Patch Tuesday
Microsoft Patch Tuesday – December 2025
9 min. read
09/12/2025
By Esben Dochy
Contents
⚡ TL;DR | Go Straight to the December 2025 Patch Tuesday Audit Report
Patch Tuesday is once again upon us. As always, our team has put together the monthly Patch Tuesday Report to help you manage your update progress. The audit report gives you a quick and clear overview of your Windows machines and their patching status. The December 2025 edition of Patch Tuesday brings us 132 fixes, with 2 rated as critical, 1 of which is actively exploited. However, most of the fixes are part of Microsoft’s own Linux distribution. We’ve listed the most important changes below.
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
The only exploited vulnerability this month is CVE-2025-62221. This vulnerability is a use-after-free bug in the Windows Cloud Files Mini Filter Driver that allows a local, already-authenticated attacker with low privileges to elevate to full SYSTEM rights.
Microsoft Office Remote Code Execution Vulnerabilities
CVE-2025-62557 and CVE-2025-62554 are the two critically rated vulnerabilities this month. In both cases, an unauthenticated attacker can send a malicious link (for example via email or instant messaging) and potentially achieve code execution on the victim’s machine without user interaction, with the Preview Pane also acting as an attack vector.
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2025-64666 is an elevation of privilege vulnerability in Microsoft Exchange Server caused by improper input validation, allowing an authenticated low-privilege user to gain administrator rights over the network. It’s rated Important with high impact on confidentiality, integrity, and availability, but Microsoft currently assesses exploitation as “less likely,” with no public disclosure or known in-the-wild attacks. An official fix is available; for Exchange 2016/2019 this is only provided through the Extended Security Update (ESU) program, so non-ESU customers should migrate to Exchange Server Subscription Edition to remain protected.
Run the Patch Tuesday December 2025 Audit
To help manage your update progress, we’ve created the Patch Tuesday Audit that checks if the assets in your network are on the latest patch updates. The report has been color-coded to see which machines are up-to-date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.
The Lansweeper Patch Tuesday report is automatically added to your Lansweeper Site. Lansweeper Sites is included in all our licenses without any additional cost and allows you to federate all your installations into one single view so all you need to do is look at one report, automatically added every patch Tuesday!
Patch Tuesday December 2025 CVE Codes & Titles
| CVE Number | CVE Title |
| CVE-2025-66476 | Vim for Windows Uncontrolled Search Path Element Remote Code Execution Vulnerability |
| CVE-2025-66293 | LIBPNG has an out-of-bounds read in png_image_read_composite |
| CVE-2025-66221 | Werkzeug safe_join() allows Windows special device names |
| CVE-2025-66200 | Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo |
| CVE-2025-65637 | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. |
| CVE-2025-65082 | Apache HTTP Server: CGI environment variable override |
| CVE-2025-64680 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2025-64679 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2025-64678 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-64673 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability |
| CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability |
| CVE-2025-64670 | Windows DirectX Information Disclosure Vulnerability |
| CVE-2025-64667 | Microsoft Exchange Server Spoofing Vulnerability |
| CVE-2025-64666 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| CVE-2025-64661 | Windows Shell Elevation of Privilege Vulnerability |
| CVE-2025-64658 | Windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| CVE-2025-62572 | Application Information Service Elevation of Privilege Vulnerability |
| CVE-2025-62571 | Windows Installer Elevation of Privilege Vulnerability |
| CVE-2025-62570 | Windows Camera Frame Server Monitor Information Disclosure Vulnerability |
| CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-62567 | Windows Hyper-V Denial of Service Vulnerability |
| CVE-2025-62565 | Windows File Explorer Elevation of Privilege Vulnerability |
| CVE-2025-62564 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-62563 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-62562 | Microsoft Outlook Remote Code Execution Vulnerability |
| CVE-2025-62561 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-62560 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-62559 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2025-62558 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-62556 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-62555 | Microsoft Word Remote Code Execution Vulnerability |
| CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability |
| CVE-2025-62553 | Microsoft Excel Remote Code Execution Vulnerability |
| CVE-2025-62552 | Microsoft Access Remote Code Execution Vulnerability |
| CVE-2025-62550 | Azure Monitor Agent Remote Code Execution Vulnerability |
| CVE-2025-62549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| CVE-2025-62474 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |
| CVE-2025-62473 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| CVE-2025-62472 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |
| CVE-2025-62470 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| CVE-2025-62468 | Windows Defender Firewall Service Information Disclosure Vulnerability |
| CVE-2025-62467 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62466 | Windows Client-Side Caching Elevation of Privilege Vulnerability |
| CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability |
| CVE-2025-62464 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability |
| CVE-2025-62462 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62461 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability |
| CVE-2025-62457 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62456 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability |
| CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability |
| CVE-2025-62454 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| CVE-2025-61729 | Excessive resource consumption when printing error string for host certificate validation in crypto/x509 |
| CVE-2025-61727 | Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 |
| CVE-2025-61724 | Excessive CPU consumption in Reader.ReadResponse in net/textproto |
| CVE-2025-59775 | Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF |
| CVE-2025-59517 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-59516 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| CVE-2025-58188 | Panic when validating certificates with DSA public keys in crypto/x509 |
| CVE-2025-55233 | Windows Projected File System Elevation of Privilege Vulnerability |
| CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability |
| CVE-2025-40324 | NFSD: Fix crash in nfsd4_read_release() |
| CVE-2025-40323 | fbcon: Set fb_display[i]->mode to NULL when the mode is released |
| CVE-2025-40322 | fbdev: bitblit: bound-check glyph index in bit_putcs* |
| CVE-2025-40321 | wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode |
| CVE-2025-40319 | bpf: Sync pending IRQ work before freeing ring buffer |
| CVE-2025-40317 | regmap: slimbus: fix bus_context pointer in regmap init calls |
| CVE-2025-40315 | usb: gadget: f_fs: Fix epfile null pointer access after ep enable. |
| CVE-2025-40314 | usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget |
| CVE-2025-40313 | ntfs3: pretend $Extend records as regular files |
| CVE-2025-40312 | jfs: Verify inode mode when loading from disk |
| CVE-2025-40311 | accel/habanalabs: support mapping cb with vmalloc-backed coherent memory |
| CVE-2025-40310 | amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw |
| CVE-2025-40309 | Bluetooth: SCO: Fix UAF on sco_conn_free |
| CVE-2025-40308 | Bluetooth: bcsp: receive data only if registered |
| CVE-2025-40307 | exfat: validate cluster allocation bits of the allocation bitmap |
| CVE-2025-40306 | orangefs: fix xattr related buffer overflow… |
| CVE-2025-40305 | 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN |
| CVE-2025-40304 | fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds |
| CVE-2025-40303 | btrfs: ensure no dirty metadata is written back for an fs with errors |
| CVE-2025-40301 | Bluetooth: hci_event: validate skb length for unknown CC opcode |
| CVE-2025-40297 | net: bridge: fix use-after-free due to MST port state bypass |
| CVE-2025-40294 | Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() |
| CVE-2025-40293 | iommufd: Don’t overflow during division for dirty tracking |
| CVE-2025-40292 | virtio-net: fix received length check in big packets |
| CVE-2025-40289 | drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM |
| CVE-2025-40288 | drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices |
| CVE-2025-40287 | exfat: fix improper check of dentry.stream.valid_size |
| CVE-2025-40286 | smb/server: fix possible memory leak in smb2_read() |
| CVE-2025-40285 | smb/server: fix possible refcount leak in smb2_sess_setup() |
| CVE-2025-40284 | Bluetooth: MGMT: cancel mesh send timer when hdev removed |
| CVE-2025-40283 | Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF |
| CVE-2025-40282 | Bluetooth: 6lowpan: reset link-local header on ipv6 recv path |
| CVE-2025-40281 | sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto |
| CVE-2025-40280 | tipc: Fix use-after-free in tipc_mon_reinit_self(). |
| CVE-2025-40279 | net: sched: act_connmark: initialize struct tc_ife to fix kernel leak |
| CVE-2025-40278 | net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak |
| CVE-2025-40277 | drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE |
| CVE-2025-40275 | ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd |
| CVE-2025-40273 | NFSD: free copynotify stateid in nfs4_free_ol_stateid() |
| CVE-2025-40272 | mm/secretmem: fix use-after-free race in fault handler |
| CVE-2025-40269 | ALSA: usb-audio: Fix potential overflow of PCM transfer buffer |
| CVE-2025-40268 | cifs: client: fix memory leak in smb3_fs_context_parse_param |
| CVE-2025-40263 | Input: cros_ec_keyb – fix an invalid memory access |
| CVE-2025-40262 | Input: imx_sc_key – fix memory corruption on unload |
| CVE-2025-40253 | s390/ctcm: Fix double-kfree |
| CVE-2025-40245 | nios2: ensure that memblock.current_limit is set when setting pfn limits |
| CVE-2025-40244 | hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() |
| CVE-2025-40243 | hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() |
| CVE-2025-40242 | gfs2: Fix unlikely race in gdlm_put_lock |
| CVE-2025-40233 | ocfs2: clear extent cache after moving/defragmenting extents |
| CVE-2025-40223 | most: usb: Fix use-after-free in hdm_disconnect |
| CVE-2025-40218 | mm/damon/vaddr: do not repeat pte_offset_map_lock() until success |
| CVE-2025-40217 | pidfs: validate extensible ioctls |
| CVE-2025-34297 | KissFFT Integer Overflow Heap Buffer Overflow via kiss_fft_alloc |
| CVE-2025-13837 | Out-of-memory when loading Plist |
| CVE-2025-13836 | Excessive read buffering DoS in http.client |
| CVE-2025-12638 | Path Traversal Vulnerability in keras-team/keras via Tar Archive Extraction in keras.utils.get_file() |
| CVE-2025-12385 | Improper validation of <img> tag size in Text component parser |
| CVE-2025-12084 | Quadratic complexity in node ID cache clearing |
| CVE-2023-53749 | x86: fix clear_user_rep_good() exception handling annotation |
| CVE-2023-53261 | coresight: Fix memory leak in acpi_buffer->pointer |
| CVE-2023-53231 | erofs: Fix detection of atomic context |
| CVE-2022-50316 | orangefs: Fix kmemleak in orangefs_sysfs_init() |
| CVE-2022-24736 | A Malformed Lua script can crash Redis |
| CVE-2022-24735 | Lua scripts can be manipulated to overcome ACL rules in Redis |
NO CREDIT CARD REQUIRED
Ready to get started?
You’ll be up and running in no time.
Explore all our features, free for 14 days.