Normal view

There are new articles available, click to refresh the page.
Before yesterdayMain stream

Patch Tuesday - April 2026

✇Rapid7 Cybersecurity Blog
By: Adam Barnett
14 April 2026 at 17:48

Microsoft is publishing 167 vulnerabilities on April 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for one of today’s vulnerabilities, and public disclosure for one other. Microsoft evaluates 19 of the vulnerabilities published today as more likely to see future exploitation. So far this month, Microsoft has provided patches to address 80 browser vulnerabilities, which are not included in the Patch Tuesday count above.

Increasing volumes of vulnerabilities

Regular Patch Tuesday watchers will know that these vulnerability totals are significantly higher than usual, especially the browser numbers. Late last week, Microsoft published patches to resolve more than 60 browser vulnerabilities in a single day, which is a new record in that very specific category.

A bar chart showing the number of Microsoft browser advisories per day from 2017 to 2026. A significant spike is visible in April 2026.

It might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing, but this is not the case. Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday. This reflects a significant industry-wide uptick in the volume of vulnerability reports over the past few weeks. A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities. We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.

SharePoint: zero-day spoofing

When everything is changing rapidly, it can be tempting to look to familiar things for comfort. SharePoint admins should start by addressing CVE-2026-32201, an exploited-in-the-wild spoofing vulnerability. The advisory doesn’t offer much detail, but does mention CWE-20: Improper Input Validation and low impact to confidentiality and integrity, with no impact to availability. Of course, the greatest attacker impact is typically achieved by chaining together multiple vulnerabilities that by themselves might not seem so bad.

Ever-increasing novel AI capabilities in offensive cybersecurity now appear to provide real competition for all but the most elite human researchers; if it was ever valid to suppose that a vulnerability with a CVSS v3 base score of 6.5 was unlikely to cause much pain, it’s certainly not a safe defensive assumption in 2026. Patches are available for all supported versions of SharePoint, including SharePoint 2016, which moves beyond extended support on July 14, 2026.

Defender: zero-day elevation of privilege

Microsoft Defender receives a patch today for CVE-2026-33825, a local privilege escalation vulnerability for which Microsoft is aware of public disclosure. Successful exploitation leads to SYSTEM privileges, so this is certainly worth patching sooner rather than later. Microsoft points out that no action should be required to install this update, since the Microsoft Defender Antimalware Platform automatically updates by default. A further silver lining is that systems that have disabled Microsoft Defender are not in an exploitable state. Hopefully, any such system is running a suitable third-party replacement for Defender’s capabilities.

Windows [I don’t like] IKE: zero-day pre-auth RCE

The Windows Internet Key Exchange (IKE) Services Extensions is the site of CVE-2026-33824, a critical unauthenticated remote code execution vulnerability. Exploitation requires an attacker to send specially crafted packets to a Windows machine with IKE v2 enabled, which could enable remote code execution. Vulnerabilities leading to unauthenticated RCE against modern Windows assets are relatively rare, or we’d see more wormable vulnerabilities self-propagating across the internet. However, since IKE provides secure tunnel negotiation services, for instance for VPNs, it is necessarily exposed to untrusted networks and reachable in a pre-authorization context. It’s hard to imagine this turning into a rampaging internet-wide worm, but there’s plenty of scope for initial access abuse, so this IKE vulnerability is still yikes.

The advisory does contain a section with potential mitigations for anyone unable to patch immediately, which center on least-privilege restriction of relevant UDP traffic. This same portion of the advisory also furnishes a helpful link to the definition of the word “mitigations” in the MSDN glossary. All versions of Windows back as far as Server 2016 and Windows 10 1607 LTSC receive patches.

The advisory credits both the WARP and MORSE (Microsoft Offensive Research & Security Engineering) teams at Microsoft. MORSE appears in Acknowledgements over the past few years, but today marks the first explicit mention of WARP in a Microsoft security advisory Acknowledgements section; we can speculate that WARP is an internal designator for the Microsoft Windows Enterprise Security Team.

Microsoft lifecycle update

In Microsoft lifecycle news, extended support ends April 14, 2026 for a wide range of Microsoft product legacy enterprise tools, including Dynamics C5 2016, Dynamics NAV 2016, App-V 5.0 and App-V 5.1, UE-V 2.1, and BitLocker Administration and Monitoring 2.5 SP1. Microsoft .NET 9 STS (Standard Term Support, as distinct from Long Term Support) was originally scheduled to move past the end of support in May 2026, but late last year, Microsoft granted a six-month extension, so that .NET 9 STS now reaches end of support on November 10, 2026.

Summary charts

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday 2026-Apr

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday 2026-Apr

A bar chart showing distribution of impact type by component for Microsoft Patch Tuesday 2026-Apr

Summary tables

Azure vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-32171

Azure Logic Apps Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-32168

Azure Monitor Agent Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32192

Azure Monitor Agent Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32184

Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

Developer Tools vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-32203

.NET and Visual Studio Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-26171

.NET Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-32226

.NET Framework Denial of Service Vulnerability

Exploitation Less Likely

No

5.9

CVE-2026-23666

.NET Framework Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-32178

.NET Spoofing Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-33116

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-23653

GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability

Exploitation Less Likely

No

5.7

CVE-2026-32631

GitHub: CVE-2026-32631 'git clone' from manipulated repositories can leak NTLM hashes

Exploitation Less Likely

No

7.4

CVE-2026-21637

HackerOne: CVE-2026-21637 TLS PSK/ALPN Callback Exceptions Bypass Error Handlers

N/A

No

7.5

CVE-2026-26143

Microsoft PowerShell Security Feature Bypass Vulnerability

Exploitation Less Likely

No

7.8

ESU vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-32072

Active Directory Spoofing Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-32181

Connected User Experiences and Telemetry Service Denial of Service Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-27924

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32154

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-27923

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32155

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32091

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-26152

Microsoft Cryptographic Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26155

Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-27914

Microsoft Management Console Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-25250

MITRE: CVE-2026-25250 Secure Boot disable Eazy Fix

Exploitation Less Likely

No

6.0

CVE-2026-32081

Package Catalog Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-26170

PowerShell Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26183

Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32157

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-26160

Remote Desktop Licensing Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26159

Remote Desktop Licensing Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26151

