SecurityNews & Analysis

Microsoft Patch Tuesday July 2026: 127 CVEs, Act Now

Digital security shield with Windows logo and CVE labels representing Microsoft Patch Tuesday July 2026
Microsoft Patch Tuesday July 14 2026: 127 CVEs including a wormable CVSS 9.8 RCE

Microsoft drops 127 patches tomorrow. The headline fix is a wormable CVSS 9.8 remote code execution flaw that touches every Windows machine since Server 2008. Kerberos RC4 support dies permanently at the same moment. And a disgruntled security researcher has July 14 circled. Three threats converging on one Tuesday is not normal — and none of them are optional.

CVE-2025-47981: Patch This First

The most urgent fix this month is CVE-2025-47981, a heap-based buffer overflow in the Windows SPNEGO Extended Negotiation (NEGOEX) security mechanism. The CVSS score is 9.8. The attack vector is network. No credentials required, no user interaction, fully wormable. If you have Windows servers exposed to a network — and you do — this is an emergency patch.

SPNEGO is the authentication negotiation layer that sits underneath Kerberos and NTLM. It is enabled by default on every supported Windows version from 10 1607 and Windows Server 2008R2 onward. Microsoft assesses exploitation as “more likely within 30 days.” Realistically, working exploits will appear faster than that once security researchers reverse the patch. ZeroPath’s technical breakdown covers the heap overflow mechanics in detail.

There is no workaround. Apply the July cumulative update.

Kerberos RC4: Do This Before You Patch

The July 14 cumulative update permanently removes the RC4DefaultDisablementPhase rollback control from all supported Windows Server domain controllers. That is the mechanism organizations have used as a safety net since Microsoft began hardening Kerberos RC4 support in January 2026. After tomorrow, the safety net is gone.

If any service account in your environment still uses RC4 for Kerberos ticket requests, it may fail authentication the moment the update is applied. The fix is straightforward but the order matters: audit first, then patch.

The January 2026 update added nine new audit events to the Windows System Event Viewer specifically to surface RC4 usage. Check those events now. For any service account flagged, change the password — Windows generates AES keys automatically on password change. Once the accounts are migrated, apply the July update.

Printers, third-party appliances, and legacy network devices are the usual culprits. They tend to be invisible in normal monitoring and then extremely visible when authentication breaks at 2 AM.

Nightmare-Eclipse: Keep an Eye on July 14

Security researcher Nightmare-Eclipse has been in an escalating public feud with Microsoft since April 2026, dropping six Windows zero-days in six weeks: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Microsoft reported the researcher to law enforcement. The researcher responded by threatening a “bone shattering” exploit dump on July 14 — the same day as Patch Tuesday.

As of yesterday, the researcher walked it back partially, citing exhaustion from RoguePlanet (CVE-2026-50656), the Windows Defender privilege-escalation flaw disclosed last week. Microsoft issued an emergency patch on July 9. The July 14 threat was not formally canceled. Apply tomorrow’s cumulative update early, verify the July 9 patch is in place, and keep Microsoft MSRC open throughout the day.

Developer Toolchain: Don’t Skip the Visual Studio Updates

Seven Visual Studio CVEs are in this month’s release, along with additional .NET SDK vulnerabilities. Developers running Visual Studio on Windows are directly in scope. Apply Windows Update on your workstation tomorrow. It takes fifteen minutes and the alternative is carrying known vulnerabilities in your dev environment indefinitely.

The Bigger Problem: 127 CVEs Is the New Normal

June 2026 set a record with 206 Microsoft CVEs — 571 when Chromium and bundled third-party components are counted. July’s 127 is being framed as a “normalization,” but it is above every pre-2026 monthly average. Microsoft is on pace to patch over 1,000 vulnerabilities this year. FIRST forecasts 66,000 CVEs industry-wide for 2026.

The root cause is AI-assisted vulnerability discovery. Automated fuzzing, static analysis, and variant hunting are finding bugs faster than teams can fix them. Microsoft told customers directly to expect continued volume growth. This is not a temporary spike.

At this scale, the traditional “assess every CVE” workflow breaks. A CVSS High or Critical rating sounds urgent until you realize it applies to 58% of all CVEs published. You cannot treat all of them as priorities — that word stops meaning anything.

The modern alternative is EPSS (Exploit Prediction Scoring System) combined with CISA’s Known Exploited Vulnerabilities catalog. EPSS predicts the probability a CVE will be exploited in the next 30 days. Setting a threshold of 0.088 covers 82% of CVEs that end up exploited while requiring action on only 7.3% of all published CVEs — versus the 58% you would need to patch under a CVSS-only strategy. The open-source CVE_Prioritizer automates the workflow.

None of this means ignoring July’s Patch Tuesday. It means applying it intelligently: CVE-2025-47981 first because it is wormable and will be exploited fast, Kerberos RC4 cleanup before you patch, and the rest through normal update channels. The three items above are not candidates for EPSS triage — they are unconditional.

Checklist for July 14

  • Audit Kerberos RC4 usage now via Windows Event Viewer (nine audit events, added January 2026)
  • Change passwords on RC4-using service accounts to trigger AES key generation
  • Apply July Windows cumulative update (covers CVE-2025-47981 and 126 others)
  • Verify the July 9 emergency patch for RoguePlanet (CVE-2026-50656) is already applied
  • Update Visual Studio and .NET SDK on developer workstations
  • Monitor MSRC and security feeds throughout the day

Full breakdown of all 127 fixes is available in Sophos’s July Patch Tuesday analysis. For CVE triage methodology, Help Net Security’s July forecast covers the EPSS versus CVSS debate in detail.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:Security