惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

WordPress大学
WordPress大学
Cyberwarzone
Cyberwarzone
The GitHub Blog
The GitHub Blog
云风的 BLOG
云风的 BLOG
P
Proofpoint News Feed
小众软件
小众软件
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
Security Archives - TechRepublic
Security Archives - TechRepublic
W
WeLiveSecurity
Cloudbric
Cloudbric
博客园 - 司徒正美
美团技术团队
N
News and Events Feed by Topic
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
PCI Perspectives
PCI Perspectives
宝玉的分享
宝玉的分享
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Google DeepMind News
Google DeepMind News
Help Net Security
Help Net Security
Last Week in AI
Last Week in AI
S
Schneier on Security
N
News | PayPal Newsroom
B
Blog RSS Feed
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
S
Secure Thoughts
雷峰网
雷峰网
aimingoo的专栏
aimingoo的专栏
L
Lohrmann on Cybersecurity
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tenable Blog
S
Securelist
L
LangChain Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
I
InfoQ
H
Heimdal Security Blog
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
Y
Y Combinator Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
K
Kaspersky official blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs

Google adds end-to-end Gmail encryption to Android, iOS devices for enterprises – Computerworld

Microsoft 365: A guide to the updates Windows 11 Insider Previews: What’s in the latest build? Windows 11: A guide to the updates Ask Jeeves bites the dust Apple can't make chips fast enough, but that's only part of the story AI-led job cuts don’t always mean stronger ROI — Gartner Microsoft, Google push AI agent governance into enterprise IT mainstream Microsoft now has more than 20M paying Copilot users AI is more accurate than doctors in emergency diagnoses — study Start small, but start now: How to bring AI into your small business Apple is preparing to spend, but not necessarily on AI 10 quick productivity tips for Microsoft 365 mobile apps Relying on LLMs is nearly impossible when AI vendors keep changing things Apple breaks records, admits it can’t make Macs fast enough Spotlight report: Transforming software development with AI - Whitepaper Repository - 25 great uses for an old Android device AI chatbots need ‘deception mode’ Friendlier chatbots can be less reliable, study says Gartner sees untamed growth in agentic AI Apple reportedly abandons Vision Pro AI venture funding to shoot up this year as bubble looms Scaling up a tech startup in Europe is hard — 'EU Inc.' aims to help Apple will be behind on AI — until it isn’t EU lawmakers fail to agree on watered-down AI Act, talks pushed to May Android reminders, reinvented Who’s the better CEO, Apple’s Tim Cook or Microsoft’s Satya Nadella? AWS unveils trio of key AI strategy announcements SAS makes AI governance the centerpiece of its agent strategy Can Apple’s new CEO turn things around? Enterprises need to think beyond GPUs for agentic AI, analysts say Fleet hopes to be the MDM provider for the AI Era Why simplicity is the silent driver of hybrid workplace success Why security matters in the meeting room Can everyday IT decisions turn sustainability from intent into impact? Why the meeting room has become the true test of hybrid work Why smart meeting rooms are becoming strategic IT assets How collaboration technology defines the next phase of hybrid work Microsoft, OpenAI change contract terms–again OpenAI plans its own ‘iPhone killer’ Your AI strategy is all wrong Agent Mode is now available in Microsoft Word, Excel, and PowerPoint Adobe bets on AI agents to stay at the center of marketing workflows Microsoft to offer voluntary retirement buyouts to about 7% of the US workforce Google Keep cheat sheet: How to get started The AI workplace paradox: Higher productivity, higher anxiety Gartner: Global IT spending to grow by 13.5% this year Apple may be the only laptop vendor to grow in 2026 Tim Cook’s legacy: a successful CEO who stumbled over AI Google Chat becomes an agent interface for Workspace Gemini Enterprise update brings AI agents into collaborative workflows Meta to track employee keystrokes, screen activity to train AI agents The smartest ways to sync your Android and computer clipboards Microsoft trims cloud desktop pricing, even as it boosts AI costs Adobe builds an ‘agentic content supply chain’ for the AI era You can now test and compare AI models on LinkedIn With John Ternus as CEO, expect Apple’s platforms to proliferate Apple CEO Tim Cook stepping down, to be replaced by John Ternus Global RAM shortage appears set to continue through 2027 Is this where Apple Silicon will be in 5 years? AI-ready skills are not what you think World ID expands its ‘proof of human’ vision for the AI era Microsoft's Patch Tuesday updates: Keeping up with the latest fixes Robot Zuckerberg shows how IT can free up CEOs’ time UK wants to build sovereign AI — with just 0.08% of OpenAI’s market cap 20 tricks for more efficient Android messaging AI is finally delivering productivity — for remote employees Google should share search data to break its monopoly, European Commission suggests How to think about Apple Business Microsoft Teams cheat sheet: How to get started Reporter’s notebook: In Nepal and Sri Lanka, AI boom brings hope How to create your own custom Android air gesture Can Microsoft really meet its carbon-negative goal by 2030? About the Best Places to Work in IT Microsoft to cut Windows 365 price for SMBs Blancco confirms Mac adoption is accelerating Apple devices’ satellite link is under new ownership IBM’s government DEI settlement could increase pressure to avoid tech hiring diversity Microsoft is developing Copilot features inspired by Openclaw Global RAM shortage prompts Microsoft to hike Surface prices Apple Business rolls out to 200+ countries today Windows 10: A guide to the updates Nvidia’s Stephen Jones on the toolkit powering GPUs: ‘A wild ride’ The French government eyes alternatives to Windows Apple preps for the face race How to build your own AI agents with Google Workspace Studio Adobe Summit 2026: How Adobe hopes to redesign marketing and creativity with AI DARPA wants to help AI agents to talk to one another Apple unveiled a new high-end market opportunity this week Microsoft adds hidden feature flags to Windows Insider builds Meta moves fast toward a world where AI builds the software PC sales rise in Q1 despite memory shortage — IDC Agentic AI – Ongoing coverage of its impact on the enterprise Google’s new AI app is a glimpse of the future This problem might not need a solution: customer-service bots that code for free Chrome, Vivaldi, and the challenge of changing browsers The new M5-based MacBook Air is built to last — and perform Apple worst, Asus best for laptop repairability US court refuses to stay Pentagon’s ‘supply-chain risk’ blacklisting of Anthropic The top priority for Adobe’s next CEO? Prepping for the ‘age of agents’ It's iPhone speculation time: flips, flaps — and Fold
Microsoft’s Patch Tuesday release for April is a whopper
2026-04-18 · via Google adds end-to-end Gmail encryption to Android, iOS devices for enterprises – Computerworld

Windows admins are going to be busy this month, dealing with the largest Patch Tuesday cycle we can recall. The April release involves 165 updates and roughly 340 unique CVEs from Microsoft — including two zero-days, one of which is already being actively exploited in the wild. 

The Readiness team is recommending “Patch Now” schedules for nearly every major product family this month: Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and Microsoft Developer Tools (.NET). April also brings Phase 2 of Microsoft’s Kerberos RC4 hardening with full enforcement set for July. There is a lot to cover, so the Readiness team built an infographic mapping the deployment risk for each platform.

(More information about recent Patch Tuesday releases is available here.)

Known issues

Microsoft reports a single Windows 11 25H2 issue. It affects a narrow enterprise deployment group, but matters to anyone affected.

  • KB5083769 – BitLocker recovery prompt on first restart (Windows 11 25H2/24H2). Devices with BitLocker enabled on the OS drive and the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” set with PCR7 in the validation profile may be prompted for the BitLocker recovery key on the first restart after installing this update. Recommendation: Remove the PCR7 Group Policy configuration and run gpupdate /force before installing.

Issues resolved

April’s KB5083769 closes four issues, three quality-of-life and one multi-cycle reset failure:

  • KB5083769 – Reset this PC (Windows 11 25H2/24H2). Resolves a defect that broke device reset on certain hardware and configuration combinations, taking the last-resort recovery path with it.
  • KB5083769 – Secure Boot certificate rollout. The ongoing Secure Boot CA refresh picks up two improvements: the Windows Security app now displays certificate update status directly (Settings → Privacy & Security → Windows Security), and the quality update widens the device-targeting data for the staged rollout.
  • KB5083769 – SMB compression over QUIC. SMB compression requests over QUIC now complete more consistently; the update addresses prior timeouts.
  • KB5083769 – Remote Desktop anti-phishing. Opening a .RDP file now triggers a confirmation dialog listing every requested connection setting, each disabled by default. Users must explicitly opt in to local resource sharing before the connection is made; a one-time security warning appears the first time a .RDP file is opened after installing the update.

