Today’s patch Tuesday addresses 59 different vulnerabilities (plus two Chromium vulnerabilities affecting Microsoft Edge). While this is a lower-than-normal number, this includes six vulnerabilities that are already exploited. Three vulnerabilities have already been exploited and made public. In addition, five critical vulnerabilities are included in this patch Tuesday.
Vulnerabilities of Interest:
The three already exploited and public vulnerabilities are very similar, but they affect different Windows components. The issue is that the user is not properly warned when executing code they downloaded. Technologies like SmartScreen are supposed to prevent this from happening. The components affect:
CVE-2026-21510: Windows Shell.
CVE-2026-21513: This affects the (legacy) Internet Explorer HTML rendering engine. It is still used by some Windows components, but not by the Edge browser.
CVE-2026-21514: Microsoft Word.
In addition, we have three more already exploited vulnerabilities:
CVE-2026-21533: A privilege escalation in Remote Desktop
CVE-2026-21519: A type confusion vulnerability in Windows Manager
CVE-2026-21525: A Windows Remote Access Connection Manager Denial of Service.
Three of the critical vulnerabilities are related to Microsoft Azure and have already been patched by Microsoft.
CVE-2026-23655 This vulnerability only affects Windows Defender on Linux and may lead to remote code execution.
| Description | |||||||
|---|---|---|---|---|---|---|---|
| CVE | Disclosed | Exploited | Exploitability (old versions) | current version | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
| .NET Spoofing Vulnerability | |||||||
| CVE-2026-21218 | No | No | – | – | Important | 7.5 | 6.5 |
| Azure Arc Elevation of Privilege Vulnerability | |||||||
| CVE-2026-24302 | No | No | – | – | Critical | 8.6 | 7.5 |
| Azure DevOps Server Cross-Site Scripting Vulnerability | |||||||
| CVE-2026-21512 | No | No | – | – | Important | 6.5 | 5.7 |
| Azure Front Door Elevation of Privilege Vulnerability | |||||||
| CVE-2026-24300 | No | No | – | – | Critical | 9.8 | 8.5 |
| Azure Function Information Disclosure Vulnerability | |||||||
| CVE-2026-21532 | No | No | – | – | Critical | 8.2 | 7.1 |
| Azure HDInsight Spoofing Vulnerability | |||||||
| CVE-2026-21529 | No | No | – | – | Important | 5.7 | 5.0 |
| Azure IoT Explorer Information Disclosure Vulnerability | |||||||
| CVE-2026-21528 | No | No | – | – | Important | 6.5 | 5.7 |
| Azure Local Remote Code Execution Vulnerability | |||||||
| CVE-2026-21228 | No | No | – | – | Important | 8.1 | 7.1 |
| Azure SDK for Python Remote Code Execution Vulnerability | |||||||
| CVE-2026-21531 | No | No | – | – | Important | 9.8 | 8.5 |
| Chromium: CVE-2026-1861 Heap buffer overflow in libvpx | |||||||
| CVE-2026-1861 | No | No | – | – | – | ||
| Chromium: CVE-2026-1862 Type Confusion in V8 | |||||||
| CVE-2026-1862 | No | No | – | – | – | ||
| Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21251 | No | No | – | – | Important | 7.8 | 6.8 |
| Desktop Window Manager Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21519 | No | Yes | – | – | Important | 7.8 | 6.8 |
| GDI+ Denial of Service Vulnerability | |||||||
| CVE-2026-20846 | No | No | – | – | Important | 7.5 | 6.5 |
| GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability | |||||||
| CVE-2026-21523 | No | No | – | – | Important | 8.0 | 7.0 |
| GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | |||||||
| CVE-2026-21518 | No | No | – | – | Important | 6.5 | 5.7 |
| GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21257 | No | No | – | – | Important | 8.0 | 7.0 |
| GitHub Copilot and Visual Studio Remote Code Execution Vulnerability | |||||||
| CVE-2026-21256 | No | No | – | – | Important | 8.8 | 7.7 |
| GitHub Copilot for Jetbrains Remote Code Execution Vulnerability | |||||||
| CVE-2026-21516 | No | No | – | – | Important | 8.8 | 7.7 |
| MSHTML Framework Security Feature Bypass Vulnerability | |||||||
| CVE-2026-21513 | Yes | Yes | – | – | Important | 8.8 | 7.7 |
| Mailslot File System Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21253 | No | No | – | – | Important | 7.0 | 6.1 |
| Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21522 | No | No | – | – | Critical | 6.7 | 6.0 |
