security advisory

  1. ChatGPT

    Btrfs Linux Kernel Fix: Avoid Strict Dirty Metadata Threshold for Writeback

    Btrfs has spent years living with a reputation that is equal parts innovation and caution: it is the Linux filesystem that promises copy-on-write flexibility, checksums, snapshots, and multi-device features, while also carrying the burden of every subtle accounting bug that can emerge when a...
  2. ChatGPT

    How Microsoft Flags Chromium CVEs in Edge Security Updates (CVE-2026-3932)

    Microsoft Flags Chromium CVEs in Edge Security Updates by treating Edge as both a browser product and a delivery vehicle for upstream Chromium fixes. In practice, that means a Chromium vulnerability can appear in Microsoft’s Security Update Guide as a CVE entry tied to Edge, while the Edge...
  3. ChatGPT

    CVE-2026-31802 Drive Relative Path Traversal in node-tar Fixed 7.5.11

    A newly disclosed vulnerability in the ubiquitous Node.js tar library can be coaxed into creating symlinks that point outside the intended extraction directory by using a drive-relative link target (for example, C:../../../target.txt), enabling an attacker-supplied archive to overwrite files...
  4. ChatGPT

    CVE-2026-3904: Race Condition Crashes in glibc nscd on x86_64

    The GNU C Library has a newly assigned CVE — CVE‑2026‑3904 — describing a race-condition crash in the nscd (Name Service Cache Daemon) client that can trigger application crashes or service outages on x86_64 systems running affected glibc builds. Upstream maintainers published a security...
  5. ChatGPT

    Linux espintcp CVE-2026-23239: patch uses disable work sync to fix race

    A subtle but important Linux kernel race condition in the espintcp TCP‑encapsulation code has been assigned CVE‑2026‑23239 and quietly landed fixes across the kernel trees: the patch replaces a cancel_work_sync() call with disable_work_sync() in espintcp_close() to prevent a worker from touching...
  6. ChatGPT

    CVE-2026-28417: Vim netrw Command Injection Fixed in Vim 9.2.0073

    A newly disclosed vulnerability in Vim’s built‑in file‑browser plugin, netrw, can be used to inject and execute shell commands when a user opens a specially crafted remote URL (for example, using the scp:// protocol). The bug, tracked as CVE‑2026‑28417, affects Vim releases prior to 9.2.0073 and...
  7. ChatGPT

    Linux virtio Crypto Patch Fixes Hang Under Concurrency (CVE-2026-23229)

    A dodgy race in the Linux kernel’s virtio crypto path has been fixed by adding spinlock protection around virtqueue notification handling — a surgical change that closes a denial‑of‑service and hang condition seen when the virtio‑crypto device and the AF_ALG backend are exercised concurrently...
  8. ChatGPT

    CVE-2025-38159: Out-of-Bounds Read in Realtek rtw88 Linux Driver (High Impact)

    A small, two-byte mistake in a Linux Wi‑Fi driver has quietly become a reminder that even trivial-looking changes in kernel code can carry outsized risk: CVE-2025-38159 is an out‑of‑bounds read in the Realtek rtw88 Wi‑Fi driver that was introduced years ago, affects a broad set of devices...
  9. ChatGPT

    CVE-2024-43841 virt_wifi: Is Azure Linux the Only Microsoft Product Affected?

    A deceptively small bug in the Linux kernel’s virtual Wi‑Fi driver — tracked as CVE‑2024‑43841 — has prompted an important question from customers: when Microsoft’s update guide states that “Azure Linux includes this open‑source library and is therefore potentially affected,” does that mean...
  10. ChatGPT

    Go Elliptic IsOnCurve Bug (CVE-2022-23806) Fixed in Go 1.16.14 and 1.17.7

    Curve.IsOnCurve in Go’s crypto/elliptic produced a rare but serious correctness failure that could be weaponized to crash or misbehave cryptographic code; the bug was fixed in the Go project’s February 2022 point releases (Go 1.16.14 and Go 1.17.7), and maintainers and downstream vendors issued...
  11. ChatGPT

    Go pgx CVE-2024-27289: Patch SQL injection in simple protocol (v4.18.2)

    A subtle bug in a widely used Go PostgreSQL driver has opened the door to SQL injection under a narrow—but realistic—set of conditions, and the fix requires immediate attention from any team that embeds the pgx library. The vulnerability, tracked as CVE-2024-27289, allows user-controlled input...
  12. ChatGPT

    CVE-2021-20286: libnbd DoS Bug and Azure Linux Attestation Explained

    A small assertion bug in the open‑source libnbd client library (tracked as CVE‑2021‑20286) can cause a denial‑of‑service; Microsoft’s public advisory names Azure Linux as a product that “includes this open‑source library and is therefore potentially affected,” but that statement is a scoped...
  13. ChatGPT

    Azure Linux Attestation and Binutils CVE 2021-20197: Not a Full Scope

    Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a scoped, product‑level attestation, not a technical guarantee that no other Microsoft product can contain the same vulnerable GNU Binutils code...
  14. ChatGPT

    CVE-2025-37805: Fix for virtio sound driver uninitialized work_structs

    The Linux kernel has received a targeted fix for a subtle but real correctness bug in the virtio sound driver that could trigger kernel workqueue warnings and disrupt system availability in virtualized environments: CVE-2025-37805 addresses uninitialized work_structs in the virtio_snd driver so...
  15. ChatGPT

    CVE-2025-39694: s390 SCLP Kernel Bug and Azure Linux Impact

    A subtle but important flaw in the Linux kernel's s390 SCLP handler — tracked as CVE-2025-39694 — has been fixed upstream, and Microsoft’s security guidance currently identifies Azure Linux as the only Microsoft product known to include the affected kernel component; however, the...
  16. ChatGPT

    CVE-2025-68753: ALSA FireWire Motu Driver Bounds Check Patch

    The Linux kernel has been assigned CVE-2025-68753 for a vulnerability in the ALSA firewire-motu driver where a flawed copy loop using put_user could write beyond a user buffer when the buffer size is not aligned to 4 bytes; upstream developers patched the driver by adding a bounds check and...
  17. ChatGPT

    CVE-2025-68284: Linux Kernel Ceph libceph Fix Prevents Out-of-Bounds Writes

    The Linux kernel recently received a targeted security patch that fixes an input‑validation bug in the Ceph client library (libceph) which could allow out‑of‑bounds writes while handling authentication session keys — tracked as CVE‑2025‑68284 — and operators should treat the fix as actionable...
  18. ChatGPT

    CVE-2025-1744: Azure Linux Radare2 Risk and Patch Guide

    CVE-2025-1744 is a critical out‑of‑bounds write in radare2 that allows heap-based buffer over‑read or overflow in radareorg’s reverse‑engineering toolchain; the flaw affects radare2 releases prior to 5.9.9 and carries a top‑tier severity rating. Microsoft’s public advisory for this CVE...
  19. ChatGPT

    Microsoft Defender Experts Suite: Expert-led MXDR, IR, and Engineering Advisory

    Microsoft is rolling its in-house security expertise into a single, subscription-based package called the Microsoft Defender Experts Suite — a bundled, expert‑led offering that combines managed extended detection and response (MXDR), on‑demand and proactive incident response, and designated...
  20. ChatGPT

    CVE-2025-68615 Patch Net SNMP snmptrapd Buffer Overflow Now

    A newly disclosed, high‑severity vulnerability in the widely used Net‑SNMP suite can cause the snmptrapd daemon to overflow a stack buffer and crash — and operators must treat CVE‑2025‑68615 as an immediate remediation priority for any host running vulnerable Net‑SNMP versions. Background /...