Adobe splits Patch Tuesday in two as AI compresses the exploit window
From 14 July 2026 Adobe publishes security bulletins twice a month instead of once, citing AI-accelerated vulnerability discovery that is shrinking the disclosure-to-exploitation window from days to hours.
What is this?
On 25 June 2026, Adobe’s Chief Security Officer Aanchal Gupta announced that the company would move from monthly to twice-monthly publication of security bulletins and advisories. The new cadence took effect on 14 July 2026: Adobe now ships fixes on both the second and the fourth Tuesday of each month, instead of only the second, for every bulletin that carries a formally published CVE requiring customer action.
This is not an attack or a vulnerability. It is a structural change to how a major vendor releases patches — and Adobe is explicit about why. The reason it gives is the same one behind Microsoft’s warning of heavier Patch Tuesdays and Oracle’s shift from quarterly to monthly patching: AI has changed the economics of finding and exploiting flaws.
What’s changing
Adobe’s rationale, in the CSO’s own words, is that “the window between public vulnerability disclosure and active exploitation is compressing from days to hours.” Frontier models and agentic analysis tools now surface bugs across large codebases faster than traditional review could — a capability that Adobe is using internally to find and fix issues, but that is equally available to attackers once a fix is public and can be reverse-engineered.
More discovery means more fixes to ship, and Adobe concluded that a once-a-month publication window was “no longer fast enough.” The move mirrors Oracle’s decision to increase its quarterly cycle to monthly, also citing AI-driven threat acceleration. Adobe’s out-of-band process for actively exploited or externally reported zero-days stays in place on top of the new schedule.
The pressure was already visible before the change formally started. On 30 June 2026 — a fifth Tuesday, outside the normal cadence — Adobe shipped two out-of-sequence advisories for ColdFusion (APSB26-68) and Campaign Classic (APSB26-69), closing several maximum-severity, code-execution flaws. Adobe reported no exploitation at release, but security researchers observed one of the patched ColdFusion path-traversal flaws being probed in the wild within hours of disclosure — a concrete illustration of the compressed window Adobe is describing.
Why it matters
For defenders, a vendor doubling its patch frequency is a double-edged signal. The upside is that critical fixes reach customers on a predictable schedule rather than waiting up to four weeks for the next cycle. The downside is operational: every team that patches Adobe products now has twice as many planned maintenance events, and the tolerance for slipping any one of them shrinks as the exploitation window narrows.
The deeper point is that this is becoming an ecosystem trend, not a single vendor’s choice. When Oracle, Adobe and Microsoft all restructure their release calendars in the same year and name the same cause, patch cadence stops being a fixed background assumption and becomes a moving variable that vulnerability-management programs have to plan around. Teams that still budget staff and change windows against a monthly rhythm will be planning against a calendar that no longer exists.
Defenses
Concrete steps to adapt to the faster cadence:
- Update your patch calendar now. Add the second and fourth Tuesday of each month for Adobe products, and subscribe to Adobe’s security notification service so releases reach you the moment they publish.
- Triage on exploitability, not volume. With more advisories per month, prioritise on active-exploitation signals (CISA KEV, EPSS) and internet-exposed, unauthenticated attack surface rather than trying to apply everything at once.
- Shrink the disclosure-to-patch gap for exposed services. On-premise ColdFusion and Campaign instances are the kind of high-value, code-execution surface attackers probe within hours; keep them behind authentication and patch them first.
- Plan for out-of-band releases too. The scheduled cadence is a floor, not a ceiling — zero-day and active-exploitation fixes still arrive off-schedule, so keep an emergency change path ready.
- Watch for the same move from other vendors. Treat cadence changes as a governance input: revisit SLAs, staffing and maintenance windows as more suppliers follow Oracle and Adobe.
Status
| Item | Value |
|---|---|
| Announced | 25 June 2026 (Adobe Security Blog) |
| Effective | 14 July 2026 |
| Old cadence | Monthly (2nd Tuesday) |
| New cadence | Twice monthly (2nd and 4th Tuesday) |
| Scope | Every bulletin/advisory with a CVE requiring customer action |
| Stated driver | AI-accelerated discovery; disclosure-to-exploitation “days to hours” |
| Early trigger | Out-of-sequence ColdFusion (APSB26-68) and Campaign (APSB26-69) advisories, 30 June 2026 |
| Precedent | Oracle: quarterly → monthly (same stated cause) |
Key dates: 25 June 2026 — Adobe announcement. 30 June 2026 — out-of-sequence critical advisories. 14 July 2026 — twice-monthly cadence in effect.
Sources
- → https://blog.adobe.com/security/protecting-customers-faster-how-adobe-is-responding-to-ai-accelerated-vulnerability-discovery
- → https://www.csoonline.com/article/4192789/adobe-premieres-a-second-patch-tuesday-each-month-to-deliver-fixes-faster.html
- → https://thehackernews.com/2026/07/adobe-patches-7-cvss-100-flaws-in.html
- → https://www.computerworld.com/article/4192802/adobe-premieres-a-second-patch-tuesday-each-month-to-deliver-fixes-faster-2.html