PatchDay Alert: 2026-05-27
DAILY BRIEF · MAY 27, 2026
Nothing's on fire yet, but don't sleep on this one. A CVSS 9.1 bug in Go's knownhosts library completely ignores revoked SSH host keys, which means your Go-based SSH clients will trust hosts they shouldn't. Pair that with an NGINX rewrite module bug at 8.1 and a kernel privesc, and you've got a five-patch day that deserves your attention before any of these start getting exploited.
Clear the most in the fewest moves
4 updates close multiple CVEs at once. Start here.

- 20 CVEs: Update the kernel via `tdnf update kernel` and schedule a reboot to load the patched kernel.
- 3 CVEs: Update dnsmasq to the latest patched version in the Azure Linux 3.0 repo via `tdnf update dnsmasq`.
- 3 CVEs: Update curl and all affected packages via `tdnf update curl cmake mysql rust`.
- 2 CVEs: Update NGINX via `tdnf update nginx` and restart the service.
SECURE BOOT CERTIFICATE DEADLINE
28 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
TOP THREAT TODAY
An attacker can bypass SSH host key verification by presenting a key that should be revoked. The Go knownhosts library doesn't enforce the @revoked status, so your SSH clients built on this library will happily connect to a host whose key you explicitly revoked. CVSS 9.1, not yet exploited in the wild, but the auth bypass is straightforward if you rely on this library for host key checking.
Who's affected: Anyone running Azure Linux 3.0 packages that bundle golang.org/x/crypto/ssh/knownhosts, specifically libcontainers-common, packer, and telegraf
Patch within 24 hours.
Update libcontainers-common, packer, and telegraf to the latest patched versions in the Azure Linux 3.0 repo.
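The failure mode above is a precedence bug: a key listed on an `@revoked` line must be refused even if older plain lines still trust it. As an added example (not code from the page, from the Go knownhosts library, or from the affected packages), here is a standard-library-only Go check that parses the OpenSSH known_hosts format and applies that precedence, so a defender can audit a known_hosts file or run it as an independent pre-check in front of a Go SSH client until the patched packages land. It assumes the OpenSSH line format (optional `@revoked`/`@cert-authority` marker, comma-separated host field with `|1|salt|hmac` hashed entries, key type, base64 blob); plain host patterns are matched exactly (no wildcards), and the hostnames, salt and key blobs below are constructed, not real keys.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// HostKeyStatus is the verdict for one presented host key.
type HostKeyStatus int

const (
	Unknown HostKeyStatus = iota // no entry matched host and key
	Trusted                      // a plain entry matched host and key, no revocation seen
	Revoked                      // an @revoked entry carries this key: refuse the connection
)

var statusNames = [...]string{"Unknown", "Trusted", "Revoked"}

func (s HostKeyStatus) String() string { return statusNames[s] }

// HashHost renders hostname in OpenSSH's hashed form "|1|<salt>|<hmac>",
// where hmac = HMAC-SHA1(salt, hostname). Used here to build the sample file.
func HashHost(hostname string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(hostname))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// hostMatches reports whether hostname matches a comma-separated host field.
// Plain entries need an exact match (no wildcard support in this example);
// hashed entries are recomputed with the stored salt and compared.
func hostMatches(field, hostname string) bool {
	for _, p := range strings.Split(field, ",") {
		if strings.HasPrefix(p, "|1|") {
			parts := strings.Split(p, "|") // "", "1", salt, hmac
			if len(parts) != 4 {
				continue
			}
			salt, err := base64.StdEncoding.DecodeString(parts[2])
			if err == nil && HashHost(hostname, salt) == p {
				return true
			}
			continue
		}
		if p == hostname {
			return true
		}
	}
	return false
}

// CheckHostKey scans known_hosts text for the presented key (keyType plus the
// base64 blob, compared as strings). An @revoked line carrying the key refuses
// it no matter which host presented it and no matter how many plain lines
// trust it; that precedence is the check that must never be skipped.
func CheckHostKey(knownHosts, hostname, keyType, keyBlob string) HostKeyStatus {
	status := Unknown
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		marker := ""
		if strings.HasPrefix(fields[0], "@") {
			marker, fields = fields[0], fields[1:]
		}
		if len(fields) < 3 || fields[1] != keyType || fields[2] != keyBlob {
			continue // malformed line, or a different key
		}
		switch marker {
		case "@revoked":
			return Revoked // decisive: stop scanning, later plain lines cannot override
		case "":
			if hostMatches(fields[0], hostname) {
				status = Trusted
			}
			// @cert-authority lines would need certificate checks; ignored here.
		}
	}
	return status
}

// Constructed sample blobs (placeholders, not real keys): one still-good key and
// one that was revoked even though an older hashed line still lists it.
const (
	goodKey = "AAAAC3NzaC1lZDI1NTE5AAAAIGOODKEYGOODKEYGOODKEYGOODKEYGOODKEYGOODKE"
	oldKey  = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYOLDKEYO"
)

// SampleKnownHosts builds the constructed known_hosts file used by main and the test.
func SampleKnownHosts() string {
	salt := []byte("0123456789abcdefghij") // 20-byte salt, constructed
	return strings.Join([]string{
		"# constructed known_hosts for the example",
		"build.example.internal ssh-ed25519 " + goodKey,
		HashHost("ci.example.internal", salt) + " ssh-ed25519 " + oldKey,
		"@revoked * ssh-ed25519 " + oldKey,
	}, "\n")
}

func main() {
	kh := SampleKnownHosts()
	for _, c := range [][3]string{
		{"build.example.internal", "ssh-ed25519", goodKey},
		{"ci.example.internal", "ssh-ed25519", oldKey},
		{"other.example.internal", "ssh-ed25519", goodKey},
	} {
		fmt.Printf("%-24s %s\n", c[0], CheckHostKey(kh, c[0], c[1], c[2]))
	}
}
```

Run it against a real `~/.ssh/known_hosts` by reading the file into the first argument of CheckHostKey; any `Revoked` verdict for a key your fleet still connects to is a host that an unpatched client would accept.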
CVE-2026-4890 · CVSS 7.5 · EPSS 0.24% · HIGH
A vulnerability in dnsmasq with a CVSS of 7.5. The upstream description is sparse, but dnsmasq handles DNS and DHCP for a lot of local networks. A network-level bug here could let an attacker disrupt or poison DNS resolution without authentication. No exploitation in the wild yet.
Affects: Anyone running dnsmasq 2.90-1 on Azure Linux 3.0, especially if it faces untrusted network segments
Patch this week. One update closes 3 CVEs.
Update dnsmasq to the latest patched version in the Azure Linux 3.0 repo via `tdnf update dnsmasq`.
CVE-2026-6276 · CVSS 7.5 · EPSS 0.01% · HIGH
A stale custom cookie host in curl causes cookies to leak to the wrong server. If your tools or services use curl with custom cookie handling, an attacker who controls or redirects traffic could steal session cookies. CVSS 7.5, no wild exploitation reported. This affects several Azure Linux 3.0 packages that bundle or depend on curl, including cmake, mysql, and rust toolchains.
Affects: Anyone running Azure Linux 3.0 systems with curl 8.11.1-6, cmake 3.30.3-13, mysql 8.0.46-1, or rust 1.75.0-28 / 1.90.0-7
Patch this week. One update closes 3 CVEs.
Update curl and all affected packages via `tdnf update curl cmake mysql rust`.
CVE-2026-9256 · CVSS 8.1 · EPSS 0.13% · HIGH
A vulnerability in NGINX's ngx_http_rewrite_module lets an attacker exploit rewrite rules to cause unintended behavior. CVSS 8.1, no known exploitation in the wild. If you use rewrite directives in your NGINX configs (and most of you do), this one deserves prompt attention, especially on internet-facing instances.
Affects: Anyone running NGINX 1.28.3-1 on Azure Linux 3.0, particularly internet-facing reverse proxies and web servers
Patch within 24 hours. One update closes 2 CVEs.
Update NGINX via `tdnf update nginx` and restart the service.
CVE-2026-46300 · CVSS 7.8 · EPSS 0.05% · HIGH
A Linux kernel bug in skbuff coalescing drops the shared-frag marker, which can lead to local privilege escalation or a crash. CVSS 7.8. An attacker with local access could trigger this to escalate privileges on the host. Not exploited in the wild yet, but kernel memory corruption bugs tend to attract exploit development quickly.
Affects: Anyone running Azure Linux 3.0 with kernel 6.6.139.1-1
Patch this week. One update closes 20 CVEs.
Update the kernel via `tdnf update kernel` and schedule a reboot to load the patched kernel.
Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
9.0 · CVE-2026-45721 · algernon is a small self-contained pure-go web server.
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that…

8.5 · CVE-2026-4480
A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the…

8.1 · CVE-2026-8994 · microsoft:exchange
The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including,…

9.9 · CVE-2026-7374 · a flaw was found in kubevirt's virt-handler component. this vulnerability
A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with…

7.2 · CVE-2026-42785 · openkm
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute…

8.2 · CVE-2026-42013
A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the…

7.8 · CVE-2026-48864
A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled…

7.8 · CVE-2026-24193 · nvidia display driver for windows and linux
NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could cause an out-of-bounds…

7.8 · CVE-2026-24191 · nvidia display driver for windows
NVIDIA Display Driver for Windows contains a vulnerability where an attacker could cause a time-of-check time-of-use…

7.5 · CVE-2025-14713 · browser:edge
An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before…

7.1 · CVE-2026-42012
A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted…

8.0 · CVE-2026-3012
A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is…

8.1 · CVE-2026-48695 · fastnetmon community edition through
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router…

9.9 · CVE-2026-46624
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in…

9.8 · CVE-2026-42758
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows…

9.8 · CVE-2026-42731
Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification…

9.8 · CVE-2026-8760 · cms:wordpress
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including,…

9.3 · CVE-2026-42761
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active…

9.3 · CVE-2026-42755
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777…

9.3 · CVE-2026-42747
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi…

9.3 · CVE-2026-42740
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan…

9.3 · CVE-2026-42727
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active…

Plus 36 more this window. See NVD for the full list.
Community Signal Check
Microsoft Defender privilege escalation and DoS bugs exploited in the wild, CISA sets June 3 deadline
Attackers are exploiting two Defender bugs right now: CVE-2026-41091 (privilege escalation via improper link resolution) and CVE-2026-45498 (denial of service). Both are patched in Defender versions 1.1.26040.8 and 4.18.26040.7. CISA added them to the KEV catalog with a June 3 federal deadline, so treat that as your own.
Source: The Hacker News · active_exploitation
KB5089549 fails to install on low EFI partition space, rolls back at 35%
If your Windows 11 boxes are failing the May cumulative update with error 0x800f0922 around the 35% reboot mark, check EFI System Partition free space. Devices with 10 MB or less hit a rollback loop. Microsoft pushed a Known Issue Rollback for consumer machines automatically, but you'll need to deploy a Group Policy to fix managed endpoints.
Source: BleepingComputer · broken_patch
Cisco Secure Workload auth bypass gives unauthenticated Site Admin access
CVE-2026-20223 lets a remote attacker skip authentication entirely and land Site Admin privileges on Cisco Secure Workload. No credentials needed. Upgrade to 3.8.1.2 (3.8.x branch) or 3.9.0.3 (3.9.x branch) before someone finds your instance first.
Source: Anavem · vendor_advisory
Recent from the blog
Microsoft patched a SYSTEM bug in 2020. It still works in 2026.
A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shel…
SonicWall patched CVE-2024-12802 and left the bug in place on Gen6
The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses. On Gen6, that distinction is the w…
The patch window went negative. Now what?
Mandiant's mean time-to-exploit is negative seven days. NVD gave up on enriching most of the catalog. Here's what the next 24 months of pat…
That's your patch day digest.
patchdayalert.com