Microsoft
Makers of the Windows Operating System and hundreds of products that run on it.
Recent Microsoft Security Advisories
| Advisory | Title | Published |
|---|---|---|
| CVE-2026-35177 | CVE-2026-35177 Path traversal issue with zip.vim in Vim | April 8, 2026 |
| CVE-2026-34982 | CVE-2026-34982 Vim modeline bypass via various options affects Vim < 9.2.0276 | April 8, 2026 |
| CVE-2026-34591 | CVE-2026-34591 Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write | April 7, 2026 |
| CVE-2026-3184 | CVE-2026-3184 Util-linux: util-linux: access control bypass due to improper hostname canonicalization | April 7, 2026 |
| CVE-2026-35386 | CVE-2026-35386 | April 7, 2026 |
| CVE-2026-35385 | CVE-2026-35385 | April 7, 2026 |
| CVE-2026-35387 | CVE-2026-35387 | April 7, 2026 |
| CVE-2026-35388 | CVE-2026-35388 | April 7, 2026 |
| CVE-2026-34743 | CVE-2026-34743 XZ Utils: Buffer overflow in lzma_index_append() | April 7, 2026 |
| CVE-2026-31408 | CVE-2026-31408 Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold | April 7, 2026 |
Known Exploited Microsoft Vulnerabilities
The following Microsoft vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Microsoft SharePoint Deserialization of Untrusted Data Vulnerability | Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network. CVE-2026-20963 Exploit Probability: 6.0% | March 18, 2026 |
| Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability | Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. CVE-2008-0015 Exploit Probability: 80.6% | February 17, 2026 |
| Microsoft Configuration Manager SQL Injection Vulnerability | Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database. CVE-2024-43468 Exploit Probability: 85.1% | February 12, 2026 |
| Microsoft Windows Shell Protection Mechanism Failure Vulnerability | Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. CVE-2026-21510 Exploit Probability: 3.5% | February 10, 2026 |
| Microsoft Windows Type Confusion Vulnerability | Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally. CVE-2026-21519 Exploit Probability: 5.2% | February 10, 2026 |
| Microsoft Windows Improper Privilege Management Vulnerability | Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally. CVE-2026-21533 Exploit Probability: 19.6% | February 10, 2026 |
| Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability | Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally. CVE-2026-21514 Exploit Probability: 6.3% | February 10, 2026 |
| Microsoft Internet Explorer Protection Mechanism Failure Vulnerability | Microsoft Internet Explorer contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. CVE-2026-21513 Exploit Probability: 28.0% | February 10, 2026 |
| Microsoft Windows NULL Pointer Dereference Vulnerability | Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally. CVE-2026-21525 Exploit Probability: 13.4% | February 10, 2026 |
| Microsoft Office Security Feature Bypass Vulnerability | Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. CVE-2026-21509 Exploit Probability: 6.6% | January 26, 2026 |
| Microsoft Windows Information Disclosure Vulnerability | Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally. CVE-2026-20805 Exploit Probability: 3.7% | January 13, 2026 |
| Microsoft Office PowerPoint Code Injection Vulnerability | Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. CVE-2009-0556 Exploit Probability: 76.4% | January 7, 2026 |
| Microsoft Windows Use After Free Vulnerability | Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally. CVE-2025-62221 Exploit Probability: 3.0% | December 9, 2025 |
| Microsoft Windows Race Condition Vulnerability | Microsoft Windows Kernel contains a race condition vulnerability that allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access. CVE-2025-62215 Exploit Probability: 0.6% | November 12, 2025 |
| Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability | Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution. CVE-2025-59287 Exploit Probability: 75.7% | October 24, 2025 |
| Microsoft Windows SMB Client Improper Access Control Vulnerability | Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. CVE-2025-33073 Exploit Probability: 42.0% | October 20, 2025 |
| Microsoft Windows Untrusted Pointer Dereference Vulnerability | Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges. CVE-2025-24990 Exploit Probability: 3.9% | October 14, 2025 |
