PatchDay Alert: 2026-06-09
TODAY'S CALL
Two critical bugs headline a 5-patch Tuesday. A Chrome sandbox escape (CVE-2026-11697, CVSS 9.6) can let a crafted web page break out of the browser sandbox and run code on the underlying OS with nothing more than a page visit, and a VPN authentication bypass (CVE-2026-50751, CVSS 9.3) hands unauthenticated attackers a full tunnel into your network. Neither is known to be exploited in the wild yet, but both are ugly enough that you shouldn't wait to find out.
DO FIRST
• Update perl-DBI to version 1.648 or later via your package manager (CVE-2026-10879)
• Update httpd to the patched version via `tdnf update httpd` on Azure Linux, or apply the latest Apache release from your distro's repos (CVE-2026-49975)
• Apply the vendor's patch or hotfix for this CVE immediately (CVE-2026-50751)
• Update the cereal package to a fixed version when available (CVE-2026-11463)
• Update Chrome to version 149.0.7827.103 or later (CVE-2026-11697)
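The fixed versions above are only useful once you compare them against what is actually installed, and "1.643-3 vs 1.648" or "149.0.7827.102 vs 149.0.7827.103" is exactly the kind of comparison a quick `sort` gets wrong. The script below is an added example, not code from the PatchDay Alert digest: it implements a dotted-version comparison and prints one triage line per package. The fixed versions are the ones the digest states; the installed versions are constructed sample input, and on a real Azure Linux host you would feed it `rpm -q --qf '%{VERSION}-%{RELEASE}\n' perl-DBI` (or `google-chrome --version` for the browser) instead.

```shell
#!/bin/sh
# Added triage helper; not code from the PatchDay Alert digest. Compares an
# installed version string against the fixed version named in an advisory so
# the same check works for a distro package and for a browser build. Assumes
# dotted numeric version components (1.643, 149.0.7827.103); a package release
# suffix such as "-3" is stripped before comparing.

# version_lt A B : succeed (exit 0) when A is strictly lower than B.
version_lt() {
    a=${1%%-*}; b=${2%%-*}            # drop "-release" suffixes
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}      # leading component of each
        [ -z "$ah" ] && ah=0          # 1.648 vs 1.648.1: missing part is 0
        [ -z "$bh" ] && bh=0
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                          # equal: not lower
}

# needs_patch NAME INSTALLED FIXED CVE : print one triage line; succeed when
# INSTALLED is below FIXED, i.e. the update is still outstanding.
needs_patch() {
    if version_lt "$2" "$3"; then
        printf '%-9s %-15s < %-15s PATCH %s\n' "$1" "$2" "$3" "$4"
        return 0
    fi
    printf '%-9s %-15s >= %-14s ok    %s\n' "$1" "$2" "$3" "$4"
    return 1
}

# triage : read "name installed fixed cve" rows from stdin, report each row,
# and print how many updates are outstanding. Always succeeds.
triage() {
    pending=0
    while read -r name installed fixed cve; do
        [ -n "$name" ] || continue
        if needs_patch "$name" "$installed" "$fixed" "$cve"; then
            pending=$((pending + 1))
        fi
    done
    echo "$pending update(s) outstanding"
}

# Constructed sample rows: the fixed versions are the ones the digest states,
# the installed versions are made up. On a real host take them from e.g.
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' perl-DBI
#   google-chrome --version
triage <<'EOF'
perl-DBI 1.643-3 1.648 CVE-2026-10879
chrome 149.0.7827.102 149.0.7827.103 CVE-2026-11697
chrome 149.0.7827.103 149.0.7827.103 CVE-2026-11697
EOF
```

The comparison is component-wise and numeric, so 1.648 correctly sorts above 1.643 and a shorter version (1.648) sorts below a longer one with the same prefix (1.648.1). It deliberately does not understand epochs or letter suffixes; for anything fancier use `rpmdev-vercmp` or the package manager's own comparison.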
Clear the most in the fewest moves
One update closes multiple CVEs at once. Each row is one maintenance decision.

ACTION: Update Chrome to version 149.0.7827.103 or later
CVES: 74 (7 critical)
URGENCY: Patch immediately; every endpoint with a browser is exposed
IMPACT: Browser relaunch
TOP THREAT TODAY · CVE-2026-10879
A heap overflow in Perl's DBI module triggers when it preparses an SQL statement that uses more than 9 bind parameters. An attacker who can influence the SQL statement text a Perl application passes to DBI could crash it or potentially execute code. Exploitation requires the app to build statements from externally controlled input with that many placeholders, which limits the attack surface somewhat; applications that only bind untrusted values into fixed statements are a much weaker target.
Affects: Anyone running Perl applications that use DBI (versions before 1.648), especially on Azure Linux 3.0 with perl-DBI 1.643-3.
Patch this week.
Update perl-DBI to version 1.648 or later via your package manager.
Exposure: Network-reachable systems
References: NVD · MSRC
CVE-2026-49975 · CVSS 7.5 · HIGH
A denial-of-service bug in Apache HTTP Server's mod_http2 module lets a remote attacker knock your web server offline by sending crafted HTTP/2 requests. No authentication is needed. If you expose httpd with HTTP/2 enabled, you're in the blast radius.
Affects: Anyone running Apache httpd with mod_http2 enabled, particularly Azure Linux 3.0 hosts running httpd 2.4.67-1.
Patch within 24 hours if internet-facing or otherwise exposed.
Update httpd to the patched version via `tdnf update httpd` on Azure Linux, or apply the latest Apache release from your distro's repos. If you can't patch immediately, disable mod_http2 as a temporary workaround: unload the module (or at minimum remove h2 and h2c from your Protocols directive), run `httpd -t`, and restart. Clients fall back to HTTP/1.1, so the cost is performance, not functionality. The workaround only removes the HTTP/2 code path; the update is still required.
Exposure: Network-reachable systems · Op impact: Service restart
References: NVD · MSRC
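Whether a host is actually in the blast radius depends on two things: mod_http2 being loaded and an h2/h2c protocol being enabled in the configuration. The following is an added example, not code from the digest or from the Apache project. It makes that decision from `httpd -M` output plus an httpd config file, and prints the config with the module unloaded and h2/h2c stripped from Protocols, which is the temporary workaround described above. The module listing and config here are constructed samples; on a live host substitute `httpd -M 2>/dev/null` and your real config. One caveat the script handles: once the module is unloaded, every `H2*` directive becomes an unknown directive and `httpd -t` fails, so those lines are commented out as well.

```shell
#!/bin/sh
# Added example; not from the PatchDay Alert digest or the Apache project.
# Decides whether an httpd host is exposed to the mod_http2 bug (module loaded
# AND h2/h2c enabled) and emits the temporary workaround config.

# http2_exposed MODULES_FILE CONFIG_FILE : succeed when mod_http2 is loaded and
# an uncommented Protocols directive enables h2 or h2c.
http2_exposed() {
    grep -q 'http2_module' "$1" || return 1   # module not loaded: not exposed
    grep -Eiq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)' "$2"
}

# disable_h2 CONFIG_FILE : print the config with the LoadModule line for
# http2_module commented out, every H2* directive commented out (they would
# be unknown directives once the module is gone), and h2/h2c removed from
# every Protocols line. A Protocols line left empty gets the http/1.1 default.
disable_h2() {
    awk '
        tolower($1) == "loadmodule" && tolower($2) == "http2_module" { print "#" $0; next }
        tolower($1) ~ /^h2/ { print "#" $0; next }
        tolower($1) == "protocols" {
            out = $1
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t != "h2" && t != "h2c") out = out " " $i
            }
            if (out == $1) out = out " http/1.1"
            print out; next
        }
        { print }
    ' "$1"
}

# Constructed sample input standing in for `httpd -M` output and httpd.conf.
modules=$(mktemp); conf=$(mktemp)
cat >"$modules" <<'EOF'
Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)
EOF
cat >"$conf" <<'EOF'
LoadModule http2_module modules/mod_http2.so
ServerName www.example.com
Protocols h2 h2c http/1.1
H2Direct on
EOF

if http2_exposed "$modules" "$conf"; then
    echo "EXPOSED: mod_http2 loaded and h2 enabled; workaround config follows"
    disable_h2 "$conf"   # review, then apply with: httpd -t && systemctl restart httpd
else
    echo "not exposed: mod_http2 not in use"
fi
rm -f "$modules" "$conf"
```

Run `disable_h2` against a copy, diff it against the original, and only then swap it in and restart; `http2_exposed` run again on the rewritten config should report not exposed. A host whose Protocols line never named h2 is not reachable through this bug even with the module loaded, but still needs the update.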
CVE-2026-50751 · CVSS 9.3 · EPSS 0.01% · CRITICAL
An authentication bypass in Remote Access and Mobile Access VPN using the deprecated IKEv1 key exchange lets an unauthenticated remote attacker establish a full VPN session without a valid password. That means anyone on the internet can tunnel into your network if the affected VPN endpoint is reachable. This is about as bad as VPN bugs get.
Affects: Anyone running a VPN gateway that supports Remote Access or Mobile Access with IKEv1 key exchange. The vendor isn't named explicitly, but the description strongly matches Check Point Security Gateway products.
Patch immediately for internet-facing systems.
Apply the vendor's patch or hotfix for this CVE immediately. If no patch is available yet, disable IKEv1 on your VPN gateway and move remaining clients to IKEv2 (IKEv1 is deprecated; confirm first that no legacy client still depends on it). Then audit VPN logs for Remote Access or Mobile Access sessions you can't tie to a known user and device: a successful bypass shows up as a normal-looking session, not as a failed login.
Exposure: Internet-facing systems · Op impact: Service restart
References: NVD · Ref 1 · Ref 2
CVE-2026-11463 · CVSS 7.3 · EPSS 0.05% · HIGH
A type confusion bug in the USCiLab Cereal C++ serialization library lets an attacker corrupt shared pointer types during deserialization. If your application deserializes untrusted Cereal archives, an attacker could crash it or potentially execute code. Exploitation requires the app to process attacker-controlled serialized data, which narrows the risk.
Affects: Developers and operators running C++ applications that use the Cereal serialization library (version 1.3.2 or earlier), including Azure Linux 3.0 hosts with cereal 1.3.2-1 installed.
Monitor and patch.
Update the cereal package to a fixed version when available. Cereal is a header-only library, so updating the package alone changes nothing for binaries already built against it; every application that includes it has to be rebuilt. In the meantime, ensure your applications never deserialize Cereal archives from untrusted sources.
Exposure: Network-reachable systems
References: NVD · MSRC
CVE-2026-11697 · CVSS 9.6 · CRITICAL
A sandbox escape in Google Chrome caused by insufficient input validation in the browser UI. An attacker can exploit this by luring a user to a crafted web page, potentially breaking out of Chrome's sandbox and running code on the underlying system. No special privileges needed, just a click.
Affects: Anyone running Google Chrome on versions prior to 149.0.7827.103. Chromium-based browsers (Edge, Brave, etc.) share the code but ship their own version numbers, so check each vendor's release notes for the build that carries this fix.
Patch immediately; every endpoint with a browser is exposed.
Update Chrome to version 149.0.7827.103 or later. Chrome downloads the update in the background but only applies it on relaunch, so for managed fleets push the update through your browser management tool today and force a relaunch (or set a relaunch deadline) rather than waiting for users to restart on their own.
Exposure: Internet-facing systems · Op impact: Browser relaunch
One update · 74 CVEs · 7 critical
References: NVD · Ref 1 · Ref 2
Community Signal Check
Cisco SD-WAN Manager zero-day exploited in the wild, no patch available (CVE-2026-20245)
Cisco confirmed CVE-2026-20245, a command injection in Catalyst SD-WAN Manager's CLI, is exploited in the wild. Authenticated local attackers with netadmin privileges can run commands as root. There's no patch yet. Cisco says to upgrade to versions that fix CVE-2026-20182 as a partial mitigation.
Source: Cisco PSIRT · active_exploitation
Windows Netlogon RCE (CVE-2026-41089) now exploited in attacks
Attackers are exploiting CVE-2026-41089, a CVSS 9.8 stack-based buffer overflow in Windows Netlogon that gives unauthenticated RCE on every supported Windows Server version. No user interaction required. If you run Windows Server and haven't applied June patches yet, this is your reason to stop reading and start patching.
Source: BleepingComputer · active_exploitation
KB5087537 breaks domain controller lookups and RDP on Windows Server 2016
KB5087537 (May 2026 security update) is causing AD domain controller lookup failures and RDP authentication breakage on Windows Server 2016. Sysadmins report frozen RDP sessions and DFS Namespace errors. Microsoft confirmed the regression and offers a fix through Known Issue Rollback or the May OOB update.
Source: BleepingComputer · broken_patch
Windows Update driver policy cache bug silently overrides Intune settings
A Windows Update caching bug has been quietly ignoring your Intune driver-block policies, pushing driver updates you explicitly blocked. Admins started noticing in late May: printers dying, VPN clients breaking, random BSODs from unexpected driver installs. Audit your driver update policies now and check for unauthorized driver changes on managed endpoints.
Source: windowsnews.ai · regression
SECURE BOOT · 15 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →
Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
7.8  CVE-2026-8795 · A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6.
7.2  CVE-2026-11577 · identity:keycloak · A flaw was found in Keycloak.
7.3  CVE-2026-11618 · A vulnerability was determined in DTStack Taier up to 1.4.0.
9.8  CVE-2026-27671 · Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP…
8.8  CVE-2026-8365 · cms:wordpress · The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution…
8.1  CVE-2026-41855 · In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter…
7.5  CVE-2026-40519 · Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code…
9.9  CVE-2026-44748 · SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges…
9.8  CVE-2026-44631 · Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
9.0  CVE-2026-40128 · SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP…
Plus 16 more this window. See NVD for the full list.
Recent from the blog
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the f…
Two AWS bugs you'd never have heard about, and the fix was yours
AWS disclosed two SageMaker SDK flaws on its own bulletins page. They may carry a CVE ID with no CVSS, they'll never hit CISA KEV, and patc…
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essential…
That's your patch day digest.
patchdayalert.com