PatchDay Alert: 2026-05-20
DAILY BRIEF · MAY 20, 2026
Calm day, nothing on fire. Five patches across the board, all CVSS 7.x, none exploited in the wild. The two worth reading first: a denial-of-service in 389 Directory Server that any unauthenticated attacker can trigger with a single oversized LDAP request, and a Keycloak session fixation bug that can lead to full account takeover, admin accounts included.
Clear the most in the fewest moves
2 updates close multiple CVEs at once. Start here.

Update Firefox to 151 (or ESR 140.11) and Thunderbird to 151 (or 140.11) across your fleet. · 32 CVEs, 8 critical

Upgrade Keycloak to the latest patched release and review active sessions for any anomalies. · 9 CVEs

SECURE BOOT CERTIFICATE DEADLINE
35 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

TOP THREAT TODAY
An unauthenticated attacker can send a single oversized LDAP request packed with hundreds of thousands of tiny controls, burning through CPU and heap memory on your 389 Directory Server. Under sustained or concurrent requests, this starves worker threads and can crash the process with an out-of-memory kill. No credentials or special config needed: if your LDAP port is reachable, you're exposed.
Who's affected: Anyone running 389-ds-base (Fedora Directory Server, RHEL IdM/FreeIPA, or CentOS Stream LDAP deployments)
Patch this week.
Update the 389-ds-base package to the latest patched version from your distro's repos and restart the directory service.
CVE-2026-7507 · CVSS 7.5 · EPSS 0.03% · HIGH
An attacker can set up a Keycloak auth session ahead of time, then send a victim a crafted link. When the victim clicks it, Keycloak's SSO silently authenticates them into the attacker's pre-built session, letting the attacker hijack the post-login flow. This can lead to full account takeover, including admin accounts, without ever needing the victim's password.
Affects: Anyone running Keycloak (self-hosted or containerized), especially with internet-facing login pages
Patch within 24 hours.
Upgrade Keycloak to the latest patched release and review active sessions for any anomalies.
ONE UPDATE · 9 CVEs

CVE-2026-8970 · CVSS 7.3 · HIGH
A privilege escalation bug in Firefox and Thunderbird's Security component lets an attacker gain elevated privileges. Details are thin, but Mozilla fixed it in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. If you're behind on browser updates, this one closes a real escalation path.
Affects: Anyone managing Firefox or Thunderbird deployments (desktops, kiosks, developer workstations)
Patch this week.
Update Firefox to 151 (or ESR 140.11) and Thunderbird to 151 (or 140.11) across your fleet.
ONE UPDATE · 32 CVEs, 8 CRITICAL

CVE-2026-44933 · CVSS 7.8 · HIGH
When PluginScript's chroot target is set to `/` (the system root), which is the default in many configurations, the chroot call does nothing. That means plugin scripts can execute any binary on the host, like `/bin/bash`, with root privileges. If you run this with the default `repoManagerRoot` or use the `--root` flag, your plugins have full host access.
Affects: Anyone using PluginScript-based repo managers with default or `--root` configurations on Linux hosts
Patch this week.
Update the affected package to the patched version and verify that `repoManagerRoot` is set to a non-root path in your configuration.
CVE-2026-41054 · CVSS 7.8 · HIGH
The haveged daemon checks whether a connecting user on its UNIX socket is root, but if the check fails it doesn't actually stop processing the request. Any local unprivileged user can send privileged commands (like MAGIC_CHROOT) to the haveged socket and have them executed. This is a classic "check but don't enforce" bug.
Affects: Anyone running haveged for entropy on Linux systems, especially shared or multi-tenant hosts
Patch this week.
Update the haveged package to the patched version from your distro's repos.
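The "check but don't enforce" shape, as an added illustration that is not haveged's source: the peer's uid is whatever the daemon learned from the UNIX socket (on Linux, getsockopt(SO_PEERCRED)), and the only difference between the two handlers is whether a failed check ends the request. MAGIC_CHROOT is the command the page names; GET_ENTROPY and the result codes are hypothetical.

```c
/* Added example: a root check that logs and falls through, beside the
 * version that refuses. Command names other than MAGIC_CHROOT are made up. */
#include <stdio.h>
#include <string.h>

#define PRIV_CMD   "MAGIC_CHROOT"   /* privileged: root only */
#define PUBLIC_CMD "GET_ENTROPY"    /* hypothetical unprivileged command */

enum cmd_result { CMD_DENIED = -1, CMD_UNKNOWN = 0, CMD_EXECUTED = 1 };

/* Vulnerable shape: the root check runs and logs, then control falls
 * through to the privileged action exactly as if the check had passed. */
int dispatch_unenforced(int uid, const char *cmd) {
    if (strcmp(cmd, PUBLIC_CMD) == 0)
        return CMD_EXECUTED;
    if (strcmp(cmd, PRIV_CMD) != 0)
        return CMD_UNKNOWN;
    if (uid != 0)
        fprintf(stderr, "warning: uid %d sent %s\n", uid, cmd);
    /* no return above: a non-root peer still reaches this line */
    return CMD_EXECUTED;            /* would perform the chroot */
}

/* Fixed shape: a failed authorization check terminates the request
 * before any privileged work is done. */
int dispatch_enforced(int uid, const char *cmd) {
    if (strcmp(cmd, PUBLIC_CMD) == 0)
        return CMD_EXECUTED;
    if (strcmp(cmd, PRIV_CMD) != 0)
        return CMD_UNKNOWN;
    if (uid != 0) {
        fprintf(stderr, "denied: uid %d sent %s\n", uid, cmd);
        return CMD_DENIED;
    }
    return CMD_EXECUTED;
}

/* Constructed replay of the page's scenario: an unprivileged local user
 * (uid 1000) sends the privileged command to both handler versions. */
int demo(void) {
    int before = dispatch_unenforced(1000, PRIV_CMD);   /* CMD_EXECUTED */
    int after  = dispatch_enforced(1000, PRIV_CMD);     /* CMD_DENIED */
    return before == CMD_EXECUTED && after == CMD_DENIED;
}
```

When reviewing a daemon's socket handler, the thing to grep for is a privilege check whose failure branch contains only logging.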
Community Signal Check
PAN-OS Captive Portal RCE exploited in the wild, patch now (CVE-2026-0300)
Palo Alto patched CVE-2026-0300, an unauthenticated buffer overflow in the PAN-OS Captive Portal that gives attackers root-level code execution. Limited exploitation in the wild has already been observed. If you expose a User-ID Authentication Portal on PA-Series or VM-Series firewalls, patch immediately or disable the portal until you can.
Palo Alto Networks · active_exploitation

NGINX heap overflow CVE-2026-42945 (CVSS 9.2) actively exploited for RCE
Attackers are exploiting CVE-2026-42945, a heap buffer overflow in NGINX's ngx_http_rewrite_module, for unauthenticated remote code execution. Every NGINX version from 0.6.27 through 1.30.0 is affected. Scans are automated and followed by PHP webshell drops, so upgrade or pull rewrite rules behind a WAF today.
BleepingComputer · active_exploitation

KB5089549 fails to install on systems with small EFI partitions, KIR available
Microsoft confirmed that KB5089549 (the May 2026 Windows 11 cumulative update) fails with error 0x800f0922 on machines whose EFI System Partition has 10 MB or less free. Installation gets to about 35% during reboot, then rolls back. A Known Issue Rollback policy is available to unblock installs while Microsoft works on a permanent fix.
BleepingComputer · broken_patch

May 12 KB updates break Netwrix Threat Prevention Kerberos and NTLM capture
If you run Netwrix Threat Prevention agents on your DCs, heads up: the May 12 cumulative updates break Kerberos and NTLM event capture and blocking. Update the Netwrix agents first, then apply the KBs. Reversing that order leaves you blind to auth events until you fix the agent.
Netwrix Community · regression

That's your patch day digest.
patchdayalert.com