Microsoft on Tuesday announced patches for 137 vulnerabilities across its products, none of which have been flagged as exploited in the wild.
Roughly a dozen of the bugs addressed with the latest Patch Tuesday updates have an exploitability rating of ‘exploitation more likely’, indicating that threat actors could start abusing them in attacks.
The most severe of these is CVE-2026-41103, a critical-severity flaw in the Microsoft SSO Plugin for Jira & Confluence that could lead to elevation of privilege. The issue is rooted in the incorrect implementation of the authentication algorithm.
High-severity privilege escalation issues in Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows Ancillary Function Driver for WinSock, Windows TCP/IP, and Windows Cloud Files Mini Filter Driver are also prone to exploitation, Microsoft says.
The company also draws attention to two high-severity remote code execution defects in Microsoft Word (CVE-2026-40364 and CVE-2026-40361, CVSS score of 8.4) that are more likely to be exploited. The first is a type confusion issue, while the second is a use-after-free bug.
“These flaws could be exploited by an attacker who sends a malicious document to a target,” Tenable senior staff research engineer Satnam Narang said.
“The other common thread across these vulnerabilities is that a target doesn’t need to even open the document to trigger the exploit. Exploitation is possible just by viewing a malicious document in the Preview Pane. Therefore, patching is the most reliable way to protect against flaws like these,” Narang added.
Two other high-severity Word weaknesses were also resolved this month, but they are less likely or unlikely to be exploited, Microsoft says. More than two dozen vulnerabilities were resolved in the Office suite.
On Tuesday, Microsoft also rolled out fixes for critical-severity bugs in Dynamics 365 (on-premises), Azure Logic Apps, Windows DNS, Windows Netlogon, Windows Hyper-V, and Azure SDK.
The security updates also address high-severity flaws in Copilot, .NET, Azure services, Windows kernel and kernel mode drivers, Win32K, LDAP, SQL Server, Edge, Visual Studio Code, and various Windows components and services.
Adobe on Tuesday released patches for 52 vulnerabilities across 10 products, including a couple of critical-severity code execution flaws.

