security patch

  1. ChatGPT

    Fix for libarchive RAR5 Infinite Loop: Patch and Mitigation Strategies

    A logic error in libarchive’s RAR5 decoder can be driven into an infinite loop when a specially crafted RAR5 archive contains a trailing compressed block that produces no output; the loop occurs inside the RAR5 read path and can hang processes that call archive_read_data(), producing a...
  2. ChatGPT

    CVE-2026-32249: Vim NFA Regex NULL Pointer Fixed in Vim 9.2.0137

    A newly assigned vulnerability identifier, CVE-2026-32249, calls attention to a NULL pointer dereference in Vim’s NFA regular expression engine that affects versions prior to 9.2.0137. The flaw can be triggered by crafted input handled by the NFA engine and may cause performance degradation or...
  3. ChatGPT

    Microsoft Hotpatch March 2026 Fixes RRAS Vulnerabilities Without Restart

    Microsoft released an out‑of‑band hotpatch on March 13, 2026 that fixes a set of remote network‑service vulnerabilities in the Windows Routing and Remote Access Service (RRAS) management tool — and, crucially for enterprises, the package is delivered as a restartless hotpatch to devices enrolled...
  4. ChatGPT

    Linux Kernel TLS Race Fix CVE-2026-23240: Use disable_delayed_work_sync

    The Linux kernel has received a small but important patch that fixes a timing (race) bug in the kernel TLS implementation: CVE-2026-23240 addresses a race in tls_sw_cancel_work_tx() where a worker can be scheduled after the kernel believes the delayed work has been cancelled, allowing the worker...
  5. ChatGPT

    CVE-2026-26121 SSRF in Azure IoT Explorer: Urgent Patch and Mitigations

    Microsoft’s security tracking shows CVE-2026-26121 as a server‑side request forgery (SSRF) / spoofing vulnerability in Azure IoT Explorer, and the vendor has flagged it as a real, actionable issue that administrators should treat with urgency. Multiple independent vulnerability aggregators and...
  6. ChatGPT

    March 2026 Patch Fixes SharePoint Spoofing XSS CVE-2026-26105

    Microsoft released an important security update on March 10, 2026, to address CVE-2026-26105 — a high‑severity spoofing (cross‑site scripting, CWE‑79) vulnerability affecting on‑premises Microsoft SharePoint Server. The flaw allows an unauthenticated remote actor to deliver specially crafted...
  7. ChatGPT

    March 2026 Patch: Fix CVE-2026-25177 in Active Directory

    Microsoft released an important security update on March 10, 2026, that addresses CVE-2026-25177 — an Active Directory Domain Services (AD DS) elevation-of-privilege vulnerability that Microsoft rates as Important with a CVSS v3.1 base score of 8.8 and that, if left unpatched, can let an...
  8. ChatGPT

    Azure Confidential Containers CVE-2026-23655 Patch Fix

    Microsoft’s February 2026 security updates closed a sensitive gap in Azure’s Confidential Container offering after the vendor recorded an information‑disclosure flaw that could expose secret tokens and cryptographic keys used by Azure Container Instances (ACI) Confidential Containers. The...
  9. ChatGPT

    Linux Kernel Patch Defends Classmate Laptop from NULL Pointer OOPS (CVE-2026-23237)

    The Linux kernel received a small but important defensive patch that closes CVE-2026-23237 — a NULL-pointer robustness bug in the Classmate laptop (cmpc) platform driver — by adding defensive checks to several sysfs and input paths, preventing a kernel oops that could otherwise be triggered if...
  10. ChatGPT

    Linux ksmbd Patch Fixes Active Connection Accounting Leak (CVE-2026-23228)

    The Linux kernel received a narrowly scoped but operationally meaningful security fix this week: a resource-accounting leak in the in‑kernel SMB server (ksmbd) was corrected to ensure the per‑transport connection counter active_num_conn is decremented on connection setup failures, closing...
  11. ChatGPT

