Siemens and CISA disclosed on May 12–14, 2026, that Siemens gPROMS Web Applications Publisher versions before 3.1.1 are affected by CVE-2026-40175, an Axios-linked vulnerability that can allow remote code execution under specific conditions. The advisory is narrow in product scope but broad in...
CVE-2026-41089 is a Microsoft-disclosed Windows Netlogon remote code execution vulnerability published in the Security Update Guide on May 12, 2026, affecting the authentication plumbing Windows domains use to establish trusted communication between domain-joined machines and domain controllers...
South Staffordshire Plc, parent of South Staffs Water, was fined £963,900 by the UK Information Commissioner’s Office on May 11, 2026, after a Cl0p ransomware intrusion that began in September 2020 went undetected until July 2022 and exposed data on 633,887 people. The headline number is...
Microsoft published CVE-2026-7904 for Microsoft Edge on May 7, 2026, after Google fixed a high-severity Chromium font-processing flaw in Chrome 148.0.7778.96 and later, a bug that could let a remote attacker read memory through a crafted HTML page. The short version for Windows users is simple...
Google and Microsoft published CVE-2026-7917 on May 6, 2026, describing a high-severity use-after-free flaw in Chromium’s Fullscreen component on Windows before Chrome 148.0.7778.96 that could help a renderer-compromise chain escape the browser sandbox. The important phrase is not “Fullscreen,”...
CVE-2026-7935 is a medium-severity Chromium flaw disclosed on May 6, 2026, in Google Chrome before version 148.0.7778.96, where an inappropriate implementation in the browser’s Speech component could let a remote attacker spoof user-interface elements through a crafted HTML page. The bug is not...
Google and Microsoft disclosed CVE-2026-7940 on May 6, 2026, a medium-severity Chromium vulnerability in V8 that affects Google Chrome before 148.0.7778.96 and can let a malicious Chrome extension execute arbitrary code inside the browser sandbox. The short version is reassuring only if your...
Google and Microsoft disclosed CVE-2026-7945 on May 6, 2026, describing a medium-severity Chromium flaw in Cross-Origin-Opener-Policy handling that affected Chrome before 148.0.7778.96 and could let an attacker who already compromised the renderer bypass site isolation with crafted HTML. That...
CVE-2026-7947 is a medium-severity Chromium Network flaw disclosed on May 6, 2026, affecting Google Chrome before 148.0.7778.96 and allowing renderer-compromising attackers to spoof browser UI through a crafted HTML page on Windows, macOS, and Linux. That phrasing is dry, but the story is not...
Google disclosed CVE-2026-7972 on May 6, 2026, as a medium-severity Chromium GPU vulnerability fixed in Chrome 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and macOS, with Microsoft tracking the same Chromium flaw through its Security Update Guide. The bug is not the...
Google and Microsoft documented CVE-2026-7980 on May 6–7, 2026, as a Chromium WebAudio use-after-free flaw affecting Chrome before version 148.0.7778.96 and fixed in current Microsoft Edge builds that ingest the patched Chromium code. The bug is officially “medium” in Chromium’s own severity language...
Google and Microsoft disclosed CVE-2026-7982 on May 6, 2026, as a medium-severity Chromium WebCodecs flaw affecting Google Chrome before version 148.0.7778.96 that allows a remote attacker to expose potentially sensitive process memory through a crafted HTML page. That is the plain version; the...
Google disclosed CVE-2026-7987 on May 6, 2026, as a WebRTC use-after-free flaw in Chrome before version 148.0.7778.96 that can let a remote attacker run code inside the browser sandbox through a crafted HTML page. That sounds narrow, almost boring, until you notice where the bug lives: WebRTC...
Google and Microsoft disclosed CVE-2026-8007 on May 6, 2026, describing a Cast component input-validation flaw in Chromium-based browsers before Chrome 148.0.7778.96 that could let an attacker escalate privileges after first compromising the renderer process with a crafted web page. The dry...
CVE-2026-34032 is a newly published Apache HTTP Server flaw in mod_proxy_ajp, disclosed on May 4, 2026, affecting Apache HTTP Server versions through 2.4.66 and fixed in Apache HTTP Server 2.4.67. The bug is not a Microsoft vulnerability, despite surfacing through Microsoft’s Security Update...
Google and Microsoft disclosed CVE-2026-7339 on April 28, 2026, as a heap-based buffer overflow in Chromium’s WebRTC component affecting Google Chrome before 147.0.7727.138, with exploitation possible through a crafted HTML page that triggers heap corruption after user interaction. The bug is...
Google published CVE-2026-7346 on April 28, 2026, as a high-severity Chrome vulnerability in Tint, affecting versions before 147.0.7727.138, that could let a remote attacker trigger out-of-bounds memory access through a crafted HTML page on desktop browsers. The interesting part is not that Chrome...
Google and Microsoft disclosed CVE-2026-7335 on April 28, 2026, after Chrome’s stable desktop update to 147.0.7727.137/138 fixed a high-severity use-after-free flaw in Chromium’s media component that could let a remote attacker run code inside the browser sandbox through a crafted HTML page. The...
Google and Microsoft disclosed CVE-2026-7354 on April 28, 2026, describing a high-severity out-of-bounds read and write flaw in ANGLE that affects Google Chrome before 147.0.7727.138 and could let a remote attacker attempt a browser sandbox escape through a crafted HTML page. The short version...
Google and Microsoft disclosed CVE-2026-7358 on April 28, 2026, as a high-severity use-after-free flaw in Chrome’s Animation component affecting Google Chrome before version 147.0.7727.138, with exploitation possible through a crafted HTML page that can execute code inside Chrome’s sandbox. The...