security patch

A carefully placed mutex change in the Qualcomm MSM display driver (drm/msm/dpu) fixed a subtle — but high-impact — race that could let unprivileged code crash the kernel by toggling vblank handling from multiple threads, and the fix should be treated as a high-priority kernel update for any...

The Linux kernel has closed a small but consequential memory‑safety gap in the HFS driver: CVE‑2025‑40243 fixes a KMSAN‑reported uninitialized‑value read in hfs_find_set_zero_bits by ensuring the HFS volume bitmap is allocated zeroed (kzalloc) instead of with kmalloc, removing a source of...

A recently disclosed Linux kernel vulnerability, tracked as CVE‑2025‑40251, stems from a small but consequential oversight in devlink’s rate node teardown logic: the function devl_rate_nodes_destroy failed to clear the devlink_rate->parent pointer after decrementing the parent's reference count...

A newly disclosed Linux kernel vulnerability, tracked as CVE-2025-40219, fixes a long-standing race and locking gap in the kernel’s PCI I/O virtualization (PCI/IOV) SR-IOV code: enabling and disabling SR-IOV did not take the global PCI “rescan‑remove” serialization lock, allowing concurrent...

A small, surgical patch landed upstream this month to fix CVE-2023-53248 — a Linux kernel flaw in the AMDGPU DRM driver that could let the kernel hit a NULL dereference when waiting on page-table update fences, producing a denial-of-service condition on affected systems; the remediation is...

A critical unauthenticated data-injection flaw in Fluent Bit’s forward input plugin has been publicly cataloged as CVE-2025-12969; the bug lets an attacker who can reach a Fluent Bit forward listener send unauthenticated records by bypassing the configured security.users control, enabling forged...

A newly disclosed high‑severity vulnerability in the popular JavaScript cryptography library node‑forge (tracked as CVE‑2025‑66031) enables unbounded ASN.1 recursion that can be trivially abused to crash Node.js processes parsing untrusted DER inputs — and the fix landed quickly in node‑forge...

OpenPrinting’s CUPS received a security update on November 27–29, 2025 after a stack-based out‑of‑bounds write (CWE‑124 / CWE‑129) was found in the cupsd configuration parser that lets a local lpadmin user inject a malicious IPv6 fragment into cupsd.conf through the web UI — an input‑validation...

A new Microsoft Security Response Center advisory published on November 11, 2025, documents CVE‑2025‑59510 — a local denial‑of‑service (DoS) vulnerability in Windows Routing and Remote Access Service (RRAS) that stems from improper link resolution (symlink or "link following") before file...

Microsoft has recorded CVE-2025-62213 as a use‑after‑free elevation‑of‑privilege in the Windows Ancillary Function Driver for WinSock (afd.sys), a kernel‑mode networking component, and administrators are urged to apply the vendor's security update immediately to close a local post‑compromise...

Microsoft’s advisory for a spoofing vulnerability affecting Dynamics 365 Field Service (online) is terse, dynamically rendered in the Microsoft Security Update Guide, and — as currently available in public mirrors — leaves important technical details unconfirmed; administrators must treat the...

Microsoft has published an advisory for CVE-2025-47179, a Configuration Manager elevation‑of‑privilege issue that affects on‑premises Microsoft Configuration Manager installations and requires immediate attention from administrators responsible for management‑plane infrastructure. Overview...

Microsoft’s advisory listing for CVE-2025-62216 describes a Microsoft Office vulnerability that can result in remote code execution when a crafted Office document is processed on an endpoint — a serious finding that demands immediate, prioritized mitigation across both corporate and consumer...

The Linux kernel received a small but important defensive patch addressing CVE-2025-40033: a potential NULL-pointer dereference in the remoteproc PRU driver’s pru_rproc_set_ctable that, if triggered on an affected system, can cause a kernel oops and an availability outage. The fix is a surgical...

The Linux kernel has received a small but important defensive fix for a potential NULL‑pointer dereference in the pin control (pinctrl) subsystem: CVE‑2025‑40030 corrects a missing NULL check when calling the pinmux_ops::get_function_name callback so that a returned NULL pointer cannot be passed...

The Linux kernel received a surgical but important fix for a subtle BPF verifier bug that could cause verifier failures and kernel warnings when eBPF programs accessed an implicit padding field inside the bpf_sock_addr context; the upstream patch explicitly tightens validation in...

Microsoft has released an out‑of‑band emergency patch to fix a critical remote code execution vulnerability in Windows Server Update Services (WSUS) — tracked as CVE‑2025‑59287 — and every WSUS host must be treated as a top‑tier remediation priority until it is patched or isolated. The flaw is a...

A newly reported elevation‑of‑privilege issue tied to Azure’s notification infrastructure — tracked as CVE‑2025‑59500 in some community notes — has raised urgent operational questions for administrators and security teams, but the public evidence for this exact CVE number is limited and the...

Microsoft has released emergency fixes for a severe ASP.NET Core vulnerability — a Kestrel HTTP request‑smuggling/security‑feature bypass tracked as CVE‑2025‑55315 and flagged with a near‑maximum CVSS v3.1 score of 9.9 — and developers and operators are being urged to patch immediately, assess...

Microsoft has confirmed CVE-2025-59260 as a local information‑disclosure vulnerability in the Microsoft Failover Cluster virtual driver that can write sensitive cluster state into log files or otherwise expose privileged configuration data to low‑privileged local actors, and Microsoft has...