Microsoft Patches 137 Vulnerabilities

Microsoft Patches 137 Vulnerabilities

Briefly

"Microsoft on Tuesday announced patching 137 vulnerabilities across its products, none of which have been flagged as exploited in the wild. Roughly a dozen of the bugs addressed with the latest Patch Tuesday updates have an exploitability rating of 'exploitation more likely', indicating that threat actors could start abusing them in attacks."

"The most severe of these is CVE-2026-41103, a critical-severity flaw in the Microsoft SSO Plugin for Jira & Confluence that could lead to elevation of privilege. The issue is rooted in the incorrect implementation of the authentication algorithm. High-severity privilege escalation issues in Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows Ancillary Function Driver for WinSock, Windows TCP/IP, and Windows Cloud Files Mini Filter Driver are also prone to exploitation, Microsoft says."

"The company also draws attention to two high-severity remote code execution defects in Microsoft Word (CVE-2026-40364 and CVE-2026-40361, CVSS score of 8.4) that are more likely to be exploited. The first is a type confusion issue, while the second is a use-after-free bug. "These flaws could be exploited by an attacker who sends a malicious document to a target," Tenable senior staff research engineer Satnam Narang said."

""The other common thread across these vulnerabilities is that a target doesn't need to even open the document to trigger the exploit. Exploitation is possible just by viewing a malicious document in the Preview Pane. Therefore, patching is the most reliable way to protect against flaws like these," Narang added. Two other high-severity Word weaknesses were also resolved this month, but they are less likely or unlikely to be exploited, Microsoft says."