Major revisions and mitigations

Microsoft released no major revisions to Windows or Office. But Azure and Chromium/Edge have picked up several updates since the last month:

  • Microsoft documented four critical Azure CVEs; no user action required.
  • Microsoft re-published 141 Chrome/V8/WebGL/WebML/WebRTC fixes from the weekly upstream cadence; Edge picks them up through its own auto-update channel.

So Microsoft published 145 CVEs that affected Edge over the past 30 days. That averages out to around five reported security vulnerabilities per (working) day. Does anybody remember the good old days when we just had 10 critical-rated memory-related issues with IE — each month?

Windows lifecycle and enforcement updates

The saying that “April is the cruelest month” seems apropos, as we have three rather strict enforcements from Microsoft:

  • Kernel driver cross-signed trust — evaluation mode begins April. Microsoft is dropping trust for legacy kernel drivers signed under the deprecated cross-signed root program, audit-only on Windows 11 24H2/25H2/26H1 and Server 2025.
  • Kerberos RC4 hardening Phase 2 — April. Following November 2025’s Phase 1, domain controllers now default to AES-SHA1 encrypted tickets for accounts without an explicit Kerberos encryption type configured (CVE-2026-20833). The enforcement phase begins in July.
  • Windows Deployment Services hands-free deployment — disabled by default from April. Hardening for CVE-2026-0386 (Unattend.xml over unauthenticated RPC) disables hands-free WDS deployment by default, beginning with the April update. Admins can override, but Microsoft does not recommend doing so.

Testing guidance

Each month, the Readiness team analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. April’s release covers 56 component updates across Windows. Microsoft flagged two as High Risk — Kerberos authentication and the Remote Desktop client — and delivered five patches to the Projected File System driver affecting cloud sync scenarios. Secure Boot and BitLocker validation expands to seven scenarios this cycle, including a new Windows Hello PIN persistence check. Prioritize Kerberos infrastructure, Remote Desktop stability, and cloud sync before broad deployment.

Kerberos and KDC

The Kerberos Key Distribution Center (kdcsvc.dll) and client library (kerb3961.dll) carry a High Risk flag this month. Microsoft’s guidance targets environments using keytab-based authentication with RC4 encryption — a legacy configuration common in mixed Windows and non-Windows service environments. The client-side update affects only Windows 10 1607, but server-side changes apply to all editions from Windows Server 2022 through 2025.

  • After installing the update on domain controllers, open Event Viewer and review the System and Security logs for events with IDs 201–209.
  • Capture full event details for any new events in that range: text, timestamp, and affected account or service.
  • Focus testing on long-running services authenticating via RC4 keytabs, as these are most likely to surface failures after the update.

Remote Desktop client

Microsoft also flags the Remote Desktop ActiveX control (mstscax.dll) as High Risk. The update affects clipboard redirection, printer redirection, and session reconnection stability across all supported Windows versions. A separate update to mstsc.exe covers SmartScreen behavior for .RDP file handling, RemoteApp, and Hyper-V Enhanced Session mode.

  • Connect to a remote device using mstsc.exe and check that the session establishes and remains stable.
  • Copy and paste between local and remote sessions, both text and files, and expect correct transfer in both directions.
  • Redirect a local printer into the remote session, print a test page, and confirm the job completes.
  • Disconnect, reconnect, and verify clipboard and printer redirection survive the reconnection.
  • Expect RemoteApp resources to launch normally and Hyper-V Enhanced Session mode to connect without error.

Secure Boot and BitLocker (continuing)

Secure Boot and BitLocker testing now expands to seven scenarios, including a new Windows Hello PIN persistence test. These validate Secure Boot state, BitLocker encryption, and key rolling related to the ongoing CVE-2023-24932 mitigation. Perform only on dedicated test devices with recovery keys backed up.

  • Enable BitLocker on the OS drive, verify TPM protectors are present using manage-bde -protectors -get c:, then disable and verify the drive is fully decrypted.
  • Enable BitLocker on a data drive, verify protectors, then disable and verify decryption completes.
  • With Secure Boot enabled, enable BitLocker, trigger the recovery screen using reagentc /boottore, and verify the recovery key unlocks the drive.
  • With Secure Boot disabled, enable BitLocker, force recovery via BCD test signing changes, unlock with recovery key, suspend BitLocker, and verify normal boot resumes.
  • With both enabled, apply the Secure Boot key update (CVE-2023-24932) and verify the system boots without triggering recovery.
  • Test hibernation with Secure Boot and BitLocker both enabled and verify clean resume without recovery prompts.
  • On a device running March 2026, enable Windows Hello PIN and BitLocker, install the April update, and confirm the PIN still works.