Remote Desktop Spoofing Vulnerability

Exploitation More Likely

No

7.1

CVE-2026-32085

Remote Procedure Call Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-0390

UEFI Secure Boot Security Feature Bypass Vulnerability

Exploitation More Likely

No

6.7

CVE-2026-32212

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32214

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32079

Web Account Manager Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-33104

Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-33826

Windows Active Directory Remote Code Execution Vulnerability

Exploitation More Likely

No

8.0

CVE-2026-26178

Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-32073

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26168

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26173

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26177

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26182

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-27922

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-33099

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-33100

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32088

Windows Biometric Service Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-27913

Windows BitLocker Security Feature Bypass Vulnerability

Exploitation More Likely

No

7.7

CVE-2026-26175

Windows Boot Manager Security Feature Bypass Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-26176

Windows Client Side Caching driver (csc.sys) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27926

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32162

Windows COM Elevation of Privilege Vulnerability

Exploitation More Likely

No

8.4

CVE-2026-20806

Windows COM Server Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-32070

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-33098

Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-26153

Windows Encrypted File System (EFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32087

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32093

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-32086

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32150

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-27931

Windows GDI Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-27930

Windows GDI Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-27906

Windows Hello Security Feature Bypass Vulnerability

Exploitation More Likely

No

4.4

CVE-2026-26156

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32149

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-27910

Windows Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33824

Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-27912

Windows Kerberos Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-26180

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26163

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32215

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32217

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32218

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-26169

Windows Kernel Memory Information Disclosure Vulnerability

Exploitation More Likely

No

6.1

CVE-2026-32071

Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-27929

Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-20930

Windows Management Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26162

Windows OLE Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32084

Windows Print Spooler Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-27927

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26184

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32069

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32074

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32078

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26167

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-32158

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32159

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32160

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-26172

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-20928

Windows Recovery Environment Security Feature Bypass Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-27909

Windows Search Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-26161

Windows Sensor Data Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26174

Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26154

Windows Server Update Service (WSUS) Tampering Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-27918

Windows Shell Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32151

Windows Shell Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-32225

Windows Shell Security Feature Bypass Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-32202

Windows Shell Spoofing Vulnerability

Exploitation More Likely

No

4.3

CVE-2026-32082

Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32083

Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32068

Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-32183

Windows Snipping Tool Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33829

Windows Snipping Tool Spoofing Vulnerability

Exploitation Unlikely

No

4.3

CVE-2026-32089

Windows Speech Brokered Api Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32090

Windows Speech Brokered Api Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32153

Windows Speech Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33827

Windows TCP/IP Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-27908

Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-27921

Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-27915

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27919

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32075

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-27916

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27920

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32077

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27925

Windows UPnP Device Host Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-32156

Windows UPnP Device Host Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.4

CVE-2026-32165

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27911

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32163

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32164

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23670

Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability

Exploitation Less Likely

No

5.7

CVE-2026-27917

Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

Microsoft Dynamics vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-33103

Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-26149

Microsoft Power Apps Security Feature Bypass

Exploitation Less Likely

No

9.0

Microsoft Office vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-32188

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-32189

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32197

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32198

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32199

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32190

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-32200

Microsoft PowerPoint Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-20945

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-32201

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Detected

No

6.5

CVE-2026-33822

Microsoft Word Information Disclosure Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-33095

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23657

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33114

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-33115

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

Open Source Software vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-40386

n/a

No

4.0

CVE-2026-40385

n/a

No

4.0

CVE-2026-40393

n/a

No

8.1

CVE-2026-31416

netfilter: nfnetlink_log: account for netlink header size

n/a

No

8.1

CVE-2026-31423

net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()

n/a

No

5.5

CVE-2026-31424

netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP

n/a

No

5.5

CVE-2026-31417

net/x25: Fix overflow when accumulating packets

n/a

No

8.1

CVE-2026-31422

net/sched: cls_flow: fix NULL pointer dereference on shared blocks

n/a

No

5.5

CVE-2026-31414

netfilter: nf_conntrack_expect: use expect->helper

n/a

No

8.1

CVE-2026-31427

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

n/a

No

7.8

CVE-2026-31426

ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()

n/a

No

5.5

CVE-2026-31419

net: bonding: fix use-after-free in bond_xmit_broadcast()

n/a

No

7.1

CVE-2026-31420

bridge: mrp: reject zero test interval to avoid OOM panic

n/a

No

5.5

CVE-2026-31421

net/sched: cls_fw: fix NULL pointer dereference on shared blocks

n/a

No

5.5

CVE-2026-31428

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

n/a

No

5.5

CVE-2026-31418

netfilter: ipset: drop logically empty buckets in mtype_del

n/a

No

8.1

SQL Server vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-33120

Microsoft SQL Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-32167

SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.7

CVE-2026-32176

SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.7

System Center vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-33825

Microsoft Defender Elevation of Privilege Vulnerability

Exploitation More Likely

Yes

7.8

Windows vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-32072

Active Directory Spoofing Vulnerability

Exploitation Less Likely

No

6.2

CVE-2023-20585

AMD: CVE-2023-20585 IOMMU Write Buffer Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-25184

Applocker Filter Driver (applockerfltr.sys) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32181

Connected User Experiences and Telemetry Service Denial of Service Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-27924

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32152

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-32154

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-27923

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32155

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33096

HTTP.sys Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-26181

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32219

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-32091

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-26152

Microsoft Cryptographic Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26155

Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-27914

Microsoft Management Console Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-25250

MITRE: CVE-2026-25250 Secure Boot disable Eazy Fix

Exploitation Less Likely

No

6.0

CVE-2026-32081

Package Catalog Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-26170

PowerShell Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26183

Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32157

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-26160

Remote Desktop Licensing Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26159

Remote Desktop Licensing Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26151

Remote Desktop Spoofing Vulnerability

Exploitation More Likely

No

7.1

CVE-2026-32085

Remote Procedure Call Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-0390

UEFI Secure Boot Security Feature Bypass Vulnerability

Exploitation More Likely

No

6.7

CVE-2026-32220

UEFI Secure Boot Security Feature Bypass Vulnerability

Exploitation Less Likely

No

4.4

CVE-2026-32212

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32214

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32079

Web Account Manager Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-33104

Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-33826

Windows Active Directory Remote Code Execution Vulnerability

Exploitation More Likely

No

8.0

CVE-2026-32196

Windows Admin Center Spoofing Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-26178

Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-32073

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26168

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26173

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26177

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26182

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-27922

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-33099

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-33100

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32088

Windows Biometric Service Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-27913

Windows BitLocker Security Feature Bypass Vulnerability

Exploitation More Likely

No

7.7

CVE-2026-26175

Windows Boot Manager Security Feature Bypass Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-26176

