macOS ClickFix: a fake CAPTCHA silently mounts a DMG to drop Atomic Stealer
A campaign tricks macOS users into pasting a command into Terminal. It abuses curl and hdiutil to mount a hidden DMG and install the AMOS infostealer.
News, guides and releases from the free software world
Debian shipped DSA-6360-1 to fix four Squid proxy vulnerabilities, among them Squidbleed (CVE-2026-47729), which can leak other users' HTTP headers. What it affects and how to update.
After its deal with CADE, Apple allows alternative app marketplaces and external payments on iOS in Brazil. The changes ship with iOS 26.5 and add Notarization plus safeguards for minors.
Ubuntu fixes several libheif vulnerabilities in advisory USN-8454-1. A crafted HEIF or AVIF image could cause denial of service or code execution. Here's who is affected and how to update.
A malicious MediaTek 5G modem can read up to 262140 bytes of kernel memory through the t7xx driver. What it affects, severity, and how to patch.
Mishandling of large headers in nginx's proxy_v2 and gRPC modules can restart the worker and, without ASLR, lead to code execution. F5 fixes it in 1.31.2 and 1.30.3; Ubuntu ships USN-8458-1.
A use-after-free in NGINX's HTTP/3 module lets an unauthenticated remote attacker crash worker processes, and on systems without ASLR potentially run code. It affects 1.31.0 and 1.31.1; fixed in 1.31.2.
MATE's Atril document viewer carried a command injection (CVE-2026-46529) allowing one-click code execution. Debian fixed it in Trixie and Bookworm.
Oracle's April 2026 Critical Patch Update included CVE-2026-35248, a Core flaw in VirtualBox 7.2.6 rated CVSS 5.0. The current 7.2.10 branch already sits above the affected release.
Kernel 7.1 extends Landlock to UNIX sockets, turns on Intel FRED by default, and ships two networking changes (IPv6 and UDP-Lite) that can break custom kernel builds.
A bounds-checking flaw in virtio_blk_handle_scsi lets a VM with CAP_SYS_ADMIN corrupt the heap and take down the host QEMU process. CVSS 8.2. Update to QEMU 9.2.1.
An OWA XSS lets attackers run JavaScript just by getting a user to open an email in the browser. Microsoft had already mitigated it in May, and CISA listed it as actively exploited.
Hyunwoo Kim disclosed ITScape, a use-after-free in KVM/arm64's vGIC-ITS cache that lets a guest VM run code as root on the host. What it is, who it affects, and how to patch it.
Microsoft fixed a CVSS 9.8 flaw in the Windows DHCP Client Service in June 2026 that could allow remote code execution. It affects every Windows system with a DHCP client.
A malformed S/MIME message can free a BIO the application still owns during PKCS7_verify(). It affects OpenSSL 1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6 and 4.0.
A flaw in the HTTP.sys kernel driver allows unauthenticated RCE through oversized HTTP requests. It hits IIS, WinRM and WCF, but only if you raised MaxRequestBytes.
A resource-consumption flaw in Windows' HTTP/2 implementation lets a remote attacker cause denial of service by sending very little data. CVSS 7.5, fixed in the June 2026 Patch Tuesday.
A flaw in the KTLS receive path lets an unprivileged user overwrite arbitrary files over loopback. Affected versions, the June 9, 2026 patch, and the mitigation.
An unprivileged local user could inject a library with LD_PRELOAD into a setuid Linux binary running under FreeBSD's Linuxulator and inherit its privileges. What breaks, who is affected, and how to patch.
A hardware flaw in Cortex-A, Neoverse and Ampere processors lets software write to memory after page permissions are revoked. FreeBSD ships a kernel mitigation for its 14.x and 15.x branches.
Microsoft patches three Hyper-V remote code execution bugs that let an attacker escape a guest VM and run code on the host server, plus a host memory leak.
