CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler XXE Elevation of Privilege Vulnerability |
Updated CVE title. This is an informational change only. |
CVE-2023-38156 Azure HDInsight Apache Ambari JDBC Injection Elevation of Privilege Vulnerability |
Updated CVE title. This is an informational change only. |
Chromium: CVE-2023-6345 Integer overflow in Skia |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. Google is aware that an exploit for CVE-2023-6345 exists in the wild. |
Chromium: CVE-2023-6346 Use after free in WebAudio |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-6347 Use after free in Mojo |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-6348 Type Confusion in Spellcheck |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-6350 Out of bounds memory access in libavif |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-6351 Use after free in libavif |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-36558 ASP.NET Core - Security Feature Bypass Vulnerability |
Updated acknowledgment. This is an informational change only. |
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability |
Updated FAQ information. This is an informational change only. |
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability |
For informational accuracy, updated the Publicly Disclosed information. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
In the Security Updates table: 1) Corrected the Build Number for Microsoft Visual Studio 2022 version 17.7 to 17.7.6. 2) Corrected the Download and Article links for Microsoft .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016. These are informational changes only. Customers who have installed the latest versions do not need to take any further action. |
Chromium: CVE-2023-5997 Use after free in Garbage Collection |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-6112 Use after free in Navigation |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability |
Revised the Security Updates table to include PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See [https://github.com/PowerShell/Announcements/issues/54](https://github.com/PowerShell/Announcements/issues/54) for more information. |
CVE-2023-36026 Microsoft Edge (Chromium-based) Spoofing Vulnerability |
Information published. |
CVE-2023-36008 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
Information published. |
ADV990001 Latest Servicing Stack Updates |
Advisory updated to announce new versions of Servicing Stack Updates are available. Please see the FAQ for details. |
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability |
Updated links to security updates. This is an informational change only. |
CVE-2023-38545 Hackerone: CVE-2023-38545 SOCKS5 heap buffer overflow |
Microsoft is announcing that the Windows security updates released on November 14, 2023 include curl 8.4.0, which addresses this vulnerability. Microsoft recommends that customers install the November 14, 2023 updates to ensure they have the most up-to-date version of curl. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action. |
CVE-2023-38039 Hackerone: CVE-2023-38039 HTTP headers eat all memory |
Microsoft is announcing that the Windows security updates released on November 14, 2023 include curl 8.4.0, which addresses this vulnerability. Microsoft recommends that customers install the November 14, 2023 updates to ensure they have the most up-to-date version of curl. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action. |
CVE-2023-38151 Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36719 Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36705 Windows Installer Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36560 ASP.NET Security Feature Bypass Vulnerability |
Information published. |
CVE-2023-36437 Azure DevOps Server Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36428 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability |
Information published. |
CVE-2023-36427 Windows Hyper-V Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36425 Windows Distributed File System (DFS) Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36424 Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36422 Microsoft Windows Defender Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36413 Microsoft Office Security Feature Bypass Vulnerability |
Information published. |
CVE-2023-36410 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Information published. |
CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability |
Information published. |
CVE-2023-36043 Open Management Infrastructure Information Disclosure Vulnerability |
Information published. |
CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36017 Windows Scripting Engine Memory Corruption Vulnerability |
Information published. |
CVE-2023-36007 Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability |
Information published. |
CVE-2023-38177 Microsoft SharePoint Server Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36558 ASP.NET Core - Security Feature Bypass Vulnerability |
Information published. |
CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36408 Windows Hyper-V Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36407 Windows Hyper-V Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36406 Windows Hyper-V Information Disclosure Vulnerability |
Information published. |
CVE-2023-36405 Windows Kernel Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36404 Windows Kernel Information Disclosure Vulnerability |
Information published. |
CVE-2023-36403 Windows Kernel Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36402 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36401 Microsoft Remote Registry Service Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36400 Windows HMAC Key Derivation Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36399 Windows Storage Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36398 Windows NTFS Information Disclosure Vulnerability |
Information published. |
CVE-2023-36397 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36395 Windows Deployment Services Denial of Service Vulnerability |
Information published. |
CVE-2023-36394 Windows Search Service Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36393 Windows User Interface Application Core Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36392 DHCP Server Service Denial of Service Vulnerability |
Information published. |
CVE-2023-36046 Windows Authentication Denial of Service Vulnerability |
Information published. |
CVE-2023-36047 Windows Authentication Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-24023 Mitre: CVE-2023-24023 Bluetooth Vulnerability |
Information published. |
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability |
Information published. |
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability |
Information published. |
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36042 Visual Studio Denial of Service Vulnerability |
Information published. |
CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability |
Information published. |
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability |
Information published. |
CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability |
Information published. |
CVE-2023-36028 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability |
Information published. |
CVE-2023-36030 Microsoft Dynamics 365 Sales Spoofing Vulnerability |
Information published. |
CVE-2023-36031 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Information published. |
CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36021 Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability |
Information published. |
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability |
Information published. |
CVE-2023-36016 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Information published. |
CVE-2023-36018 Visual Studio Code Jupyter Extension Spoofing Vulnerability |
Information published. |
Chromium: CVE-2023-4863 Heap buffer overflow in WebP |
Updated CVE detail with information regarding other Microsoft products affected by this vulnerability. Microsoft recommends updating to the latest version of the products listed in the CVE. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
Microsoft is rereleasing KB5029366 to address the following known issue: Customers who are using Microsoft Visual Studio 2015 Update 3 might receive a "C2471" error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches. Microsoft recommends that customers install the update and remove any workarounds that were applied. For more information see [KB5029366](https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-the-remote-code-execution-vulnerability-in-microsoft-visual-studio-2015-update-3-october-10-2023-kb5029366-7b4ac004-f805-4799-a06b-cebc20348a79). |
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability |
Microsoft is rereleasing KB5029366 to address the following known issue: Customers who are using Microsoft Visual Studio 2015 Update 3 might receive a "C2471" error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches. Microsoft recommends that customers install the update and remove any workarounds that were applied. For more information see [KB5029366](https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-the-remote-code-execution-vulnerability-in-microsoft-visual-studio-2015-update-3-october-10-2023-kb5029366-7b4ac004-f805-4799-a06b-cebc20348a79). |
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability |
Microsoft is rereleasing KB5029366 to address the following known issue: Customers who are using Microsoft Visual Studio 2015 Update 3 might receive a "C2471" error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches. Microsoft recommends that customers install the update and remove any workarounds that were applied. For more information see [KB5029366](https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-the-remote-code-execution-vulnerability-in-microsoft-visual-studio-2015-update-3-october-10-2023-kb5029366-7b4ac004-f805-4799-a06b-cebc20348a79). |
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability |
Microsoft is rereleasing KB5029366 to address the following known issue: Customers who are using Microsoft Visual Studio 2015 Update 3 might receive a "C2471" error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches. Microsoft recommends that customers install the update and remove any workarounds that were applied. For more information see [KB5029366](https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-the-remote-code-execution-vulnerability-in-microsoft-visual-studio-2015-update-3-october-10-2023-kb5029366-7b4ac004-f805-4799-a06b-cebc20348a79). |
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability |
Updated FAQ information. This is an informational change only. |
CVE-2023-36027 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
Information published. |
Chromium: CVE-2023-5996 Use after free in WebAudio |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-36024 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
Information published. |
CVE-2023-36014 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability |
Information published. |
CVE-2022-44687 Raw Image Extension Remote Code Execution Vulnerability |
Updated FAQ information. This is an informational change only. |
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability |
Added FAQ information. This is an informational change only. |
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability |
Added an FAQ. This is an informational change only. |
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability |
Added an FAQ. This is an informational change only. |
Chromium: CVE-2023-5472 Use after free in Profiles |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-44323 Adobe: CVE-2023-44323 Adobe PDF Remote Code Execution Vulnerability |
Information published. |
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability |
Revised the Security Updates table to include PowerShell 7.3 because this version of PowerShell 7 is affected by this vulnerability. See [https://github.com/PowerShell/Announcements/issues/53](https://github.com/PowerShell/Announcements/issues/53) for more information. |
