Publicly Disclosed Elevation of Privilege Vulnerability in Windows Collaborative Translation Framework
An attacker could exploit this vulnerability by sending specially crafted network requests to a Windows Server system with the WDS role enabled that is listening for TFTP traffic. By triggering an error in how the server handles simultaneous requests, an unauthenticated remote attacker could cause the service to use invalid memory, potentially allowing code execution on the affected server.
CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, and CVE-2026-45474 are Critical RCE vulnerabilities in Microsoft Office, all with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through use-after-free flaws (CVE-2026-45461, CVE-2026-45472, CVE-2026-45474) and an integer underflow flaw (CVE-2026-45463).
| Severity | CVSS Score | CVE | Description | Action Required? |
| Important | 7.8 | CVE-2026-45586 | Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability | Yes |
Publicly Disclosed Security Feature Bypass Vulnerability in Windows BitLocker
Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
CVE-2026-44803 and CVE-2026-44812 are Critical RCE vulnerabilities affecting the Windows Graphics Component, both with a CVSS score of 7.8. Both stem from integer overflow flaws (CWE-190) in Windows Win32K – GRFX and require user interaction to exploit. An attacker could trigger code execution by convincing a user to view a specially crafted file in the Windows File Explorer Preview Pane or by opening the file directly. Despite the RCE classification, the attack vector is local, meaning the attacker must rely on user interaction rather than reaching the target directly over a network.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Important | 6.8 | CVE-2026-50507 | Windows BitLocker Security Feature Bypass Vulnerability | Yes |
Publicly Disclosed and Critical Vulnerabilities in HTTP.sys
Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
CVE-2026-50507 is an Important security feature bypass vulnerability affecting Windows BitLocker and has a CVSS score of 6.8. A missing authentication for a critical function flaw (CWE-306) allows an unauthenticated attacker with physical access to bypass BitLocker Device Encryption and gain access to encrypted data on the system storage device. While physical access is required, the attack requires no privileges or user interaction and has low attack complexity.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.8 | CVE-2026-47291 | HTTP.sys Remote Code Execution Vulnerability | Yes |
| Important | 7.5 | CVE-2026-49160 | HTTP.sys Denial of Service Vulnerability | Yes |
Critical Vulnerability in Windows Kernel
This vulnerability was publicly disclosed and proof-of-concept exploit code exists, though there is no evidence of exploitation in the wild. Microsoft assesses exploitation as more likely.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.8 | CVE-2026-45657 | Windows Kernel Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Nuance PowerScribe
Seven Critical RCE vulnerabilities affecting the Remote Desktop Client were patched this month, with CVSS scores ranging from 7.5 to 8.8. All seven share a common exploitation theme: An attacker with control of a malicious Remote Desktop server could execute code on a victim’s machine when the victim connects using a vulnerable Remote Desktop Client.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.8 | CVE-2026-26142 | Nuance PowerScribe Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in DHCP Client Service
CVE-2026-47644 is a Critical information disclosure vulnerability affecting Copilot Chat in Microsoft Edge and has a CVSS score of 6.5. An injection flaw (CWE-74) allows unauthenticated remote attackers to disclose sensitive information over a network. User interaction is required for exploitation.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.8 | CVE-2026-44815 | DHCP Client Service Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Windows Active Directory Domain Services
Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.8 | CVE-2026-45648 | Windows Active Directory Domain Services Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Azure Kubernetes Service
CVE-2026-44810 is a Critical elevation of privilege vulnerability affecting Microsoft Cryptographic Services and has a CVSS score of 8.4. This improper authentication flaw (CWE-287) allows an unauthenticated local attacker to elevate privileges with no user interaction and low attack complexity. An attacker could exploit this either by logging on to the system and running a specially crafted application, or by convincing a local user to open a malicious file. Successful exploitation could grant an attacker SYSTEM privileges.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.8 | CVE-2026-32193 | Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability | Yes |
Critical Remote Code Execution Vulnerabilities in Remote Desktop Client
CVE-2026-48579 is a Critical information disclosure vulnerability affecting Microsoft Exchange Online and has a CVSS score of 9.1. An improper authorization flaw (CWE-285) allows unauthenticated remote attackers to disclose sensitive information over a network with no user interaction and low attack complexity, with high confidentiality and integrity impact.
