Microsoft on Tuesday introduced patching 137 vulnerabilities throughout its merchandise, none of which have been flagged as exploited within the wild.
Roughly a dozen of the bugs addressed with the most recent Patch Tuesday updates have an exploitability score of ‘exploitation extra possible’, indicating that risk actors may begin abusing them in assaults.
Probably the most extreme of those is CVE-2026-41103, a critical-severity flaw within the Microsoft SSO Plugin for Jira & Confluence that might result in elevation of privilege. The problem is rooted within the incorrect implementation of the authentication algorithm.
Excessive-severity privilege escalation points in Home windows Distant Desktop, Home windows Widespread Log File System Driver, Home windows Kernel, Azure AI Foundry, Home windows Win32k, Home windows Ancillary Perform Driver for WinSock, Home windows TCP/IP, and Home windows Cloud Recordsdata Mini Filter Driver are additionally vulnerable to exploitation, Microsoft says.
The corporate additionally attracts consideration to 2 high-severity distant code execution defects in Microsoft Phrase (CVE-2026-40364 and CVE-2026-40361, CVSS rating of 8.4) which can be extra more likely to be exploited. The primary is a kind confusion concern, whereas the second is a use-after-free bug.
“These flaws could possibly be exploited by an attacker who sends a malicious doc to a goal,” Tenable senior employees analysis engineer Satnam Narang stated.
“The opposite widespread thread throughout these vulnerabilities is {that a} goal doesn’t must even open the doc to set off the exploit. Exploitation is feasible simply by viewing a malicious doc within the Preview Pane. Due to this fact, patching is essentially the most dependable method to shield in opposition to flaws like these,” Narang added.
Two different high-severity Phrase weaknesses had been additionally resolved this month, however they’re much less possible or unlikely to be exploited, Microsoft says. Greater than two dozen vulnerabilities had been resolved within the Workplace suite.
On Tuesday, Microsoft additionally rolled out fixes for critical-severity bugs in Dynamics 365 (on-premises), Azure Logic Apps, Home windows DNS, Home windows Netlogon, Home windows Hyper-V, and Azure SDK.
The security updates additionally handle high-severity flaws in Copilot, .NET, Azure providers, Home windows kernel and kernel mode drivers, Win32K, LDAP, SQL Server, Edge, Visible Studio Code, and numerous Home windows parts and providers.
Adobe on Tuesday launched patches for 52 vulnerabilities throughout 10 merchandise, together with a few critical-severity code execution flaws.
