security advisories

  1. ChatGPT

    Urgent Patch Required: EnOcean SmartServer Vulnerabilities CVE-2026-20761 and CVE-2026-22885

    EnOcean SmartServer IoT installations worldwide are being urged to update immediately after CISA published an advisory on February 19, 2026 identifying two serious vulnerabilities—CVE-2026-20761 and CVE-2026-22885—that affect SmartServer IoT releases up to and including 4.60.009. These flaws...
  2. ChatGPT

    CVE-2024-39482 Linux bcache fix and Azure Linux attestation

    The Linux kernel fix tracked as CVE‑2024‑39482 addresses a memory‑safety defect in the bcache code path — specifically a variable‑length array misuse inside the btree_iter structure — and Microsoft’s public advisory that “Azure Linux includes this open‑source library and is therefore potentially...
  3. ChatGPT

    CVE-2024-6608: What Azure Linux Attestations Really Mean for Microsoft Products

    Microsoft’s brief MSRC entry naming Azure Linux as a carrier for the open‑source component linked to CVE‑2024‑6608 is accurate for the product Microsoft has inventory‑checked — but it is not a technical guarantee that no other Microsoft product includes the same vulnerable code. Background /...
  4. ChatGPT

    CVE-2020-36477: Mbed TLS X509 Hostname Verification Bug

    Mbed TLS contained a subtle but consequential X.509 verification bug — tracked as CVE-2020-36477 — that allowed the library to compare the expected hostname (the cn argument passed to mbedtls_x509_crt_verify) against any entry in the certificate’s subjectAltName (SAN) extension without checking...
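    The class of mistake described above, shown as an added illustration in C (this is not Mbed TLS code, and the SAN entries, type names and wildcard policy below are constructed for the demo): a hostname matcher that compares the expected name against the value of every subjectAltName entry will accept a certificate whose non-DNS entry (an otherName here) happens to carry the target host as its bytes, whereas the hardened matcher only lets dNSName entries satisfy a hostname check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not Mbed TLS code. Constructed subset of the X.509
 * GeneralName choices that a SAN extension can carry. */
enum san_type { SAN_OTHER_NAME, SAN_RFC822_NAME, SAN_DNS_NAME, SAN_URI, SAN_IP_ADDRESS };

struct san_entry {
    enum san_type type;
    const char *value;   /* constructed: textual value for this demo only */
};

/* Constructed certificate SAN list: the otherName entry carries attacker-
 * chosen bytes that spell a hostname the certificate was never issued for. */
const struct san_entry demo_sans[] = {
    { SAN_OTHER_NAME, "api.example.com" },
    { SAN_DNS_NAME,   "www.example.com" },
    { SAN_DNS_NAME,   "*.cdn.example.com" },
};
const size_t demo_san_count = sizeof demo_sans / sizeof demo_sans[0];

/* Case-insensitive DNS name comparison. A single leading "*." wildcard
 * covers exactly one label (assumption: the policy this demo enforces,
 * not Mbed TLS's complete wildcard rules). */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return strcasecmp(pattern + 2, dot + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Vulnerable pattern: every SAN entry is compared as if it were a DNS name,
 * regardless of its type. */
int san_matches_any_type(const struct san_entry *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (dns_name_matches(sans[i].value, host))
            return 1;
    return 0;
}

/* Hardened: only dNSName entries may satisfy a hostname check. */
int san_matches_dns_only(const struct san_entry *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (sans[i].type == SAN_DNS_NAME && dns_name_matches(sans[i].value, host))
            return 1;
    return 0;
}

int main(void)
{
    const char *host = "api.example.com";
    printf("any-type match for %s: %d\n", host, san_matches_any_type(demo_sans, demo_san_count, host));
    printf("dNSName-only match for %s: %d\n", host, san_matches_dns_only(demo_sans, demo_san_count, host));
    return 0;
}
```

    The same check applies when you wrap a library's verification callback: reject a match unless the entry that matched is of the type your expected name is (dNSName for hostnames, iPAddress for literal IPs), and never compare across types.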
  5. ChatGPT

    CVE-2025-38107: Azure Linux Attestation and Microsoft Artifact Risk

    CVE-2025-38107 fixes a race in the Linux kernel’s ETS qdisc, and Microsoft’s public advisory names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected” — but that wording is an inventory attestation for Azure Linux, not proof that no other...
  6. ChatGPT

    CVE-2025-22058 Linux UDP memory accounting bug and Azure Linux attestation

    CVE-2025-22058 is a Linux kernel bug that causes a UDP memory-accounting leak — and while Microsoft’s public guidance has explicitly named Azure Linux as a product that “includes this open‑source library and is therefore potentially affected,” that statement is a product‑scoped attestation, not...
  7. ChatGPT

    CVE-2024-45025: Linux Bitmap Bug, Azure Linux Attestation, and VEX Guidance

    The Linux kernel CVE‑2024‑45025 — a subtle bitmap‑copy bug that can leave stale bits set after a call to close_range() when used with the CLOSE_RANGE_UNSHARE flag — has been fixed upstream, and Microsoft’s public guidance currently identifies Azure Linux as the Microsoft product family they have...
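    To make the "stale bits" failure mode concrete, here is an added C illustration of the bug class (it is not the kernel's code, and the fd numbers, table sizes and little-endian layout are assumptions of the demo): a copy routine that measures its copy and zero lengths in whole bytes leaves a gap at the end of a recycled table when the requested bit count is not a byte multiple, so whatever the memory held before survives as set bits, while a bit-precise copy-and-extend clears everything from the copied count to the table's end.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Word-sized bitmap helpers in the usual style. */
#define BITS_PER_WORD  (sizeof(unsigned long) * CHAR_BIT)
#define WORDS_FOR(n)   (((n) + BITS_PER_WORD - 1) / BITS_PER_WORD)

static void set_bit(unsigned long *bm, unsigned nr)
{
    bm[nr / BITS_PER_WORD] |= 1UL << (nr % BITS_PER_WORD);
}

static int test_bit(const unsigned long *bm, unsigned nr)
{
    return (int)((bm[nr / BITS_PER_WORD] >> (nr % BITS_PER_WORD)) & 1UL);
}

/* Bug pattern: copy `count` bits and clear up to `max` bits, both rounded
 * DOWN to bytes. When count or max - count is not a byte multiple the two
 * regions do not cover the whole table: trailing bytes keep stale contents
 * and the bits between the last copied byte and `count` are dropped. */
void copy_bitmap_bytes(unsigned long *dst, const unsigned long *src, unsigned count, unsigned max)
{
    unsigned cpy = count / CHAR_BIT;
    unsigned set = (max - count) / CHAR_BIT;
    memcpy(dst, src, cpy);
    memset((char *)dst + cpy, 0, set);
}

/* Hardened: copy exactly `count` bits (masking the partial word) and zero
 * every remaining word so no bit in [count, max) can be stale. Requires count <= max. */
void bitmap_copy_and_extend(unsigned long *dst, const unsigned long *src, unsigned count, unsigned max)
{
    unsigned full = count / BITS_PER_WORD;
    unsigned rem  = count % BITS_PER_WORD;
    unsigned dst_words = (unsigned)WORDS_FOR(max);

    memcpy(dst, src, full * sizeof(unsigned long));
    if (rem) {
        dst[full] = src[full] & ((1UL << rem) - 1UL);
        full++;
    }
    if (dst_words > full)
        memset(dst + full, 0, (dst_words - full) * sizeof(unsigned long));
}

typedef void (*copy_fn)(unsigned long *, const unsigned long *, unsigned, unsigned);

/* Constructed scenario: a recycled 64-entry table (all ones, as reused memory
 * might be), a source table with fds 3 and 18 open, and a request to carry
 * over the first 20 fds. Assumes little-endian byte order for the buggy path. */
#define DEMO_COUNT 20u
#define DEMO_MAX   64u

static void run_scenario(copy_fn fn, unsigned long *dst)
{
    unsigned long src[WORDS_FOR(DEMO_MAX)] = { 0 };
    memset(dst, 0xFF, WORDS_FOR(DEMO_MAX) * sizeof(unsigned long));
    set_bit(src, 3);
    set_bit(src, 18);
    fn(dst, src, DEMO_COUNT, DEMO_MAX);
}

/* Number of set bits at positions >= DEMO_COUNT after the copy (should be 0). */
int stale_bits_beyond_count(copy_fn fn)
{
    unsigned long dst[WORDS_FOR(DEMO_MAX)];
    int stale = 0;
    run_scenario(fn, dst);
    for (unsigned i = DEMO_COUNT; i < DEMO_MAX; i++)
        stale += test_bit(dst, i);
    return stale;
}

/* Whether a source bit below DEMO_COUNT survives the copy (should be 1 for 3 and 18). */
int bit_preserved(copy_fn fn, unsigned nr)
{
    unsigned long dst[WORDS_FOR(DEMO_MAX)];
    run_scenario(fn, dst);
    return test_bit(dst, nr);
}

int main(void)
{
    printf("byte-granular copy: %d stale bits, fd 18 preserved: %d\n",
           stale_bits_beyond_count(copy_bitmap_bytes), bit_preserved(copy_bitmap_bytes, 18));
    printf("copy-and-extend:    %d stale bits, fd 18 preserved: %d\n",
           stale_bits_beyond_count(bitmap_copy_and_extend), bit_preserved(bitmap_copy_and_extend, 18));
    return 0;
}
```

    The security relevance of a stale bit in an fd-table bitmap is that the table then claims a descriptor slot is in use (or free) when it is not, which is exactly the kind of bookkeeping error that later turns into a wrong fd being handed out or closed.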
  8. ChatGPT

    Ceph CVE-2022-3650 Local Privilege Escalation: Impact and Mitigation

    A critical local privilege‑escalation bug in Ceph’s crash‑handling service — tracked as CVE‑2022‑3650 — lets an attacker with low privileges escalate to root by abusing the cluster crash‑dump path, and operators must treat it as a high‑impact operational risk until patched. Multiple downstream...
  9. ChatGPT

    CVE-2024-29180 Path Traversal in webpack dev middleware and Azure Linux Attestation

    The path‑traversal vulnerability tracked as CVE‑2024‑29180 in the open‑source package webpack‑dev‑middleware is a developer‑focused high‑severity flaw that can allow attackers to read arbitrary files from a developer’s machine when a vulnerable development server is reachable; Microsoft’s terse...
  10. ChatGPT

    Linux Kernel BPF Deadlock Fix CVE-2025-37884: Availability Patch

    A pair of kernel maintainers closed a subtle but operationally important deadlock in the Linux kernel’s BPF/tracing stack: a locking inversion between the RCU trace path and the global tracing event mutex could hang a host under realistic local workloads, and the upstream remedy delegates...
  11. ChatGPT

    CVE-2023-3354: QEMU VNC TLS Handshake DoS by Unauthenticated Attacker

    A subtle bug in QEMU’s built‑in VNC server — tracked as CVE‑2023‑3354 — can be triggered by a remote, unauthenticated client and force a denial‑of‑service through a NULL pointer dereference during the TLS handshake, making this a high‑impact availability flaw that virtualization administrators...
  12. ChatGPT

    Understanding Azure Linux Attestation for CVE-2024-35878

    The short answer is no: Azure Linux is not necessarily the only Microsoft product that could include the vulnerable open‑source code, but it is the only Microsoft product Microsoft has publicly attested, at the time of its advisory, to include the specific upstream component implicated...
  13. ChatGPT

    CVE-2026-23655: Information Disclosure in Azure Confidential Containers

    Microsoft’s handling of confidential computing has taken another high‑stakes turn with CVE‑2026‑23655, an information disclosure vulnerability that targets Azure’s Confidential Container capabilities and raises urgent questions about the real‑world assurances provided by hardware‑backed TEEs...
  14. ChatGPT

    ArmorStart LT DoS Vulnerabilities: 9 CVEs With No Patch Yet

    Rockwell Automation’s ArmorStart LT has been publicly flagged for multiple denial-of-service (DoS) vulnerabilities that can render affected motor controllers unresponsive, forcing manual recovery and potentially interrupting production lines. Rockwell’s SD1768 advisory lists nine CVE identifiers...
  15. ChatGPT

    CVE-2026-20861: Patch Windows Management Service Privilege Escalation Now

    The Windows Management Services (WMSvc) elevation‑of‑privilege tracked as CVE‑2026‑20861 is one of a cluster of Windows management‑component vulnerabilities disclosed with Microsoft’s January 2026 security updates. For organizations running server and desktop Windows builds where the Windows...
  16. ChatGPT

    CVE-2025-38480: Linux COMEDI Kernel Fix for Uninitialized Data

    The Linux kernel vulnerability tracked as CVE-2025-38480 has been published: a subtle correctness bug in the COMEDI subsystem where the helper function insn_rw_emulate_bits could read uninitialized data when presented with an instruction that specifies zero samples. Upstream kernel maintainers...
  17. ChatGPT

    Patch Ruby uri Gem to Fix Credential Leakage CVE-2025-61594

    A newly disclosed vulnerability in the widely used Ruby URI library — tracked as CVE-2025-61594 — reopens a previously patched avenue for credential leakage by bypassing the fix for CVE-2025-27221 and allowing sensitive userinfo (username/password) to leak when URIs are combined using the +...
  18. ChatGPT

    Neowin 2025 Top 10 Most Viewed Stories: Windows Updates Copilot and Security Themes

    Neowin published an end-of-year roundup listing its "Top 10 most viewed stories" for 2025, but the original article is currently behind a site verification/paywall that prevents direct retrieval; the roundup’s existence and Neowin’s annual tradition are verifiable, yet the precise ordered list...
  19. ChatGPT

    Azure Linux CVE-2025-38401 Attestation: Scope and Defender Steps

    Microsoft’s brief advisory is accurate but narrowly scoped: Microsoft has attested that Azure Linux includes the upstream mtk-sd open‑source component and is therefore potentially affected by CVE‑2025‑38401, but that attestation is product‑scoped — not a guarantee that no other Microsoft product...
  20. ChatGPT

    Linux Kernel Trace Verifier Patch Prevents Use-After-Free (CVE-2025-37938)

    The Linux kernel’s tracing subsystem received a targeted security fix for a subtle but real use‑after‑free risk: the trace event verifier previously skipped certain complex pointer formats such as "%*p..", allowing tracepoints to reference memory that might be freed before a trace reader...