Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack
Briefly

"Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs."
""An attacker with low-privilege local access can run a specially crafted application that repeatedly attempts to trigger this race condition," Ben McCarthy, lead cybersecurity engineer at Immersive, said. "The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel's memory management and causing it to free the same memory block twice. This successful 'double free' corrupts the kernel heap, allowing the attacker to overwrite memory and hijack the system's execution flow.""
Microsoft released patches addressing 63 new security vulnerabilities across its software, including one zero-day being actively exploited. Four flaws are rated Critical and 59 Important, with 29 privilege escalation, 16 remote code execution, 11 information disclosure, three denial-of-service, two security feature bypass, and two spoofing bugs. The exploited zero-day (CVE-2025-62215, CVSS 7.0) is a Windows Kernel race condition that can enable a low-privilege local attacker to elevate to SYSTEM if they already have a foothold. MSTIC and MSRC reported the issue. Exploitation requires repeatedly triggering a race that causes a double-free and kernel heap corruption. Microsoft also patched 27 Edge vulnerabilities since October 2025.
Read at The Hacker News