News, guides and releases from the free software world
Debian shipped DSA-6360-1 to fix four Squid proxy vulnerabilities, among them Squidbleed (CVE-2026-47729), which can leak other users' HTTP headers. What it affects and how to update.
Read more →Ubuntu fixes several libheif vulnerabilities in advisory USN-8454-1. A crafted HEIF or AVIF image could cause denial of service or code execution. Here's who is affected and how to update.
Read more →A malicious MediaTek 5G modem can read up to 262140 bytes of kernel memory through the t7xx driver. What it affects, severity, and how to patch.
Read more →Mishandling of large headers in nginx's proxy_v2 and gRPC modules can restart the worker and, without ASLR, lead to code execution. F5 fixes it in 1.31.2 and 1.30.3; Ubuntu ships USN-8458-1.
Read more →A use-after-free in NGINX's HTTP/3 module lets an unauthenticated remote attacker crash worker processes, and on systems without ASLR potentially run code. It affects 1.31.0 and 1.31.1; fixed in 1.31.2.
Read more →MATE's Atril document viewer carried a command injection (CVE-2026-46529) allowing one-click code execution. Debian fixed it in Trixie and Bookworm.
Read more →Kernel 7.1 extends Landlock to UNIX sockets, turns on Intel FRED by default, and ships two networking changes (IPv6 and UDP-Lite) that can break custom kernel builds.
Read more →A bounds-checking flaw in virtio_blk_handle_scsi lets a VM with CAP_SYS_ADMIN corrupt the heap and take down the host QEMU process. CVSS 8.2. Update to QEMU 9.2.1.
Read more →An OWA XSS lets attackers run JavaScript just by getting a user to open an email in the browser. Microsoft had already mitigated it in May, and CISA listed it as actively exploited.
Read more →Hyunwoo Kim disclosed ITScape, a use-after-free in KVM/arm64's vGIC-ITS cache that lets a guest VM run code as root on the host. What it is, who it affects, and how to patch it.
Read more →Microsoft fixed a CVSS 9.8 flaw in the Windows DHCP Client Service in June 2026 that could allow remote code execution. It affects every Windows system with a DHCP client.
Read more →A malformed S/MIME message can free a BIO the application still owns during PKCS7_verify(). It affects OpenSSL 1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6 and 4.0.
Read more →A flaw in the HTTP.sys kernel driver allows unauthenticated RCE through oversized HTTP requests. It hits IIS, WinRM and WCF, but only if you raised MaxRequestBytes.
Read more →A resource-consumption flaw in Windows' HTTP/2 implementation lets a remote attacker cause denial of service by sending very little data. CVSS 7.5, fixed in the June 2026 Patch Tuesday.
Read more →A flaw in the KTLS receive path lets an unprivileged user overwrite arbitrary files over loopback. Affected versions, the June 9, 2026 patch, and the mitigation.
Read more →An unprivileged local user could inject a library with LD_PRELOAD into a setuid Linux binary running under FreeBSD's Linuxulator and inherit its privileges. What breaks, who is affected, and how to patch.
Read more →A hardware flaw in Cortex-A, Neoverse and Ampere processors lets software write to memory after page permissions are revoked. FreeBSD ships a kernel mitigation for its 14.x and 15.x branches.
Read more →Microsoft patches three Hyper-V remote code execution bugs that let an attacker escape a guest VM and run code on the host server, plus a host memory leak.
Read more →Microsoft fixes 198 vulnerabilities in June 2026, its biggest bulletin to date, with 32 critical flaws, three zero-days and a CVSS 9.8 RCE in the Windows kernel.
Read more →Xen released four advisories on 9 June 2026. XSA-494 (CVE-2026-42488) allows memory corruption, privilege escalation and host crash; XSA-491 (CVE-2026-42487) lets a device model crash the hypervisor.
Read more →Google patched an out-of-bounds read/write in V8 in Chrome 149.0.7827.103 with an exploit in the wild. What's affected, severity, and how to update.
Read more →Debian fixes authorization bypass, privilege escalation and user impersonation bugs in Keystone for Bookworm and Trixie. Here's what to update.
Read more →Red Hat patches CVE-2026-37457 and CVE-2026-37459 in FRRouting: two ways to crash the bgpd daemon with a crafted BGP UPDATE. Update to FRR 10.4.4 on RHEL 10.
Read more →Red Hat fixes a denial of service in the PostgreSQL JDBC driver on RHEL 10. A hostile server forces a runaway PBKDF2 computation during SCRAM-SHA-256 authentication. CVSS 7.5.
Read more →Broadcom patches three stored XSS flaws (CVE-2026-41722, 41723 and 41724), CVSS 8.0, in VMware Cloud Foundation Operations. No workaround: you have to update.
Read more →CVE-2026-46243 lets an unprivileged user open a root shell by abusing the CIFS module's SPNEGO upcall. Red Hat, Ubuntu, Debian, SUSE, Oracle Linux and Amazon Linux are affected.
Read more →The HTTP/2 Bomb pairs HPACK compression with flow control to exhaust the RAM of nginx, Apache, IIS, Envoy and Pingora. Affected versions, impact and patches.
Read more →OpenBSD 7.8 errata 037 fixes multiple vulnerabilities in the X server's dri2, sync, saver and Xkb extensions. What it affects and how to apply the patch.
Read more →A race condition in the Linux kernel's tls_sk_proto_close() lets one thread close a TLS socket while another changes options, triggering a use-after-free. Disclosed on oss-security, 2 June 2026.
Read more →Google patches over a hundred Android vulnerabilities. CVE-2025-48595, a Framework privilege escalation, may already be under targeted exploitation.
Read more →A stack-based buffer overflow in the Windows Server Netlogon service lets an unauthenticated remote attacker run code on a domain controller. What it is, who it affects and how to protect yourself.
Read more →A double free in the error path of Btrfs create_space_info() can corrupt kernel memory. Here is who it affects, how serious it is, and how to patch it.
Read more →Ubuntu ships USN-8306-1 patching six Samba vulnerabilities, including two that allow arbitrary code execution in the SAMR server and the printing subsystem.
Read more →Google shipped Chrome 148.0.7778.178 to close a critical WebRTC use-after-free affecting Linux that runs code just from visiting a web page.
Read more →Eight PHP packages on Packagist, including devdojo/wave and devdojo/genesis, ran a Linux binary pulled from GitHub. Separately, hundreds of laravel-lang versions were republished with a credential stealer after a GitHub token leaked.
Read more →The setcred(2) syscall copied the supplementary group list into a fixed-size kernel stack buffer without checking its length, letting an unprivileged local user run code in the kernel and escalate to root on FreeBSD 14.3, 14.4 and 15.0.
Read more →Poor parameter validation in ptrace(PT_SC_REMOTE) let an unprivileged local user run code in the FreeBSD kernel. There is no workaround: you have to patch.
Read more →A logic bug in libcap_net treated an omitted restriction as 'allow any', so an application inside a Capsicum sandbox could gain network permissions instead of losing them. What breaks, who is affected, and how to patch.
Read more →Mozilla ships Firefox 151 with 27 fixes, including an Android sandbox escape, a use-after-free in DOM Bindings, and a same-origin bypass. Update now.
Read more →A logic flaw in the Linux kernel ptrace subsystem lets an unprivileged local user steal SSH host keys and password hashes. It has been there since 2016, and patches are out for Debian, Ubuntu, Fedora, SUSE, AlmaLinux and CloudLinux.
Read more →skb_try_coalesce() drops the SKBFL_SHARED_FRAG marker and lets an unprivileged user write over page-cache pages to get root. AlmaLinux already shipped patched kernels.
Read more →A heap overflow in ngx_http_rewrite_module with a 9.2 CVSS leaves NGINX open to remote code execution. Red Hat already ships a fix for RHEL 9 in RHSA-2026:18029. What it is, who it affects and how to mitigate it.
