
April 2025 Patch Tuesday includes one zero-day
April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
That’s more than twice as many as last month, but the good news is there’s only one actively exploited vulnerability, compared to six in March.
The zero-day vulnerability is CVE-2025-29824 (CVSS score 7.8 out of 10), a use-after-free (UAF) vulnerability in the Windows Common Log File System (CLFS) driver that allows an authorized attacker to elevate privileges locally. A successful attacker can gain SYSTEM-level privileges, enabling them to execute arbitrary code, install malware, modify system settings, or access sensitive data.
UAF is a type of vulnerability that results from incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, exploitation can lead to corruption of valid data and the execution of arbitrary code on affected systems.
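The dangling-reference condition described above, as an added example that is not from the original article or from Microsoft: a constructed two-slot pool models freed memory being reused, so a stale handle reads another owner's data without relying on undefined behaviour. The generation check in owner_checked is one common mitigation chosen here for illustration, not the CLFS fix, and all names (pool_alloc, handle_t, session-A, session-B) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not CLFS code: a two-slot pool stands in for the heap
 * so "freed" memory is reused deterministically and nothing is undefined. */
#define SLOTS 2
typedef struct { uint32_t gen; int in_use; char owner[16]; } slot_t;
typedef struct { slot_t *raw; uint32_t gen; } handle_t;
static slot_t pool[SLOTS];

/* Take the first free slot and stamp it with a new generation number. */
handle_t pool_alloc(const char *owner) {
    handle_t h = { NULL, 0 };
    for (int i = 0; i < SLOTS && !h.raw; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        h.gen = ++pool[i].gen;
        snprintf(pool[i].owner, sizeof pool[i].owner, "%s", owner);
        h.raw = &pool[i];
    }
    return h;
}

/* Release the slot; the caller's handle copy is left pointing at it. */
void pool_free(handle_t h) { if (h.raw) h.raw->in_use = 0; }
/* Flawed access: trusts the pointer, so a stale handle reads the new occupant. */
const char *owner_unchecked(handle_t h) { return h.raw->owner; }
/* Hardened access: rejects handles whose slot was freed or reissued. */
const char *owner_checked(handle_t h) {
    if (!h.raw || !h.raw->in_use || h.raw->gen != h.gen) return NULL;
    return h.raw->owner;
}

/* Free a handle, let a second allocation reuse the slot, read it both ways. */
int stale_handle_demo(const char **unchecked, const char **checked) {
    handle_t a = pool_alloc("session-A");
    pool_free(a);                          /* 'a' now dangles */
    handle_t b = pool_alloc("session-B");  /* same slot, new generation */
    *unchecked = owner_unchecked(a);
    *checked = owner_checked(a);
    return a.raw == b.raw;
}

int main(void) {
    const char *u, *c;
    int reused = stale_handle_demo(&u, &c);
    printf("reused=%d unchecked=%s checked=%s\n", reused, u, c ? c : "(rejected)");
    return 0;
}
```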
The CLFS driver is a component of the Windows operating system designed to manage high-performance logging. It is used for recording events or data in a structured way, which is essential for applications and system processes that require reliable transaction logging or recovery. CLFS helps ensure that log data is stored securely and can be retrieved even after system failures.
The driver operates at the kernel level, meaning it interacts directly with the core of the operating system, which is critical for performance but also increases the severity of vulnerabilities. Using elevation of privilege flaws like this one, ransomware affiliates can compromise a network as part of their efforts to steal and encrypt data and ultimately extort their victims.
CISA has added CVE-2025-29824 to its catalog of Known Exploited Vulnerabilities, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary remediations by April 29, 2025.
Windows 10 users will have to wait for a patch. Microsoft notes:
The security update for Windows 10 for x64-based Systems and Windows 10 for 32-bit Systems are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.
Other vendors
Adobe issued security updates for 12 products.
CrushFTP patched a known exploited vulnerability tracked as CVE-2025-31161.
Google fixed two actively exploited Android zero-day vulnerabilities in its April 2025 Android Security Bulletin.
Ivanti released its April security updates and updated its security advisory about CVE-2025-22457 to emphasize the importance of patching it.
SAP released April security updates for multiple products.
And last but not least, almost every browser vendor issued a patch for CVE-2025-2783, which lies in Mojo for Windows. Mojo is a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC).