#patch tuesday

The rest of my personal schedule may be chaotic and I often lose track of what day of the week it is (for instance I almost took my garbage to the curb last night even though pickup is tomorrow), but some things remain constant. Yesterday was Patch Tuesday for Microsoft – among others – and that means I have a quick rundown of updates and fixes to report on today.

Bleeping Computer, from whom I’ve gotten this catalog of changes, points out that this list only includes those releases from this day. Out of bounds patches to Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center and the 131 Microsoft Edge/Chromium flaws that were fixed by Google earlier this month are not counted. What is are the 120 other vulnerabilities and bugs, 17 of which are considered critical. 61 Elevation of Privilege Vulnerabilities, 6 Security Feature Bypass Vulnerabilities, 31 Remote Code Execution Vulnerabilities, 14 Information Disclosure Vulnerabilities, 8 Denial of Service Vulnerabilities and 13 Spoofing Vulnerabilities. No zero-days were reported this time, although there are some vulnerabilities that are noteworthy and should be addressed by security admins.

Microsoft Office, Word and Excel have all received patches and should be updated as soon as possible to prevent remote code execution. Others that Bleeping Computer listed are CVE-2026-35421, Windows GDI Remote Code Execution Vulnerability: This flaw can be exploited by opening a malicious Enhanced Metafile (EMF) file using Microsoft Paint. CVE-2026-40365, Microsoft SharePoint Server Remote Code Execution Vulnerability: An authenticated attacker can perform a network-based attack that remotely executes code on a SharePoint server. And CVE-2026-41096, Windows DNS Client Remote Code Execution Vulnerability: An attacker-controlled DNS server could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory. This would allow the attacker to run code on the vulnerable system remotely. The complete list of updates is contained in the article.

Other updates today include Adobe has released security updates for After Effects, Premiere Pro, Media Encoder, Commerce, Illustrator, and more. AMD disclosed updates for an elevation of privileges vulnerability in the CPU operation (op/µop) cache on Zen 2‑based. Apple released security updates for macOS, iOS, watchOS, iPadOS, visionOS, and tvOS. Cisco released security updates for numerous products, including a DoS flaw that requires manual rebooting of affected systems for recovery. Fortinet released security updates for two critical flaws in FortiSandbox and FortiAuthenticator. Google released Android's May security bulletin, which fixes 10 vulnerabilities. Ivanti released security updates for a high-severity Endpoint Manager Mobile (EPMM) remote code execution vulnerability, which was exploited in zero-day attacks. Mozilla released security updates for five Firefox vulnerabilities. Palo Alto Networks warned of a critical PAN-OS User-ID Authentication Portal flaw that was exploited in attacks as a zero-day. Patches have still not been released, but mitigations are available. SAP released the May security updates, which include fixes for one high-severity and two Critical flaws. vm2 released security updates for a critical vulnerability in the popular Node.js sandboxing library.

I’ll see you tomorrow with my regularly scheduled bite sized breakdown of pertinent and/or interesting news.

Microsoft published its Security Updates for April 2026 today, and the good news is that there are no Windows Server Routing and Remote Access (RRAS) vulnerabilities this month. However, they disclosed a critical remote code execution (RCE) vulnerability that impacts deployments using Internet Key Exchange version 2 (IKEv2). IKE Service Extensions RCE CVE-2026-33824 addresses a security…

Yesterday’s patches from Microsoft covered 58 flaws, including 6 actively exploited zero-day vulnerabilities, of which three had been previously disclosed to the public. This is in addition to three Microsoft Edge flaws fixed earlier this month. This patch day also began the roll out of the refreshed Secure Boot certificates for Windows 11 users, a coordinated security update to ensure only verified and trusted bootloaders are running during startup. This is to prevent malicious software that may be present from executing during system startup (which is how many forms of malware maintain persistence).

Among the vulnerabilities covered by this month’s patches are 25 Elevation of Privilege vulnerabilities, 5 Security Feature Bypass vulnerabilities, 12 Remote Code Execution vulnerabilities, 6 Information Disclosure vulnerabilities, 3 Denial of Service vulnerabilities and 7 Spoofing vulnerabilities. Bleeping Computer has detailed these patches in their article.