Read more →Microsoft patched a Windows GDI heap overflow in May 2026 that lets an attacker run code when a crafted Enhanced Metafile is opened in Microsoft Paint. What it is, who it affects, and how to mitigate.
Read more →Microsoft patched four Word RCE vulnerabilities (CVSS 8.4) in May 2026. The Preview Pane is an attack vector and two of them are rated more likely to be exploited.
Read more →Microsoft patched CVE-2026-41096, a critical flaw in the Windows DNS Client that allows remote code execution through a specially crafted DNS response. It was fixed in the May 2026 Patch Tuesday.
Read more →A flawed SAML check in the Microsoft SSO Plugin for Jira and Confluence (CVSS 9.1) lets an unauthenticated attacker forge identities and log in as anyone. Affected versions and the fix.
Read more →A use-after-free during TLS shutdown in GnuTLS builds of Exim allows unauthenticated remote code execution when handling SMTP with BDAT. Affects Exim 4.97 to 4.99.2, fixed in 4.99.3.
Read more →Microsoft closes around 120 vulnerabilities in its May 2026 release, 17 of them critical, with no known zero-days at launch. Here's what got fixed and why you should patch now.
Read more →Apple ships iOS 26.5 and iPadOS 26.5 with over 90 security patches. CVE-2026-28951 is a kernel authorization flaw that could let an app gain root privileges.
Read more →Apple ships macOS Tahoe 26.5 with patches across more than twenty subsystems. CVE-2026-28954 lets a malicious disk image slip past Gatekeeper, and two kernel flaws allow tampering with privileged memory.
Read more →A write-what-where condition in ESP plus a privilege escalation flaw in RxRPC let an unprivileged local user reach root. Public PoCs exist and no universal patch shipped on 8 May 2026.
Read more →A flaw in the Linux kernel's memory management leaves stale pointers in page->private, opening the door to memory corruption or privilege escalation. It affects 5.18 onward and matters most for WSL2 and containers. What it is, who it hits, and how to patch it.
Read more →USN-8245-1 fixes EntrySign (CVE-2024-36347), the microcode signature flaw in AMD Zen processors, along with more than a hundred kernel vulnerabilities. Here's who's affected and how to update.
Read more →Red Hat ships an Important kernel update for RHEL 8 that fixes six CVEs, including a KVM privilege escalation and a heap overflow in the NFSv4.0 LOCK replay cache.
Read more →A critical authentication bypass in cPanel/WHM lets attackers take over the panel with no credentials. It landed in CISA's KEV catalog and was exploited at scale to encrypt sites with the .sorry extension.
Read more →Faulty packet validation in pf allows unbounded recursion when parsing SCTP chunks, leading to a kernel panic. FreeBSD 13.5, 14.3, 14.4 and 15.0 are affected. Here's how to fix it.
Read more →An operator precedence bug in the FreeBSD kernel lets an unprivileged account escalate to superuser. Fixed on 29 April 2026 in FreeBSD-SA-26:13.exec.
Read more →A 15-year-old OpenSSH flaw let a certificate with a 'deploy,root' principal bypass access control and authenticate as root. Fixed in OpenSSH 10.3.
Read more →Qualys found 11 CVEs in the Linux kernel AppArmor module. An unprivileged local user could load, replace or remove profiles, escalate to root, or escape a container. Ubuntu fixed it in USN-8201-1.
Read more →A regression in .NET 10.0.6 made ASP.NET Core Data Protection validate its HMAC over the wrong bytes. The result: forgeable auth cookies and escalation to SYSTEM. Microsoft shipped 10.0.7 out of band.
Read more →OpenBSD 7.7 and 7.8 patch an out-of-bounds read in libXpm triggered by crafted XPM files. What it affects, how serious it is, and how to apply the fix.
Read more →Update SUSE-SU-2026:1369-1 fixes two DNS resolution issues in glibc: a crafted server response that confuses the resolver and an invalid hostname returned by gethostbyaddr. Affected versions, severity and how to patch.
Read more →Microsoft patched a SharePoint zero-day (CVE-2026-32201) in April 2026 that was already under attack: an unauthenticated attacker can view sensitive data and alter information. What it affects and how to stay protected.
Read more →A double free in the Windows IKE extension (CVSS 9.8) allows unauthenticated remote code execution and is wormable. What it is, who it affects, and how to protect yourself.
Read more →An elevation-of-privilege bug in the Microsoft Defender antimalware platform, dubbed BlueHammer, lets an unprivileged user run code as SYSTEM on Windows 10 and 11.
Read more →A synchronization flaw in the Windows TCP/IP stack allows remote, unauthenticated code execution with no user interaction when IPv6 and IPSec are both enabled. CVSS 8.1, patched in the April 2026 Patch Tuesday.
Read more →April 2026's update patches 167 vulnerabilities across Windows, Office, SharePoint and Defender, with eight critical bugs and two zero-days: a SharePoint flaw under active attack and a Defender bug disclosed before the patch.
Read more →Red Hat updates the rhc client on RHEL 8 over an Important flaw: incorrect parsing of IPv6 host literals in net/url can mishandle URLs while connecting to Red Hat managed services.
Read more →Linus Torvalds released kernel 7.0 on 12 April 2026. Here are the changes that matter for security and robustness: Intel TSX auto mode and online XFS self-repair.
Read more →A prototype pollution bug in Acrobat Reader's JavaScript engine runs code when you open a malicious PDF. CISA added it to the KEV catalog and Adobe pushed an out-of-band patch.
Read more →Debian fixes CVE-2026-3497, a flaw in its GSSAPI Key Exchange patch for OpenSSH that a remote attacker can use to crash SSH processes or, in the worst case, run code.
Read more →A look at Apple's April 2026 security updates: macOS Tahoe 26.4.1, iOS/iPadOS 26.4.1, 26.4.2 and 18.7.8, none of them with published CVE entries.
Read more →The 7 April 2026 OpenSSL update patches CVE-2026-28387 (DANE use-after-free) and CVE-2026-28386 (out-of-bounds read in AES-CFB128). Who is affected and how to update.
Read more →Mozilla ships Firefox 149.0.2 to fix several high-impact memory-safety bugs, some with signs of memory corruption. If you run Firefox or Thunderbird, update now.
Read more →A flaw in the Linux kernel DVB subsystem reads a function pointer past the end of a table and can invoke it. Present since 2.6.12. What happens and how to stay safe.
Read more →A flaw in the Linux kernel's SCTP connection tracking lets a local user read kernel memory because of missing netlink validation. CVSS 7.1. Who is affected and which versions fix it.
Read more →A race in sco_recv_frame() frees the socket too early and opens the door to a use-after-free in the kernel's Bluetooth code. CVSS 8.8. Here's what it affects and how to patch it.
Read more →OpenBSD 7.8 errata 027 fixes flaws in iked, the daemon that negotiates IPsec tunnels. A crafted packet could read out-of-bounds memory or crash the service.
Read more →A stack overflow in RPCSEC_GSS packet validation lets a malicious client run code with kernel privileges on FreeBSD NFS servers, no authentication required. Affected versions, impact and the March 26, 2026 patches.
Read more →macOS Tahoe 26.4 patches CVE-2026-20698, a kernel memory-handling bug that let an app crash the system or corrupt kernel memory.
Read more →Apple patches over 70 flaws in macOS Tahoe 26.4. The worst lets an app gain root through PackageKit. What it affects and how to update.
Read more →Mozilla ships Firefox 149 with 34 fixes, 17 rated high. Among them a WebRender use-after-free and several memory bugs showing evidence of exploitable corruption.
Read more →A memory overread in NetScaler ADC and Gateway configured as a SAML IdP leaks session tokens. Exploitation is already active and CISA has set a patch deadline.
Read more →An optimization in the kernel's AF_ALG crypto module lets a local user write 4 bytes into any cached file and become root. Nearly every distribution is affected.
Read more →Google ships Chrome 146.0.7680.164/165 with patches for a heap buffer overflow in WebGL and a use-after-free in Dawn, both reachable through a crafted web page.
Read more →OpenBSD 7.8 errata 024 fixes CVE-2026-32776, 32777 and 32778 in libexpat, which let malformed XML hang or crash applications that rely on the library.
Read more →A critical flaw (CVSS 9.1) makes servlet apps using Spring Security lose headers like Content-Security-Policy and Strict-Transport-Security without warning. Affected versions and fix.
Read more →A flaw in net/sched/act_gate.c let a local user trigger inconsistent kernel memory access when the gate action was replaced while a timer or dump walked the schedule list. CVSS 7.8.
Read more →Apple uses Background Security Improvements for the first time to fix CVE-2026-20643, a WebKit Navigation API bug that bypassed the same-origin policy on iOS and macOS.
Read more →Qualys reveals CrackArmor, a set of confused-deputy vulnerabilities in AppArmor present since 2017 that let a local user reach root, leak kernel memory and break container isolation on Ubuntu, Debian and SUSE.
Read more →Canonical split the CrackArmor fixes across three packages: kernel, sudo and util-linux. What each one patches, and why you need all three.
Read more →Debian ships DSA-6162-1 and fixes the CrackArmor AppArmor vulnerabilities found by Qualys in trixie. They allow local privilege escalation to root. Fixed version: 6.12.74-2.
Read more →Debian ships a Linux kernel update for Debian 12 Bookworm bundling 49 flaws, including the AppArmor bugs found by Qualys. Fixed version: 6.1.164-1.
Read more →Microsoft fixed an improper access control flaw in SQL Server in March 2026 that lets an authenticated user escalate to sysadmin over the database. CVSS 8.8.
Read more →A race condition in net/tls/tls_sw.c lets a worker touch already-freed memory. What it affects, which versions, and how it's fixed.
Read more →Microsoft rated this Excel information-disclosure flaw Critical. Chained with the Copilot agent, it can exfiltrate sensitive data with no user interaction. Fixed in the March 2026 Patch Tuesday.
Read more →March 2026's security rollup patches 79 vulnerabilities across Windows, Office, SQL Server, .NET and Azure, including two disclosed zero-days and four critical Office and Excel flaws.
Read more →A critical flaw in Cisco Catalyst SD-WAN Controller and Manager lets an unauthenticated remote attacker log in as a high-privileged account. Cisco confirms active exploitation tied to UAT-8616.
Read more →A Java deserialization bug in Cisco Secure Firewall Management Center (CVSS 10.0) lets an unauthenticated attacker run code as root. Interlock ransomware used it as a 0-day from January 2026.
Read more →The Linux kernel's smscufx framebuffer driver dereferenced a userspace pointer instead of copying it in first. A local user could corrupt kernel memory and crash the box. Here's who's affected and how to patch.
Read more →On 4 March 2026 Canonical released kernel patches for Ubuntu 25.10 and the 24.04, 22.04, 20.04 and 18.04 LTS branches, fixing CVE-2025-40214 and other flaws.
Read more →Debian patches LXD over a newline injection (CVE-2026-23953, CVSS 8.7) that lets attackers add arbitrary hooks to lxc.conf and run commands as root on the host.
Read more →Broadcom patches an unauthenticated command injection flaw in VMware Aria Operations (CVSS 8.1) that enables RCE during assisted migrations. Exploited in the wild and added to CISA's KEV catalog.
Read more →An unprivileged user can trigger a kernel panic on FreeBSD by exploiting a stack buffer overflow in rtsock_msg_buffer(). Here's who is affected, the severity, and how to patch it.
Read more →Mozilla ships Firefox 148 (MFSA 2026-13) with 45 CVEs, 28 of them high impact, including sandbox escapes and memory bugs that could allow code execution. Update now.
Read more →Ubuntu releases USN-8059-1 with Linux kernel fixes affecting the SMB subsystem. Here is what is fixed, who is affected, and how to update.
Read more →A synchronization flaw in the Linux kernel's in-kernel SMB3 server (ksmbd) allows a use-after-free in multichannel sessions. It affects kernels 6.3 through 6.19.0. We explain the risk, who is affected and how to mitigate it.
Read more →Debian patches dozens of Linux kernel vulnerabilities in trixie with version 6.12.73-1. Risks include privilege escalation, denial of service and information leaks.
Read more →Google ships an emergency fix for a use-after-free in Chrome's CSS engine (CVE-2026-2441), exploited in the wild. What it is, who is affected and how to update.
Read more →Debian releases DSA-6131-1 to fix CVE-2026-1642 in nginx, a race condition that lets an attacker inject plaintext data into responses from proxied upstream TLS servers.
Read more →A memory corruption flaw in dyld, Apple's dynamic linker, allowed code execution and was used in sophisticated attacks. Fixed in iOS, macOS, watchOS, tvOS and visionOS 26.3.
Read more →Ubuntu ships USN-8028-1 for 24.04 LTS: numerous Linux kernel flaws and AMD issues, including CVE-2024-36331 in SEV-SNP. Who is affected and how to update.
Read more →In February 2026 Microsoft patched a security feature bypass in the MSHTML framework (CVE-2026-21513, CVSS 8.8) exploited as a zero-day by the APT28 group through malicious shortcuts and HTML files.
Read more →A security feature bypass in Microsoft Word, exploited as a zero-day, evades OLE and Mark-of-the-Web protections. What it is, who it affects and how to patch it.
Read more →A privilege-escalation flaw in Windows Remote Desktop Services, exploited as a zero-day, lets a local attacker reach SYSTEM by tampering with the registry. What it is, who is affected, and how to mitigate it.
Read more →A bug in FreeBSD 15.0's blocklistd(8) leaks one socket descriptor per event, exhausting resources and letting an attacker disable automatic IP blocking before their attack.
Read more →A critical improper access control vulnerability (CWE-284) in Azure Front Door allows privilege escalation without authentication. Learn who it affects, how severe it is, and what to do.
Read more →Microsoft's February 2026 Patch Tuesday fixes 58 vulnerabilities in Windows, including 6 actively exploited zero-days, 5 critical flaws and new Secure Boot certificates.
Read more →OpenBSD 7.7 and 7.8 ship errata 014 to fix a NULL pointer dereference and an integer overflow in libexpat that can cause denial of service when parsing XML.
Read more →Debian releases DSA-6126-1, a Linux kernel update that resolves over 170 CVEs with risks of privilege escalation, denial of service and information disclosure. Fixed in 6.12.69-1 for Trixie.
Read more →An unauthenticated stack-based buffer overflow in xrdp allows remote code execution (CVSS 9.8). Debian shipped fixes for bookworm and trixie. What's affected and how to mitigate.
Read more →An unauthenticated command injection in BeyondTrust Remote Support and Privileged Remote Access allows remote code execution. Exploited as a zero-day and used in ransomware attacks. What it is, who is affected, and how to mitigate it.
Read more →A critical flaw in SmarterMail's ConnectToHub endpoint allows unauthenticated RCE. Actively exploited by the Storm-2603 group in ransomware attacks. CISA ordered patching.
Read more →An inverted condition in the kernel's nft_map_catchall_activate() leads to a use-after-free that lets an unprivileged user escalate to root. Who is affected, how severe it is, and how to mitigate it.
Read more →An integer underflow in vsock/virtio credit accounting can queue more data than the peer can handle. Affects a wide range of Linux kernel versions. CVSS 5.5.
Read more →A use-after-free flaw in the Linux kernel traffic control teql queueing discipline allows local privilege escalation. Affects 2.6.12 through several stable branches. CVSS 7.8.
Read more →The OpenBSD project published errata 013 for 7.8, fixing a use-after-free in its httpd(8) web server when processing requests with chunked transfer encoding. Available via syspatch.
Read more →ShinyHunters claims the theft of roughly 10 million Match Group user records after compromising Okta SSO credentials through vishing. What leaked and how to protect yourself.
Read more →OpenSSL fixes a flaw in the MAC verification of PBMAC1-protected PKCS#12 files that can cause a stack buffer overflow or denial of service. Affected versions, severity and patches.
Read more →A root user inside a FreeBSD jail with allow.mount.nullfs can escape the chroot and reach the entire host filesystem. Analysis of advisory FreeBSD-SA-26:02.jail.
Read more →A flaw in Xen's tracing code lets an HVM guest in shadow paging mode overrun per-CPU buffers, risking privilege escalation, information disclosure or denial of service on x86.
Read more →A TOCTOU race condition in varstored, the Xapi toolstack component that manages UEFI variables, lets an attacker with kernel-level access inside a VM run code and escalate privileges. Here is who is affected and how to mitigate it.
Read more →An incomplete IBPB during Xen vCPU context switches lets a guest process leak data private to other tasks on the same CPU. It affects x86; ARM is not impacted.
Read more →ISC patches a denial-of-service flaw in BIND 9 (CVSS 7.5) that lets a remote, unauthenticated attacker abort the named daemon with malformed DNS records. What it is, who is affected and how to patch it.
Read more →A new Linux variant of the Qilin (Agenda) ransomware encrypts VMware ESXi, FreeBSD and Linux servers, deleting snapshots and shutting down virtual machines to hinder recovery.
Read more →A critical flaw (CVSS 9.8) in SmarterMail's force-reset-password endpoint lets attackers hijack the system administrator account. Over 6,000 servers were exposed.
Read more →A path traversal flaw in the Gogs file editor allows code execution through symbolic links. CISA added it to its KEV catalog after confirming active exploitation.
Read more →OpenBSD 7.8 errata 012 fixes a NULL pointer dereference and a memory exhaustion in rpki-client that can be triggered by a malicious RPKI CA or Trust Anchor.
Read more →In the January 2026 Patch Tuesday, Microsoft removed the third-party Agere Soft Modem driver from Windows over a previously exploited elevation-of-privilege flaw (CVE-2023-31096). What it is, who is affected, and how to respond.
Read more →Microsoft patched CVE-2026-20805, an information-disclosure flaw in DWM exploited as a zero-day that helps defeat ASLR. Affects Windows 10, 11 and Server.
Read more →Microsoft fixes a use-after-free in LSASS (CVSS 7.5) that allows code execution over the network. Affects Windows 11 24H2/25H2 and Windows Server 2025.
Read more →Critical RCE (CVSS 8.4) in Microsoft Office exploitable just by previewing a malicious document. Who is affected, how severe it is, and how to mitigate it.
Read more →Two critical remote code execution vulnerabilities in Microsoft Excel fixed in the January 2026 Patch Tuesday. What they are, who is affected and how to stay protected.
Read more →Microsoft disclosed CVE-2026-21265, a Secure Boot bypass caused by the expiration of its 2011 UEFI certificates. We explain who it affects, its severity and how to mitigate it.
Read more →The first Patch Tuesday of 2026 fixes 114 vulnerabilities across Windows, Office and Azure, including one actively exploited zero-day and two publicly disclosed.
Read more →MongoBleed lets unauthenticated attackers read MongoDB server memory and steal credentials, keys and tokens. Here is what the flaw is, who it affects and how to mitigate it.
Read more →Ubuntu's USN-7940-2 advisory fixes VMSCAPE, a branch predictor isolation flaw in the Linux kernel that could let a malicious guest expose host information. What it is, who is affected, and how to mitigate it.
Read more →Insufficient policy enforcement in Chrome's WebView component (CVSS 8.8) lets malicious extensions bypass security boundaries. Google fixed it in Chrome 143.
Read more →A use-after-free in WebKit (CVSS 8.8) allows code execution when opening a malicious web page. Apple patched it and CISA set a remediation deadline of January 5, 2026.
Read more →Debian released advisory DSA-6092-1 to fix two flaws in smb4k that can lead to local denial of service or privilege escalation. What it is, who it affects and how to apply the patch.
Read more →
