Cloud Security · Research

Microsoft July 2026 Patch Tuesday Hits Record 622 CVEs With Critical DHCP Server RCEs

Illustration of enterprise DHCP server infrastructure under elevated risk during Microsoft July 2026 Patch Tuesday
AK
Alex Kim
Threat intelligence editor · Updated Jul 15, 2026, 5:01 PM EDT

Microsoft July 2026 Patch Tuesday Hits Record 622 CVEs With Critical DHCP Server RCEs

Microsoft’s July 2026 Patch Tuesday is the largest security release in the company’s history, addressing 622 vulnerabilities—roughly triple June’s previous record of about 200 issues—and packing more than 50 Critical flaws. Two of three zero-days are already under active exploitation and listed in CISA’s Known Exploited Vulnerabilities catalog. For enterprise defenders, the standout risk is a cluster of critical remote code execution bugs in Windows DHCP Server, led by CVE-2026-50518 (CVSS 9.8), which Microsoft rates “Exploitation More Likely” and which requires no authentication or user interaction over the network.

The combination of extreme volume and foundational networking flaws puts immediate pressure on Windows administrators, security teams, and CISOs. DHCP sits on nearly every enterprise network, frequently on domain controllers or core infrastructure. Successful compromise can deliver control of IP assignment and DNS options, open a path into identity services, and accelerate lateral movement for ransomware. Teams have a narrow window in the first 48–72 hours to inventory exposure, patch the highest-risk systems, and avoid operational breakage from the sheer size of the update set.

Record Volume and the New Normal

Vendor tallies range from about 569 to 622 depending on inclusion rules; Microsoft-centric consensus is 622. Of those, roughly 56–62 are Critical, with elevation of privilege accounting for about 40–44 percent of the total and remote code execution roughly a quarter. Windows alone accounts for more than 400 vulnerabilities—a record for that family—alongside large counts for Extended Security Updates and Office.

June had already set a high-water mark near 200 CVEs. July is approximately three times that figure and larger than the three prior months combined. Microsoft has attributed the surge in part to multi-model agentic scanning (MDASH) that accelerates discovery of flaws in its own code. Industry commentary is blunt: the era of relatively small Patch Tuesdays is ending. Defenders should treat sustained high monthly volume as the baseline through 2026, not a one-month anomaly. Microsoft’s Security Update Guide also changed presentation this month, emphasizing summary tables by product family and a shorter “Notable CVEs” section rather than a full enumerated list.

Critical DHCP Remote Code Execution Flaws

Several critical issues hit the Windows DHCP Server service and the DHCP client stack. The highest-priority items are heap-based buffer overflows that Microsoft flags as Critical and, in key cases, “More Likely” to be exploited.

CVEComponentTypeCVSSExploitabilityAttack vector / preconditions
CVE-2026-50518Windows DHCP ServerRCE (heap overflow)9.8More LikelyUnauthorized attacker over the network; no user interaction
CVE-2026-50370DHCP Server ServiceRCE (heap overflow)8.8More LikelyUnauthorized attacker over an adjacent network
CVE-2026-56159DHCP Server ServiceRCE (heap overflow)9.8UnlikelyNetwork
CVE-2026-48564DHCP Server ServiceRCE8.8Less LikelyNetwork
CVE-2026-54128Windows DHCP ClientRCE (use-after-free)8.4More LikelyUnauthorized attacker; local (client-side)

CVE-2026-50518 is the clear priority: unauthenticated network RCE against a service that assigns addresses and often runs with high privileges. CVE-2026-50370 is still Critical and “More Likely,” but limited to adjacent networks. Additional server RCEs carry Critical ratings even where Microsoft’s exploitability index is lower. On the client side, CVE-2026-54128 can enable local code execution and matters on segments where a malicious or compromised DHCP server can influence workstations.

Affected systems are supported Windows Server SKUs that host the DHCP Server role and Windows client SKUs running the DHCP client stack. Exact build and KB mappings are in the Security Update Guide per CVE. Domain controllers that also host DHCP are especially high-value targets because compromise can combine network control with identity infrastructure.

As of publication, there is no public report of active exploitation or public proof-of-concept code specifically for these July DHCP RCEs. Microsoft’s “More Likely” ratings and the strategic value of the service are the primary urgency signals.

Zero-Days and Active Exploitation

Three issues meet Microsoft’s zero-day criteria. Two are confirmed exploited in the wild and appear in CISA KEV:

  • CVE-2026-56155 — Active Directory Federation Services elevation of privilege (CVSS 7.8, Important). Insufficient access control allows a low-privileged local attacker to reach administrator privileges. Identity-critical after an initial foothold.
  • CVE-2026-56164 — Microsoft SharePoint Server elevation of privilege / missing authentication for a critical function (CVSS 5.3, Microsoft Moderate; often treated operationally as Important). Unauthenticated remote network attack, low complexity. CISA and Microsoft urge rapid remediation.
  • CVE-2026-50661 — Windows BitLocker security feature bypass (CVSS 6.1, Important). Requires physical access; publicly disclosed and not known to be exploited in the wild at release.