Windows Client Side Caching driver (csc.sys) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27926

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32162

Windows COM Elevation of Privilege Vulnerability

Exploitation More Likely

No

8.4

CVE-2026-20806

Windows COM Server Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-32070

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-33098

Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-26153

Windows Encrypted File System (EFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32087

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32093

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-32086

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32150

Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-27931

Windows GDI Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-27930

Windows GDI Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32221

Windows Graphics Component Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-27906

Windows Hello Security Feature Bypass Vulnerability

Exploitation More Likely

No

4.4

CVE-2026-27928

Windows Hello Security Feature Bypass Vulnerability

Exploitation Less Likely

No

8.7

CVE-2026-26156

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32149

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-27910

Windows Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33824

Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-27912

Windows Kerberos Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-26179

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26180

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32195

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26163

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32215

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32217

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-32218

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-26169

Windows Kernel Memory Information Disclosure Vulnerability

Exploitation More Likely

No

6.1

CVE-2026-32071

Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-27929

Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-20930

Windows Management Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26162

Windows OLE Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33101

Windows Print Spooler Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32084

Windows Print Spooler Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-27927

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26184

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32069

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32074

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32078

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26167

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-32158

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32159

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32160

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-26172

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-20928

Windows Recovery Environment Security Feature Bypass Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-32216

Windows Redirected Drive Buffering System Denial of Service Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-27909

Windows Search Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-26161

Windows Sensor Data Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26174

Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32224

Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-26154

Windows Server Update Service (WSUS) Tampering Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-26165

Windows Shell Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-26166

Windows Shell Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-27918

Windows Shell Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32151

Windows Shell Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-32225

Windows Shell Security Feature Bypass Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-32202

Windows Shell Spoofing Vulnerability

Exploitation More Likely

No

4.3

CVE-2026-32082

Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32083

Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32068

Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-32183

Windows Snipping Tool Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33829

Windows Snipping Tool Spoofing Vulnerability

Exploitation Unlikely

No

4.3

CVE-2026-32089

Windows Speech Brokered Api Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32090

Windows Speech Brokered Api Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32153

Windows Speech Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27907

Windows Storage Spaces Controller Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32076

Windows Storage Spaces Controller Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-33827

Windows TCP/IP Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-27908

Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-27921

Windows TDI Translation Driver (tdx.sys) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-27915

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27919

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32075

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-27916

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27920

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-32077

Windows UPnP Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27925

Windows UPnP Device Host Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-32156

Windows UPnP Device Host Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.4

CVE-2026-32223

Windows USB Printing Stack (usbprint.sys) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-32165

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-27911

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32163

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-32164

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23670

Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability

Exploitation Less Likely

No

5.7

CVE-2026-32080

Windows WalletService Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-27917

Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-32222

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

Zero-Day Vulnerabilities: Known Exploited

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-32201

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Detected

No

6.5

Zero-Day Vulnerabilities: Publicly Disclosed (No known exploitation)

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-33825

Microsoft Defender Elevation of Privilege Vulnerability

Exploitation More Likely

Yes

7.8

Critical RCEs and EoPs

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-33824

Windows Internet Key Exchange (IKE) Service Extensions Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

Patch Tuesday - March 2026

✇Rapid7 Cybersecurity Blog
By: Adam Barnett
10 March 2026 at 16:30

Microsoft is publishing 77 vulnerabilities this March 2026 Patch Tuesday. Microsoft is aware of public disclosure of two of today’s vulnerabilities, but without evidence of exploitation in the wild for any (yet), so there are no Microsoft additions to CISA KEV today. Earlier in the month, Microsoft provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above.

SQL Server: zero-day remote EoP

SQL Server often goes several months in a row without any mention on Patch Tuesday. Today, however, all versions from the latest and greatest SQL Server 2025 back as far as SQL Server 2016 SP3 receive patches for CVE-2026-21262, a SQL Server elevation of privilege vulnerability. This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network. The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required.

Microsoft is aware of public disclosure, so while they assess the likelihood of exploitation as less likely, it would be a courageous defender who shrugged and deferred the patches for this one. Most SQL Server admins and security teams concluded many years ago that exposing SQL Server directly to the internet was not a good idea. Then again, popular search engines for internet-connected devices describe tens of thousands of SQL Server instances, and they can’t all be honeypots.

What could an attacker do as SQL Server sysadmin? Beyond exfiltrating or interfering with the database itself, the obvious target is xp_cmdshell, which allows direct callouts to the underlying OS. The good news is that xp_cmdshell is disabled by default as far back as SQL Server 2005; the bad news is that anyone acting as SQL Server sysadmin can enable it in seconds. At that point, the attacker is acting with the full privileges of the security context under which SQL Server runs, which is ideally a purpose-built account designed with least privilege in mind. If you want to hear some hair-raising stories, you have only to ask any incident response veteran if they’ve ever seen it set up differently.

Anyone paying for Extended Security Updates (ESU) for SQL Server 2014 or SQL Server 2012 may be forgiven for wondering why there’s no security update for those venerable versions of the world’s most widely deployed closed-source database product. We can hope that the vulnerability described by CVE-2026-21262 was introduced in newer codebases only.

.NET: zero-day DoS

Attackers fond of low-effort denial of service attacks against .NET applications will be checking out CVE-2026-26127 today. Microsoft is aware of public disclosure. While the immediate impact of exploitation is likely contained to denial of service by triggering a crash, opportunities for other types of attacks might emerge during a service reboot. Alternatively, if a log forwarder or security agent is impacted, even for a brief period of time, an attacker might carry out an attack in that moment hoping to evade detection under cover of this artificial darkness. Even if a low-skilled attacker simply causes downtime, in some contexts that could be enough to cause an SLA breach or loss of revenue, or at the very least cause a bleary-eyed defender to get paged in the middle of the night.

Authenticator: QR code impersonation

Microsoft Authenticator mobile app users on both iOS and Android should update to the latest version to prevent exploitation of CVE-2026-26123, which involves a malicious app disguising itself as Microsoft Authenticator. Exploitation succeeds when the malicious app receives enough information to impersonate the user.

Authenticator-type apps are often installed on a personal device, but it's not unusual for them to provide multi-factor authentication (MFA) codes for production services in a bring-your-own-device context. This is as good a time as any for defenders to consider how well their mobile device management policy covers app choice enforcement and patching for MFA apps.

The CVSS v3 base score of 5.5 might appear unremarkable, and exploitation requires user interaction, since the user must install the malicious app in the first place. However, exploitation could begin via an attacker-controlled link, or even a malicious QR code that drives users to the malicious app, and a motivated attacker with a physical presence near the user base might well consider this option.

