cve 2026

CVE-2026-7351 is a high-severity Chromium vulnerability disclosed on April 28, 2026, affecting Google Chrome before 147.0.7727.138, where a race condition in MHTML could let a malicious Chrome extension leak cross-origin data after persuading a user to install it. The plain-English version is...

CVE-2026-2708 is a reminder that some of the most consequential web vulnerabilities still begin with a deceptively small parsing decision: what should a server do when an HTTP request contains more than one Content-Length header? The flaw, assigned to libsoup, concerns HTTP/1 request smuggling...

The Linux kernel’s networking stack has a new memory-safety problem on its hands, and this one sits in an especially sensitive place: AF_PACKET fanout teardown. CVE-2026-31504 describes a race in packet_release where a concurrent NETDEV_UP event can re-register a socket into a fanout group after...

CVE-2026-31486 is a useful reminder that some of the most serious Linux kernel bugs are not glamorous memory-corruption exploits but plain old synchronization failures that can still destabilize a system. In this case, the flaw sits in the hwmon pmbus/core path, where regulator voltage...

Microsoft’s April 2026 disclosure of CVE-2026-40372 is a reminder that ASP.NET Core vulnerabilities are not always about flashy remote exploitation; sometimes the danger is a very specific deployment pattern colliding with the wrong binary at runtime. In this case, Microsoft says the flaw...

Microsoft’s latest security disclosure around CVE-2026-33810 is the kind of flaw that sounds narrow on paper but can have outsized consequences in real deployments. According to the update guide entry, the issue is a case-sensitive excludedSubtrees name-constraint bypass in crypto/x509, allowing...

CVE-2026-33416 is a reminder that mature image libraries can still hide dangerous memory-safety bugs in code paths that look deceptively routine. Microsoft’s update guide frames the flaw as a use-after-free in libpng with high availability impact, and the PNG Project says the bug affects...

Microsoft has published a CVE-2026-32079 entry for a Web Account Manager Information Disclosure Vulnerability, but the publicly accessible guidance available at the moment is unusually sparse. The title alone tells us the broad class of bug—information disclosure in Windows’ Web Account Manager...

Microsoft’s CVE-2026-32072 entry for an Active Directory spoofing vulnerability is a reminder that, in Microsoft’s security taxonomy, the label is only part of the story. The more important signal is the confidence metric, which tells defenders how certain Microsoft is that the vulnerability...

User Interface Core vulnerabilities occupy a strange place in Windows security: they are often invisible to most users, but highly consequential for defenders because they can turn a minor local foothold into a full system compromise. CVE-2026-27911, labeled by Microsoft as a Windows User...

Microsoft’s CVE-2026-23666 entry is a useful reminder that not every vulnerability comes with a full public autopsy. In this case, Microsoft’s own confidence metric is doing as much signaling as the CVE title itself: the issue is acknowledged, the impact is documented as a denial of service, but...

Microsoft’s CVE-2026-32212 advisory points to a Universal Plug and Play (upnp.dll) information disclosure vulnerability, and the wording itself matters. Microsoft’s confidence metric is meant to tell defenders how certain the company is that the flaw exists and how credible the technical details...

Microsoft’s CVE-2026-33822 entry for Microsoft Word Information Disclosure Vulnerability is a good example of why vendor metadata matters as much as the CVE label itself. The public record may be sparse on exploit mechanics, but Microsoft’s own framing tells defenders that the issue is real...

CVE-2026-32224 is the kind of Windows Server vulnerability that administrators cannot afford to treat as a theoretical footnote. Microsoft’s Security Update Guide entry identifies it as a Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability, and third-party tracking...

Microsoft’s CVE-2026-32215 entry, labeled a Windows Kernel Information Disclosure Vulnerability, is the kind of advisory that matters less for what it reveals than for what it confirms: the kernel can leak information in a way Microsoft considers credible enough to assign a CVE and track...

Microsoft’s CVE-2026-32188 entry for Microsoft Excel is drawing attention less because of dramatic exploit details and more because of what Microsoft is signaling through its vulnerability metadata. The advisory language indicates an information disclosure issue, but the most important part for...

Microsoft’s Security Response Center has not publicly exposed the full technical detail set for CVE-2026-32167 on the page we can reach without JavaScript, but the advisory’s own framing is already telling: this is an SQL Server elevation-of-privilege vulnerability, and Microsoft’s confidence...

Microsoft has assigned CVE-2026-32160 to a Windows Push Notifications elevation of privilege flaw, and the initial technical description points to a local race condition in the push-notification subsystem. Early public data suggests the bug can be used by an authenticated low-privilege attacker...

Microsoft has not yet published the full technical detail page for CVE-2026-26181 in a way that is directly readable from the public Security Update Guide, but the identifier and product tag already tell an important story: this is a Microsoft Brokering File System elevation-of-privilege issue...

Microsoft’s entry for CVE-2026-26155 is the kind of advisory that looks simple at first glance but carries outsized importance for defenders who rely on Windows identity infrastructure. The issue is labeled a Microsoft Local Security Authority Subsystem Service (LSASS) information disclosure...