CVE-2026-48574 is a Critical RCE vulnerability affecting Windows Media and has a CVSS score of 7.8. This heap-based buffer overflow flaw (CWE-122) allows an attacker to execute arbitrary code on a target system by convincing a user to interact with a specially crafted file. Despite the RCE classification, the attack vector is local, meaning the attacker must rely on user interaction to trigger the vulnerability rather than reaching the target directly over a network.
CVE-2026-45657 is a Critical RCE vulnerability affecting the Windows kernel and has a CVSS score of 9.8. Use-after-free and heap-based buffer overflow flaws (CWE-416, CWE-122) allow unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send specially crafted network traffic to trigger a flaw in how the Windows kernel processes TCP/IP data, potentially enabling code execution with SYSTEM-level privileges without requiring authentication or user interaction.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.8 | CVE-2026-42985 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
| Critical | 8.8 | CVE-2026-47289 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
| Critical | 7.5 | CVE-2026-42992 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
| Critical | 7.5 | CVE-2026-44799 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
| Critical | 7.5 | CVE-2026-44801 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
| Critical | 7.5 | CVE-2026-47654 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
| Critical | 7.5 | CVE-2026-48563 | Remote Desktop Client Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Microsoft Cryptographic Services
CVE-2026-49160 is a publicly disclosed Important denial of service vulnerability affecting HTTP.sys and has a CVSS score of 7.5. An uncontrolled resource consumption flaw (CWE-400) in HTTP/2 allows unauthenticated remote attackers to deny service with no user interaction and low attack complexity. As part of the available fix, Microsoft has introduced a new MaxHeadersCount registry setting that allows administrators to limit the number of headers accepted in HTTP/2 and HTTP/3 requests. There is no evidence of exploitation in the wild, though Microsoft assesses exploitation as more likely.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.4 | CVE-2026-44810 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Yes |
Critical Vulnerabilities in Microsoft Office
CVE-2026-42985, CVE-2026-44801, CVE-2026-47654, and CVE-2026-48563 stem from use-after-free flaws (CWE-416). In all four cases, an attacker with control of a Remote Desktop server could trigger RCE on a victim’s machine upon connection. CVE-2026-47654 and CVE-2026-48563 additionally require an attacker to win a race condition, while CVE-2026-44801 requires additional preparatory actions prior to exploitation.
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.4 | CVE-2026-45461 | Microsoft Office Remote Code Execution Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-45463 | Microsoft Office Remote Code Execution Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-45472 | Microsoft Office Remote Code Execution Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-45474 | Microsoft Office Remote Code Execution Vulnerability | Yes |
| Critical | 4.7 | CVE-2026-45460 | Microsoft Office Information Disclosure Vulnerability | Yes |
Critical Vulnerabilities in Windows Hyper-V
CVE-2026-45497 and CVE-2026-42824 are Critical vulnerabilities affecting Microsoft M365 Copilot, with CVSS scores of 7.7 and 6.5, respectively. Both stem from command injection flaws (CWE-77).
