Microsoft dropped an eye-watering 621 vulnerability fixes on July 14, 2026, in a Patch Tuesday release so massive that security researchers called it the “Mother of All Releases.” Among them, two flaws—in SharePoint Server and Active Directory Federation Services (AD FS)—are already being exploited in attacks, and a third, a Hyper-V guest-to-host escape, scored 9.9 out of 10 on the severity scale. The update also introduces a point-in-time restore feature for Windows 11, giving users a way to roll back their entire PC to a snapshot, and fixes a troublesome Office integration regression from last month.
The sheer scale of the fix list
According to Trend Micro’s Zero Day Initiative (ZDI), the release covers 621 CVEs, breaking the previous single-month record and pushing Microsoft’s year-to-date total above any full-year tally from the past two decades. Not all are critical—ZDI counted 63 rated Critical, 6 Moderate, 1 Low, and the rest Important—but the volume alone demands a change in how organizations approach patching.
The two actively exploited vulnerabilities undercut any temptation to wait. CVE-2026-56164, a missing-authentication flaw in on-premises SharePoint Server 2016, 2019, and Subscription Edition, carries a seemingly modest CVSS 5.3 rating. Yet an unauthenticated attacker can reach it over a network without user interaction and gain elevated permissions. The US Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities catalog on release day, cementing its urgency. Internet-facing SharePoint servers are effectively sitting ducks.
CVE-2026-56155, the second exploited bug, is an elevation-of-privilege hole in AD FS. Rated Important with a 7.8 CVSS, it requires an attacker to already have local, low-privileged access. That precondition might sound reassuring, but ZDI warns it’s exactly the sort of local privilege escalation attackers chain with remote-code-execution exploits during ransomware intrusions. AD FS sits deep inside identity infrastructure, so a foothold there can quickly cascade.
Then there’s CVE-2026-57092, a use-after-free vulnerability in Windows VMSwitch with a 9.9 CVSS score—the highest in the release. A low-privileged attacker inside a guest virtual machine could break through the VM boundary and compromise the Hyper-V host. No active exploitation is confirmed, but the architectural implications are stark; hosting providers, VDI environments, and any shop running mixed-trust workloads on the same hardware should treat it as a top-tier risk.
Other high-severity standouts include a Copilot remote-code-execution bug (CVE-2026-48561, 9.6), two Critical Defender RCEs (CVE-2026-55011 and CVE-2026-55012), and an Exchange Server spoofing flaw (CVE-2026-55008, 9.6) exploiting stored cross-site scripting in Outlook on the web. Windows itself harbors five DHCP-related RCEs, multiple Remote Desktop vulnerabilities, and 21 RCE bugs across NTFS and ReFS file-system drivers.
A publicly disclosed BitLocker bypass (CVE-2026-50661) requires physical access but could let an attacker skirt Device Encryption. Because details are public, it’s unwise to defer the fix indefinitely, especially on laptops.
Windows 11 gains a point-in-time restore safety net
KB5101650 advances Windows 11 24H2 to build 26100.8875 and 25H2 to build 26200.8875, but the marquee addition is point-in-time restore. Unlike older System Restore, which only rolled back system files, this feature rewinds the entire PC—Windows, installed apps, settings, and local files—to a snapshot taken roughly every 24 hours and kept for up to 72 hours. The intent is to give users a quick undo for problematic updates, misconfigurations, or stubborn malware.
There’s a price: everything created after the snapshot is lost. Documents, passwords, certificates, and app changes revert; OneDrive files are safe because they live in the cloud. BitLocker-protected PCs demand a recovery key before restoration begins.
Point-in-time restore is turned on by default for unmanaged devices with an OS volume of at least 200 GB. Enterprise-managed machines won’t see it enabled until Windows 11 26H2, giving administrators time to weigh storage impacts and recovery procedures. The feature appears in the Windows Recovery Environment, alongside fresh pause-update controls that let users pick a pause end date up to 35 days away and re-pause later without forcing update installation after the pause lapses.
