Microsoft has unveiled its July 2026 Patch Tuesday cumulative updates for Windows 11, addressing a multitude of security vulnerabilities while enhancing Secure Boot functionalities, implementing security hardening measures, and refining compatibility across systems.
Key Vulnerabilities Addressed
This month’s updates are particularly significant, as they rectify a publicly disclosed BitLocker bypass vulnerability and an actively exploited privilege escalation flaw within Active Directory Federation Services (AD FS). The updates include:
- KB5101650 for Windows 11 25H2 and 24H2, elevating systems to builds 26200.8875 and 26100.8875, respectively.
- KB5101649 for Windows 11 26H1, updating devices to build 28000.2525.
In total, the July Patch Tuesday release addresses 622 Microsoft Common Vulnerabilities and Exposures (CVEs) across various products, including:
- 416 vulnerabilities in Windows
- Fixes for Microsoft Office, Edge, Exchange Server, SharePoint Server, SQL Server, Defender, and Azure services
Among the critical vulnerabilities is CVE-2026-50661, an Important BitLocker Security Feature Bypass vulnerability, which allows an attacker with physical access to potentially bypass BitLocker Device Encryption. Although Microsoft considers the likelihood of exploitation to be low, the urgency of addressing this flaw is clear.
Another notable fix is for CVE-2026-56155, an AD FS Elevation of Privilege vulnerability that has already been exploited in the wild. This flaw enables an authenticated local attacker with limited privileges to escalate their access to administrator levels. This vulnerability was reported by members of Microsoft’s Detection and Response Team (DART).
Additionally, CVE-2026-56164, a SharePoint Server Elevation of Privilege vulnerability, was also addressed. Discovered by a collaborative effort involving researchers from Mandiant Incident Response and Google Cloud, this flaw allows unauthenticated attackers to elevate privileges over the network due to a lack of authentication for a critical function. Microsoft advises SharePoint administrators to ensure that Anti-Malware Scan Interface (AMSI) integration is enabled and configured for full request body scanning to detect malicious payloads effectively.
Enhancements and Security Hardening
The July updates also mark a continuation of Microsoft’s initiative to roll out new Secure Boot certificates, a process that began in June 2026. The company has broadened its device targeting to encompass a wider array of eligible systems, with Windows Update set to deploy replacement certificates in the coming months.
Furthermore, the updates rectify an issue stemming from June’s security patches that hindered some third-party applications utilizing OLE Automation from launching Microsoft Office applications or accessing Office documents.
In terms of security enhancements, Windows now incorporates curl 8.21.0, which features the latest security improvements. The updates also introduce support for SHA-2 certificate thumbprints for trusted Remote Desktop publishers, while initiating a transition away from SHA-1. Additionally, Transport Driver Interface (TDI) transport registration requirements have been enforced, which may impact applications relying on unregistered third-party TDI transports.
Microsoft has stated that it is currently unaware of any known issues affecting either of the cumulative updates. Users can easily install the updates by navigating to Settings > Windows Update > Download & Install all.
A system reboot will be necessary for the updates to take effect. It is highly recommended that users back up important data prior to applying the system update to mitigate the risk of data loss should any complications arise during the process.