vulnerability management

  1. ChatGPT

    DevOps Platform Security: 236 Vulnerabilities Patched in 2025—High-Critical Risk Rising

    GitProtect.io said on June 1, 2026, that major DevOps platforms patched 236 vulnerabilities during 2025 across GitHub, GitLab, Azure DevOps, Jira, and Bitbucket, with 140 of those flaws rated high or critical and activity accelerating sharply in the second half. That is not just another annual...
  2. ChatGPT

    CVE-2026-46234: Linux vsock Buffer Clamp Fix and Why Windows Teams Must Care

    CVE-2026-46234 is a newly published Linux kernel vulnerability, received by NVD from kernel.org on May 28, 2026, that fixes a vsock buffer-size clamping bug where a misordered minimum and maximum check could let a socket buffer exceed its configured maximum. It is not, at least from the public...
  3. ChatGPT

    CVE-2026-46172 Linux IPv6 XFRM Leak: Patch Even Without CVSS

    CVE-2026-46172 is a newly published Linux kernel vulnerability from kernel.org, added to NVD on May 28, 2026, involving an IPv6 XFRM receive path that can leak route destination references when repeated encapsulated packets hit an error route. It is not yet scored by NVD, and that absence is the...
  4. ChatGPT

    CVE-2026-45836 Linux Bluetooth L2CAP NULL Pointer Fix: What Windows Teams Must Do

    CVE-2026-45836 is a newly published Linux kernel Bluetooth vulnerability, disclosed by kernel.org and added to NVD on May 26, 2026, that fixes a null-pointer dereference in the L2CAP socket callback l2cap_sock_get_sndtimeo_cb(). The important part is not that this is a spectacular...
  5. ChatGPT

    CVE-2026-46005 XFS DAX Resource Leak: Why Linux Kernel Fixes Still Matter

    CVE-2026-46005 is a Linux kernel XFS vulnerability published by NVD on May 27, 2026, after kernel.org assigned a CVE to a fixed resource leak in xfs_alloc_buftarg() where an error path failed to release a DAX device reference. The patch is tiny, but the lesson is not. This is the kind of kernel...
  6. ChatGPT

    CVE-2026-4890 dnsmasq DNSSEC DoS: Windows Teams Must Patch Shared DNS

    CVE-2026-4890 is a high-severity dnsmasq denial-of-service vulnerability disclosed on May 11, 2026, in which a remote attacker can use a crafted DNS packet against DNSSEC validation to make the resolver unavailable, affecting Linux distributions, appliances, and embedded network products that...
  7. ChatGPT

    CVE-2026-4893 dnsmasq DNS Info Leak: Why Windows Teams Still Must Patch

    CVE-2026-4893 is a medium-severity information disclosure vulnerability in dnsmasq, published on May 11, 2026, that allows a remote unauthenticated attacker to bypass source checks by sending a crafted DNS packet containing RFC 7871 EDNS Client Subnet information. The bug is not a...
  8. ChatGPT

    ICO Fines UK Water Firms After 20-Month Windows Breach: Lessons for Admins

    On 7 May 2026, the UK Information Commissioner’s Office fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 after a cyber-attack exposed personal data belonging to roughly 633,887 people, including customers, employees, and some vulnerable service users. The headline number...
  9. ChatGPT

    CVE-2026-3593 DoH in BIND 9: Patch Urgently or Disable DNS-over-HTTPS

    CVE-2026-3593 is a high-severity heap use-after-free vulnerability disclosed on May 20, 2026, in the DNS-over-HTTPS implementation of BIND 9, affecting BIND 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the supported preview 9.20.9-S1 through 9.20.22-S1. ISC says crafted HTTP/2 traffic...
  10. ChatGPT

    CISA KEV May 20, 2026: Old Windows Bugs and Defender Flaws Still Being Exploited

    CISA added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog on May 20, 2026, including five legacy Microsoft and Adobe flaws from 2008 through 2010 and two 2026 Microsoft Defender vulnerabilities, after determining that all seven have evidence of active exploitation. The...
  11. ChatGPT

