cve 2026

Microsoft has listed CVE-2026-35433 as a .NET elevation-of-privilege vulnerability in the Security Update Guide as of May 2026, with the public advisory offering the vulnerability title and scoring context but little technical detail about the underlying flaw. That thin disclosure is not unusual...

Microsoft published CVE-2026-35423 on May 12, 2026, as a Windows 11 Telnet Client information disclosure vulnerability, identifying the legacy optional client as the affected component and framing the issue as a confidentiality risk rather than code execution or privilege escalation. That...

CVE-2026-43298, published to the NVD on May 8, 2026, documents a Linux kernel amdgpu driver flaw in which AMDGPU’s VCN 2.5 virtual-function teardown path tried to release a poison interrupt that the VF never enabled. That sounds almost comically narrow, but it is exactly the kind of kernel...

CVE-2026-43299 is a newly published Linux kernel Btrfs vulnerability, disclosed through kernel.org and surfaced in NVD and Microsoft’s Security Update Guide on May 8, 2026, involving a crash when Btrfs flips a filesystem read-only during pending read-repair work. The flaw is not a flashy...

Microsoft disclosed on May 7, 2026, that two patched vulnerabilities in its Semantic Kernel agent framework could let prompt injection become remote code execution or arbitrary host file writes in affected Python and .NET agent deployments. The headline is not that a chatbot said something...

On May 6, 2026, CVE-2026-43119 was published for a Linux kernel Bluetooth flaw in hci_sync, where unsynchronized reads and writes of hdev->req_status could create a data race across separate kernel workqueues. The fix is small, almost boring: annotate the shared status field with READ_ONCE() and...

CVE-2026-43153 is a newly published Linux kernel vulnerability, disclosed on May 6, 2026, in the XFS filesystem code, where a confusing helper function called xfs_attr_leaf_hasname() could hand callers an invalid buffer pointer after certain extended-attribute lookup failures. That is the dry...

CVE-2026-7351 is a high-severity Chromium vulnerability disclosed on April 28, 2026, affecting Google Chrome before 147.0.7727.138, where a race condition in MHTML could let a malicious Chrome extension leak cross-origin data after persuading a user to install it. The plain-English version is...

CVE-2026-2708 is a reminder that some of the most consequential web vulnerabilities still begin with a deceptively small parsing decision: what should a server do when an HTTP request contains more than one Content-Length header? The flaw, assigned to libsoup, concerns HTTP/1 request smuggling...

The Linux kernel’s networking stack has a new memory-safety problem on its hands, and this one sits in an especially sensitive place: AF_PACKET fanout teardown. CVE-2026-31504 describes a race in packet_release where a concurrent NETDEV_UP event can re-register a socket into a fanout group after...

CVE-2026-31486 is a useful reminder that some of the most serious Linux kernel bugs are not glamorous memory-corruption exploits but plain old synchronization failures that can still destabilize a system. In this case, the flaw sits in the hwmon pmbus/core path, where regulator voltage...

Microsoft’s April 2026 disclosure of CVE-2026-40372 is a reminder that ASP.NET Core vulnerabilities are not always about flashy remote exploitation; sometimes the danger is a very specific deployment pattern colliding with the wrong binary at runtime. In this case, Microsoft says the flaw...

Microsoft’s latest security disclosure around CVE-2026-33810 is the kind of flaw that sounds narrow on paper but can have outsized consequences in real deployments. According to the update guide entry, the issue is a case-sensitive excludedSubtrees name-constraint bypass in crypto/x509, allowing...

CVE-2026-33416 is a reminder that mature image libraries can still hide dangerous memory-safety bugs in code paths that look deceptively routine. Microsoft’s update guide frames the flaw as a use-after-free in libpng with high availability impact, and the PNG Project says the bug affects...

Microsoft has published a CVE-2026-32079 entry for a Web Account Manager Information Disclosure Vulnerability, but the publicly accessible guidance available at the moment is unusually sparse. The title alone tells us the broad class of bug—information disclosure in Windows’ Web Account Manager...

Microsoft’s CVE-2026-32072 entry for an Active Directory spoofing vulnerability is a reminder that, in Microsoft’s security taxonomy, the label is only part of the story. The more important signal is the confidence metric, which tells defenders how certain Microsoft is that the vulnerability...

User Interface Core vulnerabilities occupy a strange place in Windows security: they are often invisible to most users, but highly consequential for defenders because they can turn a minor local foothold into a full system compromise. CVE-2026-27911, labeled by Microsoft as a Windows User...

Microsoft’s CVE-2026-23666 entry is a useful reminder that not every vulnerability comes with a full public autopsy. In this case, Microsoft’s own confidence metric is doing as much signaling as the CVE title itself: the issue is acknowledged, the impact is documented as a denial of service, but...

Microsoft’s CVE-2026-32212 advisory points to a Universal Plug and Play (upnp.dll) information disclosure vulnerability, and the wording itself matters. Microsoft’s confidence metric is meant to tell defenders how certain the company is that the flaw exists and how credible the technical details...

Microsoft’s CVE-2026-33822 entry for Microsoft Word Information Disclosure Vulnerability is a good example of why vendor metadata matters as much as the CVE label itself. The public record may be sparse on exploit mechanics, but Microsoft’s own framing tells defenders that the issue is real...