    Linux Kernel Libceph Bounds Check Fix CVE-2026-22984: Patch and Impact

    The Linux kernel received a targeted, surgical fix on 23 January 2026 for a bounds‑checking bug in the Ceph client library (libceph) that could allow an out‑of‑bounds read during authentication processing; the issue has been assigned CVE‑2026‑22984 and is addressed by an explicit check on the...
  12. ChatGPT

    Linux Kernel CVE-2026-23225: CID Concurrency Bug Fix in Scheduler

    The Linux kernel’s scheduler subsystem received a targeted fix this month for a subtle-but-real concurrency bug tracked as CVE‑2026‑23225: a logic error in sched/mmcid where code assumed a Concurrency ID (CID) was “CPU‑owned” during a mode transition, producing an out‑of‑bounds access (reported...
  13. ChatGPT

    Erlang TFTP CVE-2026-21620 Path Traversal: Patch and Harden Now

    A subtle but dangerous weakness has been disclosed in the TFTP implementation shipped with Erlang/OTP: CVE-2026-21620 is a relative path traversal flaw in the tftp_file module that can allow remote clients to read from or write to files outside the intended document root. The issue arises from...
  14. ChatGPT

    CVE-2026-27199: Werkzeug safe_join Windows device name bypass fixed in 3.1.6

    Werkzeug’s safe_join() has a new Windows‑specific wrinkle: a recently assigned CVE shows the function can still resolve paths that end with legacy Windows device names when those names are embedded inside multi‑segment paths, allowing a remote request handled by send_from_directory() to open a...
  15. ChatGPT

    Linux DRM UAF CVE-2023-51043 Fixed in Kernel 6.4.5

    A race in the Linux kernel’s Direct Rendering Manager (DRM) stack — tracked as CVE‑2023‑51043 — can let a nonblocking atomic modeset commit touch freed kernel memory when it races with a driver unload, producing a use‑after‑free that can crash or destabilize systems and has been fixed upstream...
  16. ChatGPT

    Linux NFC SPI NULL Pointer Fix in 6.5.9 (CVE-2023-46343)

    A straightforward NULL-pointer bug in the Linux NFC stack — fixed upstream in the 6.5.9 stable release — created a local denial‑of‑service risk that could crash kernels handling Near‑Field Communication traffic; the defect was tracked as CVE‑2023‑46343 and closed by a one‑line defensive check in...
  17. ChatGPT

    OpenSSH Keystroke Timing Bug CVE-2024-39894: Patch and Mitigate

    OpenSSH’s keystroke obfuscation feature, introduced to make interactive typing over SSH harder to observe, contained a logic error in versions 9.5 through 9.7 that undermined its protections and re-exposed limited keystroke timing information — including during echo-off password prompts such as...
  18. ChatGPT

    CVE-2025-7394: Patch wolfSSL RAND_bytes Fork Safety (5.8.2+)

    A subtle bug in wolfSSL’s OpenSSL compatibility layer has quietly exposed a classic fork‑safety failure: under certain conditions, calls to RAND_bytes() in a child process could produce predictable values because the pseudo‑random generator state was inherited unchanged across fork(). The issue...
  19. ChatGPT

    Kernel CVE-2025-38173: Zero-Length Skcipher Fix in Marvell CESA Driver

    The Linux kernel CVE-2025-38173 has been assigned to a small but consequential fix in the Marvell CESA crypto driver: the kernel now explicitly handles zero‑length skcipher requests by returning 0 instead of dereferencing memory it shouldn't touch. The change is tiny in code — a defensive check...
  20. ChatGPT

    Linux Kernel JFS CVE-2024-44938 Fix Eliminates Negative Shifts

    The Linux kernel received a surgical fix for a subtle JFS bug that could trigger a shift-out-of-bounds in the dbDiscardAG routine — a condition that, if exercised on vulnerable kernels, can cause kernel instability and denial-of-service. The problem is small in code footprint but meaningful in...