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability |
Revised the Security Updates table to include PowerShell 7.3 because this version of PowerShell 7 is affected by this vulnerability. See [https://github.com/PowerShell/Announcements/issues/52](https://github.com/PowerShell/Announcements/issues/52) for more information. |
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability |
Updated one or more CVSS scores for the affected products. This is an informational change only. |
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability |
Added an FAQ. This is an informational change only. |
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability |
To comprehensively address this vulnerability, Microsoft has released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the September 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the September 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the September 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the September 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the September 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36873 .NET Framework Spoofing Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the August 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability |
In the Security Updates table, added .NET Framework 3.5 and 4.6.2 installed on Windows 10 for 32-bit systems and Windows 10 for x64-based systems; added .NET Framework 3.5 and 4.6.2/4.7/4.7.1/4.7.2 installed on all supported editions of Windows 10 version 1607 and Windows Server 2016 as these versions of .NET Framework are affected by this vulnerability. Microsoft recommends that customers install the August 2023 updates to be fully protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing |
On October 17, 2023, Microsoft released Windows Server 2022, 23H2 Edition (Server Core installation). This version includes the options for administrators to audit client machines that cannot utilize LDAP channel binding tokens via events on Active Directory domain controllers, and includes the capability to enable CBT events 3074 & 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
To comprehensively address this vulnerability, Microsoft has released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. |
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability |
To comprehensively address this vulnerability, Microsoft has released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. |
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability |
To comprehensively address this vulnerability, Microsoft has released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. |
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability |
To comprehensively address CVE-2023-36792, Microsoft has released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio. In addition, the following corrections have been made in the Security Updates table: 1) Added Visual Studio 2022 version 17.6 as it is also affected by this vulnerability. 2) Corrected the Impact to Critical for Visual Studio 2022 version 17.7. |
CVE-2023-36409 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability |
Information published. |
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability |
Added an FAQ. This is an informational change only. |
CVE-2023-38545 MITRE: CVE-2023-38545 SOCKS5 heap buffer overflow |
Updated FAQ #4 information. This is an informational change only. |
CVE-2023-38039 Hackerone: CVE-2023-38039 HTTP headers eat all memory |
Updated FAQ #4 and corrected one or more links in the FAQs. These are informational changes only. |
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Added mitigation. This is an informational change only. |
CVE-2023-36417 Microsoft SQL OLE DB Remote Code Execution Vulnerability |
Updated product information in the Software Update table. This is an informational change only. |
Chromium: CVE-2023-5218 Use after free in Site Isolation |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5473 Use after free in Cast |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5474 Heap buffer overflow in PDF |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5475 Inappropriate implementation in DevTools |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5476 Use after free in Blink History |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5477 Inappropriate implementation in Installer |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5478 Inappropriate implementation in Autofill |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5479 Inappropriate implementation in Extensions API |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5481 Inappropriate implementation in Downloads |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5483 Inappropriate implementation in Intents |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5484 Inappropriate implementation in Navigation |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5485 Inappropriate implementation in Autofill |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5486 Inappropriate implementation in Input |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5487 Inappropriate implementation in Fullscreen |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-36559 Microsoft Edge (Chromium-based) Spoofing Vulnerability |
Information published. |
CVE-2023-44487 MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack |
In the Workarounds section, corrected the font for the DWORD values "EnableHttp2Tls" (TLS as in Transport Layer Security) and EnableHttp2Cleartext for readability. Note that the "I" should be interpreted as "L" and not an "i". |
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability |
Added an FAQ. This is an informational change only. |
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability |
Added an FAQ. This is an informational change only. |
CVE-2022-41113 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
