Microsoft Security Response Center Blog Alerts

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202 5) for more information.

Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.

To comprehensively address CVE-2024-21302, Microsoft has released April 2025 security updates for all supported editions of Windows. Microsoft recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.

Incorrect default permissions in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.

Heap-based buffer overflow in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.

Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Stack-based buffer overflow in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally.