The first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.

The majority of this month’s patched vulnerabilities, such as CVE-2022-21857 (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in.

Critical RCEs

Besides CVE-2021-22947 (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is CVE-2021-21907, affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially “wormable” by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for CVE-2021-31166).

Not quite as bad is CVE-2022-21840, which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website – thankfully the Windows preview pane is not a vector for this attack.

CVE-2022-21846 affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be “adjacent” to the target system in terms of network topology). This restriction also applies to CVE-2022-21855 and CVE-2022-21969, two less severe RCEs in Exchange this month.

CVE-2022-21912 and CVE-2022-21898 both affect DirectX Graphics and require local access. CVE-2022-21917 is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.

Defenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.

Summary charts

Summary tables

Browser vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21930 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 4.2 Yes
CVE-2022-21931 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 4.2 Yes
CVE-2022-21929 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 2.5 Yes
CVE-2022-21954 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 6.1 Yes
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 6.1 Yes
CVE-2022-0120 Chromium: CVE-2022-0120 Inappropriate implementation in Passwords No No nan Yes
CVE-2022-0118 Chromium: CVE-2022-0118 Inappropriate implementation in WebShare No No nan Yes
CVE-2022-0117 Chromium: CVE-2022-0117 Policy bypass in Service Workers No No nan Yes
CVE-2022-0116 Chromium: CVE-2022-0116 Inappropriate implementation in Compositing No No nan Yes
CVE-2022-0115 Chromium: CVE-2022-0115 Uninitialized Use in File API No No nan Yes
CVE-2022-0114 Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial No No nan Yes
CVE-2022-0113 Chromium: CVE-2022-0113 Inappropriate implementation in Blink No No nan Yes
CVE-2022-0112 Chromium: CVE-2022-0112 Incorrect security UI in Browser UI No No nan Yes
CVE-2022-0111 Chromium: CVE-2022-0111 Inappropriate implementation in Navigation No No nan Yes
CVE-2022-0110 Chromium: CVE-2022-0110 Incorrect security UI in Autofill No No nan Yes
CVE-2022-0109 Chromium: CVE-2022-0109 Inappropriate implementation in Autofill No No nan Yes
CVE-2022-0108 Chromium: CVE-2022-0108 Inappropriate implementation in Navigation No No nan Yes
CVE-2022-0107 Chromium: CVE-2022-0107 Use after free in File Manager API No No nan Yes
CVE-2022-0106 Chromium: CVE-2022-0106 Use after free in Autofill No No nan Yes
CVE-2022-0105 Chromium: CVE-2022-0105 Use after free in PDF No No nan Yes
CVE-2022-0104 Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE No No nan Yes
CVE-2022-0103 Chromium: CVE-2022-0103 Use after free in SwiftShader No No nan Yes
CVE-2022-0102 Chromium: CVE-2022-0102 Type Confusion in V8 No No nan Yes
CVE-2022-0101 Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks No No nan Yes
CVE-2022-0100 Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API No No nan Yes
CVE-2022-0099 Chromium: CVE-2022-0099 Use after free in Sign-in No No nan Yes
CVE-2022-0098 Chromium: CVE-2022-0098 Use after free in Screen Capture No No nan Yes
CVE-2022-0097 Chromium: CVE-2022-0097 Inappropriate implementation in DevTools No No nan Yes
CVE-2022-0096 Chromium: CVE-2022-0096 Use after free in Storage No No nan Yes

Developer Tools vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21911 .NET Framework Denial of Service Vulnerability No No 7.5 No

ESU Windows vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability No No 5.3 No
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability No Yes 7 No
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability No No 4.6 Yes
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability No No 4.6 Yes
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability No No 5.5 No
CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability No No 5.5 Yes
CVE-2022-21836 Windows Certificate Spoofing Vulnerability No Yes 7.8 Yes
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability No No 5.3 No
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass No No 5.3 No
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability No No 8.8 Yes

Exchange Server vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9 Yes

Microsoft Dynamics vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability No No 7.6 No
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability No No 7.6 No

Microsoft Office vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited Publicly disclosed CVSSv3 base Additional FAQ
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability No Yes 7.8 No
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.8 Yes
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.4 Yes
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 6.3 Yes
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability No No 7 No
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability No No 5.5 No
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability No No 9 Yes
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability No No 6.5 No
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability No Yes 6.1 No
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability No No 4.4 No
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability No No 5.5 No
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21876 Win32k Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21882 Win32k Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21887 Win32k Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability No No 4.4 No
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-22947 Open Source Curl Remote Code Execution Vulnerability No Yes nan Yes
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-36976 Libarchive Remote Code Execution Vulnerability No Yes nan Yes
CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability No No 7.8 No
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability No No 6.5 No
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability No No 7 No
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability No No 7 No