In the Security Updates table corrected the Article and Download links for Windows Server 2022 and Windows Server 2022 (Server Core installation). This is an informational change only. |
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Link |
Updated FAQ information. This is an informational change only. |
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability |
Link |
Updated FAQ information. This is an informational change only. |
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability |
Link |
Updated FAQ information. This is an informational change only. |
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Link |
Updated FAQ information. This is an informational change only. |
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Link |
Updated FAQ information. This is an informational change only. |
CVE-2022-41127 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability |
Link |
Corrected security updates table. This is an informational change only. |
ADV990001 Latest Servicing Stack Updates |
Link |
Advisory updated to announce new versions of Servicing Stack Updates are available. Please see the FAQ for details. |
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability |
Link |
Information published. |
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36585 Active Template Library Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability |
Link |
Information published. |
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability |
Link |
Information published. |
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in September 2023, but the CVE was inadvertently omitted from the September 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Dynamics 365 (on-premises) install the September 2023 updates to be protected from this vulnerability. |
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36417 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-44487 MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack |
Link |
Information published. |
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in July 2023, but the CVE was inadvertently omitted from the July 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Dynamics 365 (on-premises) install the July 2023 updates to be protected from this vulnerability. |
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability |
Link |
Added FAQ information. This is an informational change only. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3 as these versions of Visual Studio are also affected by the vulnerability. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. |
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3 as these versions of Visual Studio are also affected by the vulnerability. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. |
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3 as these versions of Visual Studio are also affected by the vulnerability. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. |
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Updates table, added Microsoft Visual Studio 2013 Update 5 and Visual Studio 2015 Update 3 as these versions of Visual Studio are also affected by the vulnerability. Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. |
CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability |
Link |
Microsoft is announcing the release of the fifth phase of Windows security updates to address this vulnerability. These updates remove support for the registry subkey **KrbtgtFullPacSignature** and remove support for Audit mode. Further, all service tickets without the new PAC signatures will now be denied authentication. Microsoft strongly recommends that customers install the October 2023 updates to be fully protected from this vulnerability, and review [How to manage the Kerberos and Netlogon Protocol changes related to CVE-2022-37967](https://support.microsoft.com/help/5020805) for further information. Customers whose Windows devices are configured to receive automatic updates do not need to take any further action, but should review the article to fully understand the impact of these updates. |
ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing |
Link |
Microsoft is announcing that the October 10, 2023 updates are available for Windows Server 2022 and Windows Server 2022 (Server Core installation) to enable administrators to use events to audit client machines that cannot utilize LDAP channel binding tokens on Active Directory domain controllers. The updates add the capability to enable CBT events 3074 & 3075 with event source **Microsoft-Windows-ActiveDirectory_DomainService** in the Directory Service event log. |
Chromium: CVE-2023-5346 Type Confusion in V8 |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4863 Heap buffer overflow in WebP |
Link |
Updated FAQ information. This is an informational change only. |
Chromium: CVE-2023-4863 Heap buffer overflow in WebP |
Link |
Updated CVE detail with information regarding other Microsoft products affected by this vulnerability. Microsoft recommends updating to the latest version of the products listed in the CVE. |
Chromium: CVE-2023-5217 Heap buffer overflow in vp8 encoding in libvpx |
Link |
Updated CVE detail with information regarding other Microsoft products affected by this vulnerability. This is an informational change only. |
Chromium: CVE-2023-4863 Heap buffer overflow in WebP |
Link |
Updated CVE detail with information regarding other Microsoft products affected by this vulnerability. This is an informational change only. |
Chromium: CVE-2023-1999 Use after free in libwebp |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5217 Heap buffer overflow in vp8 encoding in libvpx |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. Google is aware that an exploit for CVE-2023-5217 exists in the wild. |
Chromium: CVE-2023-5186 Use after free in Passwords |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-5187 Use after free in Extensions |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
Link |