According to Khaled Mohamed, the researcher who discovered this vulnerability, the legitimate Microsoft Authenticator app did not previously register itself as the handler for deep links into its own custom URL scheme. A malicious app could exploit this gap by simply registering itself as the default handler. He further notes that in this scenario, a user of a mobile device with a malicious app installed only needs to click a generic “Open link” dialog, rather than expressly selecting the malicious app each time. This means that the Microsoft advisory is perhaps too optimistic about how much user interaction is required to trigger exploitation.

Microsoft ranks this vulnerability as important on their proprietary severity scale. The advisory also provides a brief peek behind the curtain, since the executive summary notes that “Cwe is not in rca”. The weakness listed on the advisory is CWE-939: Improper Authorization in Handler for Custom URL Scheme.

Microsoft lifecycle update

There are no significant Microsoft product lifecycle changes this month, unless you are responsible for a Microsoft SQL Server 2012 Parallel Data Warehouse instance, which moves beyond extended support as of March 31st. It would be wise not to count on a last-minute extension, since Microsoft has already granted a six month reprieve.

Summary charts

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday 2026-Mar

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday 2026-Feb

A bar chart showing distribution of impact type by component for Microsoft Patch Tuesday 2026-Mar

Summary tables

Apps vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-26123

Microsoft Authenticator Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

Azure vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-26117

Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-23664

Azure IoT Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-23661

Azure IoT Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-23662

Azure IoT Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-26121

Azure IOT Explorer Spoofing Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-26118

Azure MCP Server Tools Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-26141

Hybrid Worker Extension (Arc‑enabled Windows VMs) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-23665

Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26148

Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-23660

Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

Developer Tools vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-26127

.NET Denial of Service Vulnerability

Exploitation Unlikely

Yes

7.5

CVE-2026-26131

.NET Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26130

ASP.NET Core Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

ESU vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-25177

Active Directory Domain Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-23667

Broadcast DVR Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-25190

GDI Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25181

GDI+ Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-23674

MapUrlToZone Security Feature Bypass Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-25165

Performance Counters for Windows Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-24282

Push message Routing Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-24285

Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24291

Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-25186

Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-24293

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25176

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25178

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-25179

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-25171

Windows Authentication Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-23671

Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24292

Windows Connected Devices Platform Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-24295

Windows Device Association Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24296

Windows Device Association Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-25189

Windows DWM Core Library Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25174

Windows Extensible File Allocation Table Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25168

Windows Graphics Component Denial of Service Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-25169

Windows Graphics Component Denial of Service Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-23668

Windows Graphics Component Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-25180

Windows Graphics Component Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-24297

Windows Kerberos Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-24287

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-24289

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-26132

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-24288

Windows Mobile Broadband Driver Remote Code Execution Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-25175

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23669

Windows Print Spooler Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-24290

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23673

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25172

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-25173

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-26111

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-25185

Windows Shell Link Processing Spoofing Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-24294

Windows SMB Server Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-26128

Windows SMB Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25166

Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25188

Windows Telephony Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-23672

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25187

Winlogon Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

Microsoft Office vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-26144

Microsoft Excel Information Disclosure Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-26112

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26107

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26108

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26109

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.4

CVE-2026-26134

Microsoft Office Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-26113

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-26110

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-26114

Microsoft SharePoint Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-26106

Microsoft SharePoint Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-26105

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-24285

Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-25180

Windows Graphics Component Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

Open Source Software vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-26030

GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable

Exploitation Unlikely

No

9.9

CVE-2026-23654

GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

SQL Server vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21262

SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

Yes

8.8

CVE-2026-26115

SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-26116

SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

System Center vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-20967

System Center Operations Manager (SCOM) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

Windows vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-25177

Active Directory Domain Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-23667

Broadcast DVR Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-25190

GDI Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25181

GDI+ Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-23674

MapUrlToZone Security Feature Bypass Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-25167

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.4

CVE-2026-24283

Multiple UNC Provider Kernel Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-25165

Performance Counters for Windows Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-24282

Push message Routing Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-24285

Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24291

Windows Accessibility Infrastructure (ATBroker.exe) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-25186

Windows Accessibility Infrastructure (ATBroker.exe) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-24293

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25176

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25178

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-25179

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-23656

Windows App Installer Spoofing Vulnerability

Exploitation Unlikely

No

CVE-2026-25171

Windows Authentication Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-23671

Windows Bluetooth RFCOM Protocol Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24292

Windows Connected Devices Platform Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-24295

Windows Device Association Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24296

Windows Device Association Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-25189

Windows DWM Core Library Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25174

Windows Extensible File Allocation Table Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25168

Windows Graphics Component Denial of Service Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-25169

Windows Graphics Component Denial of Service Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-23668

Windows Graphics Component Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-25180

Windows Graphics Component Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-25170

Windows Hyper-V Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-24297

Windows Kerberos Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-24287

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-24289

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-26132

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-24288

Windows Mobile Broadband Driver Remote Code Execution Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-25175

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23669

Windows Print Spooler Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-24290

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-23673

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25172

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-25173

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-26111

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-25185

Windows Shell Link Processing Spoofing Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-24294

Windows SMB Server Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-26128

Windows SMB Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-25166

Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25188

Windows Telephony Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-23672

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-25187

Winlogon Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

Zero-Day Vulnerabilities: Publicly Disclosed (No known exploitation)

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-26127

.NET Denial of Service Vulnerability

Exploitation Unlikely

Yes

7.5

CVE-2026-21262

SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

Yes

8.8

Update history

  • 2026-03-16: updated section on CVE-2026-26123 to include researcher commentary.

Patch Tuesday - February 2026

✇Rapid7 Cybersecurity Blog
By: Adam Barnett
10 February 2026 at 20:58

Microsoft is publishing 55 vulnerabilities this February 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for six of today’s vulnerabilities, and notes public disclosure for three of those. Earlier in the month, Microsoft provided patches to address three browser vulnerabilities, which are not included in the Patch Tuesday count above.

Windows/Office triple trouble: zero-day security feature bypass vulns

All three of the publicly disclosed zero-day vulnerabilities published today are security feature bypasses, and Microsoft acknowledges the same cast of reporters in each case.

CVE-2026-21510 describes a zero-day Windows Shell security feature bypass vulnerability which is already exploited in the wild. Not to be confused with PowerShell, most people will use the Windows Shell without ever learning its name or even really contemplating its existence. The Windows Shell is Microsoft’s term for the GUI interaction logic for the entire OS provided by explorer.exe and associated libraries and APIs.

CVE-2026-21510 provides an attacker with a way to dodge those pesky Smart Screen or other “are you sure?” prompts. The advisory sets out that “an attacker must convince a user to open a malicious link or shortcut file”. We could parse this wording more than one way, and while shortcut files with a .lnk extension are certainly a prime suspect here, it’s possible that .url files might also be a vector.

The venerable MSHTML/Trident web rendering engine is still present in Windows as a daily driver for Office and Explorer, many years after most people stopped using Internet Explorer.  Accordingly, every so often Microsoft has to patch another zero-day vulnerability in the browser it can’t quite bring itself to rip out of its flagship operating system. Today’s example is CVE-2026-21513, a security feature bypass which starts with the attacker convincing a user to open a malicious HTML file or shortcut file.

If good things come in threes, then perhaps CVE-2026-21514 makes security bypass zero-day vulnerabilities a good thing. Exploitation involves bypassing Object Linking & Embedding (OLE) mitigations by convincing the user to open a malicious Word document. The advisory only lists remediations for LTSC versions of Office and on-prem Microsoft 365 Apps for Enterprise, without mentioning the standard Microsoft 365 suite.

It’s curious that Microsoft has evaluated the attack vector for CVE-2026-21514 as local, because MSRC typically assesses any vulnerability which boils down to “remote attacker tricks user into opening malicious payload” as a remote attack, based on the location of the attacker. However, the advisory specifically calls out that “reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.” It’s not clear whether this is a deviation from prior practice by MSRC, an inadvertent mis-assessment, or an unusual-but-correct assessment of an attack vector that relies on details which Microsoft has not made public. Happily, the Preview Pane is not a vector, which raises the bar slightly for an attacker, since the user must explicitly open the malicious file or web page.

Ultimately, although none of the advisories for CVE-2026-21510, CVE-2026-21513, or CVE-2026-21514 explicitly come out and say it, it’s likely that exploitation in each case involves tricking Windows into participating in another Mark-of the Web laundering scheme using flaws in old components.

Windows DWM: zero-day elevation of privilege

For the second month in a row, the Windows Desktop Windows Manager (DWM) is the site of an exploited-in-the-wild zero-day vulnerability. Last month’s CVE-2026-20805 was an information disclosure vulnerability, effectively a treasure map for threat actors seeking the otherwise obfuscated in-memory address of the kernel-space DWM process. The publication of zero-day elevation of privilege (EoP) vulnerability CVE-2026-21519 today very likely reflects MSTIC and MSRC working to thwart the same threat actor in both cases. As Rapid7 has noted in the past, initial access coupled with local elevation of privilege vulnerabilities is the staple diet of many successful attackers, so the lower CVSS v3 base score of 7.8 seen here versus a broadly equivalent remote code execution is not a sign to delay patching.

Remote Desktop Services: zero-day elevation of privilege

Remote Desktop Services (RDP) are designed to allow a duly authorized remote user to interact with the server, but CVE-2026-21533 allows an unauthorized local user to elevate privileges to SYSTEM. Every Windows Server product back as far as Server 2012 receives patches, so this one has been present for a while. It’s possible that today’s patches close off a long-running exploitation story for at least one threat actor.

RasMan: zero-day denial of service

Exploited in the wild, but perhaps of less concern is CVE-2026-21525, a local denial of service vulnerability in the Windows Remote Access Connection Manager (RasMan). Somewhat unusually for a local vulnerability, the advisory sets out that no privileges are required at all, so even a guest account can exploit this one. You have disabled those guest accounts, right?

Microsoft lifecycle update

There are no significant Microsoft product lifecycle changes this month.

Summary Charts

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday 2026-Feb
A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday 2026-Feb
A bar chart showing distribution of impact type by component for Microsoft Patch Tuesday 2026-Feb

Summary Tables

Apps vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-20841

Windows Notepad App Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

Azure vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21512

Azure DevOps Server Cross-Site Scripting Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-21529

Azure HDInsight Spoofing Vulnerability

Exploitation Unlikely

No

5.7

CVE-2026-21528

Azure IoT Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-21228

Azure Local Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-21531

Azure SDK for Python Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-21522

Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.7

CVE-2026-23655

Microsoft ACI Confidential Containers Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

Developer Tools vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21218

.NET Spoofing Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-21523

GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-21518

GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-21257

GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-21256

GitHub Copilot and Visual Studio Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

ESU vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21519

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-20846

GDI+ Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-21253

Mailslot File System Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-21527

Microsoft Exchange Server Spoofing Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-21513

MSHTML Framework Security Feature Bypass Vulnerability

Exploitation Detected

Yes

8.8

CVE-2026-21236

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-21238

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-21234

Windows Connected Devices Platform Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-21246

Windows Graphics Component Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-21235

Windows Graphics Component Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21240

Windows HTTP.sys Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21248

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21247

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21244

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21255

Windows Hyper-V Security Feature Bypass Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-21239

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21231

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-21222

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-21249

Windows NTLM Spoofing Vulnerability

Exploitation Less Likely

No

3.3

CVE-2026-21525

Windows Remote Access Connection Manager Denial of Service Vulnerability

Exploitation Detected

No

6.2

CVE-2026-21533

Windows Remote Desktop Services Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-21510

Windows Shell Security Feature Bypass Vulnerability

Exploitation Detected

Yes

8.8

CVE-2026-21508

Windows Storage Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-21242

Windows Subsystem for Linux Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-21237

Windows Subsystem for Linux Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

Microsoft Office vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21259

Microsoft Excel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21258

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-21261

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-21260

Microsoft Outlook Spoofing Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-21511

Microsoft Outlook Spoofing Vulnerability

Exploitation More Likely

No

7.5

CVE-2026-21514

Microsoft Word Security Feature Bypass Vulnerability

Exploitation Detected

Yes

7.8

Other vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21516

GitHub Copilot for Jetbrains Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

Server Software vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21527

Microsoft Exchange Server Spoofing Vulnerability

Exploitation Less Likely

No

6.5

SQL Server vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21229

Power BI Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.0

System Center vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21537

Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

Windows vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21251

Cluster Client Failover (CCF) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-21519

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-20846

GDI+ Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-21253

Mailslot File System Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-21513

MSHTML Framework Security Feature Bypass Vulnerability

Exploitation Detected

Yes

8.8

CVE-2023-2804

Red Hat, Inc. CVE-2023-2804: Heap Based Overflow libjpeg-turbo

Exploitation Less Likely

No

6.5

CVE-2026-21236

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-21241

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-21238

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-21517

Windows App for Mac Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-21234

Windows Connected Devices Platform Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-21246

