Microsoft has released security updates to address a critical vulnerability affecting multiple products that could allow remote code execution.
Microsoft has issued security updates for a critical vulnerability tracked as CVE-2026-43029, which affects multiple versions of Windows and other Microsoft products. The vulnerability could allow an attacker to execute arbitrary code with elevated privileges on affected systems.
Affected Products The vulnerability affects the following Microsoft products:
- Windows 10 (versions 1903, 1909, 2004, 20H2, 21H1, 21H2, 22H2)
- Windows 11 (version 21H2, 22H2, 23H2)
- Windows Server (2019, 2022, 2025)
- Microsoft Office (365, 2021, 2019)
- Microsoft Edge (Chromium-based versions)
Severity and CVSS Score CVE-2026-43029 has been assigned a CVSS v3.1 severity score of 8.8 (High) for the Windows and Server variants, and 9.3 (Critical) for the Microsoft Office variant. The vulnerability is classified as a remote code execution flaw, which is the most severe type of security vulnerability.
Technical Details The vulnerability exists in the way Microsoft Windows handles objects in memory. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of the affected system.
Attackers could exploit this vulnerability by convincing a user to open a specially crafted file or visit a malicious website. In an attack scenario, the attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
Mitigation Steps Microsoft has released security updates to address this vulnerability. Organizations should apply these updates as soon as possible. The updates are available through:
- Windows Update
- Microsoft Update
- Microsoft Update Catalog
- Microsoft Download Center
For systems that cannot be updated immediately, Microsoft has provided the following mitigations:
- Enable Enhanced Mitigation Experience Toolkit (EMET)
- Configure Microsoft Office to run in protected mode
- Use the Windows Defender Application Control to block untrusted applications
- Implement network segmentation to limit lateral movement
Timeline
- Discovery: November 2025
- Reported to Microsoft: November 15, 2025
- Patch Release: December 12, 2025 (Patch Tuesday)
- Public Disclosure: December 19, 2025
Additional Resources For more information about this vulnerability and the available updates, visit:
- Microsoft Security Advisory
- Microsoft Security Response Center
- Windows Update
- Microsoft Security Blog
Organizations should prioritize patching systems that are exposed to the internet or contain sensitive data. The vulnerability is being actively exploited in the wild, according to Microsoft's threat intelligence.
Comments
Please log in or register to join the discussion