PostgreSQL buffer overflow, NGINX rewrite bypass, and a Linux SMB handle hijack

SECURE BOOT CERTIFICATE DEADLINE

37 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

TOP THREAT TODAY

When you run `apm install`, the tool follows symlinks placed under `.apm/prompts/` or `.apm/agents/` and copies whatever those links point to into your project tree. An attacker who can commit a crafted symlink to a shared repo could exfiltrate sensitive host files (think SSH keys, cloud credentials, `/etc/shadow`) into the project directory where they become readable or even committed back upstream. Exploitation requires a developer to clone a malicious repo and run `apm install`, so there is a user interaction step.

Who's affected: Developers and CI/CD pipelines using Microsoft APM (installed via pip)

NVD Ref 1 Ref 2

Patch within 24 hours. Update the `postgresql` package to the patched version on Azure Linux 3.0 using `tdnf update postgresql` and restart the service.

Patch within 24 hours. Update NGINX to the patched version on Azure Linux 3.0 via `tdnf update nginx`, then reload the service with `nginx -s reload`.

Patch within 24 hours. Update the kernel package on Azure Linux 3.0 to the patched version via `tdnf update kernel` and reboot. If you can't reboot immediately, consider disabling ksmbd or switching to Samba as a temporary workaround.

Patch this week. Update the gnutls package to the latest patched version through your distribution's package manager.

NGINX CVE-2026-42945 heap buffer overflow exploited in the wild with automated scanning

CVE-2026-42945 is already in today's digest, and now VulnCheck confirms attackers are exploiting it in the wild. Unauthenticated heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2) lets attackers crash NGINX workers or get RCE when ASLR is off. Attackers are using AI-powered scanning tools to find vulnerable instances and drop PHP web shells, so patch NGINX to 1.30.1+ now.

The Hacker News • active_exploitation

Exchange Server CVE-2026-42897 XSS zero-day exploited, no patch yet

Attackers are exploiting CVE-2026-42897 in Exchange Server to run arbitrary JavaScript inside Outlook Web Access sessions. Microsoft confirmed active exploitation but hasn't shipped a patch yet, only temporary mitigations. If you run on-prem Exchange (Subscription Edition, 2016, or 2019), apply the mitigations today and watch for the out-of-band fix.

Security Affairs • active_exploitation

Linux Dirty Frag privilege escalation chain (CVE-2026-43284 + CVE-2026-43500) exploited in the wild

Microsoft Defender caught in-the-wild exploitation of the Dirty Frag chain on May 11. Attackers combined CVE-2026-43284 and CVE-2026-43500 to get root on Linux boxes, then tampered with GLPI LDAP auth files and grabbed PHP session data. If you run Linux hosts with xfrm or RxRPC in your kernel config, prioritize patching and audit for unexpected changes to LDAP configs.

Microsoft Security Blog • active_exploitation

KB5089549 fails at 35% reboot with 0x800f0922 on low EFI partition space

The May 2026 Windows 11 cumulative update (KB5089549) blows up at the reboot phase if your EFI System Partition has 10 MB or less free. You'll see error 0x800f0922 and the install rolls back at about 35%. Microsoft is pushing a Known Issue Rollback fix that auto-propagates to unmanaged devices. If you manage your fleet through Group Policy, you'll need to pull the KIR policy manually.

Microsoft Learn • broken_patch