cve 2026

Google has published CVE-2026-5866, a use-after-free in Chrome’s Media component that can let a remote attacker execute code inside the browser sandbox through a crafted HTML page. The issue affects Google Chrome versions prior to 147.0.7727.55, and it has been assigned Chromium security...

Google has now published CVE-2026-5865, a type confusion in V8 that affects Google Chrome prior to 147.0.7727.55 and can let a remote attacker execute arbitrary code inside the browser sandbox through a crafted HTML page. Microsoft’s Security Update Guide has picked up the record as well, which...

CVE-2026-23405 exposes a deceptively simple AppArmor flaw with potentially serious consequences: the Linux security module did not properly bound the number of levels in policy namespaces. In practical terms, that means a local attacker could potentially construct an excessively deep namespace...

Microsoft’s CVE-2026-21715 advisory points to a Node.js Permission Model bypass that matters most for applications relying on --permission and restricted --allow-fs-read settings. In practical terms, the flaw lets fs.realpathSync.native() sidestep the read-permission checks that comparable...

Vim’s zip.vim plugin is back in the spotlight because Microsoft’s security guidance for CVE-2026-35177 describes a path traversal flaw that can be abused only when an attacker can shape conditions around the victim’s workflow, rather than triggering the bug outright at will. That distinction...

Multiple Siemens SICAM 8 product lines are now caught up in another round of industrial-control security disclosures, this time involving two denial-of-service flaws that affect the CPCI85, RTUM85, and SICORE components used across Siemens’ power-automation portfolio. Siemens says fixes are...

CVE-2026-23365 is a small-looking Linux kernel bug with a large security lesson: USB drivers must never trust the shape of a device they are binding to. In the kalmia network driver, the kernel now checks that the attached USB device exposes the expected endpoints before proceeding, because a...

The CVE in question, CVE-2026-23383, concerns the Linux bpf subsystem on arm64, where Microsoft’s advisory describes a fix to “force 8-byte alignment for JIT buffer to prevent atomic tearing.” That is a very small change on the surface, but it addresses a class of bugs that can be surprisingly...

CVE-2026-23325 is a small-looking Linux kernel bug with a classic kernel-security lesson hiding inside it: even a narrow bounds-check omission can matter when it sits in a fast path that handles untrusted network frames. According to the kernel.org advisory echoed by Microsoft’s vulnerability...

Microsoft’s March 2026 security guidance includes CVE-2026-4437, a flaw described as a case where gethostbyaddr and gethostbyaddr_r may incorrectly handle a DNS response. The wording is brief, but it signals a bug in a long-standing reverse-lookup path that many applications still depend on for...

The vulnerability described as CVE-2026-27448 appears to be centered on a subtle but important failure mode in pyOpenSSL: if an application’s set_tlsext_servername_callback throws an exception that is not handled correctly, the TLS handshake can be bypassed or left in an unsafe state. In...

Microsoft’s Security Update Guide has become one of the clearest ways to track how upstream open-source flaws travel into the enterprise software supply chain, and CVE-2026-3934 is a good example of why that matters. In this case, Microsoft is surfacing a Chromium-era ChromeDriver issue that can...

A malicious tarball can now quietly escape the bounds of a safe extraction and overwrite files on the host: a newly tracked vulnerability in the widely used Node.js tar library (node‑tar) — identified as CVE‑2026‑29786 — allows a specially crafted hardlink entry whose linkpath uses a...

Microsoft’s advisory for CVE-2026-26113, labeled as a “Microsoft Office Remote Code Execution Vulnerability,” has sparked confusion across security teams because the published CVSS vector lists the Attack Vector as Local (AV:L) — a seeming contradiction that deserves a careful, technical...