Networking

April patches the Ancillary Function Driver for WinSock (afd.sys) twice — once paired with the TDX transport driver, once standalone — making it the most-patched network component this month. A separate patch to HTTP.sys affects HTTP/3 on Windows 11 23H2 and 22H2.

  • Browse websites, download and upload files (including large files), and test VPN and Remote Desktop connections over both IPv4 and IPv6.
  • Check that Teams, Outlook, and other messaging applications sign in, send messages, and reconnect after network blips.
  • Test sandboxed and low-privilege processes — Edge, Store apps, and Electron apps — to confirm their network requests succeed.
  • Generate sustained network load and confirm no BSODs, no new errors in Event Viewer, and no throughput degradation.

VPN and IPsec

April patches two VPN components: the Windows Filtering Platform driver (wfplwfs.sys) and the IKE Extensions service (ikeext.dll). The WFP update targets UWP VPN plug-in stability, sleep/wake recovery, and Always On VPN. The IKE update covers IKEv2 tunnels, IPsec security associations, and Connection Security Rules.

  • Connect and disconnect your UWP VPN plug-in client repeatedly (10+ cycles) and confirm the client remains usable and the system stays stable.
  • Keep the VPN connected for 30+ minutes during active use; verify it survives network changes (Wi-Fi to Ethernet) and sleep/wake cycles.
  • If using Always On VPN, confirm it connects at sign-in and reconnects after network loss.
  • Establish IKEv2 VPN connections and verify the tunnel is stable and internal resources are reachable.
  • Validate that Connection Security Rules negotiate IPsec correctly and that protected traffic remains protected.

Authentication and security

Patches to the SSPI kernel drivers (ksecdd.sys, ksecpkg.sys) span NTLM, Kerberos, CredSSP, and TLS/SSL. The Windows Hello for Business stack also picks up updates for Enhanced Sign-in Security.

  • Exercise end-to-end sign-in and resource-access flows for applications that use NTLM, Kerberos, CredSSP, or TLS/SSL authentication.
  • Test both success and failure cases: correct versus incorrect credentials, allowed versus denied accounts, and expired certificates.
  • Verify Windows Hello for Business authentication with Enhanced Sign-in Security across sign-in, lock, unlock, and reboot cycles.

Graphics, Shell and desktop

April updates span Direct3D, the Desktop Window Manager, and the graphics kernel (win32kbase.sys, win32kfull.sys). The Windows Shell (shell32.dll) picks up a patch affecting Mark-of-the-Web preservation for downloaded shortcuts, and COM Automation (oleaut32.dll) gets an update.

  • Run stress tests with sustained UI activity: rapid open/close of windows, snap layouts, virtual desktop switching, and multi-monitor connect/disconnect.
  • Test GPU-accelerated workloads — video playback, 3D applications, browser hardware acceleration — and check for visual artifacts or flickering.
  • Download a .lnk shortcut file from the internet and confirm SmartScreen displays a warning when the shortcut is opened — verifying Mark-of-the-Web is preserved.
  • Run COM Automation workflows — VBA, PowerShell, and Office automation — and confirm they execute correctly.

Hyper-V and virtualization

April patches both Hyper-V compute layers (computecore.dll, vmcompute.dll, vmwp.exe), along with the hypervisor binary (hvax64.exe) for Windows 11 25H2 and 24H2.

  • Start, save, resume, and stop a VM using Hyper-V Manager or PowerShell and repeat the cycle multiple times.
  • Export a VM, import it, and confirm the imported VM boots and runs normally.
  • Launch Windows Sandbox and confirm it starts without error.

Windows Installer, Cloud Sync and MDM

April updates to Windows Installer (msi.dll), the Cloud Files filter (cldflt.sys), and the MDM management layer affect installation workflows, cloud sync, and device management.

  • Install, uninstall, and repair MSI packages to verify Windows Installer functions correctly.
  • Connect and disconnect your cloud sync provider (e.g. OneDrive) multiple times and confirm sync functions after restarts.
  • Enroll a device in Intune or your MDM solution, verify compliance status, and trigger a policy sync.

Common Log File System and storage

The Common Log File System driver (clfs.sys) — subject of March’s major hardening change — picks up a follow-up patch. Storage Spaces (spaceport.sys) and app isolation file system drivers (bfs.sys, wcifs.sys) also receive updates this cycle.

  • Run Windows Update install and rollback cycles, then power-cycle the machine multiple times to confirm the system boots normally each time.
  • Install and uninstall a set of representative applications through multiple cycles and confirm each completes without error.
  • Perform a backup using your normal solution, restore from it, and verify data integrity.
  • If using Storage Spaces, create a pool with mirrored and thin virtual disks, write data, and verify clean deletion.

Office and SharePoint

April’s Office updates target MSI editions: Excel 2016 (KB5002860), PowerPoint 2016 (KB5002808), Office 2016 shared libraries (KB5002859), and SharePoint Server 2016, 2019, and Subscription editions. These will not install on Click-to-Run deployments such as Microsoft 365 Apps.

  • Open and edit complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity.
  • Create and edit PowerPoint presentations with embedded media and transitions.
  • Across all patched server editions, validate SharePoint document library operations, co-authoring, and workflow execution.
  • Verify that Office add-ins and line-of-business applications integrating with Office continue to operate correctly.

April’s two High Risk components should top every testing queue. Kerberos changes could disrupt long-running services using RC4 keytabs; monitor event IDs 201–209 and keep rollback plans ready. The Remote Desktop client update warrants thorough validation of clipboard, printer redirection, and session reconnection, particularly in RDP-dependent environments. Secure Boot and BitLocker validation remains essential as CVE-2023-24932 key rolling continues. Five patches to the Projected File System driver elevate cloud sync testing this cycle. The dual afd.sys updates and VPN/IPsec patches warrant regression testing across remote-access infrastructure. Office updates are confined to MSI editions.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge)
  • Microsoft Windows (both desktop and server)
  • Microsoft Office
  • Microsoft Exchange and SQL Server
  • Microsoft Developer Tools (Visual Studio and .NET)
  • Adobe (if you get this far)

Browsers

Microsoft’s browsers look quiet this month. Two Microsoft-authored Edge spoofing fixes both ride the standard Edge update channel: CVE-2026-33119 (Edge for Android, CVSS 5.4, moderate) and CVE-2026-33118 (CVSS 4.3, low).

The real story is upstream: 140+ Chromium fixes in the past month, including CVE-2026-5281 — a use-after-free in Dawn that Google has confirmed is actively exploited in the wild. We  recommend you patch now for all Chromium endpoints (here’s looking at you, Edge).

Microsoft Windows

Microsoft delivers 134 Windows CVEs across desktop and server — four critical, the rest important or moderate, with no zero-days or publicly disclosed flaws this cycle. Headline by raw CVSS is a 9.8 IKE/IPsec RCE; priority by exploitability is the Active Directory RCE — the only Windows critical Microsoft rates “Exploitation More Likely.” The four critical-rated issues are concentrated in three Windows areas: Active Directory, networking (two flaws), and Remote Desktop Client.

  • Active Directory / Identity — CVE-2026-33826, RCE in Active Directory via improper input validation (CVSS 8.0, critical; Exploitation More Likely). An authenticated low-privilege attacker on an adjacent network can execute code on a domain controller – your entire directory service is the surface. This is a priority for anyone running AD on-prem.
  • Networking (IKE/IPsec) — CVE-2026-33824, RCE in IKE Service Extensions via double-free (CVSS 9.8, critical; Less Likely). Highest CVSS in the cycle: unauthenticated, network-callable, no UI. Patch VPN concentrators and IPsec gateways first.
  • Networking (TCP/IP) — CVE-2026-33827, RCE via race condition in the TCP/IP stack (CVSS 8.1, critical; Less Likely). Network-callable, but the race lifts attack complexity (AC:H).
  • Remote Desktop Client — CVE-2026-32157, RCE via use-after-free (CVSS 8.8, critical; Less Likely). Triggered when a user connects to a malicious RDP server (UI:R) — the threat model is reverse RDP, not inbound. Flag for jump-host operators.

Beyond the criticals, the standout Windows flaw is CVE-2026-27912 — Kerberos elevation of privilege via improper authorization (CVSS 8.0, important). Authorized attackers on an adjacent network can elevate through the Kerberos handler. Coordinate domain-controller deployment with the Kerberos RC4 Phase 2 hardening covered in the lifecycle section; both touch domain controllers. The Kerberos flaw (CVE-2026-27912) pushes April’s Windows updates to Patch Now.

