July 2026 Windows Update — 570 Fixes and 2 Zero-Days, the Biggest Patch Tuesday Ever
Microsoft shipped 570 security fixes on 14 July. Fifty-nine of them Critical. Two zero-days already being exploited in real attacks. This is the biggest single Patch Tuesday Microsoft has ever released, roughly three times the size of last month's already record-breaking update. Install it now.
The two zero-days
Both target business infrastructure rather than home PCs directly. But attackers who get into a company network don't stop at one machine, and these are being used in real incidents right now.
2 zero-days, actively exploited
Other flaws worth knowing
- CVE-2026-58608, Windows Print Spooler. Remote code execution, rated Critical. Print Spooler vulnerabilities keep coming back and this is another one. Affects any PC with printing enabled.
- CVE-2026-55008, Exchange Server. Open a crafted email in Outlook Web Access and it runs code in your browser. No clicking needed. Officially classified as "spoofing" but it's functionally a stored cross-site scripting bug. CVSS 9.6.
- CVE-2026-57092, Hyper-V VMSwitch. CVSS 9.9, the single highest-rated bug this month. An attacker inside a virtual machine can break out and take over the host.
- CVE-2026-50518, Windows DHCP Server. Buffer overflow, no login required, CVSS 9.8. Server-only, but it shows the scale of what's being patched.
The Print Spooler flaw is the one most likely to affect a home PC. The rest are server and enterprise, but when 48 of your 59 Critical bugs are remote code execution, you don't wait around.
How to install
- Settings → Windows Update
- Check for updates
- Wait 10-30 minutes
- Restart when prompted, not two days later
KB5101650 (24H2 and 25H2). Look in Update history to confirm it's installed.
After June's update problems
Last month's KB5094126 caused boot failures, BitLocker recovery prompts, blue screens and broken OneDrive on some PCs. HP machines had it worst. If that put you off installing updates for a while, fair enough.
This month's update fixes several of those June bugs, and Microsoft says there are no known issues with KB5101650 so far. If you skipped June, installing July should sort both months.
One more to know about: a BitLocker bypass (CVE-2026-50661) was publicly disclosed before the patch landed. It needs physical access to your machine, so it's not a remote threat. But if you carry a work laptop with sensitive data, get it updated.
Windows 10
This month's Windows 10 patch is KB5099539. Microsoft quietly extended the free Extended Security Updates programme, so you now get free patches until October 2027 instead of October 2026. That buys another year to plan your upgrade. See the Windows 10 end-of-life guide for how to enrol.
If Windows Update itself is broken
A PC that can't update is a PC with 570 unpatched holes. The usual culprits are low disk space, corrupted update files, or antivirus clashing with Defender. I've covered the fixes in my common PC problems post. If storage is the bottleneck, speeding up a slow Windows 11 PC has that covered too.
If they keep failing and you're stuck, that's bread-and-butter computer repair stuff. Get in touch and I'll sort it.
For the full technical breakdown, Bleeping Computer covers every CVE and Krebs on Security analyses which ones matter most.
Mark has been fixing computers since the late '90s and went self-employed in 2008. Based in St Helens since 2013, he works evenings and weekends from his home in Laffak — friendly, affordable repairs for PCs, laptops, and Macs. See reviews on Google
Updates failing or something not right?
If Windows Update is stuck, your PC is running worse since you installed, or you're not sure you're protected — get in touch and I'll sort it.
★★★★★"I cant fault this guy. Fit me in speedily and resolved the issue. Had another issue once I got home and he did fixed that too. Would defo use again."
— Melanie Atherton, via Google