patch tuesday 2025

Microsoft confirmed a Windows kernel elevation-of-privilege flaw tracked as CVE-2024-30099 on June 11, 2024 — a time-of-check/time-of-use (TOCTOU) race-condition in kernel code that Microsoft rated as an important local Elevation of Privilege (EoP) and patched in the June 11, 2024 cumulative...

Microsoft has confirmed that its December 9, 2025 Patch Tuesday cumulative updates introduced a regression that breaks Microsoft Message Queuing (MSMQ) in many enterprise environments, leaving queues inactive, IIS-hosted applications throwing “Insufficient resources to perform operation” errors...

Microsoft's December security update contains another reminder that old, system-level services can still be an attractive target for attackers: CVE-2025-62474 is an elevation of privilege vulnerability affecting the Windows Remote Access Connection Manager (RasMan) component, and system...

Microsoft’s November patch cycle exposed a widespread and urgent remote‑code execution risk in the Microsoft Graphics Component (GDI+) that national incident response teams have flagged as high severity — a heap‑based buffer overflow (tracked as CVE‑2025‑60724) that can be triggered by specially...

Microsoft’s November Patch Tuesday landed a high‑urgency security wake‑up call: a critical heap‑based buffer overflow in the Microsoft Graphics Component (GDI+) — tracked as CVE‑2025‑60724 — plus multiple browser and Office fixes that together widen the attack surface for both consumer PCs and...

Microsoft’s emergency patch drama on November Patch Tuesday turned a planned lifeline into a lesson in patch management: the first Extended Security Update for Windows 10 arrived alongside a registration bug that broke the ESU enrollment flow for many users, and Microsoft’s out‑of‑band fix only...

Microsoft has released KB5068781 — the first cumulative security rollup for Windows 10 distributed through the Extended Security Updates (ESU) program — advancing 22H2 systems to Build 19045.6575 and delivering a targeted set of security and servicing fixes for ESU‑enrolled devices. This update...

A wide-ranging October 2025 cumulative update for Windows 11 (KB5066835), and at least one related preview package, has broken many local IIS-hosted sites and developer workflows — causing ERR_CONNECTION_RESET, ERR_HTTP2_PROTOCOL_ERROR and outright failure of localhost-based services for...

Microsoft’s October Patch Tuesday landed as a watershed software-security event: the company shipped fixes for an extraordinarily large set of vulnerabilities — widely reported as between 167 and 175 CVEs in a single cycle — including multiple actively exploited zero‑day elevation‑of‑privilege...

Microsoft’s October security roll-up revealed a confirmed elevation‑of‑privilege flaw in the Windows Management Services: CVE‑2025‑59193 is a race‑condition (CWE‑362) in an elevated management component that allows an authorized local attacker to escalate to higher privileges on a...

Microsoft’s October 2025 Patch Tuesday delivered one of the largest and most consequential security refreshes of the year: Microsoft released fixes covering roughly 167 CVEs in a single update cycle, patched two zero-day elevation-of-privilege (EoP) bugs that were exploited in the wild, and...

Microsoft has confirmed a security flaw tracked as CVE-2025-58738 in the Inbox COM Objects (Global Memory) family that can lead to remote code execution in realistic attack chains when combined with local user interaction or a prior foothold; administrators are urged to reconcile CVE→KB mappings...

A use-after-free flaw in the Windows Bluetooth Service has been cataloged as CVE-2025-58728 and classified as a local elevation-of-privilege vulnerability that Microsoft patched as part of the October 2025 update cycle; the weakness can allow an authenticated, local user process to corrupt...

Microsoft confirmed a new local elevation-of-privilege vulnerability in the Xbox component chain—tracked as CVE-2025-53768—described as a use‑after‑free in the IStorageService implementation that can allow an authorized local user to escalate privileges on an affected host; administrators must...

Microsoft’s October Patch Tuesday fixed a newly assigned vulnerability, CVE‑2025‑54957, that resides in the Windows Codecs Library and stems from an integer overflow in the Dolby Digital Plus (E‑AC‑3) audio decoder — a parsing error that can produce memory‑corruption conditions and is rated...

Microsoft released a security update addressing CVE-2025-59201, a high‑impact elevation‑of‑privilege vulnerability in the Network Connection Status Indicator (NCSI) component that allows an authorized local user with low privileges to escalate to higher system privileges, and administrators must...

Windows 11’s September Patch Tuesday cumulative, KB5065426 (OS Build 26100.6584), has been linked to widespread file- and print-sharing failures on some machines, with multiple community threads and Microsoft Q&A posts reporting disabled sharing settings, networks switching from Private to...

Microsoft’s September 2025 Patch Tuesday delivers a heavy, operationally important security payload: this cycle addresses roughly 80 CVEs across Windows, Office, Azure, Hyper‑V and related components, including several critical remote‑code‑execution (RCE) and elevation‑of‑privilege (EoP) flaws...

Microsoft’s September Patch Tuesday has quietly closed two disruptive Windows regressions introduced in August — one that interfered with MSI-based app installs by unexpectedly surfacing User Account Control (UAC) prompts for standard users, and another that crippled NDI-based streaming...

Microsoft’s September Patch Tuesday arrived with a broad set of fixes and a matching set of detection updates from Cisco Talos — including a new Snort ruleset — aimed at the most likely-to-be-exploited flaws this month. The update package contains dozens of CVEs spanning Windows core components...