With CrowdStrike Falcon® Exposure Management, you can automatically classify and prioritize assets, show attack paths targeting client-side exploitation of devices, and integrate with CrowdStrike Falcon® Next-Gen SIEM. Learn more in this blog post:
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.4 | CVE-2026-45607 | Windows Hyper-V Remote Code Execution Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-45641 | Windows Hyper-V Remote Code Execution Vulnerability | Yes |
| Critical | 8.2 | CVE-2026-47652 | Windows Hyper-V Remote Code Execution Vulnerability | Yes |
Critical Vulnerabilities in Microsoft Outlook and Word
CVE-2026-47288 is a Critical RCE vulnerability affecting the Windows Kerberos Key Distribution Center (KDC) and has a CVSS score of 7.1. The KDC is the authentication service that runs on every Active Directory domain controller; it’s responsible for issuing Kerberos tickets across the domain. A vulnerability here could allow attackers to target the most sensitive servers in an enterprise environment. This integer overflow or wraparound flaw (CWE-190) in Windows Kerberos could allow an authorized attacker to execute code over an adjacent network. Successful exploitation requires an attacker to prepare the target environment to improve exploit reliability.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.4 | CVE-2026-45456 | Microsoft Outlook and Word Remote Code Execution Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-45458 | Microsoft Outlook and Word Remote Code Execution Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-47635 | Microsoft Outlook and Word Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Windows Deployment Services
CVE-2026-45460 is a Critical information disclosure vulnerability affecting Microsoft Office and has a CVSS score of 4.7. A buffer over-read flaw (CWE-126) could allow an unauthorized attacker to disclose information locally. An attacker that successfully exploited this vulnerability could potentially read small portions of heap memory.
CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 are Critical RCE vulnerabilities affecting Microsoft Outlook and Word, all with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through a type confusion flaw (CVE-2026-45456), a use-after-free flaw (CVE-2026-45458), and a heap-based buffer overflow flaw (CVE-2026-47635). The Preview Pane is an attack vector for all three vulnerabilities.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.1 | CVE-2026-42987 | Windows Deployment Services (WDS) Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Windows Device Health Attestation
The Preview Pane is an attack vector for all five vulnerabilities.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.8 | CVE-2026-33828 | Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability | Yes |
Critical Vulnerability in Windows Media
CVE-2026-33828 is a Critical elevation of privilege vulnerability affecting Windows Device Health Attestation (DHA) and has a CVSS score of 7.8. DHA is a Windows security feature that verifies the integrity of a device’s boot process and security configuration. This trust boundary violation flaw (CWE-501) allows a low-privileged local attacker to undermine the trustworthiness of attestation reports and elevate privileges to gain SYSTEM-level control with no user interaction and low attack complexity.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.8 | CVE-2026-48574 | Windows Media Remote Code Execution Vulnerability | Yes |
Critical Vulnerabilities in Windows Graphics Component
CVE-2026-45607 and CVE-2026-45641 are Critical RCE vulnerabilities affecting Windows Hyper-V, both with a CVSS score of 8.4. Both share a common exploitation path: An authenticated attacker on a guest VM could send specially crafted file operation requests to hardware resources on the VM, resulting in RCE on the host server. CVE-2026-45607 stems from an out-of-bounds read flaw (CWE-125), while CVE-2026-45641 stems from a type confusion flaw (CWE-843). Both require no user interaction and have low attack complexity.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.8 | CVE-2026-44803 | Windows Graphics Component Remote Code Execution Vulnerability | Yes |
| Critical | 7.8 | CVE-2026-44812 | Windows Graphics Component Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Windows Kerberos Key Distribution Center
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
CVE-2026-47289, CVE-2026-42992, and CVE-2026-44799 stem from heap-based buffer overflow flaws (CWE-122). CVE-2026-47289 has low attack complexity and exploits the connection process by presenting a specially crafted RDP certificate; when the client processes the malformed certificate, the attacker could execute code on the user’s device with the same privileges as the connecting user. CVE-2026-42992 and CVE-2026-44799 have high attack complexity, requiring an attacker to take additional preparatory actions before exploitation.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.1 | CVE-2026-47288 | Windows Kerberos Key Distribution Center (KDC) Remote Code Execution Vulnerability | Yes |