Microsoft Office

Office receives 14 security fixes, three rated critical and one actively exploited in the wild. The active SharePoint exploit forces Office to Patch Now, with SharePoint servers taking priority over the client push.

  • CVE-2026-32201 – Microsoft SharePoint Server — Spoofing, actively exploited in the wild (CVSS 6.5, important). The score understates the urgency: exploitation has been confirmed, and a spoofing flaw inside SharePoint is a platform for credential theft and lateral movement regardless of internal-only posture. Patch immediately, ahead of the Office client push.
  • CVE-2026-32190 – Microsoft Office — Remote code execution (CVSS 8.4, critical). The Preview Pane remains the attack vector; previewing a crafted file in Outlook or File Explorer is sufficient to trigger execution without further user action. As we’ve noted before, this keeps recurring.
  • CVE-2026-33114, CVE-2026-33115 — Microsoft Word — Remote code execution (both CVSS 8.4, critical). Paired Word RCEs on the same release channel; affected surface matches CVE-2026-32190.

Excel carries the heaviest cluster — four additional RCEs: CVE-2026-32189, CVE-2026-32197, CVE-2026-32198, and CVE-2026-32199, plus an information-disclosure flaw in CVE-2026-32188. Microsoft Word picks up two fixes outside the critical pair: RCEs CVE-2026-33095 and CVE-2026-23657, and information disclosure CVE-2026-33822. This is a Patch Now release for Office, driven by the SharePoint zero-day. Organizations that cannot deploy Office clients quickly should consider disabling the Preview Pane in Outlook and File Explorer as a temporary mitigation against the critical RCE trio.

Microsoft Exchange and SQL Server

Exchange Server picks up zero CVEs this month, a rare quiet cycle, and the right window to clear any deferred CU work. SQL Server gets three, including a network RCE that grants SQL sysadmin on success:

  • CVE-2026-33120Microsoft SQL Server — Remote code execution via untrusted pointer dereference (CVSS 8.8, important; Exploitation Less Likely). Authenticated attackers get full SQL sysadmin on success. Scope is unusually narrow: only SQL Server 2022 for x64-based Systems on the GDR servicing branch — CU 24 and every other supported version (2016 SP3 through 2025) are not listed as affected.
  • CVE-2026-32167, CVE-2026-32176 — Microsoft SQL Server — Elevation of privilege via SQL injection (both CVSS 6.7, important). Paired flaws affecting SQL Server 2016 SP3 through 2025 on both GDR and CU branches. Local EoP, not remote — the concern is breadth, not blast radius.

The Readiness team recommends Patch Now for any SQL Server 2022 GDR operation. Schedule the wider SQL footprint with your normal database-maintenance window.

Developer tools

There are 10 CVEs in Developer Tools this month, headlined by a critical-rated .NET Framework DoS and two GitHub-attributed flaws that will affect developer workflows directly.

  • CVE-2026-23666 — .NET Framework — Denial of service via improper input validation (CVSS 7.5, critical; Exploitation Less Likely). The critical rating despite a DoS impact reflects exploit-code maturity; the CVSS vector includes E:P (proof-of-concept).
  • CVE-2026-32631 — Visual Studio — NTLM hash leak via git clone from manipulated repositories (CVSS 7.4, important). GitHub-attributed: cloning a malicious repo or checking out a branch that resolves to an attacker-controlled UNC path leaks the user’s NTLM hash. Affects Visual Studio 2017, 2019, and 2022 (17.12 and 17.14).
  • CVE-2026-26143 — PowerShell — Security feature bypass (CVSS 7.8, important). Highest CVSS in the set, and PowerShell SFBs always merit attention.

Five more developer-related updates round out the cycle: four .NET / Visual Studio DoS or spoofing fixes (CVE-2026-26171, CVE-2026-32178, CVE-2026-32203, CVE-2026-32226) and a moderate TLS PSK/ALPN bypass (CVE-2026-21637). None have been disclosed or exploited. The Readiness team recommends Patch Now for .NET Framework and PowerShell.

Adobe (and third-party updates)

Microsoft no longer ships Adobe updates as part of its bulletin. Adobe ships APSB26-44 separately for Acrobat and Reader — two listed as critical. They are worth your attention, given Reader’s prevalence on enterprise desktops. For anyone packaging, testing and deploying these recent and rapid Adobe releases: we hear you. The packages are big, and the management effort keeps growing.

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.