PatchDay Alert: 2026-05-15
DAILY BRIEF · MAY 15, 2026

This one jumps off the page. CVE-2026-20182 is a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN (vSmart and vManage) that lets an unauthenticated remote attacker take over your entire fabric. No credentials, no user interaction. Four more bugs trail behind it in dnsmasq, Go, GnuTLS, and Twisted, but that Cisco flaw is the one to deal with first.

SECURE BOOT CERTIFICATE DEADLINE
40 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

TOP THREAT TODAY

A malformed HTTP/2 SETTINGS_MAX_FRAME_SIZE value can send Go's net/http2 library into an infinite loop, effectively hanging any service built on it. An attacker just needs to send a bad HTTP/2 frame to tie up the process. No authentication required, no user interaction needed.
Who's affected: Anyone running Go-based services on Azure Linux 3.0 that use the affected packages: application-gateway-kubernetes-ingress, azcopy, azurelinux-image-tools, cert-manager, or cf-cli.
Patch this week.
Update the affected Azure Linux 3.0 packages (application-gateway-kubernetes-ingress, azcopy, azurelinux-image-tools, cert-manager, cf-cli) to the latest patched versions via tdnf or your package management pipeline.

References: NVD • MSRC • Ref 1 • Ref 2

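The defensive lesson in this item is that a connection-level setting has to be range-checked at the moment it is parsed, before it can feed any later frame-size arithmetic. The following is an added example written for this brief, not code from Go's net/http2 and not the upstream fix: a minimal HTTP/2 SETTINGS frame parser that rejects a SETTINGS_MAX_FRAME_SIZE outside the RFC 9113 range [2^14, 2^24-1] as a protocol error. The frame builder exists only to construct test vectors; the constant values come from RFC 9113 section 6.5.2.

```python
import struct

# Wire constants from RFC 9113 (HTTP/2). The frame header is 9 bytes; a
# SETTINGS payload is a sequence of 6-byte (identifier, value) pairs.
FRAME_HEADER_LEN = 9
FRAME_TYPE_SETTINGS = 0x4
SETTINGS_MAX_FRAME_SIZE = 0x5
# RFC 9113 section 6.5.2: SETTINGS_MAX_FRAME_SIZE must lie in [2^14, 2^24-1];
# any other value is a connection error of type PROTOCOL_ERROR.
MIN_MAX_FRAME_SIZE = 1 << 14
MAX_MAX_FRAME_SIZE = (1 << 24) - 1


class Http2ProtocolError(ValueError):
    """Raised when a frame must be rejected as a connection error."""


def parse_frame_header(data: bytes) -> tuple[int, int, int, int]:
    """Return (payload_length, frame_type, flags, stream_id) from a 9-byte header."""
    if len(data) < FRAME_HEADER_LEN:
        raise Http2ProtocolError("truncated frame header")
    length = int.from_bytes(data[0:3], "big")
    frame_type = data[3]
    flags = data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF  # top bit is reserved
    return length, frame_type, flags, stream_id


def parse_settings_frame(frame: bytes) -> dict[int, int]:
    """Parse one SETTINGS frame, rejecting malformed or out-of-range values up front."""
    length, frame_type, _flags, stream_id = parse_frame_header(frame)
    if frame_type != FRAME_TYPE_SETTINGS:
        raise Http2ProtocolError(f"expected SETTINGS (0x4), got frame type 0x{frame_type:x}")
    if stream_id != 0:
        raise Http2ProtocolError("SETTINGS must be sent on stream 0")
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise Http2ProtocolError("frame payload shorter than declared length")
    if length % 6 != 0:
        raise Http2ProtocolError("SETTINGS payload is not a multiple of 6 bytes")

    settings: dict[int, int] = {}
    for offset in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[offset:offset + 6])
        if ident == SETTINGS_MAX_FRAME_SIZE and not (MIN_MAX_FRAME_SIZE <= value <= MAX_MAX_FRAME_SIZE):
            # Reject here, so a zero or oversized limit never reaches the
            # connection state that later frame-size loops depend on.
            raise Http2ProtocolError(
                f"SETTINGS_MAX_FRAME_SIZE {value} outside [{MIN_MAX_FRAME_SIZE}, {MAX_MAX_FRAME_SIZE}]"
            )
        settings[ident] = value
    return settings


def build_settings_frame(settings: dict[int, int]) -> bytes:
    """Encode a SETTINGS frame on stream 0 (used here only to construct test vectors)."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings.items())
    header = len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, 0x00]) + (0).to_bytes(4, "big")
    return header + payload


def classify(frame: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>' for a frame; bad input fails fast instead of looping."""
    try:
        parse_settings_frame(frame)
        return "ok"
    except Http2ProtocolError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed test vectors: the default limit, a zero limit and a limit of 2^24.
    for value in (MIN_MAX_FRAME_SIZE, 0, 1 << 24):
        print(value, "->", classify(build_settings_frame({SETTINGS_MAX_FRAME_SIZE: value})))
```

The point of `classify` is that every outcome is a bounded decision: an out-of-range limit produces a PROTOCOL_ERROR-style rejection and the connection state is never updated with it.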

CVE-2026-42010 • CVSS 7.1 • EPSS 0.13% • HIGH

GnuTLS mishandles a NUL character in usernames during authentication, allowing an attacker to bypass authentication entirely. If your services rely on GnuTLS for TLS client certificate or SRP authentication, someone could slip past identity checks with a crafted username. CVSS 7.1, not yet exploited in the wild.
Affects: Anyone running GnuTLS 3.8.3-8 on Azure Linux 3.0, especially if you use TLS client certificate authentication or SRP-based auth that passes through GnuTLS.
Patch within 24 hours.
Update gnutls to the latest patched version on Azure Linux 3.0 via `tdnf update gnutls`.

References: NVD • MSRC


CVE-2026-4892 • CVSS 8.4 • EPSS 0.01% • HIGH

A vulnerability in dnsmasq scores CVSS 8.4, though the vendor description is sparse. Dnsmasq handles DNS and DHCP for a huge number of networks, containers, and embedded devices, so any high-severity bug here deserves fast attention. Details are limited, but the score suggests local or adjacent network exploitation with significant impact.
Affects: Anyone running dnsmasq 2.90-1 on Azure Linux 3.0, including container hosts and edge devices that use dnsmasq for local DNS/DHCP.
Patch within 24 hours.
Update dnsmasq to the latest patched version via `tdnf update dnsmasq` and restart the service.

References: NVD • MSRC


CVE-2026-20182 • CVSS 10.0 • CRITICAL

This is as bad as it gets: CVSS 10.0. An unauthenticated remote attacker can bypass peering authentication on Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage), then log in as a high-privileged internal account. From there, the attacker gets NETCONF access and can manipulate your entire SD-WAN fabric configuration. No credentials needed, no user interaction.
Affects: Anyone running Cisco Catalyst SD-WAN Manager (vManage) or SD-WAN Controller (vSmart) in any version. If you have SD-WAN infrastructure, stop reading and start patching.
Patch immediately.
Apply the Cisco security advisory fix for your SD-WAN Manager and Controller version immediately. Check Cisco's May 2026 advisory for the exact fixed release that matches your deployment.

References: NVD • Ref 1 • Ref 2


CVE-2026-42304 • CVSS 7.5 • EPSS 0.01% • HIGH

Twisted's DNS resolver (twisted.names) can be crashed with crafted DNS responses that use recursive compression pointer chains. An attacker who can send or spoof DNS replies to a Twisted-based application can cause a denial of service. No authentication required, but the attacker does need to be in a position to deliver DNS responses to the target.
Affects: Anyone running python-twisted 22.10.0-4 on Azure Linux 3.0, particularly if your applications use twisted.names for DNS resolution.
Patch this week.
Update python-twisted to the latest patched version via `tdnf update python-twisted`.

References: NVD • MSRC

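The failure mode here is the RFC 1035 name-compression pointer: a two-byte label that says "continue reading at offset N". If a decoder follows pointers without checking that they make progress, a response whose pointers refer to each other keeps it busy forever. The following is an added example for this brief, not code from twisted.names and not its fix: a name decoder that requires every pointer to point strictly backwards (so each hop makes progress and termination is guaranteed), caps the hop count and total name length as defence in depth, and raises instead of recursing. The DNS header bytes and the names in the test messages are constructed.

```python
HEADER_LEN = 12           # fixed DNS header (RFC 1035 section 4.1.1)
MAX_NAME_LEN = 255        # wire-format limit on a complete name
MAX_POINTER_HOPS = 64     # defence in depth; the backward-only rule already bounds the loop


class MalformedName(ValueError):
    """Raised instead of looping when a name is malformed or self-referential."""


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a dotted name (used to construct test messages)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at msg[offset].

    Returns (dotted name, offset just past the name at its original position).
    A pointer must target an offset strictly before the pointer itself, so every
    hop moves to an earlier byte and a chain of pointers cannot cycle.
    """
    labels: list[str] = []
    pos = offset
    end = None          # set when the first pointer (or the root label) is reached
    hops = 0
    total_len = 0
    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= pos:
                raise MalformedName(f"pointer at {pos} does not point backwards (-> {target})")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedName("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:                               # 0x40 / 0x80 label types are reserved
            raise MalformedName("reserved label type")
        if length == 0:                                 # root label terminates the name
            if end is None:
                end = pos + 1
            return ((".".join(labels) + ".") if labels else "."), end
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise MalformedName("label runs past end of message")
        total_len += length + 1
        if total_len > MAX_NAME_LEN:
            raise MalformedName("name exceeds 255 octets")
        labels.append(label.decode("ascii", errors="replace"))
        pos += 1 + length


def is_well_formed_name(msg: bytes, offset: int) -> bool:
    """Convenience wrapper: True if the name decodes, False if it would be rejected."""
    try:
        read_name(msg, offset)
        return True
    except MalformedName:
        return False


if __name__ == "__main__":
    # Constructed 12-byte header (id 0x1234, standard response, QD=1, AN=1).
    header = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    benign = header + encode_name("www.example.com") + b"\xc0\x0c"   # answer name points back to the question
    self_loop = header + b"\xc0\x0c"                                  # pointer at offset 12 to offset 12
    ping_pong = header + b"\xc0\x0e\xc0\x0c"                          # 12 -> 14 -> 12 -> ...
    print(read_name(benign, HEADER_LEN))
    print("self_loop well formed:", is_well_formed_name(self_loop, HEADER_LEN))
    print("ping_pong well formed:", is_well_formed_name(ping_pong, HEADER_LEN))
```

The backward-only rule is the load-bearing check: because `pos` strictly decreases on every hop, the loop can run at most `len(msg)` iterations even without the hop cap, which is what turns an unbounded chain into a bounded rejection.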

Community Signal Check

Fortinet FortiSandbox: unauthenticated GUI access via missing authorization
Fortinet patched CVE-2026-26083, a critical missing-authorization bug in FortiSandbox 5.0, 4.4, Cloud, and PaaS. An unauthenticated attacker can reach the GUI remotely and view sandbox analysis data without credentials. If you run FortiSandbox, patch now.
Source: Fortinet PSIRT • vendor_advisory

Ivanti Virtual Traffic Manager: authenticated RCE via OS command injection
Ivanti disclosed CVE-2026-8051, a critical OS command injection in Virtual Traffic Manager (vTM) before 22.9r4. An attacker with admin creds can run arbitrary OS commands for full RCE. Update to 22.9r4 or later.
Source: Ivanti • vendor_advisory

That's your patch day digest.
patchdayalert.com

In a World of AI Agents: Intent > Identity
AI-powered bots aren’t just logging in anymore. They’re mimicking real users, slipping past identity checks, and scaling attacks faster than ever.
Thousands of companies worldwide trust hCaptcha to protect their online services from automated threats while preserving user privacy.
Now is the time to take control of your security.