cve 2026

Microsoft has assigned CVE-2026-20945 to a SharePoint Server spoofing vulnerability, and the public wording signals a familiar Microsoft pattern: the issue is considered real enough to publish in the Security Update Guide, but the company is keeping the technical root-cause detail intentionally...

Microsoft’s CVE-2026-25250 entry is drawing attention because it sits in one of the most sensitive layers of the Windows trust chain: Secure Boot. The public description suggests a security feature bypass scenario, and the shorthand “disable Eazy Fix” points to the kind of boot-chain weakness...

CVE-2026-31427 is a small-looking Linux kernel bug with an outsized lesson: a stack variable meant to carry RTP address state can remain uninitialized, then get handed to the SIP NAT helper and used to rewrite SDP fields with whatever happens to be in memory. In the common case where stack...

Microsoft’s listing for CVE-2026-0965 highlights a denial-of-service condition in libssh tied to improper configuration file handling, and the upstream libssh project confirms that the issue was among the security fixes shipped in its 0.12.0 and 0.11.4 releases on February 10, 2026. The...

Microsoft’s CVE-2026-28389 entry points to a possible NULL dereference while processing CMS KeyAgreeRecipientInfo, and the immediate practical consequence is a denial-of-service condition rather than code execution. The vulnerability description explicitly frames the impact as a total loss of...

Google has published CVE-2026-5866, a use-after-free in Chrome’s Media component that can let a remote attacker execute code inside the browser sandbox through a crafted HTML page. The issue affects Google Chrome versions prior to 147.0.7727.55, and it has been assigned Chromium security...

Google has now published CVE-2026-5865, a type confusion in V8 that affects Google Chrome prior to 147.0.7727.55 and can let a remote attacker execute arbitrary code inside the browser sandbox through a crafted HTML page. Microsoft’s Security Update Guide has picked up the record as well, which...

CVE-2026-23405 exposes a deceptively simple AppArmor flaw with potentially serious consequences: the Linux security module did not properly bound the number of levels in policy namespaces. In practical terms, that means a local attacker could potentially construct an excessively deep namespace...

Microsoft’s CVE-2026-21715 advisory points to a Node.js Permission Model bypass that matters most for applications relying on --permission and restricted --allow-fs-read settings. In practical terms, the flaw lets fs.realpathSync.native() sidestep the read-permission checks that comparable...

Vim’s zip.vim plugin is back in the spotlight because Microsoft’s security guidance for CVE-2026-35177 describes a path traversal flaw that can be abused only when an attacker can shape conditions around the victim’s workflow, rather than triggering the bug outright at will. That distinction...

Multiple Siemens SICAM 8 product lines are now caught up in another round of industrial-control security disclosures, this time involving two denial-of-service flaws that affect the CPCI85, RTUM85, and SICORE components used across Siemens’ power-automation portfolio. Siemens says fixes are...

CVE-2026-23365 is a small-looking Linux kernel bug with a large security lesson: USB drivers must never trust the shape of a device they are binding to. In the kalmia network driver, the kernel now checks that the attached USB device exposes the expected endpoints before proceeding, because a...

The CVE in question, CVE-2026-23383, concerns the Linux bpf subsystem on arm64, where Microsoft’s advisory describes a fix to “force 8-byte alignment for JIT buffer to prevent atomic tearing.” That is a very small change on the surface, but it addresses a class of bugs that can be surprisingly...

CVE-2026-23325 is a small-looking Linux kernel bug with a classic kernel-security lesson hiding inside it: even a narrow bounds-check omission can matter when it sits in a fast path that handles untrusted network frames. According to the kernel.org advisory echoed by Microsoft’s vulnerability...

Microsoft’s March 2026 security guidance includes CVE-2026-4437, a flaw described as a case where gethostbyaddr and gethostbyaddr_r may incorrectly handle a DNS response. The wording is brief, but it signals a bug in a long-standing reverse-lookup path that many applications still depend on for...

The vulnerability described as CVE-2026-27448 appears to be centered on a subtle but important failure mode in pyOpenSSL: if an application’s set_tlsext_servername_callback throws an exception that is not handled correctly, the TLS handshake can be bypassed or left in an unsafe state. In...

Microsoft’s Security Update Guide has become one of the clearest ways to track how upstream open-source flaws travel into the enterprise software supply chain, and CVE-2026-3934 is a good example of why that matters. In this case, Microsoft is surfacing a Chromium-era ChromeDriver issue that can...

A malicious tarball can now quietly escape the bounds of a safe extraction and overwrite files on the host: a newly tracked vulnerability in the widely used Node.js tar library (node‑tar) — identified as CVE‑2026‑29786 — allows a specially crafted hardlink entry whose linkpath uses a...

Microsoft’s advisory for CVE-2026-26113, labeled as a “Microsoft Office Remote Code Execution Vulnerability,” has sparked confusion across security teams because the published CVSS vector lists the Attack Vector as Local (AV:L) — a seeming contradiction that deserves a careful, technical...