DEV Community

Cover image for Patch Tuesday Just Broke Its Own Record, and Two Kernel Bugs Turned 15 in the Same Week
Fabio Baensch
Fabio Baensch

Posted on

Patch Tuesday Just Broke Its Own Record, and Two Kernel Bugs Turned 15 in the Same Week

If you blinked this week, you missed a lot. It's July 15, 2026, and the last seven days have quietly been one of the densest stretches in recent memory for anyone who cares about what's happening below the application layer: the biggest Patch Tuesday Microsoft has ever shipped, two Linux kernel vulnerabilities that have been sitting untouched since the early 2010s, and an OpenSSH release that looks boring right up until you read the second paragraph.

Here's the roundup, with the parts that actually matter to us as developers.

Microsoft's biggest Patch Tuesday ever

Tuesday's release is being called Microsoft's largest ever, and depending on whose count you trust — Microsoft's own release notes or Trend Micro's ZDI tracker — the tally lands somewhere between roughly 570 and 622 CVEs across Windows, Office, Exchange Server, SharePoint Server, SQL Server, Azure, and Visual Studio. Windows alone reportedly accounts for the bulk of it.

Three things stood out beyond the raw number:

Three zero-days. Two were already being exploited in the wild before patches landed: a SharePoint Server privilege-escalation flaw (CVE-2026-56164) that lets an unauthenticated attacker escalate over the network, and an Active Directory Federation Services bug (CVE-2026-56155). A third, a BitLocker bypass (CVE-2026-50661) that lets someone with physical access get past device encryption, was already public but hasn't been confirmed as actively exploited.

Kerberos RC4 support is finally, permanently gone. This has been a slow-motion rollout since January, when Microsoft started logging audit events for RC4 ticket usage. April flipped the default encryption type to AES for any account without an explicit override. This week's update removes the RC4DefaultDisablementPhase registry key that let administrators roll that back. If any service account in your environment is still requesting RC4 Kerberos tickets, it can start failing authentication the moment this update lands — worth auditing before it pages someone at 2am. The underlying issue (CVE-2026-20833) is a Kerberoasting vector: RC4-encrypted service tickets can be cracked offline once captured.

RoguePlanet got its official fix folded in. This is the Windows Defender / Malware Protection Engine privilege-escalation bug (CVE-2026-50656) that let a local attacker win a race condition against an NTFS reparse point and land a SYSTEM shell. Microsoft actually shipped the fix out-of-band on July 8–9, ahead of this week's cumulative update, after a public proof-of-concept circulated. If you manage air-gapped or manually-updated fleets, it's worth double-checking that engine version 1.1.26060.3008 (or later) actually reached those machines — the automatic channel doesn't always cover everything.

Two kernel bugs that are old enough to have a mortgage

The Linux side of the week was arguably wilder, mostly because of how long these bugs had been hiding.

Januscape — a 16-year-old KVM escape

CVE-2026-53359, named Januscape, is a use-after-free in the shadow MMU code that KVM uses on x86 hosts. Researcher Hyunwoo Kim found that a malicious guest VM can drive KVM into reusing a stale shadow page-table entry, corrupting host memory in the process. It's the first known guest-to-host KVM escape that works on both Intel and AMD, which makes it a real problem for multi-tenant cloud environments running nested virtualization.

The bug traces back to a commit from August 2010 and was only patched upstream in June 2026 — sixteen years in the wild. Kim originally demonstrated it as a zero-day submission to Google's kvmCTF bounty program, which pays up to $250,000 for a full guest-to-host escape. The public proof-of-concept reliably panics the host; a complete code-execution exploit reportedly exists but hasn't been released.

GhostLock — 15 years in the locking code

CVE-2026-43499, GhostLock, lives in the kernel's real-time mutex code, in the cleanup path for futex priority inheritance. A cleanup routine was clearing the wrong thread's bookkeeping, leaving a dangling reference that an unprivileged local user can turn into root — and it works from inside a container to escape to the host, since the only prerequisite (CONFIG_FUTEX_PI) is on by default nearly everywhere.

It was introduced in kernel 2.6.39 back in 2011 and wasn't fixed until version 7.1. The security firm that found it, Nebula Security, discovered it with an internal AI-assisted scanning tool while chaining it to a Firefox JIT bug for a full browser-to-root exploit chain. Their write-up reports a 97% reliable exploit that gets root in about five seconds, and it earned them a $92,337 bounty through Google's kernelCTF program.

Two vulnerabilities, three-plus decades of combined kernel history, both found this year. Worth checking your kernel version if you're running anything KVM-based or multi-tenant.

The boring update that isn't: OpenSSH 10.4

Released July 6, OpenSSH 10.4 rolled up eight security fixes and got framed by most outlets as routine hygiene. Two are worth knowing about: a malicious SFTP or SCP server could previously redirect where downloaded files land or write into the parent directory of your target path — both now closed. There's also a client-side use-after-free (CVE-2026-60002, CVSS 7.7) triggered when a server swaps its host key mid-session.

The more interesting part is buried further down: OpenSSH now has experimental support for a composite post-quantum signature scheme combining ML-DSA-44 and Ed25519. It's opt-in for now, but it's a good reminder that post-quantum-hybrid key exchange has quietly been the default in OpenSSH since April 2025 — most of us have been using it for over a year without noticing.

The pattern underneath all of it

Two of this week's headline bugs — GhostLock and, separately, Microsoft's own comments about its Windows codebase — point at the same thing: AI-assisted tooling is now finding vulnerabilities that sat untouched for over a decade of manual review. Microsoft has publicly said it expects more security updates going forward specifically because it's leaning on AI to hunt for flaws in its own code. That cuts both ways — the same tooling lowers the bar for attackers, too — but it's probably a big part of why patch counts keep setting records month over month.

None of this changes what you actually need to do this week: patch Windows, audit any service accounts still pinned to RC4 before they break, check your kernel version if you run KVM or containers, and update OpenSSH. But it's a decent snapshot of where things are headed — bugs that survived fifteen-plus years of human eyes are now getting found in weeks, on both sides of the fence.

What's your patch queue looking like this week? Anyone else still finding RC4-dependent service accounts they forgot existed?

Top comments (0)