What this means for you
Home users: Install the patch. Two actively exploited flaws justify no delay. Once updated, open Settings > System > Recovery to explore point-in-time restore. If you ever need it, you’ll boot into WinRE, pick a snapshot, and wait while the machine rewinds. Back up your BitLocker recovery key now (it’s in your Microsoft account or saved file) or risk permanent data loss later. The BitLocker CVE-2026-50661 patch closes a physical-access risk, so don’t skip it on laptops.
IT administrators: Triage is everything. Start with internet-facing SharePoint servers—patch CVE-2026-56164 immediately and inspect for signs of compromise, because patching doesn’t evict an existing attacker. AD FS servers come next (CVE-2026-56155). Then accelerate testing for Hyper-V hosts (CVE-2026-57092). After that, prioritize remaining Critical-rated updates for Exchange, SQL Server, Defender, and Office according to exposure.
KB5101650 also fixes last month’s OLE Automation regression that broke third-party apps launching Microsoft Office, so retest those integrations. A new TDI transport enforcement may break unregistered third-party network drivers—VPNs, monitoring tools, legacy security products—so pilot those first. Remote Desktop gained SHA-2 certificate thumbprint support for trusted publishers; migrate away from SHA-1 now, because Microsoft plans to drop it. Dell systems with Intel processors are temporarily blocked from the update due to a hardware incompatibility; check your fleet and deploy a workaround when available.
Point-in-time restore remains off by default on managed devices. Decide whether and when you’ll enable it via Group Policy or CSP once it becomes available in a future release. In the meantime, educate users about the manual pause controls, but don’t rely on them for security—enforce deadlines through your management tools.
Developers: The TDI transport hardening may affect applications that open sockets over unregistered third-party transports. Verify your network drivers are properly registered. The OLE fix should restore Office automation functionality that broke in June. Also note curl was upgraded to 8.21.0, which may require testing if your app bundles or depends on it.
How we got here
The July deluge didn’t appear out of nowhere. Microsoft’s 2026 trajectory has been steep: by mid-July, the CVE count already exceeded any full-year total from 2006 onward. June’s patch cycle introduced the OLE Office regression, immediately jeopardizing line-of-business workflows. Meanwhile, Secure Boot certificate expirations have been rolling out gradually, with KB5101650 expanding automatic coverage.
Point-in-time restore first appeared in preview builds and draws inspiration from features like Apple’s Time Machine. Its arrival in a production update signals Microsoft’s concern about update-induced disruptions—a trend that also explains the extended pause controls.
Security researchers noted that the combination of an authentication-less SharePoint flaw and an AD FS privilege escalation is a classic “low-and-slow” attack chain, often seen in espionage and ransomware gangs. The Hyper-V escape, while an architectural nightmare, hasn’t been seen in the wild yet, but proof-of-concept code will likely follow.
What to do now
- Patch now. The active exploits make delay costly. If you’re a home user, grab the update from Windows Update. Admins, roll it out via WSUS or Microsoft Endpoint Manager.
- Prioritize by risk, not severity score. SharePoint and AD FS take precedence because exploitation is real. Hyper-V should follow quickly.
- Test compatibility. Pilot the update on a subset of devices to catch TDI transport breaks, Office integration hiccups, and the Dell Intel issue.
- Plan for restore. For personal devices, know where your BitLocker recovery key is. For enterprise, document the point-in-time restore settings you’ll enforce when it becomes available for managed devices.
- Harden RDP. Begin migrating trusted .rdp publisher configurations to SHA-256 and adjust Group Policy to limit which .rdp files can execute.
- Don’t forget that BitLocker fix. Especially on portable devices, apply the update to close a physical-access vector.
Outlook
With half the year gone and a record-shattering patch load already shipped, the remainder of 2026 looks intense. Point-in-time restore will become the default for commercial customers in Windows 11 26H2, likely arriving in the autumn. The SharePoint and AD FS exploits will be studied, and evasion techniques may evolve. If you manage servers or endpoints, now is a good time to review your patch automation and incident-response playbooks. For everyone else, enable automatic updates and take the restore feature for a test drive—you might be surprised how often a simple rollback saves the day.