PatchDay Alert: 2026-05-21
DAILY BRIEF · MAY 21, 2026
Nothing exploited in the wild yet, but a CVSS 10.0 in Cisco Secure Workload (CVE-2026-20223) deserves your attention right now. An unauthenticated attacker can hit internal REST APIs and grab full Site Admin privileges across tenant boundaries, no credentials, no user interaction. That's joined by a Defender engine RCE and a Chrome sandbox code execution, so don't let the 'no active exploitation' status lull you into waiting.
Clear the most in the fewest moves
2 updates close multiple CVEs at once. Start here.
Update Chrome to 148.0.7778.179 or later. If you manage browsers via group policy or MDM, push the update now and confirm it landed. · 16 CVEs
Verify the Malware Protection Engine has auto-updated to the latest version. Run 'Get-MpComputerStatus' in PowerShell and check the AMEngineVersion. If auto-update is blocked by policy, push the engine update manually. · 2 CVEs
SECURE BOOT CERTIFICATE DEADLINE
34 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
TOP THREAT TODAY
An unauthenticated remote attacker can hit internal REST APIs on Cisco Secure Workload and get full Site Admin privileges. That means reading sensitive data and changing configuration across tenant boundaries, no credentials required. This is a CVSS 10.0 for good reason: no auth, no user interaction, full cross-tenant control.
Who's affected: Anyone running Cisco Secure Workload (formerly Tetration) on-prem or in their data center
Patch immediately.
Apply the Cisco-provided fix for Secure Workload immediately. If a patch is not yet available, restrict network access to the management interface and REST API endpoints to trusted hosts only.
CVE-2026-9126 · CVSS 8.8 · HIGH
A use-after-free bug in Chrome's DOM engine lets an attacker run code inside the browser sandbox if a user visits a malicious page. The attack requires user interaction (visiting a crafted page), and code execution is sandboxed, which limits the blast radius. Still, sandbox escapes get chained regularly, so don't sit on this one.
Affects: Anyone managing Chrome or Chromium-based browsers (Edge, Brave, etc.) on desktops or kiosks
Patch this week.
Update Chrome to 148.0.7778.179 or later. If you manage browsers via group policy or MDM, push the update now and confirm it landed.
ONE UPDATE · 16 CVEs
CVE-2026-45584 · CVSS 8.1 · HIGH
A heap-based buffer overflow in the Microsoft Malware Protection Engine lets an attacker run code over the network without any authentication. Because Defender's engine auto-scans incoming files and network content, a specially crafted payload could trigger this just by being received. No user click needed.
Affects: Anyone running Microsoft Defender (Windows Defender, Defender for Endpoint, or any product using the Microsoft Malware Protection Engine)
Patch within 24 hours.
Verify the Malware Protection Engine has auto-updated to the latest version. Run 'Get-MpComputerStatus' in PowerShell and check the AMEngineVersion. If auto-update is blocked by policy, push the engine update manually.
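One way to script the engine check described above, as an added example that is not part of the original brief. The function name, the `-Status` parameter and the `9.9.9.9` minimum are placeholders: the brief does not state the fixed engine version, so take it from Microsoft's advisory.

```powershell
# Added example: compare the Defender engine version with a required minimum.
# Casting to [version] avoids the string-comparison trap where "1.1.9" sorts above "1.1.10".
function Test-DefenderEngineVersion {
    [CmdletBinding()]
    param(
        # Placeholder: supply the fixed engine version from the vendor advisory.
        [Parameter(Mandatory)]
        [version]$MinimumEngineVersion,

        # Optional: a captured status object; defaults to querying the local host.
        [psobject]$Status = (Get-MpComputerStatus)
    )

    $engine = [version]$Status.AMEngineVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AMEngineVersion  = $engine
        MinimumRequired  = $MinimumEngineVersion
        EngineIsCurrent  = $engine -ge $MinimumEngineVersion
        SignatureVersion = $Status.AntivirusSignatureVersion
        SignatureAgeDays = $Status.AntivirusSignatureAge
        AMServiceEnabled = $Status.AMServiceEnabled
    }
}

# Constructed sample status (not real values) so the comparison can be run offline.
$sample = [pscustomobject]@{
    AMEngineVersion           = '1.1.9.0'
    AntivirusSignatureVersion = '1.0.0.0'
    AntivirusSignatureAge     = 9
    AMServiceEnabled          = $true
}

$result = Test-DefenderEngineVersion -MinimumEngineVersion '9.9.9.9' -Status $sample
$result | Format-List

if (-not $result.EngineIsCurrent) {
    # A stale signature age alongside an old engine suggests updates are blocked by policy.
    Write-Warning ("Engine {0} is below required {1}; signatures are {2} day(s) old." -f `
        $result.AMEngineVersion, $result.MinimumRequired, $result.SignatureAgeDays)
}
```

On a live host, omit `-Status` so the function reads the real values from `Get-MpComputerStatus`.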
ONE UPDATE · 2 CVEs
CVE-2026-42834 · CVSS 7.8 · HIGH
A symlink-following bug in Azure Portal's Windows Admin Center lets a local attacker who already has some level of access escalate to higher privileges. This requires local access and an authenticated session, so it's not remotely exploitable on its own. It's a privilege escalation play, most dangerous if an attacker already has a foothold.
Affects: Anyone using Windows Admin Center through the Azure Portal
Patch this week.
Update the Windows Admin Center Azure extension to the latest version through the Azure Portal's extension management page.
CVE-2026-20239 · CVSS 7.5 · HIGH
If a Splunk user has a role with access to the _internal index, they can view session cookies and response bodies containing sensitive data. This is an information disclosure bug that requires an authenticated user with specific index permissions, so it's not open to the internet. That said, stolen session cookies can lead to session hijacking and lateral movement inside Splunk.
Affects: Splunk Enterprise admins running versions below 10.2.2 or 10.0.5, and Splunk Cloud Platform customers on older release tracks
Patch this week.
Upgrade Splunk Enterprise to 10.2.2 or 10.0.5 (or later). For Splunk Cloud, confirm your instance is on 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, or 10.0.2503.13 or newer. In the meantime, audit which roles have access to the _internal index and restrict it to only those who truly need it.
Community Signal Check
KB5089549 fails to install on systems with small EFI partitions
If your Windows 11 24H2 or 25H2 machines have 10 MB or less free on the EFI System Partition, KB5089549 will stall at 35% during reboot and roll back with error 0x800f0922. Microsoft confirmed the issue and published a Known Issue Rollback (KIR) you can push via Group Policy as a temporary fix.
BleepingComputer • broken_patch
NGINX heap buffer overflow CVE-2026-42945 exploited in the wild
Unauthenticated remote code execution in NGINX's rewrite module, CVSS 9.2, already exploited in the wild. Affected versions span 0.6.27 through 1.30.0. If you run NGINX with rewrite rules, patch or update immediately.
The Hacker News • active_exploitation
Exchange Server OWA XSS zero-day CVE-2026-42897 exploited via email
Microsoft confirmed attackers are exploiting a cross-site scripting bug in Outlook Web Access on on-prem Exchange (CVSS 8.1). A crafted email triggers malicious JavaScript the moment someone opens it in OWA. This dropped two days after May Patch Tuesday, so your CU alone won't cover it. Watch for an out-of-band fix.
Security Affairs • active_exploitation
Netwrix Threat Prevention agents break Kerberos capture after May 2026 KBs
If you run Netwrix Threat Prevention, update the agents before you apply the May 12 KBs. Installing the KBs first silently kills Kerberos and NTLM event capture and blocking. Order matters here: Netwrix agent first, then Windows patches.
Netwrix Community • regression
That's your patch day digest.
patchdayalert.com