Microsoft

Makers of the Windows Operating System and hundreds of products that run on it.

Products by Microsoft
Sorted by Most Security Vulnerabilities since 2018

Microsoft Windows 10: 4463 vulnerabilities
Microsoft Windows Server 2016: 4261 vulnerabilities
Microsoft Windows Server 2019: 4234 vulnerabilities
Microsoft Windows Server 2012: 3214 vulnerabilities
Microsoft Windows Server 2008: 2820 vulnerabilities
Microsoft Windows Server 2022: 2541 vulnerabilities
Microsoft Windows 11: 2278 vulnerabilities
Microsoft Windows 7: 1810 vulnerabilities
Microsoft Windows 8.1: 1712 vulnerabilities
Microsoft Windows Rt 8 1: 1592 vulnerabilities
Microsoft Windows 10 1507: 1452 vulnerabilities
Microsoft Windows 11 23h2: 1394 vulnerabilities
Microsoft Windows 11 24h2: 1072 vulnerabilities
Microsoft Windows Server 23h2: 1039 vulnerabilities
Microsoft Windows Server 2025: 1020 vulnerabilities
Microsoft Windows Server 2012 R2: 1006 vulnerabilities
Microsoft Windows: 931 vulnerabilities
Microsoft Windows Server: 655 vulnerabilities
Microsoft Office: 589 vulnerabilities
Microsoft Internet Explorer (IE): 528 vulnerabilities (Popular web browser for windows)
Microsoft 365 Apps: 439 vulnerabilities
Microsoft Sharepoint Server: 410 vulnerabilities
Microsoft Edge Browser: 409 vulnerabilities (Web Browser based on Chromium)
Microsoft Windows Vista: 382 vulnerabilities
Microsoft Windows XP: 326 vulnerabilities
Microsoft Windows 10 1803: 275 vulnerabilities
Microsoft Windows 10 1909: 271 vulnerabilities
Microsoft Windows Server 2003: 262 vulnerabilities
Microsoft Windows Server 2004: 244 vulnerabilities
Microsoft Windows Server 1903: 240 vulnerabilities
Microsoft Windows 11 25h2: 234 vulnerabilities
Microsoft Windows Server 1909: 223 vulnerabilities
Microsoft Edge Chromium: 221 vulnerabilities
Microsoft Windows Server 20h2: 205 vulnerabilities
Microsoft Excel: 187 vulnerabilities (Spreadsheet Software)
Microsoft Office 2024: 173 vulnerabilities
Microsoft Office 2021: 167 vulnerabilities
Microsoft Windows 2003 Server: 162 vulnerabilities
Microsoft Office 2019: 161 vulnerabilities
Microsoft Office Macos 2024: 139 vulnerabilities
Microsoft Office Macos 2021: 137 vulnerabilities
Microsoft Office Online Server: 135 vulnerabilities
Microsoft Sql Server 2019: 133 vulnerabilities
Microsoft Exchange Server: 132 vulnerabilities
Microsoft Visual Studio 2019: 121 vulnerabilities
Microsoft Visual Studio 2022: 119 vulnerabilities
Microsoft Windows 2000: 112 vulnerabilities
Microsoft Sql Server 2022: 104 vulnerabilities
Microsoft Windows 11 2h2: 101 vulnerabilities
Microsoft Windows Server 1803: 101 vulnerabilities
Microsoft Word: 98 vulnerabilities
Microsoft SQL Server: 98 vulnerabilities (Database Server)
Microsoft Dynamics 365: 95 vulnerabilities
Microsoft Windows 10 21h1: 95 vulnerabilities
Microsoft Visual Studio 2017: 93 vulnerabilities
Microsoft Sql Server 2017: 92 vulnerabilities
Microsoft Sql Server 2016: 90 vulnerabilities
Microsoft Office 365 Proplus: 87 vulnerabilities
Microsoft Visual Studio: 87 vulnerabilities (Developer IDE)
Microsoft Outlook: 85 vulnerabilities
Microsoft Net: 80 vulnerabilities
Microsoft Excel 2016: 71 vulnerabilities
Microsoft Windows 11 26h1: 66 vulnerabilities
Microsoft Visual Studio Code: 63 vulnerabilities (VSCode Developer IDE)
Microsoft Windows 8: 61 vulnerabilities
Microsoft Windows Nt: 57 vulnerabilities
Microsoft Office Web Apps: 55 vulnerabilities
Microsoft Azure Site Recovery: 53 vulnerabilities
Microsoft Office 2016: 47 vulnerabilities
Microsoft Windows Rt: 46 vulnerabilities
Microsoft Azure Devops Server: 40 vulnerabilities
Microsoft Windows 10 1709: 40 vulnerabilities
Microsoft Powershell: 37 vulnerabilities
Microsoft: 36 vulnerabilities
Microsoft Mysql: 36 vulnerabilities
Microsoft ASP.NET Core: 35 vulnerabilities
Microsoft .NET Core: 34 vulnerabilities
Microsoft Excel Viewer: 34 vulnerabilities
Microsoft Windows 10 1703: 31 vulnerabilities
Microsoft Windows 10 1903: 26 vulnerabilities
Microsoft Windows 10 2004: 26 vulnerabilities
Microsoft Remote Desktop: 26 vulnerabilities
Microsoft Teams: 24 vulnerabilities
Microsoft Word 2016: 23 vulnerabilities
Microsoft .NET Framework: 22 vulnerabilities
Microsoft Office Word Viewer: 21 vulnerabilities

Recent Microsoft Security Advisories

Advisory Title Published
CVE-2026-4438 CVE-2026-4438 gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames March 23, 2026
CVE-2026-4437 CVE-2026-4437 gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response March 23, 2026
CVE-2026-4464 Chromium: CVE-2026-4464 Integer overflow in ANGLE March 23, 2026
CVE-2026-4463 Chromium: CVE-2026-4463 Heap buffer overflow in WebRTC March 23, 2026
CVE-2026-4462 Chromium: CVE-2026-4462 Out of bounds read in Blink March 23, 2026
CVE-2026-4461 Chromium: CVE-2026-4461 Inappropriate implementation in V8 March 23, 2026
CVE-2026-4460 Chromium: CVE-2026-4460 Out of bounds read in Skia March 23, 2026
CVE-2026-4458 Chromium: CVE-2026-4458 Use after free in Extensions March 23, 2026
CVE-2026-4457 Chromium: CVE-2026-4457 Type Confusion in V8 March 23, 2026
CVE-2026-4456 Chromium: CVE-2026-4456 Use after free in Digital Credentials API March 23, 2026

Known Exploited Microsoft Vulnerabilities

The following Microsoft vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Each entry below gives the title, the description, and then the CVE, its exploit probability and the date it was added.

Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.
CVE-2026-20963, Exploit Probability: 8.0%, Added: March 18, 2026

Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
CVE-2008-0015, Exploit Probability: 80.6%, Added: February 17, 2026

Microsoft Configuration Manager SQL Injection Vulnerability
Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.
CVE-2024-43468, Exploit Probability: 85.1%, Added: February 12, 2026

Microsoft Windows Shell Protection Mechanism Failure Vulnerability
Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.
CVE-2026-21510, Exploit Probability: 2.9%, Added: February 10, 2026

Microsoft Windows Type Confusion Vulnerability
Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally.
CVE-2026-21519, Exploit Probability: 4.7%, Added: February 10, 2026

Microsoft Windows Improper Privilege Management Vulnerability
Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.
CVE-2026-21533, Exploit Probability: 5.7%, Added: February 10, 2026

Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.
CVE-2026-21514, Exploit Probability: 6.3%, Added: February 10, 2026

Microsoft Internet Explorer Protection Mechanism Failure Vulnerability
Microsoft Internet Explorer contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.
CVE-2026-21513, Exploit Probability: 6.6%, Added: February 10, 2026

Microsoft Windows NULL Pointer Dereference Vulnerability
Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.
CVE-2026-21525, Exploit Probability: 4.2%, Added: February 10, 2026

Microsoft Office Security Feature Bypass Vulnerability
Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally.
CVE-2026-21509, Exploit Probability: 6.6%, Added: January 26, 2026

Microsoft Windows Information Disclosure Vulnerability
Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.
CVE-2026-20805, Exploit Probability: 3.2%, Added: January 13, 2026

Microsoft Office PowerPoint Code Injection Vulnerability
Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.
CVE-2009-0556, Exploit Probability: 76.4%, Added: January 7, 2026

Microsoft Windows Use After Free Vulnerability
Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.
CVE-2025-62221, Exploit Probability: 3.0%, Added: December 9, 2025

Microsoft Windows Race Condition Vulnerability
Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.
CVE-2025-62215, Exploit Probability: 0.6%, Added: November 12, 2025

Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
CVE-2025-59287, Exploit Probability: 68.4%, Added: October 24, 2025

Microsoft Windows SMB Client Improper Access Control Vulnerability
Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate.
CVE-2025-33073, Exploit Probability: 51.4%, Added: October 20, 2025

Microsoft Windows Untrusted Pointer Dereference Vulnerability
Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2025-24990, Exploit Probability: 3.8%, Added: October 14, 2025

Microsoft Windows Improper Access Control Vulnerability
Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally.
CVE-2025-59230, Exploit Probability: 3.7%, Added: October 14, 2025

Microsoft Windows Privilege Escalation Vulnerability
Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.
CVE-2021-43226, Exploit Probability: 7.3%, Added: October 6, 2025

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2010-3962, Exploit Probability: 88.3%, Added: October 6, 2025

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 3 known exploited Microsoft vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Microsoft Vulnerabilities

Based on the current exploit probability, these Microsoft vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank CVE EPSS Vulnerability
1 CVE-2019-0708 94.5% "BlueKeep" Microsoft Windows Remote Desktop Remote Code Execution Vulnerability
2 CVE-2019-0604 94.4% Microsoft SharePoint Remote Code Execution Vulnerability
3 CVE-2017-7269 94.4% Microsoft Windows Server 2003 R2 IIS WEBDAV buffer overflow Remote Code Execution vulnerability (COVI
4 CVE-2020-0796 94.4% Microsoft SMBv3 Remote Code Execution Vulnerability
5 CVE-2020-0688 94.4% Microsoft Exchange Server Key Validation Vulnerability
6 CVE-2021-38647 94.4% Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
7 CVE-2017-11882 94.4% Microsoft Office memory corruption vulnerability
8 CVE-2020-1472 94.4% NetLogon Privilege Escalation Vulnerability
9 CVE-2023-29357 94.4% Microsoft SharePoint Server Privilege Escalation Vulnerability
10 CVE-2021-40444 94.3% Microsoft Windows, Server (spec. IE) All Arbitrary Code Execution

By the Year

In 2026 there have been 656 vulnerabilities in Microsoft with an average score of 7.2 out of ten. Last year, in 2025, Microsoft had 2727 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Microsoft in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.15.




Year Vulnerabilities Average Score
2026 656 7.25
2025 2727 7.10
2024 2181 7.30
2023 1695 7.22
2022 1389 7.43
2021 1152 7.43
2020 1253 7.20
2019 831 7.09
2018 661 7.03

It may take a day or so for new Microsoft vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Microsoft Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-4438 Mar 20, 2026
glibc 2.34-2.43 DNS hostname violation via gethostbyaddr Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
CVE-2026-4437 Mar 20, 2026
glibc 2.34-2.43 DNS Spec Violation via gethostbyaddr Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
CVE-2026-23278 Mar 20, 2026
Linux Kernel nf_tables Catchall Element Processing Vulnerability In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, it's required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get: WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] [..] __nft_set_elem_destroy+0x106/0x380 [nf_tables] nf_tables_abort_release+0x348/0x8d0 [nf_tables] nf_tables_abort+0xcf2/0x3ac0 [nf_tables] nfnetlink_rcv_batch+0x9c9/0x20e0 [..]
CVE-2026-23277 Mar 20, 2026
Linux Kernel: TEQL Scheduler NULL Deref in iptunnel_xmit In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does: get_cpu_ptr(dev->tstats) Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault. Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.
CVE-2026-23276 Mar 20, 2026
Linux Kernel: Tunnel XMIT Recursion Stack Overflow (CVE-2026-23276) In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not sufficient because tunnel recursion involves route lookups and full IP output, consuming much more stack per level. Use a lower limit of 4 (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. Add recursion detection using dev_xmit_recursion helpers directly in iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). Move dev_xmit_recursion helpers from net/core/dev.h to public header include/linux/netdevice.h so they can be used by tunnel code. 
CVE-2026-23274 Mar 20, 2026
Linux Kernel: netfilter IDLETIMER Reuse of ALARM Timer Causing Panic In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.
CVE-2026-23272 Mar 20, 2026
Linux Kernel nf_tables RCU Read/Write Crash Vulnerability In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it. A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.
CVE-2026-23271 Mar 20, 2026
Linux Kernel: Race in perf event overflow handling In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.
CVE-2026-4464 Mar 20, 2026
Chrome ANGLE Integer Overflow <146.0.7680.153 Integer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-4462 Mar 20, 2026
OOB_READ_IN_BLINK_CHROME_PRE_146.0.7680.153 Out of bounds read in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4463 Mar 20, 2026
Heap overflow in WebRTC of Google Chrome <146.0.7680.153 Heap buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4460 Mar 20, 2026
Chrome Skia OOB Read CVE-2026-4460 (pre-146.0.7680.153) Out of bounds read in Skia in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4461 Mar 20, 2026
Google Chrome <146.0.7680.153: V8 Engine Heap Corruption Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4458 Mar 20, 2026
Google Chrome <146.0.7680.153: Extension Use-After-Free Use after free in Extensions in Google Chrome prior to 146.0.7680.153 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
CVE-2026-4457 Mar 20, 2026
V8 Type Confusion in Chrome <146.0.7680.153 Heap Corrupt Type Confusion in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4455 Mar 20, 2026
Chrome PDFium Heap Buffer Overflow (<146.0.7680.153) Heap buffer overflow in PDFium in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)
CVE-2026-4456 Mar 20, 2026
Chrome Digital Credentials API UAF before 146.0.7680.153 Use after free in Digital Credentials API in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4454 Mar 20, 2026
Use-after-free in Chrome Network module before 146.0.7680.153 Use after free in Network in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4452 Mar 20, 2026
ANGLE Integer Overflow in Chrome <146.0.7680.153 on Windows Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4451 Mar 20, 2026
Google Chrome <146.0.7680.153 Navigation Sandbox Escape via Crafted HTML Insufficient validation of untrusted input in Navigation in Google Chrome prior to 146.0.7680.153 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4450 Mar 20, 2026
OOB Write in V8 Engine of Google Chrome < 146.0.7680.153 Out of bounds write in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4449 Mar 20, 2026
Chrome <146.0.7680.153 Blink UAF Heap Corruption Use after free in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4448 Mar 20, 2026
Chrome ANGLE Heap Buffer Overflow <146.0.7680.153 Heap buffer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4447 Mar 20, 2026
Chrome V8 RCE Remote via Crafted HTML (before 146.0.7680.153) Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4446 Mar 20, 2026
Use-After-Free in WebRTC in Chrome < 146.0.7680.153 Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4445 Mar 20, 2026
Google Chrome WebRTC Use After Free before 146.0.7680.153 Use after free in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4443 Mar 20, 2026
Google Chrome WebAudio Heap Overflow <146.0.7680.153 Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4444 Mar 20, 2026
WebRTC stack buffer overflow before Chrome 146.0.7680.153 Stack buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-4441 Mar 20, 2026
Use-After-Free in Base in Google Chrome <146.0.7680.153 (Critical) Use after free in Base in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-4440 Mar 20, 2026
Google Chrome WebGL OOB Read/Write <146.0.7680.153 (CVE-2026-4440) Out of bounds read and write in WebGL in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-32766 Mar 20, 2026
AstralTokioTar 0.5.x PAX extensions silently skipped (fixed in 0.6.0) astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malformed GNU long link extension so that a subsequent parser would misinterpret the extension. In practice, exploiting this behavior in astral-tokio-tar requires a secondary misbehaving tar parser, i.e. one that insufficiently validates malformed PAX extensions and interprets them rather than skipping or erroring on them. This vulnerability is considered low-severity as it requires a separate vulnerability against any unrelated tar parser. This issue has been fixed in version 0.6.0.
CVE-2026-32194 Mar 19, 2026
Mar 2026: Microsoft Bing Images Remote Code Execution Vulnerability Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Bing Images
CVE-2026-26137 Mar 19, 2026
Mar 2026: Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network.
365 Copilot Business Chat
CVE-2026-24299 Mar 19, 2026
Mar 2026: M365 Copilot Information Disclosure Vulnerability Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
365 Copilot
CVE-2026-26136 Mar 19, 2026
Mar 2026: Microsoft Copilot Information Disclosure Vulnerability Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.
Copilot
CVE-2026-23659 Mar 19, 2026
Mar 2026: Azure Data Factory Information Disclosure Vulnerability Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network.
Azure Data Factory
CVE-2026-26120 Mar 19, 2026
Mar 2026: Microsoft Bing Tampering Vulnerability Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.
Bing
CVE-2026-23658 Mar 19, 2026
Mar 2026: Azure DevOps: msazure Elevation of Privilege Vulnerability Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
Azure Devops Msazure
CVE-2026-26138 Mar 19, 2026
Mar 2026: Microsoft Purview Elevation of Privilege Vulnerability Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Office Purview
CVE-2026-32191 Mar 19, 2026
Mar 2026: Microsoft Bing Images Remote Code Execution Vulnerability Improper neutralization of special elements used in an OS command ('OS command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Bing Images
CVE-2026-26139 Mar 19, 2026
Mar 2026: Microsoft Purview Elevation of Privilege Vulnerability Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Office Purview
CVE-2026-32169 Mar 19, 2026
Mar 2026: Azure Cloud Shell Elevation of Privilege Vulnerability Server-side request forgery (SSRF) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.
Azure Cloud Shell
CVE-2026-3479 Mar 18, 2026
CPython pkgutil.get_data Path Traversal (before 3.15.0) pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
CVE-2026-27135 Mar 18, 2026
nghttp2 before 1.68.1: assertion fail via FRAME_SIZE_ERROR after session termination nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
CVE-2026-23269 Mar 18, 2026
Linux Kernel AppArmor OOB Read via DFA Start State in unpack_pdb In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking to prevent the issue.
CVE-2026-23268 Mar 18, 2026
Linux Kernel AppArmor Local User Can Acquire Policy Management In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check.
CVE-2026-23267 Mar 18, 2026
Linux Kernel f2fs IS_CHECKPOINTED Flag Inconsistency in Atomic Commit In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario:
Thread A                                      Thread B
f2fs_ioc_commit_atomic_write
 - f2fs_do_sync_file // atomic = true
  - f2fs_fsync_node_pages
    : last_folio = inode folio
    : schedule before folio_lock(last_folio)
                                              f2fs_write_checkpoint
                                               - block_operations// writeback last_folio
                                               - schedule before f2fs_flush_nat_entries
    : set_fsync_mark(last_folio, 1)
    : set_dentry_mark(last_folio, 1)
    : folio_mark_dirty(last_folio)
    - __write_node_folio(last_folio)
      : f2fs_down_read(&sbi->node_write)//block
                                               - f2fs_flush_nat_entries
                                                 : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
                                               - unblock_operations
                                                 : f2fs_up_write(&sbi->node_write)
                                              f2fs_write_checkpoint//return
      : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return
SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has already been written once. However, the {struct nat_entry}->flag did not have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and write last_folio again after Thread B finishes f2fs_write_checkpoint.
After SPO and reboot, it was detected that {struct node_info}->blk_addr was not NULL_ADDR because Thread B successfully wrote the checkpoint.
This issue only occurs in atomic write scenarios. For regular file fsync operations, the folio must be dirty. If block_operations->f2fs_sync_node_pages successfully submits the folio write, this path will not be executed. Otherwise, the f2fs_write_checkpoint will need to wait for the folio write submission to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the situation where f2fs_need_dentry_mark checks that the {struct nat_entry}->flag w/o the IS_CHECKPOINTED flag, but the folio write has already been submitted, will not occur.
Therefore, for atomic file fsync, sbi->node_write should be acquired through __write_node_folio to ensure that the IS_CHECKPOINTED flag correctly indicates that the checkpoint write has been completed.
CVE-2026-23266 Mar 18, 2026
Kernel rivafb: divide-by-zero in nv3_arb() In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb()
A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first.
In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel.
Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division.
The following log reveals it:
rivafb: setting virtual Y resolution to 2184
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
Call Trace:
 nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
 CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
CVE-2026-23265 Mar 18, 2026
Linux kernel f2fs node footer sanity check bug (CVE-2026-23265) In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer in {read,write}_end_io
-----------[ cut here ]------------
kernel BUG at fs/f2fs/data.c:358!
Call Trace:
 <IRQ>
 blk_update_request+0x5eb/0xe70 block/blk-mq.c:987
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1149
 blk_complete_reqs block/blk-mq.c:1224 [inline]
 blk_done_softirq+0x107/0x160 block/blk-mq.c:1229
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
In f2fs_write_end_io(), it detects there is inconsistency in between node page index (nid) and footer.nid of node page. If footer of node page is corrupted in fuzzed image, then we load corrupted node page w/ async method, e.g. f2fs_ra_node_pages() or f2fs_ra_node_page(), in where we won't do sanity check on node footer, once node page becomes dirty, we will encounter this bug after node page writeback.
CVE-2026-23259 Mar 18, 2026
Linux Kernel io_uring iovec memory leak on cache put failure In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: free potentially allocated iovec on cache put failure If a read/write request goes through io_req_rw_cleanup() and has an allocated iovec attached and fails to put to the rw_cache, then it may end up with an unaccounted iovec pointer. Have io_rw_recycle() return whether it recycled the request or not, and use that to gauge whether to free a potential iovec or not.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).