Patch Tuesday October 2022: 85 patches released by Microsoft

Reading time icon 8 min. read


Readers help support Windows Report. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help Windows Report effortlessly and without spending any money. Read more

Key notes

  • Check out the entire list of updates released via this month's Patch Tuesday event.
  • October 2022 comes with a whopping 64 new updates for various Windows CVEs.
  • Out of all the CVEs, 15 are rated Critical, 69 are Important, and one is  Moderate.
patch tuesday

It’s almost the end of 2022 and we’ve already reached October, which means the temperatures are slowly but surely starting to drop, so we can get our winter coats out.

Furthermore, it’s the second Tuesday of the month, which means that Windows users are looking towards Microsoft in hopes that some of the flaws they’ve been struggling with will finally get fixed.

We’ve already provided the direct download links for the cumulative updates released today for Windows 7, 8.1, 10, and 11, but now it’s time to talk about Critical Vulnerabilities and Exposures again.

For October, Microsoft released 85 new patches, which is a lot more than some people were expecting in the middle of autumn.

These software updates address CVEs in:

  • Microsoft Windows and Windows Components
  • Azure, Azure Arc, and Azure DevOps
  • Microsoft Edge (Chromium-based)
  • Office and Office Components
  • Visual Studio Code
  • Active Directory Domain Services and Active Directory Certificate Services
  • Nu Get Client
  • Hyper-V
  • Windows Resilient File System (ReFS)

The month of October comes with 85 new security updates

It’s pretty much safe to say that this wasn’t either the busiest or the lightest month for Redmond-based security experts and developers.

You might like to know that, out of the 85 new CVEs released, 15 are rated as Critical, 69 are rated Important, and only one is rated Moderate in severity.

Looking back, we can say that this volume is somewhat in line with what we’ve seen in previous October releases, however, it sets Microsoft on track to exceed its 2021 total.

And, if that were to happen, 2022 would the second busiest year for Microsoft CVEs, so keep that in mind if you want to compare it to other periods.

Know that one of the new CVEs released this month is listed as publicly known and one other is listed as being in the wild at the time of release.

We are going to take a closer look at the patches released in October 2022 and rank them by severity, type, and active exploitation status.

CVETitleSeverityCVSSPublicExploitedType
CVE-2022-41033Windows COM+ Event System Service Elevation of Privilege VulnerabilityImportant7.8NoYesEoP
CVE-2022-41043Microsoft Office Information Disclosure VulnerabilityImportant4YesNoInfo
CVE-2022-37976Active Directory Certificate Services Elevation of Privilege VulnerabilityCritical8.8NoNoEoP
CVE-2022-37968Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege VulnerabilityCritical10NoNoEoP
CVE-2022-38049Microsoft Office Graphics Remote Code Execution VulnerabilityCritical7.8NoNoRCE
CVE-2022-38048Microsoft Office Remote Code Execution VulnerabilityCritical7.8NoNoRCE
CVE-2022-41038Microsoft SharePoint Server Remote Code Execution VulnerabilityCritical8.8NoNoRCE
CVE-2022-34689Windows CryptoAPI Spoofing VulnerabilityCritical7.5NoNoSpoofing
CVE-2022-41031Microsoft Word Remote Code Execution VulnerabilityCritical7.8NoNoRCE
CVE-2022-37979Windows Hyper-V Elevation of Privilege VulnerabilityCritical7.8NoNoEoP
CVE-2022-30198Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-24504Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-33634Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-22035Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-38047Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-38000Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-41081Windows Point-to-Point Tunneling Protocol Remote Code Execution VulnerabilityCritical8.1NoNoRCE
CVE-2022-38042Active Directory Domain Services Elevation of Privilege VulnerabilityImportant7.1NoNoEoP
CVE-2022-38021Connected User Experiences and Telemetry Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2022-38036Internet Key Exchange (IKE) Protocol Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2022-37977Local Security Authority Subsystem Service (LSASS) Denial of Service VulnerabilityImportant6.5NoNoDoS
CVE-2022-37983Microsoft DWM Core Library Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38040Microsoft ODBC Driver Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2022-38001Microsoft Office Spoofing VulnerabilityImportant6.5NoNoSpoofing
CVE-2022-41036Microsoft SharePoint Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2022-41037Microsoft SharePoint Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2022-38053Microsoft SharePoint Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2022-37982Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2022-38031Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityImportant8.8NoNoRCE
CVE-2022-37971Microsoft Windows Defender Elevation of Privilege VulnerabilityImportant7.1NoNoEoP
CVE-2022-41032NuGet Client Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38045Server Service Remote Protocol Elevation of Privilege VulnerabilityImportant8.8NoNoEoP
CVE-2022-35829Service Fabric Explorer Spoofing VulnerabilityImportant6.2NoNoSpoofing
CVE-2022-38017StorSimple 8000 Series Elevation of Privilege VulnerabilityImportant6.8NoNoEoP
CVE-2022-41083Visual Studio Code Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-41042Visual Studio Code Information Disclosure VulnerabilityImportant7.4NoNoInfo
CVE-2022-41034Visual Studio Code Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2022-38046Web Account Manager Information Disclosure VulnerabilityImportant6.2NoNoInfo
CVE-2022-38050Win32k Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37978Windows Active Directory Certificate Services Security Feature BypassImportant7.5NoNoSFB
CVE-2022-38029Windows ALPC Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2022-38044Windows CD-ROM File System Driver Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2022-37989Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37987Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37980Windows DHCP Client Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38026Windows DHCP Client Information Disclosure VulnerabilityImportant5.5NoNoInfo
CVE-2022-38025Windows Distributed File System (DFS) Information Disclosure VulnerabilityImportant5.5NoNoInfo
CVE-2022-37970Windows DWM Core Library Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37981Windows Event Logging Service Denial of Service VulnerabilityImportant4.3NoNoDoS
CVE-2022-33635Windows GDI+ Remote Code Execution VulnerabilityImportant7.8NoNoRCE
CVE-2022-38051Windows Graphics Component Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37997Windows Graphics Component Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37985Windows Graphics Component Information Disclosure VulnerabilityImportant5.5NoNoInfo
CVE-2022-37975Windows Group Policy Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37999Windows Group Policy Preference Client Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37993Windows Group Policy Preference Client Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37994Windows Group Policy Preference Client Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37995Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37988Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38037Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38038Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37990Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38039Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37991Windows Kernel Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38022Windows Kernel Elevation of Privilege VulnerabilityImportant2.5NoNoEoP
CVE-2022-37996Windows Kernel Memory Information Disclosure VulnerabilityImportant5.5NoNoInfo
CVE-2022-38016Windows Local Security Authority (LSA) Elevation of Privilege VulnerabilityImportant8.8NoNoEoP
CVE-2022-37998Windows Local Session Manager (LSM) Denial of Service VulnerabilityImportant7.7NoNoDoS
CVE-2022-37973Windows Local Session Manager (LSM) Denial of Service VulnerabilityImportant7.7NoNoDoS
CVE-2022-37974Windows Mixed Reality Developer Tools Information Disclosure VulnerabilityImportant6.5NoNoInfo
CVE-2022-35770Windows NTLM Spoofing VulnerabilityImportant6.5NoNoSpoofing
CVE-2022-37965Windows Point-to-Point Tunneling Protocol Denial of Service VulnerabilityImportant5.9NoNoDoS
CVE-2022-38032Windows Portable Device Enumerator Service Security Feature Bypass VulnerabilityImportant5.9NoNoSFB
CVE-2022-38028Windows Print Spooler Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38003Windows Resilient File System Elevation of PrivilegeImportant7.8NoNoEoP
CVE-2022-38041Windows Secure Channel Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2022-38043Windows Security Support Provider Interface Information Disclosure VulnerabilityImportant5.5NoNoInfo
CVE-2022-38033Windows Server Remotely Accessible Registry Keys Information Disclosure VulnerabilityImportant6.5NoNoInfo
CVE-2022-38027Windows Storage Elevation of Privilege VulnerabilityImportant7NoNoEoP
CVE-2022-33645Windows TCP/IP Driver Denial of Service VulnerabilityImportant7.5NoNoDoS
CVE-2022-38030Windows USB Serial Driver Information Disclosure VulnerabilityImportant4.3NoNoInfo
CVE-2022-37986Windows Win32k Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-37984Windows WLAN Service Elevation of Privilege VulnerabilityImportant7.8NoNoEoP
CVE-2022-38034Windows Workstation Service Elevation of Privilege VulnerabilityImportant4.3NoNoEoP
CVE-2022-41035Microsoft Edge (Chromium-based) Spoofing VulnerabilityModerate8.3NoNoSpoofing
CVE-2022-3304Chromium: CVE-2022-3304 Use after free in CSSHighN/ANoNoRCE
CVE-2022-3307Chromium: CVE-2022-3307 Use after free in MediaHighN/ANoNoRCE
CVE-2022-3370Chromium: CVE-2022-3370 Use after free in Custom ElementsHighN/ANoNoRCE
CVE-2022-3373Chromium: CVE-2022-3373 Out of bounds write in V8HighN/ANoNoRCE
CVE-2022-3308Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer ToolsMediumN/ANoNoSFB
CVE-2022-3310Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom TabsMediumN/ANoNoSFB
CVE-2022-3311Chromium: CVE-2022-3311 Use after free in ImportMediumN/ANoNoRCE
CVE-2022-3313Chromium: CVE-2022-3313 Incorrect security UI in Full ScreenMediumN/ANoNoSFB
CVE-2022-3315Chromium: CVE-2022-3315 Type confusion in BlinkMediumN/ANoNoRCE
CVE-2022-3316Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe BrowsingLowN/ANoNoSpoofing
CVE-2022-3317Chromium: CVE-2022-3317 Insufficient validation of untrusted input in IntentsLowN/ANoNoSpoofing

This October 2022 patch release also includes fixes for 11 information disclosure bugs, including one in Office that’s listed as publicly known.

The rest of the info disclosure vulnerabilities only result in leaks consisting of unspecified memory contents, according to experts.

However, the bug in the Web Account Manager could allow an attacker to view unbound refresh tokens issued by one cloud on a different cloud.

Also, the patches for Visual Studio Code and the Mixed Reality Developer Tools fix disclosure bugs that could allow reading from the file system.

That being said, know that the final info disclosure bug fixed this month could allow reading from the HKLM hive of the registry which you normally would not have access to.

Furthermore, eight different DoS vulnerabilities were patched this month, the most interesting being the DoS in TCP/IP, which could be exploited by remote, unauthenticated attackers and does not require user interaction.

This update rollout is rounded out by five spoofing bugs, including the lone Moderate-rated fix, which addresses a spoofing vulnerability in Microsoft Edge (Chromium-based).

Looking forward, the next Patch Tuesday security update rollout will be on the 8th of November, which is a bit sooner than some expected it.

Have you found any other issues after installing this month’s security updates? Share your opinion in the comments section below.

More about the topics: patch tuesday