Articles tagged Security
BRIEF: CVE-2026-23111 is a Linux nf_tables privilege escalation, CVSS 7.8. A full working exploit dropped June 8. Patches available since February — if you haven't applied them yet, now is the deadline.
BRIEF: CVE-2026-46243 (CIFSwitch) is a Linux kernel LPE in the CIFS client, CVSS 7.8. Public PoC available since 27 May 2026. Patches are out -- patch and reboot.
BRIEF: Traefik v3.7.4 (5 June 2026) fixes six bugs: axios security bump, Redis write-timeout, BackendTLSPolicy for Kubernetes Gateway API, and a TLS SNI keepalive bug.
BRIEF: Grafana 13.0.2 shipped June 2 with seven security-only fixes. The path traversals in Loki and Tempo are the most critical -- upgrade if you run 13.0.0 or 13.0.1.
BRIEF: CVE-2026-28318: unauthenticated POST crashes SolarWinds Serv-U. CVSS 7.5, CISA KEV listed June 5, deadline June 19. Apply Serv-U 15.5.4 Hotfix 1.
BRIEF: Vault 2.0.2 removes cap_ipc_lock from the binary at build time, reversing a change made in 2.0.1. Without action, vault mlock container workloads can no longer pin secrets in memory -- check your securityContext and Helm values before upgrading.
BRIEF: CVE-2026-45247 Mirasvit Magento RCE via PHP deserialization in the Cache Warmer extension. CVSS 9.8. Active exploitation confirmed. Patch to 1.11.12.
BRIEF: CVE-2026-20230 affects Cisco Unified CM WebDialer. SSRF leads to arbitrary file write and root privilege escalation. Advisory published June 3, PoC confirmed.
BRIEF: CVE-2022-0492 is a logic bug in Linux cgroups v1 that lets a local attacker escape a container and get root on the host. CISA added it to KEV on June 2, 2026. Active exploitation is confirmed.
BRIEF: Docker Engine 29.5.3 patches CVE-2026-46680 via containerd 2.2.4 -- a flaw where containers with oversized USER IDs silently run as root despite runAsNonRoot: true.
BRIEF: CVE-2026-9256 (Poolslip) is a heap buffer overflow in NGINX's rewrite module affecting versions 0.1.17 through 1.31.0. Patching for Rift in May left you exposed. You need 1.30.2 or 1.31.1.
BRIEF: Google's June 2026 Android Security Bulletin includes CVE-2025-48595, an integer overflow in Framework that enables local privilege escalation. Google confirms active targeted exploitation. CISA added it to KEV on June 2 with a federal remediation deadline of June 5.
BRIEF: Seven kernel branches shipped June 1. Three security fixes land in 7.0.11 — TCP ISN leak, tap stack leak, and a keyring race. Dirty Frag is now half-patched: CVE-2026-43500 fixed, CVE-2026-43284 still open upstream.
BRIEF: OpenTofu 1.12.1 patches multiple SSH vulnerabilities in the underlying golang.org/x/crypto library, including hangs, panics, and a cert revocation bypass. All v1.12.0 users should upgrade.
BRIEF: Prometheus 3.12.0 (released May 28) patches two security issues: STACKIT service discovery exposed credentials in plaintext via the config endpoint, and remote write receivers had no limit on snappy decompression size.
DEEP DIVE: Wazuh 5.0 is not a standard upgrade. The manager cannot be upgraded in-place from any 4.x version -- you are doing a clean install. This checklist covers the full migration: agent inventory, manager rebuild, config migration, and post-migration verification.
BRIEF: PAN-OS GlobalProtect has an authentication bypass via forged override cookies. Exploitation confirmed since May 17. Patch or disable the feature now.
BRIEF: The 23 May batch release patched a UDP/IPsec corruption bug, a ptrace vulnerability, and the Copy Fail LPE across all active LTS branches.
BRIEF: OpenSSH 10.3 patches five CVEs including a privilege escalation via legacy scp. Juniper confirmed Junos OS and Junos Evolved are affected.
DEEP DIVE: Azure Linux 4.0 is Microsoft's first Fedora-based general-purpose server distro, released into public preview on Azure VMs. Here's what it means for teams running Linux in production — and why Microsoft now wants to own the OS layer, not just host it.
DEEP DIVE: CVE-2026-31431 lets any local user escalate to root on Linux 4.14+ via a logic flaw in the AF_ALG crypto socket interface. A 732-byte Python script works every time, on every major distro. Here is how to check your exposure and apply the fix.
HOT TAKE: GitHub banned Nightmare-Eclipse for publishing six unpatched Windows zero-days without coordination. The security community is angry. I think GitHub made the right call — and the debate we should be having is different from the one we are having.
DEEP DIVE: IBM and Red Hat launched Project Lightwell backed by $5B and Anthropic's Mythos AI model, which flagged 23,000 potential vulnerabilities across 1,000+ open source projects. Here's what the numbers actually mean and what to do before the disclosures land.
HOT TAKE: PromptArmor achieved 5/5 file exfiltration from M365 tenants via Copilot Cowork with no CVE assigned — because the flaw is in the architecture, not the code.
HOT TAKE: CVE-2026-9256: buffer overflow in the nginx rewrite module affects all versions to 1.31.0. Fixed in 1.30.2 stable and 1.31.1 mainline. Apply now.
HOT TAKE: shell-quote 1.8.4 fixes CVE-2026-9277 (CVSS 8.1): a newline in a .op token bypasses escaping because JavaScript's /(.)/g does not match line terminators.
HOT TAKE: CVE-2026-33555: HAProxy HTTP/3 parser skips body size validation on stream close. One zero-byte QUIC DATA frame enables request smuggling. Patch via DSA-6291.
HOT TAKE: HPLIP 3.26.4 patches CVE-2026-8631 (CVSS 9.3): unauthenticated remote command injection via the HP printer driver daemon. No interaction required — update now.
HOT TAKE: OpenVPN 2.6.14 patches two unauthenticated CVEs: a DoS via malformed packet and a handshake data leak. Debian DSA-6289-1 covers Bookworm and Trixie.
HOT TAKE: CVE-2026-45434 (CVSS 9.8) in Apache OFBiz chains auth bypass to Groovy RCE. Default password 'ofbiz' ships on 10+ demo accounts. Fixed in 24.09.06.
HOT TAKE: CVE-2026-46633 in Twig lets a single quote in a template name inject arbitrary PHP into the cache file. Twig sandbox does not block it. Fixed in Twig 3.26.0.
HOT TAKE: BIND 9 patches six CVEs on May 20. CVE-2026-5950 lets unauthenticated remote attackers exhaust resolver memory. Update to 9.18.49, 9.20.23, or 9.21.22.
HOT TAKE: rsync 3.4.3 fixes six CVEs released May 20. CVE-2026-43618 (CVSS 8.1) leaks client memory from any pull against a malicious server -- no daemon config required.
HOT TAKE: Evince and Atril have an argument injection bug in ev_spawn(). Opening a crafted PDF on GNOME or MATE runs arbitrary code. No patch — avoid untrusted PDFs.
HOT TAKE: CVE-2026-46680 patched across all four active containerd branches on May 20. Pick up 2.3.1, 2.2.4, 2.0.9, or 1.7.32 depending on which branch you run.
BRIEF: CVE-2026-20182: CVSS 10.0 auth bypass in Cisco SD-WAN, exploited by UAT-8616. No credentials needed. Patch now and audit SSH authorized_keys for backdoors.
GUIDE: How to lock down your Wazuh cluster in 2026 after CVE-2026-25769 and CVE-2026-30893 — five concrete hardening steps for production deployments.
HOT TAKE: Over 160 npm packages were backdoored with valid SLSA Build Level 3 attestations. The trust model for GitHub Actions is broken -- here is what to fix.
BRIEF: Day 2 of Pwn2Own Berlin 2026 yielded 15 zero-days and $385,750 in prizes. Exchange fell to a three-bug RCE chain. Cursor AI and OpenAI Codex were exploited too.
DEEP DIVE: Google Project Zero built a zero-click root exploit for Pixel 10 in under a day. Arbitrary kernel read/write in 5 lines. 71 days to patch.
DEEP DIVE: Researchers at Calif published the first public kernel exploit for macOS on M5 hardware that survives Apple's Memory Integrity Enforcement — a data-only LPE chain completed in five days.
BRIEF: CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module, present since 2008. Unauthenticated remote attackers can crash worker processes or achieve RCE. Patch now.
BRIEF: CVE-2026-45585 (YellowKey) gives an attacker shell access to a BitLocker volume using physical access and a USB drive. PoC is public, no patch exists. Enable TPM+PIN to block it.
BRIEF: CloakBrowser patches 49–57 Chromium fingerprinting vectors at the C++ level, not via JS. Bot detectors that assume JS-layer stealth are looking in the wrong place.
DEEP DIVE: CVE-2026-7482 'Bleeding Llama' in Ollama leaks heap memory (API keys, env vars, chat history) to unauthenticated attackers. Patched in 0.17.1.
BRIEF: Debian 14 is the first distro to hard-gate on reproducible builds. 414 packages are currently blocked from testing. What this means for maintainers and downstream users.
BRIEF: 12 CVEs in vm2 disclosed May 7, 2026 — CVSS 9.1-10.0, all sandbox escapes. Patched in 3.11.2. If you run untrusted code under vm2, update today.
BRIEF: CVE-2026-41940 is a critical cPanel/WHM auth bypass via CRLF injection. CVSS 9.8. Shadowserver counted 44,000 compromised IPs by April 30. Patch now.
HOT TAKE: ingress-nginx went EOL in March 2026. No security patches, no CVE fixes. 50% of Kubernetes clusters still run it. Time to move to Gateway API.
BRIEF: OpenClaw connects your AI model to 50+ messaging channels. The core gateway works. The plugin ecosystem has a 20% malicious skill rate and two active CVEs.
BRIEF: CVE-2026-31431 (Copy Fail) is a Linux kernel LPE, CVSS 7.8. Working PoC is public. CISA KEV. Patches out for Ubuntu, Debian, AlmaLinux, and RHEL.
BRIEF: Trivy 0.70.0 is the first release after the March supply chain incident. New features landed, but the rotated GPG key for deb/rpm will silently break CI.
BRIEF: Traefik 3.6.14 patches five CVEs. The critical one: CVE-2026-40912 bypasses ForwardAuth, BasicAuth, and DigestAuth via percent-encoded paths. Upgrade now.
BRIEF: Wazuh 4.14.5 hid five security advisories in routine release notes. One is a pre-auth stack overflow on port 1514. Upgrade today — a PoC lands in late July.
BRIEF: Wazuh 5.0 beta rewrites agent state handling and replaces Filebeat with a native indexer connector. 4.x agents need upgrading before they reconnect. What changes, what breaks, and when stable lands.