But are things getting worse? According to Register readers, and the company's own release health dashboard, the answer has to be yes. It isn't just you. The frequency of emergency out-of-band releases for the company's operating systems has been rapidly increasing to the point where, for every Patch Tuesday update, there'll likely be at least one out-of-band patch to fix whatever got broken.
"Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page."
This month, over half (55%) of all Patch Tuesday CVEs were privilege escalation bugs, and of those, six were rated exploitation more likely across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server, and Winlogon. We know these bugs are typically used by threat actors as part of post-compromise activity, once they get onto systems through other means (social engineering, exploitation of another vulnerability).
Microsoft has released emergency out-of-band security updates to fix an actively exploited zero-day vulnerability in Microsoft Office. The flaw allows threat actors to bypass built-in Office security protections after tricking users into opening malicious files, typically delivered through phishing or social engineering. The vulnerability "... in Microsoft Office allows an unauthorized attacker to bypass a security feature locally," Microsoft said in its advisory.
Uncle Sam's cyber defenders have given federal agencies just three days to patch a maximum-severity Dell bug that's been under active exploitation since at least mid-2024. CISA this week added the flaw, tracked as CVE-2026-22769, to its Known Exploited Vulnerabilities catalog, ordering civilian agencies to secure affected systems by February 21 - giving them just three days to get fixes in place.