Windows Graphics Component Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-21235

Windows Graphics Component Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21250

Windows HTTP.sys Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-21240

Windows HTTP.sys Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21232

Windows HTTP.sys Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21248

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21247

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21244

Windows Hyper-V Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-21255

Windows Hyper-V Security Feature Bypass Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-21245

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21239

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-21231

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-21222

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-21243

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-21249

Windows NTLM Spoofing Vulnerability

Exploitation Less Likely

No

3.3

CVE-2026-21525

Windows Remote Access Connection Manager Denial of Service Vulnerability

Exploitation Detected

No

6.2

CVE-2026-21533

Windows Remote Desktop Services Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-21510

Windows Shell Security Feature Bypass Vulnerability

Exploitation Detected

Yes

8.8

CVE-2026-21508

Windows Storage Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-21242

Windows Subsystem for Linux Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-21237

Windows Subsystem for Linux Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

Zero-Day Vulnerabilities: Known Exploited

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21519

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-21514

Microsoft Word Security Feature Bypass Vulnerability

Exploitation Detected

Yes

7.8

CVE-2026-21513

MSHTML Framework Security Feature Bypass Vulnerability

Exploitation Detected

Yes

8.8

CVE-2026-21525

Windows Remote Access Connection Manager Denial of Service Vulnerability

Exploitation Detected

No

6.2

CVE-2026-21533

Windows Remote Desktop Services Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-21510

Windows Shell Security Feature Bypass Vulnerability

Exploitation Detected

Yes

8.8

Critical Remote Code Execution/Elevation of Privilege

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-21531

Azure SDK for Python Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

Patch Tuesday and the Enduring Challenge of Windows’ Backwards Compatibility

✇Rapid7 Cybersecurity Blog
By: Adam Barnett
28 January 2026 at 12:04

Introduction

If you received an email with the subject “I LOVE YOU” and an attachment called “LOVE-LETTER-FOR-YOU.TXT”, would you open it? Probably not, but back in the year 2000, plenty of people did exactly that. The internet learned a hard lesson about the disproportionate power available to a university dropout with some VBScript skills, and millions of ordinary people suffered the anguish of deleted family photos or even reputational damage as the worm propagated itself across their entire Outlook address book.

In the quarter century since ILOVEYOU rampaged across global networks, cybersecurity has moved from a niche topic to an “everyone” problem, and many users are wary of all sorts of threats. In recent years, the increasing ubiquity and urgency of AI adoption across the business landscape has attracted the attention of both security researchers and threat actors.

Of course, recency bias and shiny object fixation are real. Even as AI and automation continue to drive down time to known exploitation (TTKE), an attacker who abuses a traditional exploit chain to achieve SYSTEM privileges on a sensitive server still has the keys to the kingdom.

Wormable remote code execution (RCE) vulnerabilities remain rare, but well over half of the 25 exploited-in-the-wild zero-day vulnerabilities published by Microsoft during 2025 provided attackers with elevation of privilege opportunities on Windows assets. Some of those flaws are older than the iPhone, let alone ChatGPT.

Microsoft's decades-long commitment to backwards compatibility creates a conveyor belt supply of déjà vu vulnerabilities. Ultimately, the most pressing threats faced by defenders managing Microsoft estates remain essentially unchanged. Rather than a new wave of AI-related flaws, the chief danger stems from the towering tech debt within core Windows components.

A whirlwind tour of exploited-in-the-wild Microsoft vulnerabilities (2025 edition)

If we really want to know which Microsoft vulnerabilities will provide the most value to attackers in 2026, we should ask a threat actor. Since that might prove difficult to arrange, we’ll do the next best thing: review vulnerabilities exploited in the wild during 2025.

Chart-exploited-in-the-wild-eitw-microsoft-by-vulnerable-component-rapid7.png
Chart 1: Exploited-in-the-wild Microsoft vulnerabilities, by vulnerable component

January: The great escape

The vast Microsoft ecosystem has something for everyone, whether customer or threat actor. Patch Tuesday January 2025 brought us a trio of exploited-in-the-wild Hyper-V kernel vulnerabilities. By September 2025, at least one plausible public proof-of-concept (PoC) for CVE-2025-21333 was published by a vulnerability researcher who apparently shares a name with a Kazakhstani Olympic gymnast. The only safe assumption is that a well-resourced threat actor could develop a private exploit far in advance of that.

Starting from a child VM or Windows Sandbox, exploitation first requires setting out a banquet of benign requests for the hypervisor, delivered via the Hyper-V Virtualization Service Provider (VSP). The goal: mass-allocating objects to arrange large swathes of hypervisor memory in a predictable pattern (aka “heap feng shui”). Next, the attacker sends a malicious request with an oversized buffer, which an unpatched VSP merrily copies into kernel memory, overwriting the header of the adjacent object, whose relative position is now easily surmised. Once the kernel subsequently references the artfully corrupted sibling object, execution as SYSTEM jumps to a portion of memory where the attacker has planted shellcode to exfiltrate a token. The compromised hypervisor could be anything from a developer laptop running a malicious container all the way up to enterprise private cloud infrastructure.

So far, January 2025 is the only time that Microsoft has ever published vulnerabilities in the Hyper-V VSP. Generally speaking, a significant degree of sophistication is required to develop successful exploits of this nature. This goes double if the name of the game is stealth and stability, since a wave of unexplained BSOD events on critical production infrastructure tends to attract blue team attention. Still, once a viable proof of concept hits the public internet, ransomware crews will fold it into their toolkits, and someone, somewhere, is either sitting on an unknown Hyper-V VSP exploit, or hard at work creating the next one.

February: Socket to me

It’s hard to imagine a modern computer without storage or networking capabilities. In fact, it’s hard to imagine a computer from several decades ago without storage or networking. Microsoft is now middle-aged, and that means that buried deep within your shiny new PC are a variety of architectural decisions and logic paths born in the 1980s. If this sounds far-fetched, take a minute to find yourself a fully-patched Windows 11 25H2 machine, and then try to rename any file or directory CON, NUL or PRN. I’ll wait.

