TODAY'S CALL
Heads up: attackers are actively crashing SolarWinds Serv-U file transfer servers with a single unauthenticated HTTP request (CVE-2026-28318, CVSS 7.5). If you run Serv-U, patch it before your morning coffee. The rest of the day is 4 more CVSS 7.5 denial-of-service bugs across Comodo, Go, Perl, and FRRouting, none exploited yet, but the Comodo kernel crash from a single IPv6 packet deserves a look too.
DO FIRST
• Update Serv-U to the latest patched version now (CVE-2026-28318)
• Update Comodo Internet Security to the latest version that fixes the Inspect.sys driver (CVE-2026-49494)
• Update Go to 1.25.10-1 or 1.26.3-1 (or later) on Azure Linux 3.0 (CVE-2026-42504)
• Update perl-HTML-Parser to version 3.84 or later (CVE-2026-8829)
• Update FRR to a patched release beyond 10.6 (CVE-2026-37460)

Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVES | URGENCY | IMPACT
Update Comodo Internet Security to the latest version that fixes the Inspect.sys driver | 12 (2 critical) | Patch within 24 hours, internet-facing only | Endpoint reboot
Update Go to 1.25.10-1 or 1.26.3-1 (or later) on Azure Linux 3.0 | 3 | Patch this week, network-reachable only | —

TOP THREAT TODAY

CVE-2026-28318 · HIGH · EXPLOITED
An attacker can crash your SolarWinds Serv-U file transfer service by sending a specially crafted POST request with a deflate content encoding. No authentication needed, no user interaction, just one HTTP request and the service goes down. This is already exploited in the wild, and the EPSS score (0.07, 91st percentile) confirms real-world attack activity is elevated.
Who's affected: Anyone running SolarWinds Serv-U, especially version 15.5.4 or earlier, exposed to the internet.
Patch immediately given active exploitation.
Update Serv-U to the latest patched version now. If you can't patch immediately, apply the mitigation steps from the SolarWinds Trust Center to limit exposure.
Exposure: Active exploitation (KEV)
References: NVD · KEV · Ref 1 · Ref 2

CVE-2026-49494 · CVSS 7.5 · HIGH
A single crafted IPv6 packet can blue-screen any Windows machine running Comodo Internet Security, even if all ports are blocked. The firewall's kernel driver (Inspect.sys) botches the math on IPv6 extension header lengths, causing an integer underflow that leads to an out-of-bounds read or oversized memory copy at kernel level. No authentication, no open ports, no user interaction required: if the host receives the packet, it crashes.
Affects: Anyone running Comodo Internet Security with the Inspect.sys firewall driver on Windows, particularly systems reachable over IPv6.
Patch within 24 hours for internet-facing systems.
Update Comodo Internet Security to the latest version that fixes the Inspect.sys driver. If no patch is available yet, disable IPv6 on affected hosts or add an upstream filter to drop malformed IPv6 packets as a temporary workaround.
Exposure: Internet-facing systems · Op impact: Endpoint reboot
ONE UPDATE · 12 CVEs · 2 CRITICAL
References: NVD · Ref 1 · Ref 2

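The check the Comodo write-up above says Inspect.sys gets wrong, shown as a bounds-checked walk of an IPv6 extension-header chain. This is constructed example code added here, not Comodo's driver code; the packet layout, function names and the set of extension headers covered are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed example, not Comodo's Inspect.sys code. Compare each extension
// header's declared size with the bytes actually left BEFORE subtracting; else a
// lying Hdr Ext Len wraps an unsigned "remaining" counter and later reads overrun.

const ipv6FixedHeaderLen = 40
// Headers whose 2nd byte is Hdr Ext Len in 8-octet units, excluding the first
// 8 (RFC 8200): Hop-by-Hop 0, Routing 43, Dest Options 60. Fragment/AH omitted.
var hasHdrExtLen = map[byte]bool{0: true, 43: true, 60: true}
var errTruncated = errors.New("ipv6: extension header runs past end of packet")

// upperLayerOffset returns the offset and protocol of the first upper-layer header.
func upperLayerOffset(pkt []byte) (int, byte, error) {
	if len(pkt) < ipv6FixedHeaderLen {
		return 0, 0, errTruncated
	}
	next, off := pkt[6], ipv6FixedHeaderLen // Next Header is byte 6
	for hasHdrExtLen[next] {
		if len(pkt)-off < 2 { // need Next Header + Hdr Ext Len bytes
			return 0, 0, errTruncated
		}
		extLen := (int(pkt[off+1]) + 1) * 8
		if extLen > len(pkt)-off { // check before any subtraction or advance
			return 0, 0, errTruncated
		}
		next, off = pkt[off], off+extLen
	}
	return off, next, nil
}

// sampleIPv6: constructed 48-byte packet, fixed header + one Hop-by-Hop header, then TCP.
func sampleIPv6(hdrExtLen byte) []byte {
	pkt := make([]byte, ipv6FixedHeaderLen+8)
	pkt[0], pkt[6] = 0x60, 0        // version 6; Next Header = Hop-by-Hop
	pkt[40], pkt[41] = 6, hdrExtLen // Hop-by-Hop: Next Header TCP, Hdr Ext Len
	return pkt
}

func main() {
	for _, l := range []byte{0, 255} { // an honest header, then a lying one
		off, proto, err := upperLayerOffset(sampleIPv6(l))
		fmt.Printf("hdrExtLen=%d -> offset=%d proto=%d err=%v\n", l, off, proto, err)
	}
}
```
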
CVE-2026-42504 · CVSS 7.5 · EPSS 0.04% · HIGH
A bug in Go's mime package lets an attacker trigger quadratic CPU consumption by sending a specially crafted MIME header. Any Go service that parses email-style MIME headers (or anything using WordDecoder.DecodeHeader) could get pinned at high CPU, causing a denial of service. The EPSS score is very low (0.0004), so real-world exploitation is unlikely right now, but it's an easy fix.
Affects: Teams running Go applications that parse MIME headers, and Azure Linux 3.0 users running the affected golang, gcc, or tensorflow/tensorboard packages.
Patch this week.
Update Go to 1.25.10-1 or 1.26.3-1 (or later) on Azure Linux 3.0. For other distros, upgrade to the Go release that includes the mime package fix.
Exposure: Network-reachable systems
ONE UPDATE · 3 CVEs
References: NVD · MSRC · Ref 1

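A stop-gap for services that cannot roll the fixed Go build out the same day, added here as an example and not part of Go's mime package: cap the header size before WordDecoder.DecodeHeader runs, so the quadratic path never sees attacker-sized input. The cap value and the function name are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// Constructed guard, not part of Go's mime package. Until the fixed Go release
// is deployed, bound what reaches WordDecoder.DecodeHeader: the quadratic cost
// only bites on attacker-sized input, so a hard byte cap turns an unbounded
// CPU burn into an immediate, cheap rejection.

// Assumed cap; set it to the longest legitimate header your service sees.
const maxHeaderBytes = 8 * 1024

var errHeaderTooLong = errors.New("mime: header exceeds size cap")

// decodeHeaderBounded rejects oversized headers before decoding any
// RFC 2047 encoded-words in them; small headers decode exactly as before.
func decodeHeaderBounded(h string) (string, error) {
	if len(h) > maxHeaderBytes {
		return "", errHeaderTooLong
	}
	var dec mime.WordDecoder
	return dec.DecodeHeader(h)
}

func main() {
	// Constructed inputs: a normal encoded-word header and an oversized one.
	for _, h := range []string{
		"=?UTF-8?Q?Caf=C3=A9?= <a@example.invalid>",
		strings.Repeat("=?UTF-8?Q?a?= ", maxHeaderBytes/8),
	} {
		out, err := decodeHeaderBounded(h)
		fmt.Printf("len=%d out=%q err=%v\n", len(h), out, err)
	}
}
```
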
CVE-2026-8829 · CVSS 7.5 · EPSS 0.03% · HIGH
The Perl HTML::Entities module before version 3.84 reads freed heap memory when decoding HTML entities. This is a use-after-free bug that could lead to crashes or, in theory, information leaks in any Perl application that processes untrusted HTML. Exploitation probability is very low (EPSS 0.0003).
Affects: Anyone running Perl applications that use HTML::Parser (specifically HTML::Entities) to process untrusted HTML, including Azure Linux 3.0 users on perl-HTML-Parser 3.82-1.
Patch this week.
Update perl-HTML-Parser to version 3.84 or later. On Azure Linux 3.0, run 'tdnf update perl-HTML-Parser'.
Exposure: Network-reachable systems
References: NVD · MSRC

CVE-2026-37460 · CVSS 7.5 · EPSS 0.04% · HIGH
A crafted BGP UPDATE message can crash FRRouting (FRR) versions 10.0 through 10.6 due to missing input validation in the RFAPI RIB code. If you peer with untrusted BGP neighbors or run FRR on internet-facing routers, an attacker can take down your routing daemon. Exploitation requires the ability to send BGP UPDATEs to an affected peer.
Affects: Network engineers running FRRouting 10.0 through 10.6, including Azure Linux 3.0 users with frr 10.5.4-1.
Patch this week.
Update FRR to a patched release beyond 10.6. On Azure Linux 3.0, run 'tdnf update frr'. Review your BGP peering configuration and restrict sessions to trusted peers where possible.
Exposure: Network-reachable systems
References: NVD · MSRC

Community Signal Check
Cisco SD-WAN Manager zero-day CVE-2026-20245 exploited in the wild, no patch available
Attackers are exploiting CVE-2026-20245 to get root on Cisco Catalyst SD-WAN Manager. No patch exists yet. If you run SD-WAN Manager, lock down netadmin access and watch for crafted file uploads pushing config changes to edge devices.
BleepingComputer · active_exploitation

Windows Netlogon RCE CVE-2026-41089 now exploited in the wild
Belgium's CCB confirmed attackers are exploiting CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that gives unauthenticated remote code execution on domain controllers. Microsoft patched this in May 2026. If you haven't applied that update to your DCs yet, stop reading and go do it.
BleepingComputer · active_exploitation

PAN-OS GlobalProtect auth bypass CVE-2026-0257 under active exploitation
Unit 42 is seeing active exploitation of CVE-2026-0257, an authentication bypass in GlobalProtect portal and gateway components. Unauthenticated attackers can bypass security controls and attempt VPN connections. CISA added it to the KEV catalog on May 29, so patch your PAN-OS devices now if you haven't already.
Unit 42 · active_exploitation

KB5089549 fails to install on systems with small EFI partitions
The May 2026 Windows 11 security update KB5089549 fails at about 35% during restart and rolls back if your EFI System Partition has 10 MB or less free. Error code is 0x800f0922. Microsoft says to install KB5089573 as the fix, or use Known Issue Rollback.
BleepingComputer · broken_patch

SECURE BOOT · 16 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
8.8 · CVE-2026-11108 · browser:chrome · Inappropriate implementation in NFC in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker…
7.8 · CVE-2026-50264 · An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat.
7.8 · CVE-2026-50261 · A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter().
7.8 · CVE-2026-50260 · A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter().
7.8 · CVE-2026-50259 · A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland.
7.8 · CVE-2026-50258 · A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland.
7.8 · CVE-2026-50257 · A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence().
7.8 · CVE-2026-50256 · A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland.
7.5 · CVE-2026-3238 · A flaw was found in Samba's WINS server component when running as an Active Directory Domain Controller.
7.4 · CVE-2026-50752 · A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated…
Plus 17 more this window. See NVD for the full list.

Recent from the blog

Two AWS bugs you'd never have heard about, and the fix was yours
AWS disclosed two SageMaker SDK flaws on its own bulletins page. They may carry a CVE ID with no CVSS, they'll never hit CISA KEV, and patc…

One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essential…

Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule. None of these will announce them…

That's your patch day digest.
patchdayalert.com