cve 2026

Microsoft published CVE-2026-33112 on May 12, 2026, as a Microsoft SharePoint Server remote code execution vulnerability in its Security Update Guide, marking it as a confirmed server-side flaw for administrators to address in the May Patch Tuesday cycle. The dry wording matters because...

Microsoft published CVE-2026-41109 on May 12, 2026, as a GitHub Copilot and Visual Studio Code security feature bypass vulnerability, placing the issue in the developer workstation rather than the traditional Windows endpoint or server stack. That distinction matters because AI coding assistants...

CVE-2026-40360 is a Microsoft Excel information disclosure vulnerability published in Microsoft’s Security Update Guide on May 12, 2026, affecting Excel users who process untrusted workbooks and requiring administrators to evaluate Office updates through the same Patch Tuesday machinery used for...

Microsoft published CVE-2026-35440 on May 12, 2026, as a Microsoft Word information disclosure vulnerability in the Security Update Guide, placing it inside the May Patch Tuesday stream of Office fixes rather than a standalone emergency advisory. The interesting part is not that Word has another...

Microsoft has listed CVE-2026-35433 as a .NET elevation-of-privilege vulnerability in the Security Update Guide as of May 2026, with the public advisory offering the vulnerability title and scoring context but little technical detail about the underlying flaw. That thin disclosure is not unusual...

Microsoft published CVE-2026-35423 on May 12, 2026, as a Windows 11 Telnet Client information disclosure vulnerability, identifying the legacy optional client as the affected component and framing the issue as a confidentiality risk rather than code execution or privilege escalation. That...

CVE-2026-43298, published to the NVD on May 8, 2026, documents a Linux kernel amdgpu driver flaw in which AMDGPU’s VCN 2.5 virtual-function teardown path tried to release a poison interrupt that the VF never enabled. That sounds almost comically narrow, but it is exactly the kind of kernel...

CVE-2026-43299 is a newly published Linux kernel Btrfs vulnerability, disclosed through kernel.org and surfaced in NVD and Microsoft’s Security Update Guide on May 8, 2026, involving a crash when Btrfs flips a filesystem read-only during pending read-repair work. The flaw is not a flashy...

Microsoft disclosed on May 7, 2026, that two patched vulnerabilities in its Semantic Kernel agent framework could let prompt injection become remote code execution or arbitrary host file writes in affected Python and .NET agent deployments. The headline is not that a chatbot said something...

On May 6, 2026, CVE-2026-43119 was published for a Linux kernel Bluetooth flaw in hci_sync, where unsynchronized reads and writes of hdev->req_status could create a data race across separate kernel workqueues. The fix is small, almost boring: annotate the shared status field with READ_ONCE() and...

CVE-2026-43153 is a newly published Linux kernel vulnerability, disclosed on May 6, 2026, in the XFS filesystem code, where a confusing helper function called xfs_attr_leaf_hasname() could hand callers an invalid buffer pointer after certain extended-attribute lookup failures. That is the dry...

CVE-2026-7351 is a high-severity Chromium vulnerability disclosed on April 28, 2026, affecting Google Chrome before 147.0.7727.138, where a race condition in MHTML could let a malicious Chrome extension leak cross-origin data after persuading a user to install it. The plain-English version is...

CVE-2026-2708 is a reminder that some of the most consequential web vulnerabilities still begin with a deceptively small parsing decision: what should a server do when an HTTP request contains more than one Content-Length header? The flaw, assigned to libsoup, concerns HTTP/1 request smuggling...

The Linux kernel’s networking stack has a new memory-safety problem on its hands, and this one sits in an especially sensitive place: AF_PACKET fanout teardown. CVE-2026-31504 describes a race in packet_release where a concurrent NETDEV_UP event can re-register a socket into a fanout group after...

CVE-2026-31486 is a useful reminder that some of the most serious Linux kernel bugs are not glamorous memory-corruption exploits but plain old synchronization failures that can still destabilize a system. In this case, the flaw sits in the hwmon pmbus/core path, where regulator voltage...

Microsoft’s April 2026 disclosure of CVE-2026-40372 is a reminder that ASP.NET Core vulnerabilities are not always about flashy remote exploitation; sometimes the danger is a very specific deployment pattern colliding with the wrong binary at runtime. In this case, Microsoft says the flaw...

Microsoft’s latest security disclosure around CVE-2026-33810 is the kind of flaw that sounds narrow on paper but can have outsized consequences in real deployments. According to the update guide entry, the issue is a case-sensitive excludedSubtrees name-constraint bypass in crypto/x509, allowing...

CVE-2026-33416 is a reminder that mature image libraries can still hide dangerous memory-safety bugs in code paths that look deceptively routine. Microsoft’s update guide frames the flaw as a use-after-free in libpng with high availability impact, and the PNG Project says the bug affects...

Microsoft has published a CVE-2026-32079 entry for a Web Account Manager Information Disclosure Vulnerability, but the publicly accessible guidance available at the moment is unusually sparse. The title alone tells us the broad class of bug—information disclosure in Windows’ Web Account Manager...

Microsoft’s CVE-2026-32072 entry for an Active Directory spoofing vulnerability is a reminder that, in Microsoft’s security taxonomy, the label is only part of the story. The more important signal is the confidence metric, which tells defenders how certain Microsoft is that the vulnerability...