Critical Vulnerability in Azure HorizonDB
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
CVE-2026-45586 is an Important elevation of privilege vulnerability affecting Windows Collaborative Translation Framework (CTFMON) and has a CVSS score of 7.8. CTFMON is a core Windows component that manages text input, handwriting recognition, and language services. A link following flaw (CWE-59) allows a low-privileged local attacker to elevate privileges with no user interaction and low attack complexity. Successful exploitation could grant an attacker SYSTEM privileges.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 10.0 | CVE-2026-48567 | Azure HorizonDB Elevation of Privilege Vulnerability | No |
Critical Vulnerability in Microsoft Exchange Online
CVE-2026-45586 is an Important elevation of privilege vulnerability affecting Windows Collaborative Translation Framework (CTFMON) and has a CVSS score of 7.8. CTFMON is a core Windows component that manages text input, handwriting recognition, and language services. A link following flaw (CWE-59) allows a low-privileged local attacker to elevate privileges with no user interaction and low attack complexity. Successful exploitation could grant an attacker SYSTEM privileges.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.1 | CVE-2026-48579 | Microsoft Exchange Online Information Disclosure Vulnerability | No |
Critical Vulnerabilities in Microsoft M365 Copilot
CVE-2026-45586 is an Important elevation of privilege vulnerability affecting Windows Collaborative Translation Framework (CTFMON) and has a CVSS score of 7.8. CTFMON is a core Windows component that manages text input, handwriting recognition, and language services. A link following flaw (CWE-59) allows a low-privileged local attacker to elevate privileges with no user interaction and low attack complexity. Successful exploitation could grant an attacker SYSTEM privileges.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 6.5 | CVE-2026-47644 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability | No |
Critical Vulnerability in Microsoft Graph
CVE-2026-45586 is an Important elevation of privilege vulnerability affecting Windows Collaborative Translation Framework (CTFMON) and has a CVSS score of 7.8. CTFMON is a core Windows component that manages text input, handwriting recognition, and language services. A link following flaw (CWE-59) allows a low-privileged local attacker to elevate privileges with no user interaction and low attack complexity. Successful exploitation could grant an attacker SYSTEM privileges.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 6.5 | CVE-2026-47655 | Microsoft Graph Information Disclosure Vulnerability | No |
Patch Tuesday Dashboard in the Falcon Platform
CVE-2026-26142 is a Critical RCE vulnerability affecting Nuance PowerScribe and has a CVSS score of 9.8. Nuance PowerScribe is a radiology reporting and workflow platform widely used in healthcare environments. This deserialization of untrusted data flaw (CWE-502) allows unauthenticated remote attackers to execute code and compromise sensitive medical data and clinical infrastructure with no user interaction and low attack complexity.
New AI-Powered Capabilities in Falcon Exposure Management
Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
This vulnerability was publicly disclosed, though there is no evidence of exploitation in the wild. Microsoft assesses exploitation as more likely.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
Falcon Exposure Management’s AI-Powered Risk Prioritization Shows Organizations What to Fix First
CVE-2026-47652 is a Critical RCE vulnerability affecting Windows Hyper-V and has a CVSS score of 8.2, stemming from a heap-based buffer overflow flaw (CWE-122). An attacker could issue a specially crafted hypercall with a maliciously large or malformed payload size from within a virtualized environment, triggering a buffer overflow in the hypervisor during memory operations. Unlike the other two, this vulnerability requires high privileges to exploit.
Learn More
An attacker already authenticated to the domain could send specially crafted authentication-related data to a domain controller, causing the affected Windows component to incorrectly handle memory. This could allow the attacker to disrupt the service or gain higher privileges on the domain controller without any user interaction.
Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
About CVSS Scores
CVE-2026-47655 is a Critical information disclosure vulnerability affecting Microsoft Graph and has a CVSS score of 6.5. Microsoft Graph is the API platform that connects Microsoft 365 services and data; an information disclosure vulnerability here could expose sensitive organizational data across connected Microsoft cloud services. This exposure of sensitive information flaw (CWE-200) allows low-privileged remote attackers to disclose sensitive information over a network with no user interaction required.