Generally speaking, user-mode applications are prevented from wreaking havoc on the kernel through a careful separation of concerns. On Windows, when a user mode application wants to communicate over the network, it talks to WinSock, which in turn talks to the ancillary function driver (AFD), which sits on the kernel side, and coordinates with the kernel network drivers which handle the actual traffic. The AFD is a security boundary between user space and kernel space, and it must be universally accessible to local processes, because even a browser tab in a sandbox needs to make network calls. Any defect in the way AFD parses input from user space can thus provide a way to influence the kernel in unexpected ways. A number of advanced exploit development courses, including offerings from SANS and OffSec, cover AFD in detail.

chart-Windows-AFD-vulnerabilities-timeline-rapid7.png
Chart 2: Windows AFD vulnerabilities timeline, 2021-2025

Patch Tuesday February 2025 brought us CVE-2025-21418, which Microsoft credited to Anonymous. We don’t know whether the unnamed tipster provided evidence of exploitation in the wild, or whether Microsoft threat hunters subsequently tracked down their own trail of suspicious bread crumbs, but notorious threat actors such as North Korea’s Lazarus are known to be enthusiastic students of AFD exploits. With several high-profile zero-day vulnerabilities emerging from AFD from late 2024 onwards, it tracks that Microsoft subsequently published and patched a cluster of AFD vulnerabilities in the latter half of 2025.

March: File system shenanigans

Any defenders who had enjoyed a quieter start to the year were rudely awakened by Patch Tuesday March 2025, when six exploited-in-the-wild vulnerabilities all dropped at once. Exploitation of most of the zero-day vulnerabilities published in March starts with the user mounting a malicious Virtual Hard Disk (VHD) image or plugging in a malicious USB stick so that the attacker can exploit a weakness in a filesystem driver, including NTFS and FastFAT.

Remember that information security training which asked you to imagine finding a USB stick with an “IMPORTANT (CONFIDENTIAL)” label on the floor outside the office? The one which asked if you would A) plug the mystery stick into your work PC B) use your boss’ personal laptop in case the files are business critical C) try it in all the PCs in the office until someone asks you to stop or D) report it immediately to the security officer? This is why.

Meanwhile, the true villain of the month was almost certainly CVE-2025-24983, a no-user-interaction-required elevation of privilege vulnerability in the Win32 kernel subsystem. At the time, we pondered why Windows 11 and Server 2019 onwards didn’t receive patches for what looks like a fairly severe vulnerability, but since Microsoft is gradually reimplementing portions of the kernel in memory-safe Rust, we can hope that the vulnerability simply doesn’t exist in modern Windows.

April: Common Log File System driver vulns are quite common

If anyone ever corners you at a party and talks at length about the Ancillary Function Driver as a bounteous source of elevation of privilege vulnerabilities, you will probably have to concede that they are technically correct. While your options include “doing a lap” and then climbing out of the bathroom window, the power move here is to hold your ground, and point to the Common Log File System driver as a far richer vein of exploitable goodness.

As of Patch Tuesday April 2025, CLFS boasts almost twice the number of total vulnerabilities over the past five years vs. AFD, and more than double the number of known-exploited zero-day vulnerabilities. It really is the gift which keeps on giving.

chart-windows-CLFS-vulnerabilities-timeline-rapid7.png
Windows CLFS vulnerabilities timeline, 2021-2025

It makes sense that something like the Ancillary Function Driver lives in kernel space. After all, something has to sit inside the perimeter to marshall all those network requests from dozens of Chrome tabs. What about the Common Log File System driver though?

It would be tempting to imagine that anything which simply handles log files shouldn’t need direct kernel access at all. When exploring this concept, it’s useful to understand that not only was CLFS designed a long time ago, when high performance in user mode was harder to achieve than it is today, but also that CLFS is much more than simply a means to interact with log files. CLFS is the home of still-essential building blocks like Transactional NTFS (TxF), first introduced almost 25 years ago in Windows Vista, which provides a means for applications to guarantee the integrity of data on disk.

For the past several years, Microsoft has strongly recommended that developers avoid the use of TxF, and while Microsoft is gradually providing modern alternatives to TxF functionality, essential Windows functions such as Windows Update still rely on it to manage critical file integrity. Moreover, CLFS is more than just TxF, and is so tightly integrated into Windows that it’s here to stay for the foreseeable future.

May: The month of expectation, wishes, hope, and classic Windows zero-days [1]

A few days after Patch Tuesday May 2025, Satya Nadella took to the stage at Microsoft Build 2025 to pitch his vision of the open agentic web, although exactly who this version of the future would be open to remains an open question, like: What if a cloud email service was vulnerable to a zero-click prompt injection attack, but could also now buy things with your credit card?

While critical reception for the open agentic web has been mixed, threat actors will be glad of the new attack surface. Meanwhile, defenders worried about in-the-wild exploitation were hard at work patching some more frequent fliers, including another pair of CLFS vulnerabilities and an MSHTML/Trident arbitrary code execution bug. That last one will be familiar to regular Patch Tuesday watchers, but it might come as a surprise to anyone who thought Internet Explorer had gone to live on a nice farm upstate years ago.

The Ancillary Function Driver made another appearance, although it couldn’t quite summon the same main character energy this time around. The May 2025 episode of “AFD vulns exploited in the wild” offered elevation to Administrator, rather than SYSTEM, and a lower exploit code maturity rating. We can always be grateful for small mercies.

[1]: With apologies to Emily Brontë.

June: I’m afraid I can’t let you do that, WebDAV

Windows archeologists and internet users of a certain age may remember WebDAV, a standard originally dreamed up to support interactivity on the web. It was employed by versions of Microsoft Exchange up to and including 2010 to handle interactions with mailboxes and public folders.

Surprising no-one, Windows still more or less supports WebDAV, and it was only a matter of time before that turned out to be a bit of a problem, in the form of CVE-2025-33053 published as part of Patch Tuesday June 2025. Microsoft acknowledged Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation to an APT (Advanced Persistent Threat), which they track as the objectively cool-sounding Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and beyond.

June 2025 also saw the publication of CVE-2025-32711, a critical information disclosure vulnerability in Microsoft 365 Copilot. Microsoft is not aware of exploitation in the wild. The researchers named it EchoLeak, describing it as “the first real-world zero-click prompt injection exploit in a production LLM system,” although other researchers arguably got there first.

EchoLeak relies on hidden white-text-on-white-background instructions in an email, which are then ingested into the LLM via RAG (Retrieval-Augmented Generation) when the user asks an entirely pedestrian question (e.g. “Summarize my emails from the past two days”) which requires Copilot to scan the inbox. The malicious instructions have two parts: First, dig up some juicy info, and then retrieve an image from an attacker-controlled server with the sensitive data exfiltrated as a URL parameter.

