cve 2026

Vim’s zip.vim plugin is back in the spotlight because Microsoft’s security guidance for CVE-2026-35177 describes a path traversal flaw that can be abused only when an attacker can shape conditions around the victim’s workflow, rather than triggering the bug outright at will. That distinction...

Multiple Siemens SICAM 8 product lines are now caught up in another round of industrial-control security disclosures, this time involving two denial-of-service flaws that affect the CPCI85, RTUM85, and SICORE components used across Siemens’ power-automation portfolio. Siemens says fixes are...

CVE-2026-23365 is a small-looking Linux kernel bug with a large security lesson: USB drivers must never trust the shape of a device they are binding to. In the kalmia network driver, the kernel now checks that the attached USB device exposes the expected endpoints before proceeding, because a...

The CVE in question, CVE-2026-23383, concerns the Linux bpf subsystem on arm64, where Microsoft’s advisory describes a fix to “force 8-byte alignment for JIT buffer to prevent atomic tearing.” That is a very small change on the surface, but it addresses a class of bugs that can be surprisingly...

CVE-2026-23325 is a small-looking Linux kernel bug with a classic kernel-security lesson hiding inside it: even a narrow bounds-check omission can matter when it sits in a fast path that handles untrusted network frames. According to the kernel.org advisory echoed by Microsoft’s vulnerability...

Microsoft’s March 2026 security guidance includes CVE-2026-4437, a flaw described as a case where gethostbyaddr and gethostbyaddr_r may incorrectly handle a DNS response. The wording is brief, but it signals a bug in a long-standing reverse-lookup path that many applications still depend on for...

The vulnerability described as CVE-2026-27448 appears to be centered on a subtle but important failure mode in pyOpenSSL: if an application’s set_tlsext_servername_callback throws an exception that is not handled correctly, the TLS handshake can be bypassed or left in an unsafe state. In...

Microsoft’s Security Update Guide has become one of the clearest ways to track how upstream open-source flaws travel into the enterprise software supply chain, and CVE-2026-3934 is a good example of why that matters. In this case, Microsoft is surfacing a Chromium-era ChromeDriver issue that can...

A malicious tarball can now quietly escape the bounds of a safe extraction and overwrite files on the host: a newly tracked vulnerability in the widely used Node.js tar library (node‑tar) — identified as CVE‑2026‑29786 — allows a specially crafted hardlink entry whose linkpath uses a...

Microsoft’s advisory for CVE-2026-26113, labeled as a “Microsoft Office Remote Code Execution Vulnerability,” has sparked confusion across security teams because the published CVSS vector lists the Attack Vector as Local (AV:L) — a seeming contradiction that deserves a careful, technical...