38 CVEs addressed through the May 2023 Patch Tuesday Release

Key notes

  • Not such a busy month for a Microsoft Patch Tuesday release, with 38 CVEs.
  • Out of all the CVEs, seven are rated Critical and 31 are rated Important in severity.
  • We've included each and every one in this article, with direct links as well.

It’s May already and everyone is looking towards Microsoft, in hopes that some of the flaws they’ve been struggling with will finally get fixed.

We’ve already provided the direct download links for the cumulative updates released today for Windows 10 and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.

This month, the Redmond tech giant released 38 new patches, which is a lot less than some people were expecting right after Easter.

These software updates address CVEs in:

  • Microsoft Windows and Windows Components
  • .NET and Visual Studio
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Office and Office Components
  • Windows Hyper-V
  • Windows Authentication Methods
  • BitLocker
  • Windows Cluster Shared Volume (CSV)
  • Remote Desktop Client
  • Windows Network File System
  • NTFS
  • Windows Point-to-Point Tunneling Protocol

For May, Microsoft only released 38 new patches, which is still a lot less than some people were expecting for the fifth month of 2023.

One of Microsoft’s lightest months with only 38 updates

Not the busiest but also not the lightest month for Microsoft security experts, so we can relax a bit right before the summer.

You might like to know that, out of the 38 new CVEs released, seven are rated Critical and 31 are rated Important in severity.

As many of you probably already know, May is always a smaller month for fixes historically, but this month’s volume is the lowest since August 2021.

Know that one of the new CVEs is listed as under active attack and two are listed as publicly known at the time of release.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical | 8.1 | Yes | No | RCE |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important | 6.7 | Yes | No | SFB |
| CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 7.2 | No | No | RCE |
| CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-29324 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Critical | 7.5 | No | No | EoP |
| CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | Important | 3.3 | No | No | DoS |
| CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28290 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | Important | 5 | No | No | Info |
| CVE-2023-24902 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24946 | Windows Backup Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24948 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
| CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2023-24899 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24949 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | Important | 5.9 | No | No | Info |
| CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate | 4.7 | No | No | SFB |
| CVE-2023-2459 * | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts | Medium | N/A | No | No | RCE |
| CVE-2023-2460 * | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions | Medium | N/A | No | No | RCE |
| CVE-2023-2462 * | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts | Medium | N/A | No | No | RCE |
| CVE-2023-2463 * | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode | Medium | N/A | No | No | RCE |
| CVE-2023-2464 * | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture | Medium | N/A | No | No | RCE |
| CVE-2023-2465 * | Chromium: CVE-2023-2465 Inappropriate implementation in CORS | Medium | N/A | No | No | RCE |
| CVE-2023-2466 * | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts | Low | N/A | No | No | RCE |
| CVE-2023-2467 * | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts | Low | N/A | No | No | RCE |
| CVE-2023-2468 * | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture | Low | N/A | No | No | RCE |

Let’s take a closer look at CVE-2023-29336, as it’s the one bug listed as being under active attack at the time of release.

You would have to go all the way back to May of last year to find a month where there wasn’t at least one Microsoft bug under active attack.

In fact, this type of privilege escalation is usually combined with a code execution bug to spread malware, so we advise caution.

Moving on to CVE-2023-29325, we learn that while the title says OLE when it comes to this bug, the real component to worry about is Outlook.

Please note that this vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail.

The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message, and while Outlook is the more likely exploit vector, other Office applications are also impacted.

Microsoft mentioned that this is one of the publicly known bugs patched this month and has been widely discussed on Twitter.

CVE-2023-24941 has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges.

And the worst part is that no user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not in versions NFSv2.0 or NFSv3.0.

Rest assured that you can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed.
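One way to check a Windows Server host for this exposure and apply the downgrade, shown as an added example that is not from the article or from Microsoft. The `-May2022PatchConfirmed` and `-Apply` switches are hypothetical script parameters, and the article gives no KB number for the May 2022 fix, so that precondition is left to the operator to confirm.

```powershell
# Added example: audit Server for NFS protocol versions and, on request,
# disable NFSv4.1 as the interim mitigation for CVE-2023-24941.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: operator asserts the CVE-2022-26937 fix (May 2022)
    # is installed. Without it, falling back to NFSv2/v3 is not safe.
    [switch]$May2022PatchConfirmed,
    # Hypothetical switch: actually change the configuration (default is audit only).
    [switch]$Apply
)

# Server for NFS is an optional role service; hosts without it are not exposed.
$feature = Get-WindowsFeature -Name FS-NFS-Service
if (-not $feature.Installed) {
    Write-Output 'Server for NFS is not installed; nothing to mitigate on this host.'
    return
}

$cfg = Get-NfsServerConfiguration
Write-Output ('NFSv2={0} NFSv3={1} NFSv4.1={2}' -f `
    $cfg.EnableNFSV2, $cfg.EnableNFSV3, $cfg.EnableNFSV4)

if (-not $cfg.EnableNFSV4) {
    Write-Output 'NFSv4.1 is already disabled.'
    return
}

if (-not $Apply) {
    Write-Output 'NFSv4.1 is enabled. Install the May 2023 update, or re-run with -Apply to disable it.'
    return
}

if (-not $May2022PatchConfirmed) {
    throw 'Refusing to downgrade: confirm the CVE-2022-26937 fix is installed (-May2022PatchConfirmed).'
}

if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable NFSv4.1 and restart Server for NFS')) {
    # Clients that mount over NFSv4.1 will need to remount using NFSv3.
    Set-NfsServerConfiguration -EnableNFSV2 $true -EnableNFSV3 $true -EnableNFSV4 $false
    nfsadmin server stop
    nfsadmin server start
}
```

Re-enable NFSv4.1 with `-EnableNFSV4 $true` once the May 2023 update is installed.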

Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that looks identical to the PGM bug patched last month.

It’s important to know that this could indicate a failed patch or, more likely, a wide attack surface in PGM that is just starting to be explored.

There are also patches for Critical-rated bugs in the LDAP and SSTP protocols and an intriguing bug in MSHTML that could allow a remote attacker to escalate to administrator privileges.

The Redmond tech giant doesn’t provide details here, but they do note some level of privileges is required.

The next Patch Tuesday rollout will be on May 10th, so don’t get too comfortable with the current state of affairs, as it might change sooner than you think.
