It is the largest single Patch Tuesday on record, roughly triple last month's count and dwarfing the old high of 198. Fifty-six of the fixes are rated critical, most of them remote code execution. Some trackers put the tally past 600 once bundled third-party CVEs are counted; either way, this is a big one, and the sheer volume is the story on its own. Two of the three zero-days are under active attack. CVE-2026-56155 is an elevation-of-privilege bug in Active Directory Federation Services, found by Microsoft's own DART responders, that hands an attacker admin rights. CVE-2026-56164 is a moderate-severity privilege bug in on-prem SharePoint Server (see the advisory below). The third, a BitLocker bypass, was publicly disclosed but needs physical access — no reason to lose sleep over that one. If you run ADFS or on-prem SharePoint, patch those first and treat the rest as a normal, if enormous, monthly cycle.