
Microsoft addresses 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the NSA. 9 patches were rated as critical, and 108 patches were rated as important.
This month’s update includes patches for:
- .NET Framework
- Active Directory Domain Services
- Azure SDK
- Azure Site Recovery
- LDAP – Lightweight Directory Access Protocol
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Windows ALPC
- Microsoft Windows Codecs Library
- Microsoft Windows Media Foundation
- Power BI
- Role: DNS Server
- Role: Windows Hyper-V
- Skype for Business
- Visual Studio
- Visual Studio Code
- Windows Ancillary Function Driver for WinSock
- Windows App Store
- Windows AppX Package Manager
- Windows Cluster Client Failover
- Windows Cluster Shared Volume (CSV)
- Windows Common Log File System Driver
- Windows Defender
- Windows DWM Core Library
- Windows Endpoint Configuration Manager
- Windows Fax Compose Form
- Windows Feedback Hub
- Windows File Explorer
- Windows File Server
- Windows Installer
- Windows iSCSI Target Service
- Windows Kerberos
- Windows Kernel
- Windows Local Security Authority Subsystem Service
- Windows Media
- Windows Network File System
- Windows PowerShell
- Windows Print Spooler Components
- Windows RDP
- Windows Remote Procedure Call Runtime
- Windows schannel
- Windows SMB
- Windows Telephony Server
- Windows Upgrade Assistant
- Windows User Profile Service
- Windows Win32K
- Windows Work Folder Service
- YARP reverse proxy

Windows Common Log File System Driver EoP Vulnerabilities
CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP flaws like this one are leveraged post-authentication after an attacker has successfully accessed a vulnerable system, to gain higher permissions. According to Microsoft, this flaw has been exploited in the wild as a zero-day, though we do not have any additional details about its exploitation. CVE-2022-24481 is another EoP in the CLFS driver that received the same CVSSv3 score of 7.8 and Exploitation is More Likely. However, it is not a zero-day.
Windows User Profile Service EoP Vulnerability
CVE-2022-26904 is an EoP vulnerability in the Windows User Profile service with a risk score of 7.0, which rates its severity as important. The attack complexity for this flaw is considered high because it requires an attacker to win a race condition and the level of exploitation is More Likely. This is the second of two zero-days addressed this month, as details about this vulnerability were publicly disclosed prior to a patch being made available.
Windows Network File System RCE Vulnerability
CVE-2022-24491 is a critical RCE vulnerability in the Windows Network File System (NFS) that received a risk score of 9.8 and a rating of More Likely. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are at risk for exploitation; however, organizations should still apply the patch to all systems to ensure they are protected.
Remote Procedure Call Runtime RCE Vulnerability
CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. It received a risk score of 9.8. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted RPC call to an RPC host. Patching is the best approach to fully address this vulnerability; however, if patching is not feasible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to mitigate attempts to exploit this flaw.
Windows DNS Server RCE Vulnerabilities
CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services that both received a risk score of 6.6 and exploitation is Less Likely which may be tied to the higher attack complexity and required permissions. To successfully exploit this flaw, an attacker on the target network with permissions to query the domain name service must win a race condition. Only if they perfectly time exploitation of this vulnerability, can they achieve RCE. Patches have been released for supported versions for Windows Server and Windows Server Core installations.
15 EoP Vulnerabilities in Windows Print Spooler
Microsoft patched 15 EoP vulnerabilities in Print Spooler components all of which received a 7.8 risk score. Microsoft rates these vulnerabilities as Exploitation Less Likely, attackers have exploited EoP flaws in Print Spooler in the past.
- CVE-2022-26803
- CVE-2022-26786
- CVE-2022-26787
- CVE-2022-26789
- CVE-2022-26790
- CVE-2022-26791
- CVE-2022-26802
- CVE-2022-26792
- CVE-2022-26797
- CVE-2022-26795
- CVE-2022-26796
- CVE-2022-26798
- CVE-2022-26801
- CVE-2022-26793
- CVE-2022-26794
In the coming weeks, versions of the.NET Framework and Windows 10 will stop receiving updates and support. On April 26, .NET Framework 4.5.2, 4.6, or 4.6.1 will reach the end of support due to their use of the less secure (SHA-1). On May 10, Windows 10 version 20H2 will reach the end of service. Users are urged to update to more recent versions to ensure they continue receiving important security updates.
Microsoft is planning a change that could mean an end to Patch Tuesday. Windows Autopatch, as mentioned by Microsoft the automatic Windows and Office software update service will be rolled out to enterprise clients to make sure they have access to security fixes more quickly, rather than waiting for one monthly update, except for emergency out-of-schedule releases. We could see the development in Q3 2022.
Chromium Edge Browser Updates
CVE Number | Name of Vulnerability |
CVE-2022-1125 | Chromium: CVE-2022-1125 Use after free in Portals |
CVE-2022-1127 | Chromium: CVE-2022-1127 Use after free in QR Code Generator |
CVE-2022-1128 | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API |
CVE-2022-1129 | Chromium: CVE-2022-1129 Inappropriate implementation in Full-Screen Mode |
CVE-2022-1130 | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP |
CVE-2022-1131 | Chromium: CVE-2022-1131 Use after free in Cast UI |
CVE-2022-1133 | Chromium: CVE-2022-1133 Use after free in WebRTC |
CVE-2022-1134 | Chromium: CVE-2022-1134 Type Confusion in V8 |
CVE-2022-1135 | Chromium: CVE-2022-1135 Use after free in Shopping Cart |
CVE-2022-1136 | Chromium: CVE-2022-1136 Use after free in Tab Strip |
CVE-2022-1137 | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions |
CVE-2022-1138 | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor |
CVE-2022-1139 | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API |
CVE-2022-1143 | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI |
CVE-2022-1145 | Chromium: CVE-2022-1145 Use after free in Extensions |
CVE-2022-1146 | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing |
CVE-2022-1232 | Chromium: CVE-2022-1232 Type Confusion in V8 |
CVE-2022-24475 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-24523 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
CVE-2022-26891 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-26894 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-26895 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-26900 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-26908 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-26909 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |
CVE-2022-26912 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability |