PatchDay Alert: 2026-05-19
DAILY BRIEF · MAY 19, 2026
Nothing's on fire, but one of these deserves your attention fast. CVE-2026-43870 is a CVSS 9.4 in Apache Thrift's Node.js server component: remote, unauthenticated, no interaction required. If you expose that anywhere, bump it to the front of your queue. The rest are solid 7.5-7.8 fixes across the Linux kernel, curl, Go on Windows, and FRRouting. No active exploitation on any of them right now.
SECURE BOOT CERTIFICATE DEADLINE
36 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
TOP THREAT TODAY
A race condition in the Linux kernel's USB gadget HID function driver (f_hid) lets a local attacker trigger a use-after-free. The driver's internal list and its spinlock were initialized later than the code paths that use them, so a concurrent access could race the setup and operate on freed memory; a local attacker can turn that into a crash or a privilege escalation. Exploitation requires local access to a system that is actually running in USB gadget mode, which limits the blast radius.
Who's affected: Azure Linux 3.0 operators running kernel 6.6.134.1-2, especially on devices that use USB gadget functionality.
Patch this week.
Update the azl3 kernel package via `tdnf update kernel` and reboot into the new kernel; a kernel update does nothing for the running system until then.
CVE-2026-43870 · CVSS 9.4 · EPSS 0.03% · CRITICAL
Apache Thrift's Node.js web_server.js has multiple vulnerabilities that let a remote, unauthenticated attacker compromise the service; the 9.4 reflects exploitation over the network with no authentication and no user interaction. Treat it as urgent wherever the Node.js server component is reachable from the network. If you only use Thrift's Node.js package as a client library, or the web server binds to localhost, your exposure is lower, but you should still patch.
Affects: anyone running Apache Thrift 0.15.0 on Azure Linux 3.0, or Ceph 16.2.10 on CBL-Mariner 2.0 (which bundles Thrift's Node.js server).
Patch within 24 hours.
Update the thrift package on azl3 (affected build 0.15.0-5) and the ceph package on cbl2 (affected build 16.2.10-11) to the patched builds via `tdnf update thrift` or `tdnf update ceph`, then restart any Node.js service that loaded the old module, since a running process keeps the old code.
CVE-2026-5773 · CVSS 7.5 · EPSS 0.03% · HIGH
A bug in curl makes it reuse an existing SMB connection for a request aimed at a different target, so SMB traffic, and the credentials sent with it, can end up at the wrong server. The reuse logic lives in libcurl, so anything linking libcurl is affected, not just the curl binary. This matters most if your environment uses curl for SMB operations, which is uncommon but does show up in scripted workflows.
Affects: Azure Linux 3.0 operators running curl 8.11.1-6, particularly if any automation or tooling uses curl's SMB support.
Patch this week.
Update the curl package via `tdnf update curl`, then restart long-running processes that link libcurl so they pick up the fixed library.
CVE-2026-39836 · CVSS 7.5 · EPSS 0.02% · HIGH
Go's `net` package panics on Windows when a NUL byte appears in the address passed to Dial or the service name passed to LookupPort. An attacker who can feed crafted input into a Go application's dialing or port-lookup code can crash the process; the impact is denial of service. Because the panic is specific to Windows, for Linux-hosted binaries the update mainly matters for the toolchain you cross-compile Windows binaries with. Azure Linux is shipping rebuilt golang, gcc, python-tensorboard, and tensorflow packages because they carry or were built with the affected toolchain.
Affects: Azure Linux 3.0 operators running golang 1.25.9-1 or 1.26.2-1, gcc 13.2.0-7, python-tensorboard 2.16.2-6, or tensorflow 2.16.1-11
Patch this week.
Update the packages via `tdnf update golang gcc python-tensorboard tensorflow`, then rebuild any Go binaries you compiled with the affected toolchain, starting with anything that targets Windows.
CVE-2026-37459 · CVSS 7.5 · EPSS 0.05% · HIGH
An integer underflow in FRRouting's BGP daemon (bgpd) lets a remote attacker crash it with a crafted BGP UPDATE message. The attacker needs an established BGP session to deliver the message, so the realistic exposure is every peer you accept sessions from: if your routers peer with untrusted or semi-trusted neighbors, one of them can take down your routing plane. Upstream, this affects FRR stable/10.0 through stable/10.6.
Affects: Azure Linux 3.0 operators running FRRouting 10.5.0-3, especially on systems that accept BGP sessions from external peers
Patch within 24 hours.
Update the frr package via `tdnf update frr` and restart bgpd. While you patch, review your BGP peer list and make sure nothing you do not intend to peer with can establish a session (peer ACLs on port 179, TCP MD5 or TCP-AO on the sessions you do accept). Tight prefix filters are good hygiene, but they are applied after the UPDATE has been parsed, so they will not stop a parser crash like this one.
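A quick way to check an Azure Linux host against the affected builds named in today's entries (kernel, thrift, ceph, curl, golang, gcc, python-tensorboard, tensorflow, frr). This is an added example, not PatchDay Alert's or Microsoft's tooling: it compares rpm name and version-release pairs against the builds listed above using GNU `sort -V` and assumes the fix ships as a higher version-release, so it is deliberately conservative. The inventory embedded in the script is constructed sample data; on a real host, feed it the `rpm -qa` query shown in the header comment.

```shell
#!/bin/sh
# Added example (not PatchDay Alert's or Microsoft's tooling): flag packages on an
# Azure Linux host that are still at the affected builds named in this brief.
# Real input comes from:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Requires GNU coreutils `sort -V` for version ordering (assumption).

# Affected builds as listed in the brief. All are Azure Linux 3.0 (azl3) except
# ceph, which is the CBL-Mariner 2.0 (cbl2) build. Assumption: the fix ships as a
# higher version-release, so anything at or below these is treated as exposed.
# That is conservative (an older but already-fixed track would be flagged too),
# so confirm hits against the MSRC advisory.
AFFECTED='kernel 6.6.134.1-2
thrift 0.15.0-5
ceph 16.2.10-11
curl 8.11.1-6
golang 1.25.9-1
golang 1.26.2-1
gcc 13.2.0-7
python-tensorboard 2.16.2-6
tensorflow 2.16.1-11
frr 10.5.0-3'

# Constructed sample inventory for offline use: curl and frr already rebuilt,
# kernel and golang still at the affected build, tensorflow below it.
SAMPLE_INVENTORY='curl 8.11.1-7
frr 10.5.0-4
kernel 6.6.134.1-2
golang 1.26.2-1
tensorflow 2.16.1-9
bash 5.2.21-1'

# version_le A B: succeeds when A sorts at or before B under version ordering.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# affected_build NAME VER: prints the first affected build that NAME at VER is
# at or below; prints nothing when the package is not listed or is newer.
affected_build() {
    printf '%s\n' "$AFFECTED" | while read -r aname aver; do
        if [ "$aname" = "$1" ] && version_le "$2" "$aver"; then
            printf '%s\n' "$aver"
        fi
    done | head -n 1
}

# affected_packages: reads "name version-release" lines on stdin and prints one
# line per package that still needs the update.
affected_packages() {
    while read -r name ver; do
        [ -n "$name" ] || continue
        hit=$(affected_build "$name" "$ver")
        if [ -n "$hit" ]; then
            printf '%s %s (affected build %s)\n' "$name" "$ver" "$hit"
        fi
    done
}

# count_affected: number of flagged packages in the sample inventory, so a
# script can use the result as a pass/fail gate.
count_affected() {
    printf '%s\n' "$SAMPLE_INVENTORY" | affected_packages | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_INVENTORY" | affected_packages
```

The sample run flags kernel, golang, and tensorflow and leaves curl and frr alone. Two golang builds are listed because the brief names two affected toolchain tracks; the check reports the first build an installed version is at or below, so verify a golang hit against the advisory rather than treating it as final.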
Community Signal Check
Cisco SD-WAN Controller auth bypass gives unauthenticated attackers admin access (CVE-2026-20182)
Unauthenticated attackers can bypass peering authentication on Cisco vSmart, vManage, and vBond controllers and land with full admin privileges. Cisco has fixed versions out, including 20.15.506. Upgrade all three control components, and open a TAC case if you suspect compromise.
Cisco PSIRT • vendor_advisory
NGINX heap buffer overflow (CVE-2026-42945) exploited in the wild
Attackers are actively exploiting a heap buffer overflow in ngx_http_rewrite_module (NGINX 0.6.27 through 1.30.0) to crash workers or get RCE. VulnCheck confirmed in-the-wild exploitation, with attackers scanning from Chinese IPs and dropping PHP web shells. If you run NGINX, update past 1.30.0 now.
The Hacker News • active_exploitation
Windows 11 KB5089549 fails to install when EFI partition is low on space
The May 2026 Windows 11 cumulative update stalls around 35% and rolls back with error 0x800f0922 if your EFI System Partition has less than 10 MB free. Microsoft confirmed the bug and pushed a Known Issue Rollback fix server-side. If you're still hitting it, make sure KIR policies have synced to the affected machines.
BleepingComputer • broken_patch
Windows 10 KB5087544 triggers unexpected BitLocker recovery prompts
If your Windows 10 fleet uses BitLocker with TPM PCR7 validation and the Windows UEFI CA 2023 certificate in Secure Boot, KB5087544 may throw users into the BitLocker recovery screen. Before you deploy, set the TPM platform validation Group Policy to "Not Configured" to avoid helpdesk chaos, and confirm recovery keys are escrowed somewhere the helpdesk can reach, because a recovery prompt without a key is a lockout.
Windows Latest • regression
That's your patch day digest.
patchdayalert.com
Fast browsing. Faster thinking.
Your browser gets you to a page. Norton Neo gets you to the answer. The first safe AI-native browser built by Norton moves with you from idea to action without slowing you down. Magic Box understands your intent before you finish typing. AI that works inside your flow, not beside it. No prompting. No copy-pasting. No switching apps.
Built-in AI, instantly and for free. Privacy handled by Norton. Built-in VPN and ad blocking protect you by default. No configuration. No extra apps. Nothing to think about.
Fast. Safe. Intelligent. That's Neo.