Microsoft fixes 198 vulnerabilities in June 2026, its biggest bulletin to date, with 32 critical flaws, three zero-days and a CVSS 9.8 RCE in the Windows kernel.
Xen released four advisories on 9 June 2026. XSA-494 (CVE-2026-42488) allows memory corruption, privilege escalation and host crash; XSA-491 (CVE-2026-42487) lets a device model crash the hypervisor.
At WWDC26 Apple announced child accounts that are mandatory for kids under 13, expanded Communication Safety, Ask to Browse, and per-category time limits across iOS 27, iPadOS 27, and macOS 27.
Google patched an out-of-bounds read/write in V8 in Chrome 149.0.7827.103 with an exploit in the wild. What's affected, severity, and how to update.
Debian fixes authorization bypass, privilege escalation and user impersonation bugs in Keystone for Bookworm and Trixie. Here's what to update.
Red Hat patches CVE-2026-37457 and CVE-2026-37459 in FRRouting: two ways to crash the bgpd daemon with a crafted BGP UPDATE. Update to FRR 10.4.4 on RHEL 10.
Red Hat fixes a denial of service in the PostgreSQL JDBC driver on RHEL 10. A hostile server forces a runaway PBKDF2 computation during SCRAM-SHA-256 authentication. CVSS 7.5.
Broadcom patches three stored XSS flaws (CVE-2026-41722, 41723 and 41724), CVSS 8.0, in VMware Cloud Foundation Operations. No workaround: you have to update.
CVE-2026-46243 lets an unprivileged user open a root shell by abusing the CIFS module's SPNEGO upcall. Red Hat, Ubuntu, Debian, SUSE, Oracle Linux and Amazon Linux are affected.
The HTTP/2 Bomb pairs HPACK compression with flow control to exhaust the RAM of nginx, Apache, IIS, Envoy and Pingora. Affected versions, impact and patches.
OpenBSD 7.8 errata 037 fixes multiple vulnerabilities in the X server's dri2, sync, saver and Xkb extensions. What it affects and how to apply the patch.
A race condition in the Linux kernel's tls_sk_proto_close() lets one thread close a TLS socket while another changes options, triggering a use-after-free. Disclosed on oss-security, 2 June 2026.
Google patches over a hundred Android vulnerabilities. CVE-2025-48595, a Framework privilege escalation, may already be under targeted exploitation.
A stack-based buffer overflow in the Windows Server Netlogon service lets an unauthenticated remote attacker run code on a domain controller. What it is, who it affects and how to protect yourself.
A double free in the error path of Btrfs create_space_info() can corrupt kernel memory. Here is who it affects, how serious it is, and how to patch it.
Ubuntu ships USN-8306-1 patching six Samba vulnerabilities, including two that allow arbitrary code execution in the SAMR server and the printing subsystem.
Google shipped Chrome 148.0.7778.178 to close a critical WebRTC use-after-free affecting Linux that runs code just from visiting a web page.
Eight PHP packages on Packagist, including devdojo/wave and devdojo/genesis, ran a Linux binary pulled from GitHub. Separately, hundreds of laravel-lang versions were republished with a credential stealer after a GitHub token leaked.
The setcred(2) syscall copied the supplementary group list into a fixed-size kernel stack buffer without checking its length, letting an unprivileged local user run code in the kernel and escalate to root on FreeBSD 14.3, 14.4 and 15.0.
Poor parameter validation in ptrace(PT_SC_REMOTE) let an unprivileged local user run code in the FreeBSD kernel. There is no workaround: you have to patch.
A logic bug in libcap_net treated an omitted restriction as 'allow any', so an application inside a Capsicum sandbox could gain network permissions instead of losing them. What breaks, who is affected, and how to patch.
Mozilla ships Firefox 151 with 27 fixes, including an Android sandbox escape, a use-after-free in DOM Bindings, and a same-origin bypass. Update now.
A logic flaw in the Linux kernel ptrace subsystem lets an unprivileged local user steal SSH host keys and password hashes. It has been there since 2016, and patches are out for Debian, Ubuntu, Fedora, SUSE, AlmaLinux and CloudLinux.
skb_try_coalesce() drops the SKBFL_SHARED_FRAG marker and lets an unprivileged user write over page-cache pages to get root. AlmaLinux already shipped patched kernels.
A heap overflow in ngx_http_rewrite_module with a CVSS of 9.2 leaves NGINX open to remote code execution. Red Hat already ships a fix for RHEL 9 in RHSA-2026:18029. What it is, who it affects and how to mitigate it.
Microsoft patched a Windows GDI heap overflow in May 2026 that lets an attacker run code when a crafted Enhanced Metafile is opened in Microsoft Paint. What it is, who it affects, and how to mitigate.
Microsoft patched four Word RCE vulnerabilities (CVSS 8.4) in May 2026. The Preview Pane is an attack vector and two of them are rated more likely to be exploited.
Microsoft patched CVE-2026-41096, a critical flaw in the Windows DNS Client that allows remote code execution through a specially crafted DNS response. It was fixed in the May 2026 Patch Tuesday.
A flawed SAML check in the Microsoft SSO Plugin for Jira and Confluence (CVSS 9.1) lets an unauthenticated attacker forge identities and log in as anyone. Affected versions and the fix.
A use-after-free during TLS shutdown in GnuTLS builds of Exim allows unauthenticated remote code execution when handling SMTP with BDAT. Affects Exim 4.97 to 4.99.2, fixed in 4.99.3.
Microsoft closes around 120 vulnerabilities in its May 2026 release, 17 of them critical, with no known zero-days at launch. Here's what got fixed and why you should patch now.
Apple ships iOS 26.5 and iPadOS 26.5 with over 90 security patches. CVE-2026-28951 is a kernel authorization flaw that could let an app gain root privileges.
Apple ships macOS Tahoe 26.5 with patches across more than twenty subsystems. CVE-2026-28954 lets a malicious disk image slip past Gatekeeper, and two kernel flaws allow tampering with privileged memory.
A write-what-where condition in ESP plus a privilege escalation flaw in RxRPC let an unprivileged local user reach root. Public PoCs exist and no universal patch shipped on 8 May 2026.
A flaw in the Linux kernel's memory management leaves stale pointers in page->private, opening the door to memory corruption or privilege escalation. It affects 5.18 onward and matters most for WSL2 and containers. What it is, who it hits, and how to patch it.
USN-8245-1 fixes EntrySign (CVE-2024-36347), the microcode signature flaw in AMD Zen processors, along with more than a hundred kernel vulnerabilities. Here's who's affected and how to update.
Red Hat ships an Important kernel update for RHEL 8 that fixes six CVEs, including a KVM privilege escalation and a heap overflow in the NFSv4.0 LOCK replay cache.
A critical authentication bypass in cPanel/WHM lets attackers take over the panel with no credentials. It landed in CISA's KEV catalog and was exploited at scale to encrypt sites with the .sorry extension.
Faulty packet validation in pf allows unbounded recursion when parsing SCTP chunks, leading to a kernel panic. FreeBSD 13.5, 14.3, 14.4 and 15.0 are affected. Here's how to fix it.
An operator precedence bug in the FreeBSD kernel lets an unprivileged account escalate to superuser. Fixed on 29 April 2026 in FreeBSD-SA-26:13.exec.
A 15-year-old OpenSSH flaw let a certificate with a 'deploy,root' principal bypass access control and authenticate as root. Fixed in OpenSSH 10.3.
Qualys found 11 CVEs in the Linux kernel AppArmor module. An unprivileged local user could load, replace or remove profiles, escalate to root, or escape a container. Ubuntu fixed it in USN-8201-1.
A regression in .NET 10.0.6 made ASP.NET Core Data Protection validate its HMAC over the wrong bytes. The result: forgeable auth cookies and escalation to SYSTEM. Microsoft shipped 10.0.7 out of band.
OpenBSD 7.7 and 7.8 patch an out-of-bounds read in libXpm triggered by crafted XPM files. What it affects, how serious it is, and how to apply the fix.
Update SUSE-SU-2026:1369-1 fixes two DNS resolution issues in glibc: a crafted server response that confuses the resolver and an invalid hostname returned by gethostbyaddr. Affected versions, severity and how to patch.
Microsoft patched a SharePoint zero-day (CVE-2026-32201) in April 2026 that was already under attack: an unauthenticated attacker can view sensitive data and alter information. What it affects and how to stay protected.
A double free in the Windows IKE extension (CVSS 9.8) allows unauthenticated remote code execution and is wormable. What it is, who it affects, and how to protect yourself.
An elevation-of-privilege bug in the Microsoft Defender antimalware platform, dubbed BlueHammer, lets an unprivileged user run code as SYSTEM on Windows 10 and 11.
A synchronization flaw in the Windows TCP/IP stack allows remote, unauthenticated code execution with no user interaction when IPv6 and IPSec are both enabled. CVSS 8.1, patched in the April 2026 Patch Tuesday.
April 2026's update patches 167 vulnerabilities across Windows, Office, SharePoint and Defender, with eight critical bugs and two zero-days: a SharePoint flaw under active attack and a Defender bug disclosed before the patch.
Red Hat updates the rhc client on RHEL 8 over an Important flaw: incorrect parsing of IPv6 host literals in net/url can mishandle URLs while connecting to Red Hat managed services.
Linus Torvalds released kernel 7.0 on 12 April 2026. Here are the changes that matter for security and robustness: Intel TSX auto mode and online XFS self-repair.
A prototype pollution bug in Acrobat Reader's JavaScript engine runs code when you open a malicious PDF. CISA added it to the KEV catalog and Adobe pushed an out-of-band patch.
Debian fixes CVE-2026-3497, a flaw in its GSSAPI Key Exchange patch for OpenSSH that a remote attacker can use to crash SSH processes or, in the worst case, run code.
A look at Apple's April 2026 security updates: macOS Tahoe 26.4.1, iOS/iPadOS 26.4.1, 26.4.2 and 18.7.8, none of them with published CVE entries.
The 7 April 2026 OpenSSL update patches CVE-2026-28387 (DANE use-after-free) and CVE-2026-28386 (out-of-bounds read in AES-CFB128). Who is affected and how to update.
Mozilla ships Firefox 149.0.2 to fix several high-impact memory-safety bugs, some with signs of memory corruption. If you run Firefox or Thunderbird, update now.
A flaw in the Linux kernel DVB subsystem reads a function pointer past the end of a table and can invoke it. Present since 2.6.12. What happens and how to stay safe.
A flaw in the Linux kernel's SCTP connection tracking lets a local user read kernel memory because of missing netlink validation. CVSS 7.1. Who is affected and which versions fix it.
A race in sco_recv_frame() frees the socket too early and opens the door to a use-after-free in the kernel's Bluetooth code. CVSS 8.8. Here's what it affects and how to patch it.
OpenBSD 7.8 errata 027 fixes flaws in iked, the daemon that negotiates IPsec tunnels. A crafted packet could read out-of-bounds memory or crash the service.
A stack overflow in RPCSEC_GSS packet validation lets a malicious client run code with kernel privileges on FreeBSD NFS servers, no authentication required. Affected versions, impact and the March 26, 2026 patches.
macOS Tahoe 26.4 patches CVE-2026-20698, a kernel memory-handling bug that let an app crash the system or corrupt kernel memory.
Apple patches over 70 flaws in macOS Tahoe 26.4. The worst lets an app gain root through PackageKit. What it affects and how to update.
Mozilla ships Firefox 149 with 34 fixes, 17 rated high. Among them a WebRender use-after-free and several memory bugs showing evidence of exploitable corruption.
A memory overread in NetScaler ADC and Gateway configured as a SAML IdP leaks session tokens. Exploitation is already active and CISA has set a patch deadline.
An optimization in the kernel's AF_ALG crypto module lets a local user write 4 bytes into any cached file and become root. Nearly every distribution is affected.
Google ships Chrome 146.0.7680.164/165 with patches for a heap buffer overflow in WebGL and a use-after-free in Dawn, both reachable through a crafted web page.
OpenBSD 7.8 errata 024 fixes CVE-2026-32776, 32777 and 32778 in libexpat, which let malformed XML hang or crash applications that rely on the library.
A critical flaw (CVSS 9.1) makes servlet apps using Spring Security lose headers like Content-Security-Policy and Strict-Transport-Security without warning. Affected versions and fix.
A flaw in net/sched/act_gate.c let a local user trigger inconsistent kernel memory access when the gate action was replaced while a timer or dump walked the schedule list. CVSS 7.8.
Apple uses Background Security Improvements for the first time to fix CVE-2026-20643, a WebKit Navigation API bug that bypassed the same-origin policy on iOS and macOS.
Qualys reveals CrackArmor, a set of confused-deputy vulnerabilities in AppArmor present since 2017 that let a local user reach root, leak kernel memory and break container isolation on Ubuntu, Debian and SUSE.
Canonical split the CrackArmor fixes across three packages: kernel, sudo and util-linux. What each one patches, and why you need all three.
Debian ships DSA-6162-1 and fixes the CrackArmor AppArmor vulnerabilities found by Qualys in trixie. They allow local privilege escalation to root. Fixed version: 6.12.74-2.
Debian ships a Linux kernel update for Debian 12 Bookworm bundling 49 flaws, including the AppArmor bugs found by Qualys. Fixed version: 6.1.164-1.
Microsoft fixed an improper access control flaw in SQL Server in March 2026 that lets an authenticated user escalate to sysadmin over the database. CVSS 8.8.
A race condition in net/tls/tls_sw.c lets a worker touch already-freed memory. What it affects, which versions, and how it's fixed.
Microsoft rated this Excel information-disclosure flaw Critical. Chained with the Copilot agent, it can exfiltrate sensitive data with no user interaction. Fixed in the March 2026 Patch Tuesday.
March 2026's security rollup patches 79 vulnerabilities across Windows, Office, SQL Server, .NET and Azure, including two disclosed zero-days and four critical Office and Excel flaws.
A critical flaw in Cisco Catalyst SD-WAN Controller and Manager lets an unauthenticated remote attacker log in as a high-privileged account. Cisco confirms active exploitation tied to UAT-8616.
A Java deserialization bug in Cisco Secure Firewall Management Center (CVSS 10.0) lets an unauthenticated attacker run code as root. Interlock ransomware used it as a 0-day from January 2026.
The Linux kernel's smscufx framebuffer driver dereferenced a userspace pointer instead of copying it in first. A local user could corrupt kernel memory and crash the box. Here's who's affected and how to patch.
On 4 March 2026 Canonical released kernel patches for Ubuntu 25.10 and the 24.04, 22.04, 20.04 and 18.04 LTS branches, fixing CVE-2025-40214 and other flaws.
Debian patches LXD over a newline injection (CVE-2026-23953, CVSS 8.7) that lets attackers add arbitrary hooks to lxc.conf and run commands as root on the host.
Broadcom patches an unauthenticated command injection flaw in VMware Aria Operations (CVSS 8.1) that enables RCE during assisted migrations. Exploited in the wild and added to CISA's KEV catalog.
An unprivileged user can trigger a kernel panic on FreeBSD by exploiting a stack buffer overflow in rtsock_msg_buffer(). Here's who is affected, the severity, and how to patch it.
Mozilla ships Firefox 148 (MFSA 2026-13) with 45 CVEs, 28 of them high impact, including sandbox escapes and memory bugs that could allow code execution. Update now.
Ubuntu releases USN-8059-1 with Linux kernel fixes affecting the SMB subsystem. Here is what is fixed, who is affected, and how to update.
A synchronization flaw in the Linux kernel's in-kernel SMB3 server (ksmbd) allows a use-after-free in multichannel sessions. It affects kernels 6.3 through 6.19.0. We explain the risk, who is affected and how to mitigate it.
Debian patches dozens of Linux kernel vulnerabilities in trixie with version 6.12.73-1. Risks include privilege escalation, denial of service and information leaks.
Google ships an emergency fix for a use-after-free in Chrome's CSS engine (CVE-2026-2441), exploited in the wild. What it is, who is affected and how to update.
Debian releases DSA-6131-1 to fix CVE-2026-1642 in nginx, a race condition that lets an attacker inject plaintext data into responses from proxied upstream TLS servers.
A memory corruption flaw in dyld, Apple's dynamic linker, allowed code execution and was used in sophisticated attacks. Fixed in iOS, macOS, watchOS, tvOS and visionOS 26.3.
Ubuntu ships USN-8028-1 for 24.04 LTS: numerous Linux kernel flaws and AMD issues, including CVE-2024-36331 in SEV-SNP. Who is affected and how to update.
In February 2026 Microsoft patched a security feature bypass in the MSHTML framework (CVE-2026-21513, CVSS 8.8) exploited as a zero-day by the APT28 group through malicious shortcuts and HTML files.
A security feature bypass in Microsoft Word, exploited as a zero-day, evades OLE and Mark-of-the-Web protections. What it is, who it affects and how to patch it.
A privilege-escalation flaw in Windows Remote Desktop Services, exploited as a zero-day, lets a local attacker reach SYSTEM by tampering with the registry. What it is, who is affected, and how to mitigate it.
A bug in FreeBSD 15.0's blocklistd(8) leaks one socket descriptor per event, exhausting resources and letting an attacker disable automatic IP blocking before their attack.
A critical improper access control vulnerability (CWE-284) in Azure Front Door allows privilege escalation without authentication. Learn who it affects, how severe it is, and what to do.
Microsoft's February 2026 Patch Tuesday fixes 58 vulnerabilities in Windows, including 6 actively exploited zero-days, 5 critical flaws and new Secure Boot certificates.
OpenBSD 7.7 and 7.8 ship errata 014 to fix a NULL pointer dereference and an integer overflow in libexpat that can cause denial of service when parsing XML.
Debian releases DSA-6126-1, a Linux kernel update that resolves over 170 CVEs with risks of privilege escalation, denial of service and information disclosure. Fixed in 6.12.69-1 for Trixie.
An unauthenticated stack-based buffer overflow in xrdp allows remote code execution (CVSS 9.8). Debian shipped fixes for bookworm and trixie. What's affected and how to mitigate.
An unauthenticated command injection in BeyondTrust Remote Support and Privileged Remote Access allows remote code execution. Exploited as a zero-day and used in ransomware attacks. What it is, who is affected, and how to mitigate it.
A critical flaw in SmarterMail's ConnectToHub endpoint allows unauthenticated RCE. Actively exploited by the Storm-2603 group in ransomware attacks. CISA ordered patching.
An inverted condition in the kernel's nft_map_catchall_activate() leads to a use-after-free that lets an unprivileged user escalate to root. Who is affected, how severe it is, and how to mitigate it.
An integer underflow in vsock/virtio credit accounting can queue more data than the peer can handle. Affects a wide range of Linux kernel versions. CVSS 5.5.
A use-after-free flaw in the Linux kernel traffic control teql queueing discipline allows local privilege escalation. Affects 2.6.12 through several stable branches. CVSS 7.8.
The OpenBSD project published errata 013 for 7.8, fixing a use-after-free in its httpd(8) web server when processing requests with chunked transfer encoding. Available via syspatch.
ShinyHunters claims the theft of roughly 10 million Match Group user records after compromising Okta SSO credentials through vishing. What leaked and how to protect yourself.
OpenSSL fixes a flaw in the MAC verification of PBMAC1-protected PKCS#12 files that can cause a stack buffer overflow or denial of service. Affected versions, severity and patches.
A root user inside a FreeBSD jail with allow.mount.nullfs can escape the chroot and reach the entire host filesystem. Analysis of advisory FreeBSD-SA-26:02.jail.
A flaw in Xen's tracing code lets an HVM guest in shadow paging mode overrun per-CPU buffers, risking privilege escalation, information disclosure or denial of service on x86.
A TOCTOU race condition in varstored, the Xapi toolstack component that manages UEFI variables, lets an attacker with kernel-level access inside a VM run code and escalate privileges. Here is who is affected and how to mitigate it.
An incomplete IBPB during Xen vCPU context switches lets a guest process leak data private to other tasks on the same CPU. It affects x86; ARM is not impacted.
ISC patches a denial-of-service flaw in BIND 9 (CVSS 7.5) that lets a remote, unauthenticated attacker abort the named daemon with malformed DNS records. What it is, who is affected and how to patch it.
A new Linux variant of the Qilin (Agenda) ransomware encrypts VMware ESXi, FreeBSD and Linux servers, deleting snapshots and shutting down virtual machines to hinder recovery.
A critical flaw (CVSS 9.8) in SmarterMail's force-reset-password endpoint lets attackers hijack the system administrator account. Over 6,000 servers were exposed.
A path traversal flaw in the Gogs file editor allows code execution through symbolic links. CISA added it to its KEV catalog after confirming active exploitation.
OpenBSD 7.8 errata 012 fixes a NULL pointer dereference and a memory exhaustion in rpki-client that can be triggered by a malicious RPKI CA or Trust Anchor.
In the January 2026 Patch Tuesday, Microsoft removed the third-party Agere Soft Modem driver from Windows over a previously exploited elevation-of-privilege flaw (CVE-2023-31096). What it is, who is affected, and how to respond.
Microsoft patched CVE-2026-20805, an information-disclosure flaw in DWM exploited as a zero-day that helps defeat ASLR. Affects Windows 10, 11 and Server.
Microsoft fixes a use-after-free in LSASS (CVSS 7.5) that allows code execution over the network. Affects Windows 11 24H2/25H2 and Windows Server 2025.
Critical RCE (CVSS 8.4) in Microsoft Office exploitable just by previewing a malicious document. Who is affected, how severe it is, and how to mitigate it.
Two critical remote code execution vulnerabilities in Microsoft Excel fixed in the January 2026 Patch Tuesday. What they are, who is affected and how to stay protected.
Microsoft disclosed CVE-2026-21265, a Secure Boot bypass caused by the expiration of its 2011 UEFI certificates. We explain who it affects, its severity and how to mitigate it.
The first Patch Tuesday of 2026 fixes 114 vulnerabilities across Windows, Office and Azure, including one actively exploited zero-day and two publicly disclosed.
MongoBleed lets unauthenticated attackers read MongoDB server memory and steal credentials, keys and tokens. Here is what the flaw is, who it affects and how to mitigate it.
Ubuntu's USN-7940-2 advisory fixes VMSCAPE, a branch predictor isolation flaw in the Linux kernel that could let a malicious guest expose host information. What it is, who is affected, and how to mitigate it.
Insufficient policy enforcement in Chrome's WebView component (CVSS 8.8) lets malicious extensions bypass security boundaries. Google fixed it in Chrome 143.
A use-after-free in WebKit (CVSS 8.8) allows code execution when opening a malicious web page. Apple patched it and CISA set a remediation deadline of January 5, 2026.
Debian released advisory DSA-6092-1 to fix two flaws in smb4k that can lead to local denial of service or privilege escalation. What it is, who it affects and how to apply the patch.