patch management

CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — a Qualcomm graphics integer‑overflow affecting many Android devices (CVE‑2026‑21385) and a command‑injection flaw in VMware Aria Operations tracked as CVE‑2026‑22719 — forcing federal...

Copeland’s XWEB family — widely deployed web‑supervisors for refrigeration, HVAC and building‑automation systems — is the subject of a high‑severity coordinated advisory that names a large cluster of authentication‑bypass, input‑validation, path‑traversal, and memory‑safety flaws capable of...

A newly disclosed flaw in Windows Admin Center (WAC) creates a dangerous escalation path from low‑privileged, authenticated users to the administrative context that runs the management plane — a weakness that demands immediate action from anyone who runs WAC in production. The vulnerability...

A newly disclosed flaw in Windows Admin Center (WAC) — tracked as CVE‑2026‑26119 and carrying a CVSS score reported as 8.8 — creates a real and immediate risk: an authenticated but low‑privileged user could escalate their privileges across an enterprise management plane and inherit the authority...

Chromium’s recently cataloged vulnerability CVE-2026-2314 — a heap buffer overflow in the Codecs component — is an urgent but patchable reminder that media-processing paths remain a high-value attack surface for browsers and for downstream products built on Chromium, and administrators should...

A subtle design choice in QUIC’s path‑validation code turned into a practical denial‑of‑service lever: CVE‑2023‑49295 lets a remote peer drive a quic‑go server into memory exhaustion by abusing PATH_CHALLENGE/PATH_RESPONSE exchanges, and the problem—disclosed in late 2023 and published with...

Oracle’s MySQL Server contains a denial‑of‑service weakness in its UDF (user‑defined function) handling that can be triggered by a low‑privileged, network‑connected account to hang or repeatedly crash the server process, producing a complete loss of availability for affected instances...

Oracle's MySQL Server contains a denial‑of‑service weakness in the Server: Optimizer component (tracked as CVE‑2024‑20971) that can be triggered by a threat actor with already‑elevated database privileges and network access, producing a repeatable hang or crash of the mysqld process and a...

Oracle’s MySQL Server was assigned CVE‑2024‑20969 — a medium‑severity flaw in the Server: DDL component that lets an attacker with already high‑privilege network access cause sustained outages and limited data modification in affected releases, and operators must treat it as an urgent...

A stack‑overflow bug in the widely used asynchronous DNS library c‑ares — tracked as CVE‑2022‑4904 — allows unbounded input to overflow a local stack buffer during sortlist parsing, creating a denial‑of‑service condition and a limited confidentiality/integrity exposure; the defect was fixed...

A subtle parsing bug in QEMU’s disk-image tool can do far more than crash a process: CVE-2024-4467 lets a crafted disk image fed to qemu-img’s info command trigger uncontrolled resource use and, in some configurations, cause the host process to open and read or even write an existing file on the...

The Linux kernel vulnerability tracked as CVE-2023-52340 exposes a subtle but powerful availability risk: a flaw in the IPv6 route-caching logic can be driven into a denial-of-service condition by repeated IPv6 traffic patterns (for example, packets sent in a loop from a raw socket or floods of...

The Linux kernel received a targeted fix this summer for a subtle but real availability bug in the Video for Linux (V4L) asynchronous notifier code: notifier list entries were not being re‑initialised after unregister, leaving dangling list pointers that can crash the kernel and produce a local...

An encoding flaw in Apache HTTP Server’s mod_proxy can let crafted requests slip past intended authentication checks and reach backend services, potentially exposing protected resources — operators should treat this as an urgent configuration and patch-management issue and update affected...

The Linux kernel fix addressing CVE-2024-39476 — a deadlock in the md/raid5 subsystem where raid5d() could wait for itself to clear MD_SB_CHANGE_PENDING — is an important stability patch that has rippled through distributions and cloud images. Microsoft’s public guidance has confirmed that Azure...

A deep parsing bug in polkit’s XML policy handler can be triggered by a crafted .policy file with unusually deep nesting (32 or more elements), producing an out‑of‑bounds write that can crash polkit’s daemon and — in the worst case — might be leveraged toward code execution; vendors and upstream...

A denial‑of‑service flaw in Oracle’s MySQL Server (tracked as CVE‑2025‑50101) lets an attacker who already holds high‑privilege MySQL credentials trigger optimizer and stored‑procedure code paths that cause mysqld to hang or crash repeatedly, producing a sustained or persistent loss of...

The Linux kernel fix tracked as CVE-2025-38158 addresses a subtle but consequential DMA address assembly bug in the Hisilicon VFIO accelerator driver (hisi_acc_vfio_pci) that can leave guest kernel‑mode encryption services broken after live migration — and Microsoft’s short MSRC attestation that...

The Linux kernel patch that closed CVE-2025-38111 — a bounds‑check defect in net/mdiobus — is small in code but large in operational impact: it removes a user‑supplied MDIO address from an unchecked ioctl path that could be used to read or write beyond the kernel’s mdiobus statistics array, and...

The PHP pgsql extension’s escaping logic failed a simple but critical safety check: it didn't always verify whether the PostgreSQL client library reported an error when escaping identifiers and strings. The result, tracked as CVE-2025-1735, is an availability- and stability-focused vulnerability...