DAILY BRIEF · APRIL 30, 2026
Two 9.8s and a 9.0 showed up today, none exploited in the wild yet, but don't let that make you comfortable. A buffer calc bug in ksmbd (the in-kernel SMB3 server) is the headliner: unauthenticated, remote, and likely RCE if you expose it on any network. Right behind it, an authenticated Wazuh cluster peer can chain a path traversal into full code execution on other nodes.
TOP THREAT TODAY
An authenticated Wazuh cluster peer can use a path traversal bug in the cluster sync routine to write arbitrary files on other cluster nodes. Because the attacker can overwrite Python modules Wazuh loads, this escalates straight to code execution in the Wazuh service context. If your cluster daemon runs with elevated privileges, that means full system compromise.
Who's affected: Anyone running Wazuh clusters on versions 4.4.0 through 4.14.3
Patch immediately.
Upgrade Wazuh to version 4.14.4 on every cluster node tonight.
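Added check, not part of the brief: a small audit that takes the node list Wazuh's cluster_control -l prints (the NAME TYPE VERSION ADDRESS column layout is assumed) and flags every node still on an affected 4.4.0 through 4.14.3 build, so no node is missed during the upgrade to 4.14.4. The sample node list is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a Wazuh cluster for nodes still on builds affected by the
# cluster-sync path traversal (4.4.0 through 4.14.3; upgrade target is 4.14.4).
# Assumes the node list uses the column layout cluster_control -l prints
# (NAME TYPE VERSION ADDRESS). Sample input below is constructed for the demo.

# version_le A B: exit 0 if dotted version A <= B, comparing each field numerically.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# wazuh_affected VERSION: exit 0 if VERSION falls inside the affected range.
wazuh_affected() {
  version_le 4.4.0 "$1" && version_le "$1" 4.14.3
}

# affected_nodes FILE: print "NAME VERSION" for every affected node in the list.
# The header line is skipped and a leading 'v' on the version is tolerated.
affected_nodes() {
  awk 'NR > 1 && NF >= 3 { sub(/^v/, "", $3); print $1, $3 }' "$1" |
  while read -r name ver; do
    if wazuh_affected "$ver"; then
      printf '%s %s\n' "$name" "$ver"
    fi
  done
}

# Constructed sample standing in for the output of: /var/ossec/bin/cluster_control -l
sample=$(mktemp)
cat > "$sample" <<'EOF'
NAME      TYPE    VERSION  ADDRESS
master    master  4.14.4   10.0.0.10
worker-1  worker  4.14.3   10.0.0.11
worker-2  worker  4.12.0   10.0.0.12
worker-3  worker  4.3.11   10.0.0.13
EOF

affected_nodes "$sample"   # lists worker-1 and worker-2; master and worker-3 are outside the range
rm -f "$sample"
```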
CVE-2026-31478 · CVSS 9.8 · EPSS 0.09% · CRITICAL
A buffer calculation bug in ksmbd (the in-kernel SMB3 server) can be triggered remotely. The CVSS 9.8 score signals unauthenticated remote exploitation is likely possible, though the terse commit message leaves exact impact unclear. If you expose ksmbd on any network, treat this as a potential remote code execution path.
Affects: Teams running Azure Linux 3.0 with kernel 6.6.130.1-3 or CBL Mariner 2.0 with kernel 5.15.202.1-1 that have ksmbd enabled
Patch within 24 hours.
Update the kernel package to the latest patched version via your distro's package manager, then reboot. If you don't need ksmbd, disable or unload the ksmbd module now as a quick mitigation.
CVE-2018-25318 · CVSS 9.8 · CRITICAL
Tenda FH303/A300 routers on firmware V5.07.68_EN don't properly validate session cookies. An unauthenticated attacker on the network can send a crafted request to the DNS settings endpoint and redirect all client traffic through a malicious DNS server. No login required.
Affects: Anyone running Tenda FH303 or A300 routers with firmware V5.07.68_EN
Patch this week.
Check Tenda's support site for a firmware update. If no patch is available, restrict management interface access to a trusted VLAN or replace the device with a supported router.
CVE-2018-25317 · CVSS 9.8 · CRITICAL
Tenda W3002R, A302, and W309R routers on firmware V5.07.64_en have the same broken session validation as CVE-2018-25318. An unauthenticated attacker can forge an admin cookie and rewrite the router's DNS settings, redirecting all user traffic to attacker-controlled DNS servers.
Affects: Anyone running Tenda W3002R, A302, or W309R routers with firmware V5.07.64_en
Patch this week.
Check Tenda's support site for a firmware update. If none exists, isolate the management interface to a trusted network segment or replace the hardware.
CVE-2026-28387 · CVSS 8.1 · EPSS 0.03% · HIGH
A use-after-free bug exists in OpenSSL's DANE client verification code. An attacker who controls a malicious server (or sits in a network position to manipulate TLS handshakes) could trigger it to crash, or potentially execute code in, any application that uses OpenSSL's DANE validation. CVSS 8.1, but there is no known exploitation yet and the EPSS score is very low at 0.00032.
Affects: Teams running Azure Linux 3.0 with OpenSSL 3.3.5-4, Node.js 24.x packages (24.13.0-3 through 24.14.1-2), or cloud-hypervisor 48.0.246-4
Patch this week.
Update OpenSSL, Node.js 24, and cloud-hypervisor packages to the latest patched versions in the Azure Linux 3.0 repos. If you don't use DANE for TLS certificate verification, your exposure is lower, but still patch promptly.
Community Signal Check
SonicWall SonicOS auth bypass: unauthenticated access to management interface (CVE-2026-0204)
SonicWall dropped patches for three SonicOS bugs across Gen 6 through Gen 8 firewalls. The worst is CVE-2026-0204, a HIGH-rated authentication bypass that lets unauthenticated attackers hit the management interface directly. Until you can flash the new firmware, disable HTTP/HTTPS management and SSL-VPN, and lock access down to SSH only.
SonicWall PSIRT · vendor_advisory

Linux kernel local privilege escalation "Copy Fail" (CVE-2026-31431): public exploit, trivial root
CVE-2026-31431 is a local privilege escalation in the Linux kernel affecting kernels 4.13 and newer, so basically every modern distro. A 732-byte Python script gives any unprivileged user root with no race conditions or version tweaks. It also enables container escape and modifies the page cache in-memory, which means file integrity monitoring won't catch it. Check your distro's patch tracker and prioritize this one hard.
Bugcrowd · active_exploitation

Microsoft Defender "BlueHammer" zero-day (CVE-2026-33825) exploited since April 10
Huntress confirmed attackers are exploiting CVE-2026-33825, a TOCTOU race condition in Microsoft Defender that escalates to SYSTEM. They're using it post-initial-access after popping SSL VPN accounts. Microsoft patched BlueHammer in the April release, but two more Defender zero-days (RedSun and UnDefend) remain unpatched. Apply the April cumulative update and keep an eye on those other two.
The Hacker News · active_exploitation

KB5082063 causes domain controller reboot loops, BitLocker recovery prompts on Windows Server
The April cumulative update KB5082063 is causing LSASS crashes and reboot loops on some domain controllers, plus BitLocker recovery prompts on Server 2025 boxes where PCR7 validation is configured. Microsoft shipped out-of-band fixes: KB5091157 for Server 2025, KB5091571 for 23H2, KB5091575 for 2022, KB5091573 for 2019, and KB5091572 for 2016. If you haven't deployed KB5082063 to DCs yet, grab the OOB fix first and test in a staged rollout.
Windows Forum / BleepingComputer · broken_patch

That's your patch day digest.
patchdayalert.com