SharePoint also received critical authentication-bypass and deserialization RCE fixes, including CVE-2026-55040 (critical security feature bypass that can serve as the first stage of an unauthenticated RCE chain; a related second issue remains embargoed toward August) and CVE-2026-50522 / CVE-2026-58644 (CVSS 9.8, Exploitation More Likely, unauthenticated network RCE). On-premises SharePoint estates should be treated as top-tier for this cycle.

Temporary mitigation for SharePoint until fully patched: ensure Antimalware Scan Interface (AMSI) is integrated with SharePoint and IIS worker processes, and set Request Body Scan mode to Full so POST bodies are inspected. Network restriction of management and public exposure and WAF/IDS monitoring for anomalous POSTs remain useful compensating controls.

Other High-Impact Fixes and Lifecycle Cliff

Beyond DHCP and the zero-days, Critical remote code execution also hits Dynamics NAV / Dynamics 365 Business Central (on-premises) via CVE-2026-55944 (CVSS 9.8, Exploitation More Likely, unauthenticated deserialization through a crafted login), plus networking components (TCP/IP, RMCAST, SSTP, Print Spooler, server network drivers), Active Directory Domain Services, MSMQ, media and graphics stacks, Hyper-V, WSUS, and others. Office document-triggered RCEs remain numerous and typically require user interaction. Niche titles such as Minecraft Bedrock Dedicated Server and Age of Empires II: Definitive Edition also appear on this month’s list.

The same week, SharePoint Server 2016 and 2019 (and Project Server 2016/2019) reach extended end of support on July 14, 2026, with no Extended Security Updates path. The only fully supported self-hosted SharePoint route going forward is Subscription Edition. SQL Server 2016 enters the paid ESU phase; SQL Server 2014 is in its final ESU year. Organizations still on SharePoint 2016/2019 face both unpatched risk after today and the strategic debt of a forced migration decision.

Who Must Act and in What Order

Highest-severity exposure concentrates on Windows Servers running the DHCP Server role (especially domain controllers), AD FS servers, on-premises SharePoint (Subscription Edition, 2019, 2016), Dynamics NAV / Business Central on-premises, domain controllers and other AD DS / AD CS roles, Hyper-V hosts, WSUS, Exchange, SQL, high-value Office clients, and ESU-entitled legacy Windows systems.

Ranked 48–72 hour plan

  1. Inventory DHCP servers (flag DC-hosted instances), AD FS farms, all on-prem SharePoint, Dynamics on-prem, internet-facing Microsoft web apps, and Hyper-V hosts. Identify SharePoint 2016/2019 for migration versus risk-acceptance discussion.
  2. Patch first (with change control and rollback):
  • CISA KEV / exploited: CVE-2026-56155 (AD FS), CVE-2026-56164 (SharePoint).
  • Critical unauthenticated or network RCE: DHCP CVE-2026-50518 (then 50370, 56159, 48564 as capacity allows); SharePoint 50522 / 58644 / 55040; Dynamics CVE-2026-55944.
  • Other Critical “More Likely” RCEs and high-value EoPs on domain-joined servers.
  1. Then clients and remaining Important: kernel and Win32k EoPs (many “More Likely”), Office document RCEs, DHCP client, BitLocker (physical threat model).
  2. Test before broad rollout. Volume is extreme—use pilot rings. Watch for Kerberos/RC4 and service-account authentication breakage reported as an operational risk. Stage DHCP failover pairs and AD FS farm nodes carefully; validate AMSI/Defender health on SharePoint; back up DHCP databases, AD, and SharePoint before mass deployment.

Compensating controls until patches land: restrict who can send DHCP traffic (ACLs, disable rogue DHCP, 802.1X where feasible); keep DHCP off untrusted segments; monitor for anomalous DHCP packets or service crashes. For AD FS, tighten local logon rights and focus EDR on privilege-escalation behavior. There is no robust “disable the feature” workaround for the critical DHCP server RCEs—patching is the control. EDR/NDR signatures and updated Snort rulesets for many of this month’s issues are already shipping from major vendors.

Broader 2026 Pattern

July continues a clear 2026 theme: networking services and identity/collaboration platforms repeatedly host high-blast-radius flaws. Hostile or theatrical public disclosure outside coordinated timelines adds noise and pressure. AI-assisted discovery on both the vendor and attacker side means “Exploitation Less Likely” ratings age faster than they used to. Process redesign—automated inventory, risk-ranked rings, and special handling for DHCP and identity—matters more than treating each Patch Tuesday as a one-off fire drill.

Takeaways

Prioritize KEV items and critical network RCE on DHCP, SharePoint, and Dynamics within the first two to three days; use pilot rings and watch Kerberos/service-account behavior; apply AMSI Full body scanning on SharePoint as a temporary control; and treat SharePoint 2016/2019 end of support the same day as a hard migration deadline. Confirm exact KBs and builds in the Microsoft Security Update Guide and track CISA KEV deadlines for federal and regulated environments.