Skip to content

Microsoft patches 119 flaws and 2 zero-days in security update

  • by
  • 2 min read

Microsoft’s April patch Tuesday has around 119 security fixes across all Microsoft software. The patches include 10 critical vulnerabilities and two zero-days.

Products impacted this these security updates include Windows, Microsoft Office, Edge, Hyper-V, Dynamics, File Server, Windows SMB and Skype for Business. 

This latest round of patches, usually released every second Tuesday of each month (hence the name Patch Tuesday), addresses a number of issues, including remote code execution and elevation of privilege bugs in addition to denial-of-service, information leaks and spoofing issues. The number of bugs in each category is:

  • 47 Elevation of Privilege vulnerabilities.
  • 47 Remote Code Execution vulnerabilities.
  • 13 Information disclosure vulnerabilities.
  • 9 Denial of Service vulnerabilities. 
  • 3 Spoofing vulnerabilities.
  • 26 Edge (Chromium) vulnerabilities. 

The 26 Edge (Chromium) vulnerabilities aren’t included in Microsoft’s patch count. The two zero-day vulnerabilities are as follows.

VE-2022-24521This is a privilege escalation bug in the Windows Common Log File System Driver. Microsoft has stated that the vulnerability is actively being exploited despite the bug not being public until now. The issue has a CVSS score of 7.8.
CVE-2022-26904This is a known zero-day escalation of privilege flaw that affects the Windows User Profile Service. According to Microsoft, the attack complexity is high as it causes an attacker to win a race condition. The vulnerability has a CVSS score of 7.0.

Ten critical vulnerabilities have been patched in this round.

Impacted ProductVulnerabilityVulnerability type
LDAP – Lightweight Directory Access ProtocolCVE-2022-26919Remote Code Execution
Microsoft DynamicsCVE-2022-23259Remote Code Execution
Windows Hyper-VCVE-2022-22008Remote Code Execution
Windows Hyper-VCVE-2022-24537Remote Code Execution
Windows Hyper-V
Remote Code Execution
Windows Network File System
Remote Code Execution
Windows Network File System
Remote Code Execution
Windows Remote Procedure Call RuntimeCVE-2022-26809Remote Code Execution
Windows SMBCVE-2022-24541Remote Code Execution
Windows SMBCVE-2022-24500Remote Code Execution

 In the News: Russian cyberattack on Ukrainian energy provider disrupted

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: