MSRC Reports
Microsoft Security Response Center Reports (Unofficial).

Reports usually come in bursts, because that's just how Microsoft releases them.
Chromium: CVE-2025-11213 Inappropriate implementation in Omnibox

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11213
Chromium: CVE-2025-11205 Heap buffer overflow in WebGPU

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11205
Chromium: CVE-2025-11209 Inappropriate implementation in Omnibox

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11209
Chromium: CVE-2025-11211 Out of bounds read in Media

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11211
Chromium: CVE-2025-11216 Inappropriate implementation in Storage

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11216
Chromium: CVE-2025-11215 Off by one error in V8

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11215
CVE-2025-59489 MITRE: CVE-2025-59489 Unity Gaming Engine Editor vulnerability

[Unity](https://unity.com) announced a security vulnerability (CVE-2025-59489) that is affecting games or applications built with the Unity Gaming Engine Editor (version 2017.1 or later). You may be using a Microsoft app or playing a Microsoft game that should be uninstalled until an update is available. We are working to update games and applications that are potentially affected by this Unity vulnerability. In most cases, you can stay safe by ensuring your games and applications are up to date and Microsoft Defender is running on your device.

If you have downloaded a vulnerable game or app (see list below) on one of the following platforms, you could be at risk:

* Android
* Windows
* Linux (Desktop)
* Linux (embedded)
* MacOS

We have confirmed the following are not impacted:

* Xbox consoles
* Xbox Cloud Gaming
* iOS
* HoloLens

**Recommended Next Steps:**

**For Developers**: Unity has made a fix available to developers. Organizations who believe that they have an app or game that might be impacted should reference Unity guidance and update their apps/games as soon as possible. You can learn more from Unity here.

**For Players and Customers**: Microsoft security and game development teams are working to update any game or application that is potentially affected by this Unity vulnerability. If a Microsoft-owned game or application is not listed and you have installed all available updates, no further action is required. For customers who have automatic updates enabled, fixes will be deployed as they become available. If you have automatic updates turned off, please check to see if you have any updates available for your downloaded apps and games and install the latest update on your device.

Customers who have an impacted app or game installed (see below list) are encouraged to take these steps:

* Temporarily uninstall any impacted Microsoft apps or games until an update is available. For more guidance on how to uninstall, please see the FAQs below.
* Use an up-to-date version of Microsoft Defender to detect and block attempts to exploit this vulnerability.
* Follow guidance from Unity or your platform provider.
* Microsoft-owned games and apps affected by this vulnerability and their requisite updates are documented in the Security Updates Table.

**For Microsoft Mesh Apps Users**

In response to this CVE that is affecting applications built with the Unity Gaming Engine Editor (version 2017.1 or later), Microsoft has released a required security update for the Microsoft Mesh PC applications. We strongly encourage all users with the Microsoft Mesh apps installed on their devices to promptly update to the latest version of these apps, version 5.2513.3.0 or greater. If you have automatic updates enabled for these apps on all devices, no further action is required. While we do not expect this to affect the functionality of any previously scheduled events in Microsoft Mesh, use of the immersive spaces in Microsoft Teams meetings, or immersive events in Microsoft Teams, users will be required to update the Mesh PC apps before joining newly scheduled events in Mesh. We are informing you of this now so that you can mitigate any disruptions this may introduce to your events.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59489
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability

Corrected Article links in the Security Updates table. This is an informational change only.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36038
Chromium: CVE-2025-11458 Heap buffer overflow in Sync

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11458
Chromium: CVE-2025-11460 Use after free in Storage

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2025) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-11460
CVE-2025-59286 Copilot Spoofing Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59286
CVE-2025-59272 Copilot Spoofing Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59272
CVE-2025-59271 Redis Enterprise Elevation of Privilege Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59271
CVE-2025-59252 M365 Copilot Spoofing Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59252
CVE-2025-55321 Azure Monitor Log Analytics Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Monitor allows an authorized attacker to perform spoofing over a network.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55321
CVE-2025-59247 Azure PlayFab Elevation of Privilege Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59247
CVE-2025-59246 Azure Entra ID Elevation of Privilege Vulnerability

Azure Entra ID Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59246
CVE-2025-59218 Azure Entra ID Elevation of Privilege Vulnerability

Azure Entra ID Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59218
CVE-2025-0033 AMD CVE-2025-0033: RMP Corruption During SNP Initialization

Microsoft is aware of [AMD-SB-3020 | CVE-2025-0033](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3020.html) disclosed by AMD on October 13, 2025. CVE-2025-0033 is a vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It involves a race condition during Reverse Map Table (RMP) initialization that could allow a malicious or compromised hypervisor to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory. This issue does not expose plaintext data or secrets and requires privileged control of the hypervisor to exploit. Across Azure Confidential Computing products, multiple security guardrails are in place to prevent host compromise, combining isolation, integrity verification and continuous monitoring. All host operations follow audited and approved management pathways, with administrative access strictly controlled, limited and logged. Together, these protections reduce the risk of host compromise or unauthorized memory manipulation, helping ensure that confidential workloads and customer VMs maintain their confidentiality and integrity on Azure hosts.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0033
CVE-2025-58724 Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability

Affected software updated with new package information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58724
CVE-2025-0033 AMD CVE-2025-0033: RMP Corruption During SNP Initialization

Corrected security updates table. This is an informational change only.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0033