| Microsoft ACI Confidential Containers Information Disclosure Vulnerability | |||||||
| CVE-2026-23655 | No | No | – | – | Critical | 6.5 | 5.7 |
| Microsoft Defender for Endpoint Linux Extension Remote Code Execution Vulnerability | |||||||
| CVE-2026-21537 | No | No | – | – | Important | 8.8 | 7.7 |
| Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | |||||||
| CVE-2026-0391 | No | No | – | – | Moderate | 6.5 | 5.7 |
| Microsoft Excel Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21259 | No | No | – | – | Important | 7.8 | 6.8 |
| Microsoft Excel Information Disclosure Vulnerability | |||||||
| CVE-2026-21258 | No | No | – | – | Important | 5.5 | 4.8 |
| CVE-2026-21261 | No | No | – | – | Important | 5.5 | 4.8 |
| Microsoft Exchange Server Spoofing Vulnerability | |||||||
| CVE-2026-21527 | No | No | – | – | Important | 6.5 | 5.7 |
| Microsoft Outlook Spoofing Vulnerability | |||||||
| CVE-2026-21260 | No | No | – | – | Important | 7.5 | 6.5 |
| CVE-2026-21511 | No | No | – | – | Important | 7.5 | 6.5 |
| Microsoft Word Security Feature Bypass Vulnerability | |||||||
| CVE-2026-21514 | Yes | Yes | – | – | Important | 7.8 | 7.2 |
| Power BI Remote Code Execution Vulnerability | |||||||
| CVE-2026-21229 | No | No | – | – | Important | 8.0 | 7.0 |
| Red Hat, Inc. CVE-2023-2804: Heap Based Overflow libjpeg-turbo | |||||||
| CVE-2023-2804 | No | No | – | – | Important | 6.5 | 5.7 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21236 | No | No | – | – | Important | 7.8 | 6.8 |
| CVE-2026-21241 | No | No | – | – | Important | 7.0 | 6.1 |
| CVE-2026-21238 | No | No | – | – | Important | 7.8 | 6.8 |
| Windows App for Mac Installer Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21517 | No | No | – | – | Important | 7.0 | 6.1 |
| Windows Connected Devices Platform Service Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21234 | No | No | – | – | Important | 7.0 | 6.1 |
| Windows Graphics Component Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21246 | No | No | – | – | Important | 7.8 | 6.8 |
| CVE-2026-21235 | No | No | – | – | Important | 7.3 | 6.4 |
| Windows HTTP.sys Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21250 | No | No | – | – | Important | 7.8 | 6.8 |
| CVE-2026-21240 | No | No | – | – | Important | 7.8 | 6.8 |
| CVE-2026-21232 | No | No | – | – | Important | 7.8 | 6.8 |
| Windows Hyper-V Remote Code Execution Vulnerability | |||||||
| CVE-2026-21248 | No | No | – | – | Important | 7.3 | 6.4 |
| CVE-2026-21247 | No | No | – | – | Important | 7.3 | 6.4 |
| CVE-2026-21244 | No | No | – | – | Important | 7.3 | 6.4 |
| Windows Hyper-V Security Feature Bypass Vulnerability | |||||||
| CVE-2026-21255 | No | No | – | – | Important | 8.8 | 7.7 |
| Windows Kernel Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21245 | No | No | – | – | Important | 7.8 | 6.8 |
| CVE-2026-21239 | No | No | – | – | Important | 7.8 | 6.8 |
| CVE-2026-21231 | No | No | – | – | Important | 7.8 | 6.8 |
| Windows Kernel Information Disclosure Vulnerability | |||||||
| CVE-2026-21222 | No | No | – | – | Important | 5.5 | 4.8 |
| Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | |||||||
| CVE-2026-21243 | No | No | – | – | Important | 7.5 | 6.5 |
| Windows NTLM Spoofing Vulnerability | |||||||
| CVE-2026-21249 | No | No | – | – | Important | 3.3 | 2.9 |
| Windows Notepad App Remote Code Execution Vulnerability | |||||||
| CVE-2026-20841 | No | No | – | – | Important | 8.8 | 7.7 |
| Windows Remote Access Connection Manager Denial of Service Vulnerability | |||||||
| CVE-2026-21525 | No | Yes | – | – | Moderate | 6.2 | 5.4 |
| Windows Remote Desktop Services Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21533 | No | Yes | – | – | Important | 7.8 | 7.2 |
| Windows Shell Security Feature Bypass Vulnerability | |||||||
| CVE-2026-21510 | Yes | Yes | – | – | Important | 8.8 | 8.2 |
| Windows Storage Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21508 | No | No | – | – | Important | 7.0 | 6.1 |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | |||||||
| CVE-2026-21242 | No | No | – | – | Important | 7.0 | 6.1 |
| CVE-2026-21237 | No | No | – | – | Important | 7.0 | 6.1 |
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Leave a Reply