PatchDayAlert: 2026-04-29

DAILY BRIEF · APRIL 29, 2026

Five CVSS 9.8s dropped today, none exploited in the wild yet, but don't let that make you comfortable. The headliner is a Chrome sandbox escape (CVE-2026-7343) that chains nicely with a WebRTC renderer bug to give attackers a full breakout path. Sandbox escapes get weaponized fast, so push Chrome updates to your fleet now.

TOP THREAT TODAY

A use-after-free bug in Chrome's Views component on Windows lets an attacker who already controls the renderer process break out of the sandbox. That's the escalation path from "running code in Chrome's jail" to "running code on the host." CVSS 9.8, not yet exploited in the wild, but sandbox escapes get weaponized fast.
Who's affected: Anyone managing Windows desktops or servers running Google Chrome (or Chromium-based browsers) below version 147.0.7727.138
Patch within 24 hours.
Update Chrome to 147.0.7727.138 or later on all Windows endpoints. If you manage browsers through group policy or an endpoint manager, push the update today and force a relaunch.

CVE-2026-7341 · CVSS 9.8 · CRITICAL

A use-after-free in Chrome's WebRTC stack lets an attacker run arbitrary code inside the browser sandbox by getting a user to visit a malicious page. The sandbox limits the blast radius, but this still gives an attacker a foothold, and it pairs nicely with CVE-2026-7343 above for a full escape. CVSS 9.8, no known exploitation yet.
Affects: Anyone managing endpoints running Google Chrome or Chromium-based browsers below version 147.0.7727.138, on any OS
Patch within 24 hours.
Update Chrome to 147.0.7727.138 or later. Prioritize this alongside CVE-2026-7343 since the two bugs chain together for a sandbox escape.

CVE-2026-41873 · CVSS 9.8 · CRITICAL

The Lua version of Apache Pony Mail has an HTTP request smuggling bug that lets an attacker take over admin accounts. Here's the catch: the project is retired and there will be no fix. The replacement ("Pony Mail Foal," written in Python) isn't affected but also isn't officially released yet. CVSS 9.8.
Affects: Anyone still running the Lua-based Apache Pony Mail instance
Patch immediately.
Take your Pony Mail instance offline or restrict access to trusted users immediately. Migrate to the Python-based Pony Mail Foal or a different mailing list archive tool. No patch will be released for this.

CVE-2026-41446 · CVSS 9.8 · CRITICAL

Snap One WattBox 800 and 820 series power distribution units have hidden diagnostic HTTP endpoints that "authenticate" using only the device's MAC address and service tag. Both values are printed on the physical label. Anyone who can read the sticker (or a photo of it) gets root command execution on the device. CVSS 9.8.
Affects: Facilities teams, AV integrators, and MSPs managing Snap One WattBox 800 or 820 series units with firmware below 2.10.0.0
Patch immediately.
Update WattBox firmware to 2.10.0.0 or later. Until you can patch, make sure these devices are not reachable from untrusted networks, and treat any exposed device label information as compromised credentials.

CVE-2026-31669 · CVSS 9.8 · EPSS 0.07% · CRITICAL

A use-after-free in the Linux kernel's MPTCP connection lookup code can be triggered over the network. The CVSS is 9.8, but the EPSS score is very low (0.00068, 21st percentile), suggesting real-world exploitation is unlikely right now. Still, kernel-level memory corruption bugs deserve quick attention.
Affects: Teams running Azure Linux 3.0 (kernel 6.6.130.1-3) or CBL Mariner 2.0 (kernel 5.15.202.1-1), and anyone running upstream Linux kernels with MPTCP enabled
Patch this week.
Apply the updated kernel package for your distro and reboot. If you don't use MPTCP, disabling it (sysctl net.mptcp.enabled=0) buys you time until you can schedule the reboot.
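A host-side gate for the interim mitigation above, added here as an example and not part of the PatchDayAlert brief: it reads the same net.mptcp.enabled control the item names, counts live MPTCP sockets with iproute2's ss (assumed present and recent enough for -M), and only turns MPTCP off, live and persisted under /etc/sysctl.d, when nothing on the host is using it.

```shell
#!/bin/sh
# Added example, not from the PatchDayAlert brief: gate the interim MPTCP
# mitigation for CVE-2026-31669 on whether this host actually uses MPTCP.
# Assumes Linux (/proc/sys/net/mptcp/enabled), iproute2's ss, /etc/sysctl.d.

MPTCP_CTL="${MPTCP_CTL:-/proc/sys/net/mptcp/enabled}"
PERSIST_FILE="${PERSIST_FILE:-/etc/sysctl.d/99-cve-2026-31669-mptcp.conf}"

# mptcp_state [file]: prints enabled | disabled | absent (kernel built without MPTCP)
mptcp_state() {
  f="${1:-$MPTCP_CTL}"
  [ -r "$f" ] || { echo absent; return 0; }
  case "$(tr -d '[:space:]' < "$f")" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# mptcp_active_sockets: MPTCP sockets in use (0 if ss is missing or too old for -M)
mptcp_active_sockets() {
  command -v ss >/dev/null 2>&1 || { echo 0; return 0; }
  ss -M -H 2>/dev/null | wc -l | tr -d ' '
}

# mptcp_verdict <state> <active_sockets>:
#   apply  - MPTCP on and idle: safe to turn off until the kernel is patched
#   in-use - MPTCP on and carrying connections: patch instead of disabling
#   noop   - already off, or not compiled into this kernel
mptcp_verdict() {
  case "$1" in
    enabled) if [ "$2" -gt 0 ]; then echo in-use; else echo apply; fi ;;
    disabled|absent) echo noop ;;
    *) echo unknown ;;
  esac
}

# mptcp_disable: live change plus a sysctl.d drop-in so it survives the reboot
mptcp_disable() {
  sysctl -w net.mptcp.enabled=0
  printf 'net.mptcp.enabled = 0\n' > "$PERSIST_FILE"
}

main() {
  state=$(mptcp_state); sockets=$(mptcp_active_sockets)
  verdict=$(mptcp_verdict "$state" "$sockets")
  echo "mptcp=$state active_sockets=$sockets verdict=$verdict"
  if [ "${1:-}" = "--apply" ] && [ "$verdict" = "apply" ]; then mptcp_disable; fi
}
# Usage: ./mptcp-check.sh report (read-only) or ./mptcp-check.sh --apply
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it read-only first across the fleet; an "in-use" verdict means the sysctl shortcut would break live connections and that host should go straight to the kernel update and reboot.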
That's your patch day digest.
patchdayalert.com