| Microsoft Windows Improper Access Control Vulnerability | Microsoft Windows contains an improper access control vulnerability in Windows Remote Access Connection Manager which could allow an authorized attacker to elevate privileges locally. CVE-2025-59230 Exploit Probability: 3.7% | October 14, 2025 |
| Microsoft Windows Privilege Escalation Vulnerability | Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms. CVE-2021-43226 Exploit Probability: 7.3% | October 6, 2025 |
| Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability | Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2010-3962 Exploit Probability: 89.9% | October 6, 2025 |
Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Microsoft vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Microsoft Vulnerabilities
Based on the current exploit probability, these Microsoft vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2019-0708 | 94.5% | "BlueKeep" Microsoft Windows Remote Desktop Remote Code Execution Vulnerability |
| 2 | CVE-2019-0604 | 94.4% | Microsoft SharePoint Remote Code Execution Vulnerability |
| 3 | CVE-2017-7269 | 94.4% | Microsoft Windows Server 2003 R2 IIS WEBDAV buffer overflow Remote Code Execution vulnerability (COVI |
| 4 | CVE-2020-0796 | 94.4% | Microsoft SMBv3 Remote Code Execution Vulnerability |
| 5 | CVE-2020-0688 | 94.4% | Microsoft Exchange Server Key Validation Vulnerability |
| 6 | CVE-2021-38647 | 94.4% | Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution Vulnerability |
| 7 | CVE-2017-11882 | 94.4% | Microsoft Office memory corruption vulnerability |
| 8 | CVE-2020-1472 | 94.4% | NetLogon Privilege Escalation Vulnerability |
| 9 | CVE-2023-29357 | 94.4% | Microsoft SharePoint Server Privilege Escalation Vulnerability |
| 10 | CVE-2021-40444 | 94.3% | Microsoft Windows, Server (spec. IE) All Arbitrary Code Execution |
By the Year
In 2026 there have been 908 vulnerabilities in Microsoft with an average score of 7.2 out of ten. Last year, in 2025, Microsoft had 2727 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Microsoft in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.15.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 908 | 7.25 |
| 2025 | 2727 | 7.10 |
| 2024 | 2181 | 7.30 |
| 2023 | 1695 | 7.22 |
| 2022 | 1389 | 7.43 |
| 2021 | 1152 | 7.43 |
| 2020 | 1253 | 7.20 |
| 2019 | 831 | 7.09 |
| 2018 | 661 | 7.03 |
It may take a day or so for new Microsoft vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Microsoft Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-35199 | Apr 06, 2026 | **Apr 2026: SymCrypt SymCryptXmssSign function - Heap overflow via 64->32-bit leaf-count truncation** SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, the SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height >= 32 (which includes standard predefined parameters), this causes silent truncation to zero, resulting in a drastically undersized scratch buffer allocation followed by a heap buffer overflow during signature computation. Exploiting this issue would require an application using SymCrypt to perform an XMSS^MT signature using an attacker-controlled parameter set. It is uncommon for applications to allow the use of attacker-controlled parameter sets for signing, since signing is a private key operation, and private keys must be trusted by definition. Additionally, XMSS(^MT) signing should only be performed in a Hardware Security Module (HSM). XMSS(^MT) signing is provided in SymCrypt only for testing purposes. This is a general rule irrespective of this CVE; XMSS(^MT) and other stateful signature schemes are only cryptographically secure when it is guaranteed that the same state cannot be reused for two different signatures, which cannot be guaranteed by software alone. For this reason, XMSS(^MT) signing is also not FIPS approved when performed outside of an HSM. Fixed in version 103.11.0. | |
| CVE-2026-35177 | Apr 06, 2026 | **Path Traversal Bypass in Vim zip.vim before 9.2.0280 (CVE-2026-35177)** Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280. | |
| CVE-2026-34982 | Apr 06, 2026 | **Vim <9.2.0276 Modeline Sandbox Bypass OS Command Exec** Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue. | |
| CVE-2026-31410 | Apr 06, 2026 | **Linux Kernel kSmbd FS_OBJECT_ID ID use of volume UUID flaw** In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs(). | |
| CVE-2026-31408 | Apr 06, 2026 | **Linux Kernel Bluetooth SCO UAF via missing sock_hold** In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths. | |
| CVE-2026-31407 | Apr 06, 2026 | **Linux kernel netfilter conntrack netlink OOB read via SCTP** In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN. | |
| CVE-2026-27456 | Apr 03, 2026 | **util-linux SUID mount TOCTOU before v2.41.4** util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | |
| CVE-2026-34980 | Apr 03, 2026 | **CUPS 2.4.16-: unauthenticated PrintJob privilege escalation (OpenPrinting)** OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches. | |
| CVE-2026-34979 | Apr 03, 2026 | **CUPS 2.4.16- Prior Heap Overflow in Scheduler Filter Options** OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attribute. At time of publication, there are no publicly available patches. | |
| CVE-2026-34978 | Apr 03, 2026 | **CUPS 2.4.16: RSS Notifier Path Traversal Deletes Job Cache** OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches. | |
| CVE-2026-34990 | Apr 03, 2026 | **CUPS 2.4.16- Prior: Local Auth Abuse Enables Root File Override** OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches. | |
| CVE-2026-27447 | Apr 03, 2026 | **CUPS 2.4.16 Auth Bypass via case-insensitive username comparison** OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches. | |
| CVE-2026-3184 | Apr 03, 2026 | **util-linux login(1) Hostname Canonicalization flaw bypassing PAM access** A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | |
| CVE-2026-32186 | Apr 03, 2026 | **Apr 2026: Microsoft Bing Elevation of Privilege Vulnerability** Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-31394 | Apr 03, 2026 | **Linux kernel: NULL deref in ieee80211_chan_bw_change AP_VLAN stations** In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter] | |
| CVE-2026-23473 | Apr 03, 2026 | **Linux Kernel io_uring/Poll multishot recv hang due to missing EOF** In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix multishot recv missing EOF on wakeup race When a socket send and shutdown() happen back-to-back, both fire wake-ups before the receiver's task_work has a chance to run. The first wake gets poll ownership (poll_refs=1), and the second bumps it to 2. When io_poll_check_events() runs, it calls io_poll_issue() which does a recv that reads the data and returns IOU_RETRY. The loop then drains all accumulated refs (atomic_sub_return(2) -> 0) and exits, even though only the first event was consumed. Since the shutdown is a persistent state change, no further wakeups will happen, and the multishot recv can hang forever. Check specifically for HUP in the poll loop, and ensure that another loop is done to check for status if more than a single poll activation is pending. This ensures we don't lose the shutdown event. | |
| CVE-2026-23472 | Apr 03, 2026 | **Linux Kernel: Infinite loop in handle_tx() for PORT_UNKNOWN** In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): - uart_write_room() returns kfifo_avail() which can be > 0 - uart_write() checks xmit_buf and returns 0 if NULL This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write: while (tty_write_room(tty) > 0) { written = tty->ops->write(...); // written is always 0, loop never exits } For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs. Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write(). Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13 | |
| CVE-2026-23468 | Apr 03, 2026 | **Linux Kernel AMDGPU BO list overflow (CVE-2026-23468)** In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance. Return -EINVAL if the requested entry count exceeds the limit (cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332) | |
| CVE-2026-23444 | Apr 03, 2026 | **Linux Kernel mac80211 Skb Freeing Bug Fix (CVE-2026-23444)** In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc. | |
| CVE-2026-23442 | Apr 03, 2026 | **Linux Kernel: Potential NULL Pointer Deref in IPv6 SRv6 Paths** In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. | |
| CVE-2026-35535 | Apr 03, 2026 | **Sudo Priv Esc via non-fatal setuid failure pre-3e474c2 before 1.9.17p2** In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation. | |
| CVE-2026-32211 | Apr 02, 2026 | **Apr 2026: Azure MCP Server Information Disclosure Vulnerability** Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network. | |
| CVE-2026-32173 | Apr 02, 2026 | **Apr 2026: Azure SRE Agent Information Disclosure Vulnerability** Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. | |
| CVE-2026-26135 | Apr 02, 2026 | **Apr 2026: Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability** Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network. | |
| CVE-2026-33105 | Apr 02, 2026 | **Apr 2026: Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability** Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-33107 | Apr 02, 2026 | **Apr 2026: Azure Databricks Elevation of Privilege Vulnerability** Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-32213 | Apr 02, 2026 | **Apr 2026: Azure AI Foundry Elevation of Privilege Vulnerability** Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. | |
| CVE-2026-34743 | Apr 02, 2026 | **XZ Utils v<5.8.3 Buffer Overflow via lzma_index_decoder** XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3. | |
| CVE-2026-34591 | Apr 02, 2026 | **Poetry 1.4.0-2.3.3 Unrestricted File Write via Wheel Path Traversal** Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.) This issue has been patched in version 2.3.3. | |
| CVE-2026-35414 | Apr 02, 2026 | **OpenSSH 10.2 Principals Option Misparse via Commas in CA** OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. | |
| CVE-2026-35388 | Apr 02, 2026 | **OpenSSH <10.3: Missing confirmation in proxy-mode multiplexing** OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. | |
| CVE-2026-35387 | Apr 02, 2026 | **OpenSSH <10.3 Unintended ECDSA via PubkeyAcceptedAlgorithms** OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. | |
| CVE-2026-35386 | Apr 02, 2026 | **OpenSSH <=10.2: Cmd Exec via Metachar Username on CLI** In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config. | |
| CVE-2026-35385 | Apr 02, 2026 | **OpenSSH <10.3 Setuid/Gid Escalation via SCP -O (no -p)** In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). | |
| CVE-2026-5292 | Apr 01, 2026 | **Google Chrome WebCodecs OOB Read <146.0.7680.178 Remote HTML Attack** Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | |
| CVE-2026-5291 | Apr 01, 2026 | **Chrome WebGL Process Memory Disclosure (<146.0.7680.178)** Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | |
| CVE-2026-5290 | Apr 01, 2026 | **Chrome < 146: Use-after-free in Compositing allows sandbox escape** Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5289 | Apr 01, 2026 | **Chrome Navigation USEAF 146.0.7680.178 sandbox escape** Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5273 | Apr 01, 2026 | **UAFree in Chrome CSS (146.0.7680.178) Remote Code Execution** Use after free in CSS in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5287 | Apr 01, 2026 | **Chrome <146.0.7680.178 PDF UAF: Arbitrary Code Exec** Use after free in PDF in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) | |
| CVE-2026-5286 | Apr 01, 2026 | **Chrome <146.0.7680.178 Use-after-free in Dawn engine** Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5285 | Apr 01, 2026 | **UA-FREE in WebGL of Chrome <146.0.7680.178 Enables Remote Code Execution** Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5284 | Apr 01, 2026 | **Use-after-free in Dawn (Chrome <146.0.7680.178)** Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5283 | Apr 01, 2026 | **ANGLE in Chrome <146 Cross-Origin Data Leak via Crafted Page** Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5272 | Apr 01, 2026 | **Chrome GPU Heap Buffer Overflow <146.0.7680.178: RCE via HTML** Heap buffer overflow in GPU in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5281 | Apr 01, 2026 | **Use After Free in Dawn (Chrome <146.0.7680.178)** Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5279 | Apr 01, 2026 | **Object corruption in V8 (Chrome <146.0.7680.178) Remote code exec** Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5280 | Apr 01, 2026 | **Chrome 146 WebCodecs Use-After-Free Remote Code Exec** Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5276 | Apr 01, 2026 | **CVE-2026-5276: WebUSB Policy Bypass in Chrome <146.0 to Leak Memory** Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | |
| CVE-2026-5277 | Apr 01, 2026 | **Integer overflow in ANGLE for Chrome <146.0.7680.178 Enables OOB write** Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | |