Microsoft Makers of the Windows Operating System and hundreds of products that run on it.
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Microsoft product.
RSS Feeds for Microsoft security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Microsoft products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Microsoft Sorted by Most Security Vulnerabilities since 2018
Recent Microsoft Security Advisories
| Advisory | Title | Published |
|---|---|---|
| CVE-2026-50292 | CVE-2026-50292 In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution | June 9, 2026 |
| CVE-2026-46272 | CVE-2026-46272 coresight: tmc-etr: Fix race condition between sysfs and perf mode | June 9, 2026 |
| CVE-2026-46250 | CVE-2026-46250 MIPS: Work around LLVM bug when gp is used as global register variable | June 9, 2026 |
| CVE-2026-50031 | CVE-2026-50031 ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a la | June 9, 2026 |
| CVE-2026-50263 | CVE-2026-50263 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free information disclosure in createsaverwindow() | June 9, 2026 |
| CVE-2026-50258 | CVE-2026-50258 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb key types due to unchecked shift levels | June 9, 2026 |
| CVE-2026-50257 | CVE-2026-50257 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free in misyncdestroyfence() | June 9, 2026 |
| CVE-2026-50259 | CVE-2026-50259 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb setmap request via mapwidths indexing | June 9, 2026 |
| CVE-2026-50260 | CVE-2026-50260 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free in freecounter() | June 9, 2026 |
| CVE-2026-50262 | CVE-2026-50262 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: out-of-bounds read/write in glx changedrawableattributes | June 9, 2026 |
Known Exploited Microsoft Vulnerabilities
The following Microsoft vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Microsoft Internet Explorer Use-After-Free Vulnerability |
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2010-0249 Exploit Probability: 88.8% |
May 20, 2026 |
| Microsoft Windows Buffer Overflow Vulnerability |
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization. CVE-2008-4250 Exploit Probability: 92.1% |
May 20, 2026 |
| Microsoft Defender Denial of Service Vulnerability |
Microsoft Defender contains an unspecified vulnerability that allows for denial of service. CVE-2026-45498 Exploit Probability: 4.1% |
May 20, 2026 |
| Microsoft DirectX NULL Byte Overwrite Vulnerability |
Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file. CVE-2009-1537 Exploit Probability: 53.0% |
May 20, 2026 |
| Microsoft Internet Explorer Use-After-Free Vulnerability |
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2010-0806 Exploit Probability: 87.3% |
May 20, 2026 |
| Microsoft Defender Link Following Vulnerability |
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally. CVE-2026-41091 Exploit Probability: 8.0% |
May 20, 2026 |
| Microsoft Exchange Server Cross-Site Scripting Vulnerability |
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context. CVE-2026-42897 Exploit Probability: 7.9% |
May 15, 2026 |
| Microsoft Windows Protection Mechanism Failure Vulnerability |
Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network. CVE-2026-32202 Exploit Probability: 56.8% |
April 28, 2026 |
| Microsoft Defender Insufficient Granularity of Access Control Vulnerability |
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally. CVE-2026-33825 Exploit Probability: 7.1% |
April 22, 2026 |
| Microsoft Office Remote Code Execution |
Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object. CVE-2009-0238 Exploit Probability: 74.7% |
April 14, 2026 |
| Microsoft SharePoint Server Improper Input Validation Vulnerability |
Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network. CVE-2026-32201 Exploit Probability: 8.9% |
April 14, 2026 |
| Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability |
Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution. CVE-2023-21529 Exploit Probability: 27.0% |
April 13, 2026 |
| Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability |
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution. CVE-2012-1854 Exploit Probability: 3.4% |
April 13, 2026 |
| Microsoft Windows Link Following Vulnerability |
Microsoft Windows contains a link following vulnerability that allows for privilege escalation CVE-2025-60710 Exploit Probability: 20.8% |
April 13, 2026 |
| Microsoft Windows Out-of-Bounds Read Vulnerability |
Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation CVE-2023-36424 Exploit Probability: 9.8% |
April 13, 2026 |
| Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network. CVE-2026-20963 Exploit Probability: 5.3% |
March 18, 2026 |
| Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability |
Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. CVE-2008-0015 Exploit Probability: 81.6% |
February 17, 2026 |
| Microsoft Configuration Manager SQL Injection Vulnerability |
Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database. CVE-2024-43468 Exploit Probability: 83.1% |
February 12, 2026 |
| Microsoft Internet Explorer Protection Mechanism Failure Vulnerability |
Microsoft Internet Explorer contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. CVE-2026-21513 Exploit Probability: 28.0% |
February 10, 2026 |
| Microsoft Windows NULL Pointer Dereference Vulnerability |
Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally. CVE-2026-21525 Exploit Probability: 9.4% |
February 10, 2026 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 6 known exploited Microsoft vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Microsoft Vulnerabilities
Based on the current exploit probability, these Microsoft vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2019-0708 | 94.5% | "BlueKeep" Microsoft Windows Remote Desktop Remote Code Execution Vulnerability |
| 2 | CVE-2020-0796 | 94.4% | Microsoft SMBv3 Remote Code Execution Vulnerability |
| 3 | CVE-2019-0604 | 94.4% | Microsoft SharePoint Remote Code Execution Vulnerability |
| 4 | CVE-2017-7269 | 94.4% | Microsft Windows Server 2003 R2 IIS WEBDAV buffer overflow Remote Code Execution vulnerability (COVI |
| 5 | CVE-2021-38647 | 94.4% | Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution Vulnerability |
| 6 | CVE-2020-0688 | 94.4% | Microsoft Exchange Server Key Validation Vulnerability |
| 7 | CVE-2020-1472 | 94.4% | NetLogon Privilege Escalation Vulnerability |
| 8 | CVE-2023-29357 | 94.4% | Microsoft SharePoint Server Privilege Escalation Vulnerability |
| 9 | CVE-2017-11882 | 94.4% | Microsoft Office memory corruption vulnerability |
| 10 | CVE-2021-40444 | 94.3% | Microsoft Windows, Server (spec. IE) All Arbitrary Code Execution |
By the Year
In 2026 there have been 2524 vulnerabilities in Microsoft with an average score of 7.2 out of ten. Last year, in 2025 Microsoft had 2748 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Microsoft in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.17.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2524 | 7.25 |
| 2025 | 2748 | 7.08 |
| 2024 | 2181 | 7.34 |
| 2023 | 1695 | 7.22 |
| 2022 | 1389 | 7.43 |
| 2021 | 1153 | 7.44 |
| 2020 | 1253 | 7.20 |
| 2019 | 831 | 7.08 |
| 2018 | 661 | 7.03 |
It may take a day or so for new Microsoft vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Microsoft Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-49975 | Jun 08, 2026 |
Apache HTTP Server mod_http DoS via Excessive Memory Allocation (2.4.17-2.4.67)Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. |
Http Server
|
| CVE-2026-11463 | Jun 07, 2026 |
USCiLab Cereal <=1.3.2 SharedPtr Handler TypeConf RemoteA vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. |
|
| CVE-2026-10879 | Jun 05, 2026 |
Perl DBI <1.648 Heap Overflow in preparseDBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera. |
|
| CVE-2026-50263 | Jun 05, 2026 |
X.Org X Server AAF in CreateSaverWindow() (Xwayland)A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure. |
|
| CVE-2026-50262 | Jun 05, 2026 |
X.Org XServer Xwayland OOB Read __glXDisp_ChangeDrawableAttributesAn out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default. |
|
| CVE-2026-50261 | Jun 05, 2026 |
UAF in X.Org X Server XWayland SyncChangeCounter()A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
|
| CVE-2026-50260 | Jun 05, 2026 |
Use-after-free in X.Org X Server via SyncCountersA use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
|
| CVE-2026-50259 | Jun 05, 2026 |
Stack Buffer Overflow in X.Org X Server (_XkbSetMapChecks)A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
|
| CVE-2026-50258 | Jun 05, 2026 |
CVE-2026-50258: Stack BOF in X.Org X Server & XwaylandA stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
|
| CVE-2026-50257 | Jun 05, 2026 |
X.Org X Server UAF via miSyncDestroyFence()A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
|
| CVE-2026-50256 | Jun 05, 2026 |
X.Org X Server: Stack Buffer Overflow via Font Alias Length Attack (CVE-2026-50256)A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
|
| CVE-2026-50265 | Jun 05, 2026 |
Root Privilege Elevation via libinput udev Property Injection |
|
| CVE-2026-11332 | Jun 05, 2026 |
ansible-core Role Install Git Flag Injection (CVE-2026-11332)A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install. |
|
| CVE-2026-48579 | Jun 04, 2026 |
Jun 2026: Microsoft Exchange Online Information Disclosure VulnerabilityImproper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network. |
Exchange Online
|
| CVE-2026-47655 | Jun 04, 2026 |
Jun 2026: Microsoft Graph Information Disclosure VulnerabilityExposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network. |
Graph
|
| CVE-2026-47644 | Jun 04, 2026 |
Jun 2026: Copilot Chat (Microsoft Edge) Information Disclosure VulnerabilityImproper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. |
Copilot Chat Edge
|
| CVE-2026-45497 | Jun 04, 2026 |
Jun 2026: Microsoft M365 Copilot Remote Code Execution VulnerabilityImproper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network. |
365 Copilot
|
| CVE-2026-42824 | Jun 04, 2026 |
Jun 2026: M365 Copilot Information Disclosure VulnerabilityImproper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
365 Copilot
|
| CVE-2026-48567 | Jun 04, 2026 |
Jun 2026: Azure HorizonDB Elevation of Privilege VulnerabilityAuthentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network. |
Azure Horizondb
|
| CVE-2026-50292 | Jun 04, 2026 |
CVE-2026-50292 libinput<1.30.4/1.31.3 phys output injection -> root execIn libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution |
|
| CVE-2026-40930 | Jun 04, 2026 |
libPNG APNG Header Injection (1.8.0, libpng-apng 1.6.49-1.6.57)LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue. |
|
| CVE-2026-7774 | Jun 04, 2026 |
Python CPython <3.15.0 tarfile.data_filter Path Traversaltarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. |
|
| CVE-2026-50219 | Jun 04, 2026 |
Use-After-Free in libexpat <2.8.2 (XML handler recursion)libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, |
|
| CVE-2026-8829 | Jun 04, 2026 |
HTML::Entities <=3.84: Heap Read in _decode_entitiesHTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV. |
|
| CVE-2026-46272 | Jun 03, 2026 |
Linux kernel TMC-ETR: race between sysfs & perfIn the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode When trying to run perf and sysfs mode simultaneously, the WARN_ON() in tmc_etr_enable_hw() is triggered sometimes: WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]--- Since the enablement of sysfs mode is separeted into two critical regions, one for sysfs buffer allocation and another for hardware enablement, it's possible to race with the perf mode. Fix this by double check whether the perf mode's been used before enabling the hardware in sysfs mode. mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at the perf side spin_unlock(&drvdata->spinlock) With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf. This ensures we verify whether the perf mode's already running before we actually allocate the buffer. Then we can save the time of allocating/freeing the sysfs buffer if race with the perf mode. |
|
| CVE-2026-46250 | Jun 03, 2026 |
Linux Kernel MIPS $gp Register Restoration Bug via LLVM Global Reg VarIn the Linux kernel, the following vulnerability has been resolved: MIPS: Work around LLVM bug when gp is used as global register variable On MIPS, __current_thread_info is defined as global register variable locating in $gp, and is simply assigned with new address during kernel relocation. This however is broken with LLVM, which always restores $gp if it finds $gp is clobbered in any form, including when intentionally through a global register variable. This is against GCC's documentation[1], which requires a callee-saved register used as global register variable not to be restored if it's clobbered. As a result, $gp will continue to point to the unrelocated kernel after the epilog of relocate_kernel(), leading to an early crash in init_idle, [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90 [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY [ 0.000000] Tainted: [W]=WARN [ 0.000000] Hardware name: loongson,loongson64v-4core-virtio [ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 [ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240 [ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001 [ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002 [ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80 [ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80 [ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90 [ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90 [ 0.000000] Hi : 0000000000000000 [ 0.000000] Lo : 0000000000000000 [ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270 [ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270 [ 0.000000] Status: 540000e2 KX SX UX KERNEL EXL [ 0.000000] Cause : 00000008 (ExcCode 02) [ 0.000000] BadVA : 0000000000000000 [ 0.000000] PrId : 00006305 (ICT Loongson-3) [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000) [ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528 [ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000 [ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258 [ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98 [ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<ffffffff81afada8>] init_idle+0x130/0x270 [ 0.000000] [<ffffffff81afb6c0>] sched_init+0x5c8/0x6c0 [ 0.000000] [<ffffffff81ae86dc>] start_kernel+0x27c/0x7a8 This bug has been reported to LLVM[2] and affects version from (at least) 18 to 21. Let's work around this by using inline assembly to assign $gp before a fix is widely available. |
|
| CVE-2026-3276 | Jun 03, 2026 |
Python unicodedata.normalize() DOS via Long Combining Runsunicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. |
|
| CVE-2026-10722 | Jun 03, 2026 |
cilium eBPF int overflow in LoadCollectionSpec before 0.21.0A vulnerability has been found in cilium ebpf up to 0.21.0. This affects the function loadRawSpec of the file btf/btf.go of the component LoadCollectionSpec/LoadCollectionSpecFromReader. Such manipulation of the argument offset leads to integer overflow. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The name of the patch is 533dfc82fd228bfadf42ea7180c39de7d9af47fa. A patch should be applied to remediate this issue. |
|
| CVE-2026-50031 | Jun 03, 2026 |
FreeIPMI<1.16.18 ipmioem buffer overflow (CVE202650031)ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages. |
|
| CVE-2026-37460 | Jun 03, 2026 |
FRRouting 10.0-10.6 DoS via rfapiRibBi2Ri() BGP UPDATE validation flawMissing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. |
|
| CVE-2026-42504 | Jun 02, 2026 |
High CPU Overuse via Invalid MIME Header in Go mime before 1.25.11/1.26.4Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. |
|
| CVE-2026-42507 | Jun 02, 2026 |
Go net/textproto Error Leakage via Input Data <1.25.11, <1.26.4When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. |
|
| CVE-2026-27145 | Jun 02, 2026 |
Go crypto/x509 VerifyHostname DNS SAN quadratic overhead(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. |
|
| CVE-2026-5419 | Jun 01, 2026 |
GnuTLS PKCS#7 Padding Timing SideChannel Info DisclosureA flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure. |
|
| CVE-2026-47294 | Jun 01, 2026 |
Jun 2026: Microsoft SharePoint Server Remote Code Execution VulnerabilityDeserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
Sharepoint Server 2016
Sharepoint Server 2019
Sharepoint Server
And others... |
| CVE-2026-43958 | Jun 01, 2026 |
rrdtool rrdcached Buffer Overflow via Oversized CREATEA flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data. |
|
| CVE-2026-8643 | Jun 01, 2026 |
Pip console_scripts path flaw enables entry point out-of-dirpip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory. |
|
| CVE-2026-46242 | May 30, 2026 |
Linux Kernel epoll UAF via ep_remove during file releaseIn the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays. |
|
| CVE-2026-40528 | May 29, 2026 |
OpenSC <0.27.0 PKCS#15 Init BufOv via Crafted ProfileOpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns. |
|
| CVE-2026-40510 | May 29, 2026 |
OpenSC <0.27.0-rc1 Stack Buffer Overflow in PIV smart card handlingOpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response. |
|
| CVE-2026-6324 | May 29, 2026 |
libsoup Signed-to-Unsigned Conversion Out-of-Bounds in HTTP Stream RCEA flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access. |
|
| CVE-2026-10028 | May 28, 2026 |
Glib-Networking GnuTLS Cert Verification Infinite Loop DoSA flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker. |
|
| CVE-2026-41184 | May 28, 2026 |
Calico install-cni leaks ServiceAccount bearer token via stdoutIn Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace with calico-node. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001. |
|
| CVE-2026-42250 | May 28, 2026 |
bzip2 bzip2recover Off-by-One OOB in 1.0.8 and earlierbzip2 contains an offbyone error in the bzip2recover utility. When processing a specially crafted file, the application performs an outofbounds write to a global buffer, resulting in memory corruption and a crash (denial of service). This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 |
|
| CVE-2026-46241 | May 28, 2026 |
Linux Kernel SPI mpc52xx UAF on Reg FailIn the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix. |
|
| CVE-2026-46238 | May 28, 2026 |
LINUX Kernel BAT IV Neigh Node Pointer Leak in batman-advIn the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM] |
|
| CVE-2026-46236 | May 28, 2026 |
Linux Kernel: Xbox Remote DMA Coherency Violation in Buffer HandlingIn the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates the DMA coherency rules. |
|
| CVE-2026-46235 | May 28, 2026 |
Linux Kernel Null Deref via ioremap in saa7164In the Linux kernel, the following vulnerability has been resolved: media: saa7164: add ioremap return checks and cleanups Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV. This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures. |
|
| CVE-2026-46234 | May 28, 2026 |
Linux Kernel vsock Buffer Size Clamping Order FlawIn the Linux kernel, the following vulnerability has been resolved: vsock: fix buffer size clamping order In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size. |
|
| CVE-2026-46233 | May 28, 2026 |
Kernel batadv: Stop NULLptr in claim purge (CVE202646233)In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of. |