www.belgium.be Logo of the federal government

Microsoft Patch Tuesday April 2022

Advisory #2022-008
Affected software: 
Windows Client 7, 8.1, 10 and 11
Windows Server 2008, 2012, 2012 R2 and 2022
.NET Framework
Azure SDK
Microsoft Office (Excel, Sharepoint)
Microsoft Edge (Chromium-based)
Windows Kernel
Windows Hyper-V
Windows Defender
Windows RDP
Windows SMB
Windows Powershell
For more exhaustive information consult the release notes on: https://msrc.microsoft.com/update-guide/releaseNote/2022-Apr
Several types, ranging from spoofing to privilege escalation and remote code execution.

9 vulnerabilities are rated as critical and 108 vulnerabilities are rated as important.

Elevation of privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 39.3%. In the minor categories, we have information disclosure (11,1%) followed by denial of service 7,7% and finally spoofing (2,6%).




This month’s Patch Tuesday includes 9 critical and 108 important vulnerabilities for a wide range of Microsoft products, impacting Microsoft Server and Workstations.




Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday”, and contain security fixes for Microsoft devices and software.

This month’s release covers 117 vulnerabilities. Nine vulnerabilities are marked as critical and 108 as important (see below for a quick selection of the most concerning ones, critical vulnerabilities should always be considered as concerning). Some are more likely to be exploited in the near future and urgent patching is advised.

CVE-2022-24521 and CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP flaws like this one are leveraged post-authentication, after an attacker has successfully accessed a vulnerable system, to gain higher permissions. According to Microsoft, this flaw has been exploited in the wild as a zero-day. CVE-2022-24481 is another EoP in the CLFS driver that received the same CVSSv3 score of 7.8 and was rated «  Exploitation More Likely »  according to Microsoft’s Exploitability Index. However, it is not a zero-day.


CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability

CVE-2022-26904 is an EoP vulnerability in the Windows User Profile service. It received a CVSSv3 score of 7.0, which rates its severity as important. The attack complexity for this flaw is considered high because it « requires an attacker to win a race condition ». Despite the higher complexity, it is still considered as « Exploitation More Likely ». This is the second of two zero-days addressed this month.

CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability

CVE-2022-24491 is a critical RCE vulnerability in the Windows Network File System (NFS) that received a CVSSv3 score of 9.8 and a rating of « Exploitation More Likely ». An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are at risk for exploitation.

CVE-2022-26809 | Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. It received a CVSSv3 score of 9.8. An unauthenticated, remote attacker could exploit this vulnerability by sending « a specially crafted RPC call to an RPC host ». Patching is the best approach to fully address this vulnerability; however, if patching is not feasible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to mitigate attempts to exploit this flaw. Despite applying this mitigation, systems could “still be vulnerable to attacks from within their enterprise perimeter.”

CVE-2022-26817 and CVE-2022-26814 | Windows DNS Server Remote Code Execution Vulnerabilities

CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services that both received a CVSSv3 score of 6.6 and were discovered by Yuki Chen with Cyber KunLun. Exploitation of this vulnerability is rated « Less Likely » which may be tied to the higher attack complexity and required permissions. To successfully exploit this flaw, an attacker on the target network with permissions to query the domain name service must win a race condition. Only if they perfectly time exploitation of this vulnerability, can they achieve RCE.

Recommended Actions

The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.