EchoLeak circumvented Copilot’s Content Security Policy by making the request via a trusted Microsoft service: a now-patched Teams image preview proxy. History suggests that attackers will find other ways out of the walled garden. The Microsoft advisory makes a virtue of minimalism by providing almost no information about the nature of the vulnerability, although Microsoft is surely to be commended for assigning CVEs for cloud service vulnerabilities.

July: The call is coming from inside the intranet

When Patch Tuesday July 2025 came and went without a single exploited-in-the-wild vulnerability published, many people may have breathed a sigh of relief. Possibly this was a valid move, at least for anyone not responsible for a SharePoint instance.

SharePoint defenders will remember July as the month of ToolShell, an actively-exploited vulnerability chain in SharePoint which Microsoft published out of band ten days after Patch Tuesday. Out of band patches for Microsoft flagship products are rare, since they inevitably cause downstream disruption. Once MSTIC publicly attributes exploitation to two Chinese nation-state actors, that line has been crossed.

The vulnerability described by the out-of-band CVE-2025-53770 turned out to be a bypass for the patch introduced by CVE-2025-49704 earlier in the month, which was itself a response to a successful Pwn2Own Berlin entry from May.

August: It’s almost too quiet

Microsoft was not aware of exploitation in the wild for any of the vulnerabilities published as part of Patch Tuesday August 2025. SharePoint admins may have been dealing with the fallout from last month’s ToolShell and bracing for a possible repeat, but August might otherwise have made for an eerily quiet month. Still, the Windows implementation of Kerberos managed to cough up a publicly-disclosed elevate-to-domain-admin vulnerability.

Separately, we learned that simply saving a JPEG could be enough to hand an attacker RCE capabilities, because the internet never sleeps. If the vulnerable codepath had been within JPEG decoding, rather than encoding, this one could have been the biggest vuln of the year.

September: Almost too quiet, part 2

Patch Tuesday September 2025 was the second month in a row with no known-exploited vulnerabilities, but vuln spotters will appreciate that this month saw the publication of a fairly rare beast: a Microsoft vulnerability with a perfect(?) CVSS v3 base score of 10.0, albeit a cloud service vulnerability discovered by Microsoft and patched prior to publication. No customer action required, but also no customer verification possible, and since the impacted cloud service was Azure Networking, the blast radius could have been stupendous.

October: Dial M for exploitation

These days, there are plenty of seasoned IT professionals who don’t even know what a dialup modem negotiation song sounds like, simply because broadband has been around for that long. For younger readers, “broadband” is what we used to call “internet fast enough that you don’t have to wait to download a single email attachment”.

By this point, we all know where this is going: Windows still ships with modem capabilities well beyond their sell-by date, and someone found a good old elevation of privilege vulnerability. The vulnerable fax modem driver was developed almost 30 years ago by a long-defunct third party, and Microsoft has now taken uncharacteristically bold action by removing it from Windows altogether, perhaps recognizing that traditional landlines are no longer available at all in many places. Are there other fax modem drivers still lurking in Windows? You betcha.

Patch Tuesday October 2025 also marked the end of Windows 10, unless you count the cash-for-patches Extended Security Updates (ESU) program.

November: Kernel vuln? Popcorn time

Patch Tuesday November 2025 included an exploited-in-the-wild vulnerability in the Windows kernel itself. While the advisory was light with details, exploitation of CVE-2025-62215 led to elevation to SYSTEM, presumably via a complex bit of memory management three card monte. Those kernel Rust rewrites can’t come soon enough.

December: A cloud of suspicion

After a year filled with variations of the same old exploitable vulns, it might almost be refreshing to consider the altogether more modern-sounding exploited-in-the-wild vulnerability published on Patch Tuesday December 2025. CVE-2025-62221 describes an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.

On Windows, a file or directory can contain a reparse point, a collection of user-controlled metadata designed to be interpreted by a file filter driver. An example would be a file which appears present in a local folder, but where the actual contents of the file are stored remotely on OneDrive. The user double-clicks on the file, the file filter driver intercepts the request, reads the metadata, and calls out to OneDrive, while the user gets the experience of opening the file as though it had been stored locally. Of course, the file filter driver needs kernel access to perform its duties. Find an exploitable flaw in the way a file filter driver parses the metadata, and you can trick it into doing things like overwriting protected system files.

What’s next?

Everything gets faster, including bad things

As Rapid7 has observed repeatedly, time to known exploitation for widely-exploited vulnerabilities has been shrinking year-on-year. By 2022, the time to exploitation after public disclosure for some of the most notable security vulnerabilities was as low as 24 hours. With exploit development now widely augmented by automation and AI, there is every reason to suppose that the window will continue to shrink further.

Threat actors will stay best friends with elevation of privilege vulns

A wormable unauthenticated RCE vulnerability remains the scariest scenario, but mercifully these are historically rare. The one-two combo of minimally-privileged initial access and local privilege escalation presents a much more clear and present danger in most modern threat models. Sure, you could parachute in from a helicopter, abseil down from the roof, and crawl through an air vent to steal the diamond, but why bother when you could simply tailgate a delivery driver, and then distract a maintenance worker while you swipe their all-access keycard?

AI is here to stay, but tech debt is the real killer

In 2026, Microsoft will regularly publish AI-related vulnerabilities, and AI-wielding threat actors will hammer Microsoft’s cloud services. Blue teams managing significant Windows estates will still spend more time worrying about on-prem vulnerabilities where the root cause is a classic software engineering snafu.

Final thoughts

Arguably the biggest takeaway from 2025 is that the more things change, the more they stay the same. The scariest Microsoft vulnerabilities tend to emerge from the same few familiar places: core Windows components with codebases older than many of the humans who rely on them.

Microsoft’s wildly successful business model is founded on a decades-long insistence on ironclad backwards compatibility. Why? Enterprise customers with deep pockets and deeper catalogues of ancient business applications. These retro capabilities come at a high price: a supervolcano of tech debt potentially unmatched in all of human history, and a seemingly endless supply of sort-of-new but depressingly familiar vulnerabilities.

For anyone responsible for defending a significant Microsoft footprint in 2026, tomorrow’s biggest problem remains today’s secrets exposed by yesterday’s software design choices.

❌
❌