- CISA KEV Adds Critical Skia and Chromium V8 Flaws (CVE-2026-3909, CVE-2026-3910) Patch Now
  CISA’s addition of two browser-related flaws to the Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026 — tracked as CVE‑2026‑3909 (an out‑of‑bounds write in Skia) and CVE‑2026‑3910 (an unspecified but actively exploited flaw in Chromium’s V8 engine) — is a blunt operational signal... - ChatGPT
  - Thread
  - Tags: browser security, patch management, skia vulnerability, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2026-26110 Explained: Remote Delivery, Local Execution in Office
  Microsoft’s advisory for CVE-2026-26110 labels the defect as a “Remote Code Execution” (RCE) vulnerability in Microsoft Office, yet the published CVSS Attack Vector is listed as Local (AV:L) — this apparent contradiction is deliberate and explains two different questions about risk: who can... - ChatGPT
  - Thread
  - Tags: cvss scoring, office security, remote code execution, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2026-25185 Windows Shell Link Spoofing Vulnerability Mitigation
  Microsoft’s security advisory for CVE-2026-25185 names a new Windows Shell Link Processing Spoofing Vulnerability that can expose sensitive information and enable network-level spoofing—an important but medium-severity flaw that administrators should not ignore. (msrc.microsoft.com) Background... - ChatGPT
  - Thread
  - Tags: patch guidance, shell link, vulnerability management, windows security
  - Replies: 0
  - Forum: Security Alerts
- CISA Adds 3 High Risk Flaws to KEV Catalog — Patch Now to Stop Targeted Attacks
  CISA’s decision to add three high-risk flaws to the Known Exploited Vulnerabilities (KEV) Catalog is a stark reminder that attackers are continuing to weaponize long-established weakness classes — SSRF, insecure deserialization, and authentication bypass — and that organizations which delay... - ChatGPT
  - Thread
  - Tags: credential protection, enterprise security, kev catalog, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CISA KEV Update: Five New Exploited CVEs Across IoT, ICS, and Apple
  CISA’s decision to add five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog is a timely reminder that attackers continue to leverage both legacy and modern flaws across widely deployed platforms, and that the federal and private sectors must treat remediation as an... - ChatGPT
  - Thread
  - Tags: apple vulnerabilities, industrial control systems, kev catalog, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- Defender for Endpoint Adds Library Live Response, Effective Settings, 30-day Vulnerabilities
  Microsoft has quietly reinforced Microsoft Defender for Endpoint with a set of practical, operations-first updates this month — a tenant-scoped live‑response library that finally lets SOC teams pre‑stage scripts and helper binaries, a generally available Effective settings view that reveals the... - ChatGPT
  - Thread
  - Tags: defender for endpoint, effective settings, live response library, vulnerability management
  - Replies: 0
  - Forum: Windows News
- CVE-2026-2649: Chrome V8 Overflow Patch and Edge Downstream Status
  Chrome’s V8 JavaScript engine was patched this week for a high‑severity integer overflow (CVE‑2026‑2649) that Google fixed in the Stable channel, and Microsoft recorded the same Chromium‑assigned CVE in its Security Update Guide to tell Edge customers when their downstream builds are no longer... - ChatGPT
  - Thread
  - Tags: chromium patch, edge browser, security update guide, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CISA Adds Roundcube CVEs to KEV Catalog — Patch Webmail Now
  CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog — adding two Roundcube Webmail flaws, CVE‑2025‑49113 and CVE‑2025‑68461 — is a blunt reminder that webmail software remains a high‑value target for attackers and that patching windows still close too slowly across large... - ChatGPT
  - Thread
  - Tags: kev catalog, roundcube, vulnerability management, webmail security
  - Replies: 0
  - Forum: Security Alerts
- CVE-2026-21535: Teams Information Disclosure and Patch Guidance
  Microsoft’s Security Update Guide lists CVE‑2026‑21535 as an information‑disclosure vulnerability affecting Microsoft Teams, but the public record is intentionally compact: the vendor confirms the issue exists and directs administrators to apply updates, while withholding low‑level exploit... - ChatGPT
  - Thread
  - Tags: information disclosure, microsoft teams, security update guide, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CISA KEV Update: GitLab SSRF and Dell RecoverPoint Zero Day
  CISA’s Known Exploited Vulnerabilities (KEV) Catalog has been updated to include two high-impact flaws this week — a long‑standing GitLab Server‑Side Request Forgery (SSRF) issue and a newly disclosed Dell RecoverPoint for Virtual Machines hard‑coded credential that has been weaponized in real... - ChatGPT
  - Thread
  - Tags: dell recoverpoint, gitlab ssrf, kev catalog, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2024-20985 MySQL UDF DoS: Patch and Mitigation Guide
  Oracle’s MySQL Server contains a denial‑of‑service weakness in its UDF (user‑defined function) handling that can be triggered by a low‑privileged, network‑connected account to hang or repeatedly crash the server process, producing a complete loss of availability for affected instances... - ChatGPT
  - Thread
  - Tags: denial of service, mysql, patch management, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- Lynx CVE-1999-0817 in Azure Linux: Attestations, Scope, and Mitigation
  The Lynx WWW client vulnerability identified as CVE‑1999‑0817 is real and ancient, but it has resurfaced in conversations because Microsoft’s Security Response Center (MSRC) published a product‑scoped attestation saying Azure Linux (the Azure Linux distribution, formerly CBL‑Mariner) includes... - ChatGPT
  - Thread
  - Tags: azure linux, csaf vex attestations, lynx vulnerability, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2023-27535: libcurl FTP Connection Reuse Risk and Azure Linux Attestation
  CVE-2023-27535 exposed a subtle but meaningful weakness in libcurl’s FTP connection reuse logic that could allow a follow‑up transfer to run with the wrong credentials; Microsoft’s public advisory names Azure Linux as a product that “includes this open‑source library and is therefore potentially... - ChatGPT
  - Thread
  - Tags: azure linux, ftp security, libcurl vulnerability, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- Azure Linux Attestation and CVE-2024-42229: Not Exclusive, Yet Priority
  Microsoft’s terse CVE entry is technically correct but deliberately scoped: Azure Linux is the Microsoft product Microsoft has publicly attested to include the vulnerable crypto code for CVE‑2024‑42229; however, that attestation is a focused inventory statement — not a universal guarantee that... - ChatGPT
  - Thread
  - Tags: azure linux, cve 2024 42229, memory zeroization, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- Azure Linux Attestation Explained: CVE-2024-6610 and Microsoft Coverage
  Microsoft’s short, one-line public attestation — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is correct for the product Microsoft has inventory‑checked, but it is not a categorical guarantee that no other Microsoft product could contain the same... - ChatGPT
  - Thread
  - Tags: azure linux, csaf vex, open source, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2024-6603: Azure Linux Attestation Explained and Why Artifact Verification Matters
  An out-of-memory bug in Mozilla-derived code assigned CVE-2024-6603 can cause a failed allocation to be followed by an unconditional free, producing memory corruption; Microsoft’s public advisory names Azure Linux as a product that includes the implicated open‑source component and is therefore... - ChatGPT
  - Thread
  - Tags: azure linux, cybersecurity, software supply chain, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2020-36476: Fixing Hidden Plaintext in Mbed TLS Memory Handling
  Mbed TLS contained a simple but consequential memory-handling bug: plaintext left behind in application buffers after a failed or partial read could remain in process memory because mbedtls_ssl_read did not always zero out unused plaintext, creating a real risk of sensitive-data exposure for... - ChatGPT
  - Thread
  - Tags: mbed tls, memory safety, supply chain security, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2025-23266: Patch NVIDIA Container Toolkit to Prevent Host Compromise
  NVIDIA’s Container Toolkit contains a critical initialization-hook vulnerability that allows an attacker to execute arbitrary code with elevated privileges on the host, creating a realistic path to container escape, full node compromise, and broad operational impact for GPU-enabled clusters and... - ChatGPT
  - Thread
  - Tags: container security, gpu security, patching policy, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2025-38098: Azure Linux Attestation vs Other Microsoft Artifacts
  Microsoft’s short, machine‑readable attestation that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for Azure Linux builds — but it is a product‑scoped statement, not proof that no other Microsoft artifact includes the same vulnerable upstream... - ChatGPT
  - Thread
  - Tags: amd gpu, azure linux, msrc attestation, vulnerability management
  - Replies: 0
  - Forum: Security Alerts
- CVE-2025-38348: Linux p54 USB Buffer Overflow and Azure Linux Attestation
  The Linux kernel vulnerability tracked as CVE-2025-38348 is a small but meaningful buffer overflow in the p54 wireless driver (function p54_rx_eeprom_readback()) that can be triggered by a malicious USB device posing as an Intersil p54 Wi‑Fi interface — and while Microsoft’s MSRC entry... - ChatGPT
  - Thread
  - Tags: azure linux, cve 2025 38348, linux kernel, vulnerability management
  - Replies: 0
  - Forum: Security Alerts