Other updates covered in the article include:

Adobe’s security updates for Audition, After Effects, InDesign, Substance 3D, Adobe Lightroom Classic, and other software. None of the flaws are exploited. BeyondTrust’s security updates for a critical RCE flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software. CISA issued a new binding operational directive requiring federal agencies to remove network edge devices that have reached the end of support. Cisco released security updates for Secure Web Appliance, Cisco Meeting Management, and more. Fortinet released security updates for FortiOS and FortiSandbox. n8n fixed critical vulnerabilities that act as a patch bypass for the previously fixed CVE-2025-68613 RCE flaw. And SAP released the February security updates for multiple products, including fixes for two critical vulnerabilities.

For those of us who keep track of what our devices are doing, there has also been a roll out of Sysmon functionality for Windows 11users enrolled in the Windows Insider program. For those who don’t know what this is, Sysmon (System Monitor) is the built-in logging program, similar to the types of programs used for analysis like Elastic’s Kibana.

This month’s patches, while still numerous, are less than January’s by almost half. That said, new vulnerabilities seem to crop up every day as both the Internet of Things and the way we interact with it gets bigger. The most critical fixes are in Azure, while others rated as ‘important’ cover a range of apps from GitHub Copilot to the Office Suite to kernel elevation privilege flaws. The full report list is available here. As always, I’ll be keeping my eye on any developments regarding exploitation of these flaws in the coming days.

Yesterday was the first Patch Tuesday of the year. Today, Windows users will find that their computers have restarted overnight and most will not even notice any changes...one hopes. Today is informally known as Exploit Wednesday, after all. So let’s recap the updates to security and fixes for known issues, shall we?

This patch addresses 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities, as well as eight "Critical" vulnerabilities, 6 of which are remote code execution flaws and 2 are elevation-of-privilege flaws (source: Bleeping Computer). Among those are 57 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 22 Remote Code Execution vulnerabilities, 22 Information Disclosure vulnerabilities, 2 Denial of Service vulnerabilities and 5 Spoofing vulnerabilities.

The actively exploited zero-day is an information disclosure flaw in the Desktop Window Manager (CVE-2026-20805), which allows an authorized attacker to disclose information locally. Successful leveraging of the vulnerability lets attackers read memory addresses associated with the remote ALPC port. While the flaw has been reported by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), details of the exploitation in the wild have not been released to the public.

The other two zero-day vulnerabilities are the Secure Boot expiration bypass (CVE-2026-21265), which is also covered in a Bleeping Computer report, and the Windows Agere Soft Modem Driver Elevation of Privilege vulnerability (CVE-2023-31096), which Microsoft previously announced they would be removing at a future date.

Microsoft is not the only company to release patches this week. A number of others have followed suit on the monthly update schedule, including Adobe, Cisco, Fortinet, D-Link, Google, n8n, Trend Micro and Veeam, to name a few. The details of each are listed in the first link of this article, as well as a breakdown of the security updates to resolve vulnerabilities across the board. Eight of these patches have a severity rating of critical.

It’s become something of a habit for me to pay close attention to Patch Tuesday, not only because it’s good to know what’s changed, but because there will inevitably be attempts to exploit these now publicly listed vulnerabilities in the coming days. As your friendly neighborhood WISPer, it’s my job to report on those attempts. And every month there seems to be more and more of both fixed bugs and exploits thereof, something I’ve talked about before. But I won’t lie, it would be nice to have the rest of my week be boring. It’s unlikely – threat actors never rest – but it would be nice.

There has been a definite shift in what I report upon since starting this series in September. Some of that is due to my own experience level in doing the research; I have a better grasp on the ebb and flow of digital patterns now. When I started this job, I figured I would be reporting on the different types and families of malware more often, giving out warnings for what’s out there lurking in the dark corners of the internet for the unwary. But that’s not really what I do at all. Mostly, I report on vulnerabilities, and the exploitation thereof. And boy are there a lot of them these days.

Patch Tuesday has become a marker in my schedule for expecting to hear news that ranges from the ridiculous (how are we still seeing elevated privilege oversights?) to the terrifying (patching remote access in kernel spaces) to the exasperating (DNS outages that were repaired by reverting to a previous version). Microsoft products have become so pervasive and widely used that practically every corporation, small business, educational facility, hospital, airline, and personal computer is subject to this day. Indeed, my own computer restarted itself after updating this morning. What was once a time to prepare for rebooting all the systems in a network has turned into a ‘what will go wrong now?’ scenario. And there are so many little things being updated, upgraded or fixed that it’s nearly impossible to keep up with them all, especially in a short form report like mine. What takes priority? Which one do I think I’ll be seeing later this week as having been exploited?

