Microsoft — Security Activity Report

Windows + Azure + Office (MSRC advisories)

Generated Jul 13, 2026Cohort: 9 vendors with ≥10 CVE advisoriesMethodology ↗

CVE Disclosure Volume

Total all-time: 21,903 CVEs with Microsoft advisories. Source: NVD CVE records joined with vendor advisory publish dates.

2,25420222,10220233,40920243,74820254,4452026

Severity Composition

+12.3 pp

55.5% of Microsoft's 21,903 CVEs are CRITICAL or HIGH severity. Industry median: 43.2%. Source: NVD CVSS v3.1.

CRITICAL 979 (4.5%)HIGH 11,168 (51.0%)MEDIUM 8,666 (39.6%)LOW 450 (2.1%)NONE 422 (1.9%)

CISA KEV Listings

at industry median

126 of 12,474 Microsoft CVEs in the last 3 years are on CISA's Known Exploited Vulnerabilities catalog (1.0%). Industry median: 1.0%.

Source: CISA Known Exploited Vulnerabilities catalog (current snapshot). KEV listing means CISA observed active in-the-wild exploitation.

Vendor Patch Velocity

-6.2 days

Median time from CVE disclosure to Microsoft advisory: 9 days (p25 2 days – p75 52 days). Industry median: 15 days.

Sample size: 8,708 CVE→advisory pairs over the last 3 years. Source: vendor advisory published_at minus CVE published.

Top Recurring Weakness Classes

Most-frequently mapped CWEs across Microsoft's last 3 years of CVE disclosures. Source: NVD — CWE mapping per MITRE taxonomy.

  • CWE-416Use After Free1,820 CVEs
  • CWE-476NULL Pointer Dereference875 CVEs
  • CWE-125Out-of-bounds Read768 CVEs
  • CWE-122Heap-based Buffer Overflow697 CVEs
  • CWE-20Improper Input Validation531 CVEs

Recent Security Advisories

Latest advisories published by Microsoft, straight from the vendor's own feed. Severity labels are the vendor's — scales differ across vendors.

  • CVE-2026-59997MediumCVSS 4.2
    Jul 11, 2026

    internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.

  • CVE-2026-59996MediumCVSS 4.2
    Jul 11, 2026

    scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.

  • CVE-2026-59995MediumCVSS 4.2
    Jul 11, 2026

    sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.

  • CVE-2026-60001MediumCVSS 6.5
    Jul 11, 2026

    sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.

  • CVE-2026-60000LowCVSS 3.7
    Jul 11, 2026

    sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.

  • CVE-2026-59999MediumCVSS 5.9
    Jul 11, 2026

    In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

  • CVE-2026-60002HighCVSS 7.7
    Jul 11, 2026

    ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)

  • CVE-2026-56002HighCVSS 8.5
    Jul 11, 2026

    libXfont2 PCF Font Parsing Heap Buffer Overflow

Full advisory archive: /pulse/vendor-advisories →

Data sources & corrections

  • NVD National Vulnerability Database (nvd.nist.gov) — CVE records + CVSS v3.1 severity
  • MITRE cvelistV5 (github.com/CVEProject/cvelistV5) — CNA-published CVE timestamps
  • CISA Known Exploited Vulnerabilities catalog (cisa.gov/known-exploited-vulnerabilities-catalog)
  • Vendor security advisories (RHSA, USN, MSRC, GHSA, etc.) — published_at timestamps
  • MITRE CWE taxonomy (cwe.mitre.org) — weakness class mappings

Snapshot generated Jul 13, 2026. Industry medians refresh every 6 hours; raw vendor counts are queried live on each request.

Spot a factual error in this report?

Email [email protected] with the specific number you're disputing and a link to the authoritative source. We review every report and publish corrections on the methodology page.