Microsoft's Patch Tuesday updates: Keeping up with the latest fixes

At a glance:

• Microsoft's Patch Tuesday, a monthly security update tradition since 2003, remains a cornerstone of the cybersecurity industry.
• Recent months have seen significant updates, including April 2026's record 165 patches and 340 CVEs, with multiple zero-days under active exploitation.
• Organizations are urged to prioritize 'Patch Now' schedules for critical vulnerabilities, especially those flagged by CISA for immediate remediation.

The Patch Tuesday Tradition

Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security in the tech world. Patch Tuesday, as it is known, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers. The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates. Like tacos, Patch Tuesday is here to stay.

In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.” Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry. As a case in point, Adobe, among others, follows a similar patch cadence.

April 2026: A Massive Update Cycle

Windows administrators are going to be busy this month, dealing with the largest Patch Tuesday cycle in memory. The April release involves 165 updates and roughly 340 unique CVEs from Microsoft — including two zero-days, one of which is already being actively exploited in the wild. The Readiness team is recommending “Patch Now” schedules for nearly every major product family this month: Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and Microsoft Developer Tools (.NET). April also brings Phase 2 of Microsoft’s Kerberos RC4 hardening with full enforcement set for July. There is a lot to cover, so the Readiness team built an infographic mapping the deployment risk for each platform. More info is available here on Microsoft Security updates for April 2026.

March 2026: Addressing Critical Vulnerabilities

Microsoft’s March Patch Tuesday release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild.) Six additional vulnerabilities spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon are flagged as “Exploitation More Likely.” The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system. More info on Microsoft Security updates for March 2026.

February 2026: Active Exploits Drive Urgency

The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches. Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azure services rather than Windows, however.) Both Windows and Office get a “Patch Now” recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation (CVE-2026-20833) and Windows Deployment Services hardening (CVE-2026-0386). More info on Microsoft Security updates for February 2026.

January 2026: Starting the Year with Critical Fixes

The first Patch Tuesday release of 2026 addresses 112 CVEs across Microsoft’s product portfolio, including eight rated critical and three zero-day vulnerabilities. One zero-day (CVE-2026-20805), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. (Note: 95 of the vulnerabilities affect Windows.) More info on Microsoft Security updates for January 2026.

December 2025: Few Patches, Multiple Zero-Days

The December Patch Tuesday update addresses three zero-days (CVE-2025-64671, CVE-2025-54100, and CVE-2025-62221) but includes surprisingly few total patches (just 57). Notably, Microsoft has not published any critical updates for the Windows platform this month. That said, given the zero-days, we recommend a “Patch Now” release schedule for Windows and Microsoft Office. More info on Microsoft Security updates for December 2025.

November 2025: Reduced Workload, One Zero-Day

This November Patch Tuesday release offers a much reduced set of updates, with just 63 Microsoft patches and (only) one zero-day (CVE-2025-62215) affecting the Windows desktop platform. Windows desktops this month require a “Patch Now” plan, and while the severity of these security vulnerabilities is less than it was in October, the testing requirements are still extensive. More info on Microsoft Security updates for November 2025.

The Future of Patch Tuesday

Patch Tuesday coverage has long been a staple of providing critical information to the IT industry. As the cybersecurity landscape evolves, Microsoft continues to refine its patching strategy, including initiatives like Kerberos hardening and CLFS verification. Organizations must stay vigilant, testing updates in non-production environments and prioritizing vulnerabilities under active exploitation. With the increasing sophistication of attacks, Patch Tuesday remains an essential defense mechanism, but it is only one part of a comprehensive security posture. The tradition of the second Tuesday is here to stay, and it will continue to be a cornerstone of enterprise security for years to come.