Two years ago – when Patch Tuesday unofficially turned 20 years old – CrowdStrike published an article on the changes and exponential growth leading to the need for this day. The article included a graph of the number of vulnerabilities patched by year, dating back to 1999. That graph is a steady upward curve, peaking in 2020 with roughly 1300 patches and fixes. And while the following years were considerably lower than that, never once has the need for patching dropped back to levels predating 2013, the tech boom year that Microsoft released both Windows 8.1 and the Xbox One, along with many other tech companies releasing new versions of products, or entirely new ones. In the subsequent years since the article was written, not much has changed save one aspect.

The move to more remote work has increased both the demand for secure software able to deliver the tools necessary for it and the vectors by which it can be attacked. If the internet is a highway, then vulnerabilities are the cracks and potholes. Anyone who’s ever driven down an interstate can tell you that the work to repair the road surface is never ending. The running joke where I live is that there are two seasons: winter and construction. And the more traffic there is, the faster that surface degrades from constant use. The analogy isn’t quite 1:1 in digital space, but it’s comparable. Greater web traffic means that the vulnerabilities that exist are more likely to become problematic simply because of the sheer volume and variations of use. Keeping up with that is Sisyphean in scope, a repetitive task carried on infinitely.

But the real issue is versions of products and software being released with those vulnerabilities unaccounted for in the first place. CrowdStrike’s article talked about how the onus has been put on the consumer to be aware of risks rather than on the vendor to release a product without flaws. Some of this is a volume issue again, this time stemming from the wide variety of technology, software, applications, cloud offerings and more that is the hallmark of industry growth and innovation. Microsoft as an entity is inescapable, even in other operating systems. Those ‘risks’ are deemed acceptable because there isn’t really an alternative. (There’s a term for that...)

Today is ‘Exploit Wednesday’, the informal designation for what follows all the patches publicly released the previous day. The rest of my week will be waiting to see what happens, hence the somewhat less technical nature of today’s report. Yesterday’s patches included 3 zero-day fixes and 57 flaws, which is down from November and October. A good way to end the year, one might say.

But pardon me if I don’t hold my breath on it.

Yesterday was Patch Tuesday for Windows, and among the numerous updates was a zero-day fix for CVE 2025-62215. According to its listing in Microsoft’s vulnerability database, this particular entry is summarized as ‘concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally’.

Well that’s a word salad.

The key ingredient to understanding it is the Windows Kernel. A kernel is the ground zero of a computer’s functionality, and without it the system will not run. It’s the program responsible for determining the order of operations when it comes to doing literally anything between the hardware and software. It controls the drivers, arbitrates conflicts between processes, and optimizes the use of caching, file systems and network sockets as well as the CPU. In most systems, it’s the first thing to boot upon startup after the boot menu itself. It then handles the rest of the startup, like memory, I/O requests from software, and translation into data processing for the CPU. This is, incidentally, how malware persistence functions; attaching to the startup so that the payload remains active.

Due to the critical nature of a kernel, it’s usually loaded into a separate portion of the memory, inaccessible by software applications under the user’s control. It runs all its tasks from this discrete space, always in the background, ideally without consuming too much CPU power. If you’ve ever had a BSOD crash, you may have noticed that some are caused by a kernel interruption or failure (this is especially common in older hardware with lower processing power, ask me about my ancient laptop sometime).

CVE-2025-62215 allows for an attacker to win a race condition in the kernel. If it is tasked with simultaneous requests, one of them must be completed before the other. Think of merging traffic on a highway; someone has to go first and someone has to wait to be let in. Otherwise you have a crash (pun totally intended). In the event that the attacker ‘wins’, they can then override commands to the kernel to elevate their privilege and hack the system.

Now, exploitation of CVE-2025-62215 is predicated upon an attacker already being inside the system via some other type of compromise. With low-privilege local access, an attacker can run an application designed to trigger multiple race conditions. Attacks will interact with the kernel in an unsynchronized way, confusing the kernel’s memory management until it frees the same memory block twice, leading to corruption of the kernel heap and allowing the attacker to overwrite memory and hijack the system’s execution flow (source: Immersive’s Ben McCarthy). With the number of command-and-control malwares that exist, and the prevalence of social engineering and phishing, this scenario is a probable danger. Hence the advisory by Microsoft and the patch.