Added an acknowledgement. This is an informational change only. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Update table, corrected Article links for Microsoft .NET Framework 3.5 AND 4.8.1 installed on Windows 11 Version 22H2 for x64-based Systems and Windows 11 Version 22H2 for ARM64-based Systems. This is an informational change only. |
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Update table, corrected Article links for Microsoft .NET Framework 3.5 AND 4.8.1 installed on Windows 11 Version 22H2 for x64-based Systems and Windows 11 Version 22H2 for ARM64-based Systems. This is an informational change only. |
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Update table, corrected Article links for Microsoft .NET Framework 3.5 AND 4.8.1 installed on Windows 11 Version 22H2 for x64-based Systems and Windows 11 Version 22H2 for ARM64-based Systems. This is an informational change only. |
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability |
Link |
In the Security Update table, corrected Article links for Microsoft .NET Framework 3.5 AND 4.8.1 installed on Windows 11 Version 22H2 for x64-based Systems and Windows 11 Version 22H2 for ARM64-based Systems. This is an informational change only. |
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability |
Link |
In the Security Update table, corrected Article links for Microsoft .NET Framework 3.5 AND 4.8.1 installed on Windows 11 Version 22H2 for x64-based Systems and Windows 11 Version 22H2 for ARM64-based Systems. This is an informational change only. |
CVE-2023-29345 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
Link |
Acknowledgement added. This is an informational change only. |
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability |
Link |
In the Security Updates table, added Windows Server 2008 R2 and Windows Server 2012 as these versions of Windows are affected by this vulnerability. Microsoft recommends that customers install the September 2023 updates to be fully protected from this vulnerability. Customers who install the Security Only updates for these versions of Windows Server should also install the IE Cumulative update to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. Also see FAQs for information about the IE Cumulative update. |
CVE-2022-35825 Visual Studio Remote Code Execution Vulnerability |
Link |
Acknowledgement added. This is an informational change only. |
CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability |
Link |
Acknowledgement added. This is an informational change only. |
Chromium: CVE-2023-4900 Inappropriate implementation in Custom Tabs |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4901 Inappropriate implementation in Prompts |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4902 Inappropriate implementation in Input |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4903 Inappropriate implementation in Custom Mobile Tabs |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4904 Insufficient policy enforcement in Downloads |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4905 Inappropriate implementation in Prompts |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4906 Insufficient policy enforcement in Autofill |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4907 Inappropriate implementation in Intents |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4908 Inappropriate implementation in Picture in Picture |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4909 Inappropriate implementation in Interstitials |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-36735 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36727 Microsoft Edge (Chromium-based) Spoofing Vulnerability |
Link |
Information published. |
CVE-2023-36562 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-27909 AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior |
Link |
In the Security Updates table, added all supported versions of 3D Viewer, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise because these products are also affected by this vulnerability. Microsoft strongly recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-27911 AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior |
Link |
In the Security Updates table, added all supported versions of 3D Viewer, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise because these products are also affected by this vulnerability. Microsoft strongly recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. |
CVE-2023-36736 Microsoft Identity Linux Broker Remote Code Execution Vulnerability |
Link |
Updated links to security updates. This is an informational change only. |
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Link |
Added FAQ information. This is an informational change only. |
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability |
Link |
Updated FAQ information. This is an informational change only. |
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Link |
Corrected one or more links in the FAQ. This is an informational change only. |
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability |
Link |
Updated links to security updates. This is an informational change only. |
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Link |
Added FAQ information. This is an informational change only. |
ADV990001 Latest Servicing Stack Updates |
Link |
Advisory updated to announce new versions of Servicing Stack Updates are available. Please see the FAQ for details. |
CVE-2023-35355 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38162 DHCP Server Service Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-38161 Windows GDI Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38152 DHCP Server Service Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-38150 Windows Kernel Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38149 Windows TCP/IP Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-38147 Windows Miracast Wireless Display Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-38146 Windows Themes Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-38144 Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38143 Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38142 Windows Kernel Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38141 Windows Kernel Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-38140 Windows Kernel Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-38139 Windows Kernel Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability |
Link |
Information published. |
CVE-2023-36804 Windows GDI Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36803 Windows Kernel Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36801 DHCP Server Service Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36767 Microsoft Office Security Feature Bypass Vulnerability |
Link |
Information published. |
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36759 Visual Studio Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36758 Visual Studio Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36757 Microsoft Exchange Server Spoofing Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in August 2023, but the CVE was inadvertently omitted from the August 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Exchange Server install the August 2023 updates to be protected from this vulnerability. |
CVE-2023-36756 Microsoft Exchange Server Remote Code Execution Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in August 2023, but the CVE was inadvertently omitted from the August 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Exchange Server install the August 2023 updates to be protected from this vulnerability. |
CVE-2023-36745 Microsoft Exchange Server Remote Code Execution Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in August 2023, but the CVE was inadvertently omitted from the August 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Exchange Server install the August 2023 updates to be protected from this vulnerability. |
CVE-2023-36744 Microsoft Exchange Server Remote Code Execution Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in August 2023, but the CVE was inadvertently omitted from the August 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Exchange Server install the August 2023 updates to be protected from this vulnerability. |
CVE-2023-36742 Visual Studio Code Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36736 Microsoft Identity Linux Broker Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-41764 Microsoft Office Spoofing Vulnerability |
Link |
Information published. |
CVE-2022-41303 AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior |
Link |
Information published. |
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-33136 Azure DevOps Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36886 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Link |
Information published. |
CVE-2023-38164 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Link |
Information published. |
CVE-2023-38163 Windows Defender Attack Surface Reduction Security Feature Bypass |
Link |
Information published. |
CVE-2023-38160 Windows TCP/IP Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-38155 Azure DevOps Server Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability |
Link |
Information published. |
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability |
Link |
Information published. |
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36777 Microsoft Exchange Server Information Disclosure Vulnerability |
Link |
Information published. This CVE was addressed by updates that were released in August 2023, but the CVE was inadvertently omitted from the August 2023 Security Updates. Microsoft strongly recommends that customers running affected versions of Microsoft Exchange Server install the August 2023 updates to be protected from this vulnerability. |
CVE-2023-36773 3D Builder Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36772 3D Builder Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36771 3D Builder Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36770 3D Builder Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36764 Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Link |
Information published. |
CVE-2023-36763 Microsoft Outlook Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36762 Microsoft Word Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability |
Link |
Information published. |
CVE-2023-36760 3D Viewer Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-39956 Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36740 3D Viewer Remote Code Execution Vulnerability |
Link |
Information published. |
CVE-2023-36739 3D Viewer Remote Code Execution Vulnerability |
Link |
Information published. |
Chromium: CVE-2023-4863 Heap buffer overflow in WebP |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-32051 Raw Image Extension Remote Code Execution Vulnerability |
Link |
Added acknowledgements. This is an informational change only. |
CVE-2023-24936 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability |
Link |
Updated links to security updates. This is an informational change only. |
Chromium: CVE-2023-4761 Out of bounds memory access in FedCM |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4762 Type Confusion in V8 |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4763 Use after free in Networks |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
Chromium: CVE-2023-4764 Incorrect security UI in BFCache |
Link |
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2023) for more information. |
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability |
Link |
Updated product information in the Software Update table. This is an informational change only. |
CVE-2022-26928 Windows Photo Import API Elevation of Privilege Vulnerability |
Link |
Updated the links to the Windows Update Catalog. This is an informational change only. |
CVE-2022-29900 AMD: CVE-2022-29900 AMD CPU Branch Type Confusion |
Link |
Updated the links to the Windows Update Catalog. This is an informational change only. |
CVE-2023-24872 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability |
Link |
Updated the links to the Windows Update Catalog. This is an informational change only. |