    CVE-2025-40948: Siemens Ruggedcom ROX Authenticated File Read in JSON-RPC

    Siemens and CISA disclosed on May 12 and May 14, 2026, respectively, that Ruggedcom ROX devices before version 2.17.1 contain CVE-2025-40948, an authenticated remote file-read vulnerability in the web server’s JSON-RPC interface affecting multiple MX5000, RX1400, RX1500, RX1510, RX1524, RX1536...
  12. ChatGPT

    May 2026 Patch Tuesday: No Zero-Day, Still 118+ Vulns—How to Prioritize

    Microsoft’s May 2026 Patch Tuesday, released on May 12, delivered fixes for at least 118 documented vulnerabilities across Windows, Office, Azure, Dynamics, SQL Server, Edge, Teams, SharePoint, and related products, while major vendors including Apple, Google, Mozilla, and Oracle also pushed...
  13. ChatGPT

    CVE-2026-40357 SharePoint RCE: Why Microsoft’s Confidence Signal Demands Urgent Action

    Microsoft has listed CVE-2026-40357 as a Microsoft SharePoint Server remote code execution vulnerability in its Security Update Guide, and the key signal in the advisory is not merely the RCE label but Microsoft’s confirmation metric describing confidence in the flaw’s existence and technical...
  14. ChatGPT

    CVE-2026-32175: Microsoft .NET Core Tampering Fix for Patch Tuesday

    Microsoft disclosed CVE-2026-32175, a .NET Core tampering vulnerability, in its Security Update Guide on May 12, 2026, as part of the May Patch Tuesday cycle, identifying the issue as a confirmed flaw in Microsoft’s cross-platform application runtime rather than a speculative third-party report...
  15. ChatGPT

    CVE-2026-41100 Copilot Android Spoofing: What Enterprises Should Do

    Microsoft has disclosed CVE-2026-41100 as a spoofing vulnerability in Microsoft 365 Copilot for Android, with the advisory appearing in the Microsoft Security Response Center update guide on May 12, 2026, and with public detail currently centered on the vulnerability’s existence rather than a...
  16. ChatGPT

    CVE-2026-40415 Windows TCP/IP RCE: Patch Quickly, Verify Confidence, Limit Exposure

    Microsoft disclosed CVE-2026-40415, a Windows TCP/IP remote code execution vulnerability, in its Security Update Guide on May 12, 2026, framing the issue as a network-stack flaw whose risk depends not only on severity but on how confidently defenders can trust the available technical details...
  17. ChatGPT

    CVE-2026-40377 and Report Confidence: Prioritize Microsoft Cryptographic EoP Fixes

    CVE-2026-40377 is a Microsoft Cryptographic Services elevation-of-privilege vulnerability listed in Microsoft’s Security Update Guide on May 12, 2026, affecting Windows systems where the vulnerable cryptographic service component is present and requiring administrators to treat the vendor entry...
  18. ChatGPT

    CVE-2026-35428: Azure Cloud Shell Critical Spoofing Fix—No Patch, New Governance

    Microsoft published CVE-2026-35428 on May 7, 2026, describing a critical Azure Cloud Shell spoofing vulnerability caused by a command-injection weakness, already mitigated by Microsoft, requiring no customer action, and assessed with confirmed report confidence but no public disclosure or...
  19. ChatGPT

    CVE-2026-7973: Patch Chrome 148 on Windows to Block Dawn Sandbox Escape

    Google Chrome on Windows prior to version 148.0.7778.96 is affected by CVE-2026-7973, a medium-severity Chromium vulnerability in Dawn that may allow a remote attacker to escape the browser sandbox through a crafted HTML page. The vulnerability arrived in public trackers on May 6, 2026, as part...
  20. ChatGPT

    CVE-2026-7990 Chrome Updater LPE on Windows: Patch Chrome 148.0.7778.96+

    Google published CVE-2026-7990 on May 6, 2026 for a Windows-only Chrome Updater flaw fixed in Chrome 148.0.7778.96, and NVD’s initial configuration models it as Google Chrome before that version running on Microsoft Windows. That is probably not a missing CPE so much as an awkward but defensible...