PatchDay Alert: 2026-05-29
PatchDay Alert DAILY BRIEF · MAY 29, 2026

TODAY'S CALL

Five high-severity CVEs today, none exploited in the wild yet, but a couple deserve your attention before the weekend. Go's SSH known_hosts package (golang.org/x/crypto/ssh/knownhosts) is silently ignoring @revoked markers (CVE-2026-42508, CVSS 9.1), which means any host key you thought you revoked still passes validation. If your tooling uses Go's SSH libraries for host trust, that safety net has a hole in it. NGINX's rewrite module also picked up a CVSS 8.1 access-control bypass, separate from the CVE-2026-42945 heap overflow that is already being exploited, and it's worth patching fast given how many configs touch rewrite rules.

DO FIRST

Update libcontainers-common, packer, and telegraf to the patched versions available in the Azure Linux 3.0 repos  (CVE-2026-42508)
Update the nginx package to the patched version via `tdnf update nginx` on Azure Linux 3.0  (CVE-2026-9256)
Update the kernel package via `tdnf update kernel` and reboot  (CVE-2025-71305)
Update the perl package via `tdnf update perl` on Azure Linux 3.0, or upgrade Archive::Tar to 3.08+ from CPAN  (CVE-2026-42496)
Apply the Oracle Critical Patch Update that addresses CVE-2026-46833 for Oracle Database Server 23.x  (CVE-2026-46833)

Clear the most in the fewest moves

2 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVES | URGENCY | IMPACT
Update the kernel package via `tdnf update kernel` and reboot | 211 (1 critical) | Patch this week, network-reachable only | Endpoint reboot
Update the perl package via `tdnf update perl` on Azure Linux 3.0, or upgrade Archive::Tar to 3.08+ from CPAN | 3 (1 critical) | Patch within 24 hours, network-reachable only | (none listed)

TOP THREAT TODAY

CVE-2026-42508 CVSS 9.1 EPSS 0.04% CRITICAL

Go's known_hosts implementation (the golang.org/x/crypto/ssh/knownhosts package) does not enforce @revoked markers, so a host key you explicitly revoked still passes validation. An attacker who holds the private half of a revoked host key and can get on path can impersonate the trusted host and intercept SSH sessions without triggering any mismatch warning. CVSS 9.1, not yet exploited in the wild, but any Go tooling that relies on known_hosts for SSH trust is silently skipping a critical safety check: a @revoked line only protects you if the verifier honors it.

Who's affected: Anyone running Azure Linux 3.0 packages that bundle golang.org/x/crypto/ssh, specifically libcontainers-common 20240213-3, packer 1.9.5-13, or telegraf 1.31.0-19


Patch within 24 hours if internet-facing or otherwise exposed. Update libcontainers-common, packer, and telegraf to the patched versions available in the Azure Linux 3.0 repos.

Exposure: Network-reachable systems

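Until the patched packages land, a belt-and-braces mitigation is to parse known_hosts yourself and refuse any host key that a @revoked line names, independently of the library's verdict. The following is an added example in Go; it is not code from x/crypto or from the affected packages. It uses only the standard library, so the presented key is passed as its type and base64 blob (with x/crypto you would obtain the blob by base64-encoding ssh.PublicKey.Marshal(), an assumed caller-side step), and the hostnames and key blobs are constructed placeholders. It handles OpenSSH's wildcard, negated and |1| hashed host patterns.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"path"
	"strings"
)

// Placeholder key blobs, constructed for this example; not real keys.
const (
	RevokedEd25519Blob = "AAAAC3NzaC1lZDI1NTE5AAAAIREVOKEDKEYxxxxxxxxxxxxxxxxxxxxx"
	RevokedRSABlob     = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCREVOKEDRSAPLACEHOLDER"
	CurrentEd25519Blob = "AAAAC3NzaC1lZDI1NTE5AAAAIGOODKEYyyyyyyyyyyyyyyyyyyyyyy"
)

// SampleKnownHosts is a constructed known_hosts file, not a real fleet.
const SampleKnownHosts = "# constructed sample\n" +
	"@revoked * ssh-ed25519 " + RevokedEd25519Blob + " leaked-fleet-key\n" +
	"@revoked bastion.example.com,10.0.0.5 ssh-rsa " + RevokedRSABlob + "\n" +
	"bastion.example.com ssh-ed25519 " + CurrentEd25519Blob + "\n" +
	"@cert-authority *.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICAPLACEHOLDER\n"

// RevokedKey is one @revoked line: host patterns, key type and base64 blob.
type RevokedKey struct {
	HostPatterns []string
	KeyType      string
	KeyBlob      string
}

// ParseRevoked collects every @revoked entry; comments and plain lines are skipped.
func ParseRevoked(data string) []RevokedKey {
	var out []RevokedKey
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // @revoked <hosts> <type> <blob> [comment]
		if len(f) < 4 || f[0] != "@revoked" {
			continue
		}
		out = append(out, RevokedKey{strings.Split(f[1], ","), f[2], f[3]})
	}
	return out
}

// HashedHostPattern renders a host the way `ssh-keyscan -H` does:
// |1|base64(salt)|base64(HMAC-SHA1(salt, host)).
func HashedHostPattern(host string, salt []byte) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// hostMatches handles plain names, * and ? wildcards, and |1| hashed hosts.
func hostMatches(pattern, host string) bool {
	if strings.HasPrefix(pattern, "|1|") {
		parts := strings.Split(pattern, "|") // "", "1", salt, hash
		if len(parts) != 4 {
			return false
		}
		salt, err1 := base64.StdEncoding.DecodeString(parts[2])
		want, err2 := base64.StdEncoding.DecodeString(parts[3])
		if err1 != nil || err2 != nil {
			return false
		}
		mac := hmac.New(sha1.New, salt)
		mac.Write([]byte(host))
		return hmac.Equal(mac.Sum(nil), want)
	}
	ok, err := path.Match(pattern, host)
	return err == nil && ok
}

// AppliesTo evaluates the comma-separated pattern list; a matching "!"
// pattern excludes the host outright, as in OpenSSH.
func (r RevokedKey) AppliesTo(host string) bool {
	matched := false
	for _, p := range r.HostPatterns {
		if strings.HasPrefix(p, "!") {
			if hostMatches(p[1:], host) {
				return false
			}
			continue
		}
		if hostMatches(p, host) {
			matched = true
		}
	}
	return matched
}

// IsRevoked reports whether the presented key must be refused for host.
func IsRevoked(knownHosts, host, keyType, keyBlob string) bool {
	for _, r := range ParseRevoked(knownHosts) {
		if r.KeyType == keyType && r.KeyBlob == keyBlob && r.AppliesTo(host) {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range [][3]string{
		{"anything.example.net", "ssh-ed25519", RevokedEd25519Blob},
		{"10.0.0.5", "ssh-rsa", RevokedRSABlob},
		{"other.example.com", "ssh-rsa", RevokedRSABlob},
		{"bastion.example.com", "ssh-ed25519", CurrentEd25519Blob},
	} {
		fmt.Printf("%-22s %-12s revoked=%v\n", c[0], c[1], IsRevoked(SampleKnownHosts, c[0], c[1], c[2]))
	}
}
```

Wire it in front of the library's callback: if IsRevoked returns true, fail the connection before the knownhosts.New callback is consulted. Keys revoked with a `*` pattern should also be rotated out of the fleet, since this check only protects the clients that run it.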

CVE-2026-9256 CVSS 8.1 EPSS 0.18% HIGH

A vulnerability in NGINX's rewrite module (ngx_http_rewrite_module) could let an attacker abuse rewrite rules to bypass access controls or trigger unexpected behavior. Details are sparse, but the CVSS 8.1 and the fact that this sits in the rewrite module, which almost every NGINX config uses, make it worth patching quickly. Not yet exploited in the wild. Don't confuse it with CVE-2026-42945, the heap overflow in the same module that is already being exploited (see Community Signal Check below); check that your patched build addresses both.

Affects: Anyone running NGINX 1.28.3-1 on Azure Linux 3.0, and anyone else using the same upstream NGINX version with the rewrite module enabled


Patch within 24 hours if internet-facing or otherwise exposed. Update the nginx package to the patched version via `tdnf update nginx` on Azure Linux 3.0.

Exposure: Network-reachable systems  ·  Op impact: Service restart


CVE-2025-71305 CVSS 9.8 EPSS 0.02% CRITICAL

A missing check for a zero VCPI (Virtual Channel Payload Identifier) in the kernel's DisplayPort MST (Multi-Stream Transport) code can cause a crash or memory corruption. Despite the CVSS 9.8, this is a local kernel bug in the display subsystem: triggering it needs a malicious or buggy MST display device physically connected. If you're running headless Azure Linux VMs with no display hardware, the real-world risk is low, but the same kernel update closes 210 other CVEs, so schedule the reboot anyway.

Affects: Anyone running Azure Linux 3.0 with kernel 6.6.139.1-1, especially systems with DisplayPort MST hardware attached


Patch this week. Update the kernel package via `tdnf update kernel` and reboot.

Exposure: Network-reachable systems  ·  Op impact: Endpoint reboot

ONE UPDATE · 211 CVEs · 1 CRITICAL

CVE-2026-42496 CVSS 9.1 EPSS 0.04% CRITICAL

Archive::Tar for Perl (versions before 3.08) follows symlinks during extraction without validating the target path. A crafted archive can first drop a symlink that points outside the extraction directory and then write a later entry through it, landing a file anywhere on the filesystem that the extracting process can reach. If any of your automation or CI pipelines extract untrusted tar files with Perl's Archive::Tar, this is a path traversal straight to arbitrary file write, and a pipeline that extracts as root turns it into code execution.

Affects: Anyone running Perl 5.38.2-509 on Azure Linux 3.0, and anyone using Archive::Tar < 3.08 in scripts or automation that process untrusted archives


Patch within 24 hours if internet-facing or otherwise exposed. Update the perl package via `tdnf update perl` on Azure Linux 3.0, or upgrade Archive::Tar to 3.08+ from CPAN.

Exposure: Network-reachable systems

ONE UPDATE · 3 CVEs · 1 CRITICAL
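The bug class behind CVE-2026-42496, shown in Go rather than Perl so it runs with the standard library alone. This is an added example, not Archive::Tar's code or its fix. It builds a constructed malicious archive in memory (a symlink out of the extraction root followed by a file written through it, plus a bare ../ escape, alongside a harmless in-root link) and audits every entry before anything touches disk, resolving each path through the symlinks the archive itself declared. File names and contents are made up.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Finding is an entry the audit refuses, with the reason.
type Finding struct{ Name, Reason string }

// escapes is true for paths that leave the extraction root.
func escapes(p string) bool {
	return path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../")
}

// resolve rewrites an archive path through every symlink an earlier entry
// declared and returns where a write would really land, relative to the root.
func resolve(name string, links map[string]string) (string, error) {
	clean := path.Clean(name)
	if escapes(clean) {
		return "", fmt.Errorf("%q escapes the extraction root", name)
	}
	comps := strings.Split(clean, "/")
	cur, hops := ".", 0
	for i := 0; i < len(comps); i++ {
		cur = path.Join(cur, comps[i])
		target, isLink := links[cur]
		if !isLink {
			continue
		}
		if hops++; hops > 40 {
			return "", fmt.Errorf("%q: symlink loop", name)
		}
		if path.IsAbs(target) { // path.Join would silently drop the leading slash
			return "", fmt.Errorf("%q goes through symlink %q -> absolute %q", name, cur, target)
		}
		next := path.Clean(path.Join(path.Dir(cur), target))
		if escapes(next) {
			return "", fmt.Errorf("%q goes through symlink %q -> %q outside the root", name, cur, next)
		}
		// Restart with the remaining components hanging off the link target.
		comps = append(strings.Split(next, "/"), comps[i+1:]...)
		cur, i = ".", -1
	}
	return cur, nil
}

// AuditTar returns the resolved paths it would allow and the entries it refuses.
func AuditTar(r io.Reader) ([]string, []Finding, error) {
	var accepted []string
	var findings []Finding
	links := map[string]string{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, findings, nil
		}
		if err != nil {
			return nil, nil, err
		}
		loc, rerr := resolve(hdr.Name, links)
		if rerr != nil {
			findings = append(findings, Finding{hdr.Name, rerr.Error()})
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink {
			// Record the link even when refusing it, so later entries that
			// depend on it are judged by what the archive asked for.
			links[loc] = hdr.Linkname
			if path.IsAbs(hdr.Linkname) || escapes(path.Clean(path.Join(path.Dir(loc), hdr.Linkname))) {
				findings = append(findings, Finding{hdr.Name, "symlink target " + hdr.Linkname + " leaves the extraction root"})
				continue
			}
		}
		accepted = append(accepted, loc)
	}
}

// BuildMaliciousTar constructs the sample archive in memory (made-up contents).
func BuildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name string, flag byte, link, body string) {
		h := &tar.Header{Name: name, Typeflag: flag, Linkname: link, Mode: 0644, Size: int64(len(body))}
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		tw.Write([]byte(body))
	}
	add("README", tar.TypeReg, "", "benign\n")
	add("out", tar.TypeSymlink, "../../", "") // points above the root
	add("out/.ssh/authorized_keys", tar.TypeReg, "", "ssh-ed25519 AAAA... attacker\n")
	add("../../etc/cron.d/job", tar.TypeReg, "", "* * * * * root id\n") // bare traversal
	add("lib", tar.TypeSymlink, "vendor", "") // harmless in-root link
	add("lib/util.pm", tar.TypeReg, "", "1;\n")
	tw.Close()
	return buf.Bytes()
}

func main() {
	ok, bad, err := AuditTar(bytes.NewReader(BuildMaliciousTar()))
	if err != nil {
		panic(err)
	}
	fmt.Println("would extract:", ok)
	for _, f := range bad {
		fmt.Printf("REFUSED %-28s %s\n", f.Name, f.Reason)
	}
}
```

Run the audit over an untrusted archive before handing it to the real extractor. It models only the links the archive declares, so also refuse to extract into a directory that already contains symlinks you don't control, and keep extraction out of root-owned pipelines wherever you can.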

CVE-2026-46833 CVSS 9.0 CRITICAL

An unauthenticated attacker with network access via TLS can potentially take over the Oracle Database Net Service component, and successful exploitation can pivot to affect other products (scope change). The catch: it's rated high complexity, meaning it's hard to pull off. Still, a CVSS 9.0 with no auth required on a network-facing database listener is not something to sit on.

Affects: Oracle Database Server operators running versions 23.4.0 through 23.26.2 with Net Service exposed on the network


Patch within 24 hours for internet-facing systems. Apply the Oracle Critical Patch Update that addresses CVE-2026-46833 for Oracle Database Server 23.x.

Exposure: Internet-facing systems


Community Signal Check

Two Microsoft Defender bugs exploited in the wild, CISA deadline June 3

Attackers are exploiting CVE-2026-41091 (privilege escalation to SYSTEM via improper link resolution) and CVE-2026-45498 (denial of service) in Microsoft Defender. Both are in CISA's KEV catalog with a June 3 patch deadline. If you run Defender on Windows endpoints, confirm your definitions and platform updates are current.

The Hacker News • active_exploitation

NGINX heap overflow CVE-2026-42945 (CVSS 9.2) exploited days after disclosure

VulnCheck confirmed active exploitation of CVE-2026-42945, an 18-year-old heap buffer overflow in ngx_http_rewrite_module. Unauthenticated attackers are sending crafted HTTP requests to crash workers or get RCE, then dropping PHP web shells. If you expose NGINX to the internet, patch or update your build immediately.

The Hacker News • active_exploitation

KB5089549 Windows 11 May 2026 update fails with 0x800f0922 on small EFI partitions

KB5089549 fails to install and rolls back on Windows 11 machines with 10 MB or less free on the EFI System Partition, dying at about 35% during reboot. Microsoft shipped a Known Issue Rollback that auto-fixes consumer and unmanaged business devices. If you manage devices through Group Policy, you need to deploy the KIR policy manually.

BleepingComputer • broken_patch

CISA orders 4-day patch window for LiteSpeed cPanel plugin CVE-2026-48172

CVE-2026-48172 is a privilege escalation in LiteSpeed's cPanel plugin (versions 2.3 through 2.4.4) that lets a regular cPanel user run scripts as root. It's exploited in the wild, and CISA gave federal agencies until May 29 to patch. If you host on cPanel with the LiteSpeed plugin, update to 2.4.5+ now.

BleepingComputer • active_exploitation

SECURE BOOT · 26 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

Also patched this window

Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.

7.5  CVE-2026-10056
CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default…
7.5  CVE-2026-46835
Vulnerability in the Net Service component of Oracle Database Server.
7.5  CVE-2026-46834
Vulnerability in the Net Service component of Oracle Database Server.
7.5  CVE-2026-10044
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET…
7.8  CVE-2026-47333
Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size…
7.8  CVE-2026-47331
Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list.
7.4  CVE-2026-46579
A flaw was found in the OpenShift Router.
10.0  CVE-2026-46840
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service).
10.0  CVE-2026-43898 · nyariv:sandboxjs
Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback.
9.8  CVE-2026-3655 · cms:wordpress
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60.

Plus 29 more this window. See NVD for the full list.

Recent from the blog

Palo Alto's third edge zero-day in two years rhymes with the first two
CISA's federal deadline for CVE-2026-0300 landed four days before a patch existed. The deadline is not the story. The third PAN-OS portal z…

NGINX Rift: four places apt upgrade doesn't reach
The host patch for CVE-2026-42945 shipped on day one. The container images, the App Protect WAF in front of it, the downstream forks, and t…

GlassWorm's botnet is down, but the technique it proved still works
CrowdStrike, Google, and Shadowserver knocked out all four C2 channels at once. That ends the infrastructure, not the playbook. Three primi…

That's your patch day digest.

patchdayalert.com

