQL Server 2014 is entering its third and final year under that scheme.

Visual Studio 2022 Version 17.12 Long-Term Servicing Channel is also reaching its release end date, narrowing the supported options for users who remain on that branch.

"After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026," Barnett said.