Category Archives: Projects

May Microsoft Patch Tuesday

Leave a reply

May Microsoft Patch Tuesday

May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:

🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."

Among the remaining ones, the following stand out:

🔹 RCE - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: "This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."

🔹 RCE - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: "No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."

🔹 RCE - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: "This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."

🔹 RCE - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane is an attack vector for each of these vulnerabilities.

🔹 RCE - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: "It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."

🔹 EoP - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges to SYSTEM level. In the case of CVE-2026-33841, the attacker can elevate privileges to Medium/High integrity level.

🗒 Full Vulristics report

April Linux Patch Wednesday

Leave a reply

April Linux Patch Wednesday

April Linux Patch Wednesday. In April, Linux vendors addressed 1,035 vulnerabilities - nearly twice as many as in March. One might assume that most of these would again be Linux Kernel vulnerabilities, but that's not the case! Linux Kernel vulnerabilities were relatively few - just 209. The remaining vulnerabilities are distributed across more than 200 affected products. Notably, two vulnerabilities show evidence of active exploitation in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). Remote code execution is possible via the Jolokia API (/api/jolokia/) with no authentication required. The vulnerability remained hidden in the codebase for 13 years before being discovered using AI. Listed in the CISA KEV since April 16. Numerous exploits are available on GitHub.

🔻 RCE - Chromium (CVE-2026-5281). A use-after-free vulnerability in Dawn (Chromium's graphics layer and WebGPU implementation) affects Google Chrome versions prior to 146.0.7680.178. A remote attacker who has gained control of the rendering process can execute arbitrary code via a specially crafted HTML page. Listed in the CISA KEV since April 1.

Public exploits are available, or signs of their existence have been observed, for another 133 (❗️) vulnerabilities. The most notable ones, in my opinion:

🔸 RCE - Cockpit (CVE-2026-4631). Cockpit is a web‑based tool for server administration in Linux systems, enabling users to manage servers, containers, storage, and network configurations through a browser interface. An attacker with network access to the Cockpit web service can send a single HTTP request to the login page, injecting malicious SSH options or commands and executing code on the Cockpit server - all without valid credentials.

🔸 RCE - CUPS (CVE-2026-34990 + CVE-2026-34980). CUPS (Common UNIX Printing System) is a printing system for Unix‑like operating systems, including Linux and macOS. A chain of these vulnerabilities allows a remote attacker without authentication to overwrite files with root permissions over the network, effectively gaining root access on a typical Linux system.

🔸 RCE - KVM Tool (CVE-2021-45464). KVM Tool is a lightweight tool for running virtual machines based on KVM (Kernel‑based Virtual Machine) in Linux. KVM Tool prior to commit 39181fc contains an out‑of‑bounds write vulnerability, allowing a guest OS user to execute arbitrary code on the host machine.

🔸 PathTrav - tar (npm) (CVE-2026-31802, CVE-2026-24842). Prior to version 7.5.11, the npm package allowed creating a symbolic link pointing outside the extraction directory, leading to file overwrites.

Other vulnerabilities worth paying attention to:

🔸 RCE - Handlebars (CVE-2026-33937), tiemu (CVE-2017-20225), Netwide Assembler (CVE-2026-6067), openexr (CVE-2026-34545), Axios (CVE-2026-40175), hdf5 (CVE-2026-29043)
🔸 CodeInj - GLPI (CVE-2025-66417), glances (CVE-2026-30930, CVE-2026-32611), Handlebars (CVE-2026-33938, CVE-2026-33940), dynaconf (CVE-2026-33154), icalendar (CVE-2026-33635)
🔸 SFB - ormar (CVE-2026-27953), cpp-httplib (CVE-2026-34441), Safari (CVE-2026-20643), rack (CVE-2026-34835), wolfssl (CVE-2026-5194), Traefik (CVE-2026-32695), glances (CVE-2026-32632, CVE-2026-32634), Vert.x-Web (CVE-2026-1002), ecdsa (CVE-2026-33936), glibc (CVE-2026-4438), incus (CVE-2026-33542), Mongoose (CVE-2026-2968)
🔸 AuthBypass - scitokens_cpp_library (CVE-2026-32725, CVE-2026-32726), Node.js pbkdf2 (CVE-2026-32633), rack-session (CVE-2026-39324), Traefik (CVE-2026-33433), grpc (CVE-2026-33186), nltk (CVE-2026-33231)
🔸 ArbFileWrite - Rust (CVE-2026-33056)
🔸 CmdInj - Netty (CVE-2026-33870), awstats (CVE-2025-63261)
🔸 EoP - Keycloak (CVE-2026-4636), QEMU (CVE-2026-33711), glances (CVE-2026-33641)

🗒 Full Vulristics report

April Microsoft Patch Tuesday

Leave a reply

April Microsoft Patch Tuesday

April Microsoft Patch Tuesday. A total of 167 vulnerabilities, about twice as many as in March. There is one vulnerability already being exploited in the wild:

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)". There is no info yet about how widely it is being used in attacks, but you should not delay patching, especially if SharePoint is exposed to the Internet.

Formally, there are no public exploits yet. However, there are strong indications that a public exploit may already exist for one vulnerability.

🔸 EoP - Microsoft Defender (CVE-2026-33825). "Insufficient granularity of access control" in Microsoft Defender allows a logged-in attacker to gain higher privileges on a local system. Tenable and ZDI say the bug looks similar to the BlueHammer zero-day, for which a public exploit was released on GitHub on April 3. The researcher who published it, Chaotic Eclipse, criticized Microsoft’s disclosure process. ZDI says the exploit is real, but exploitation is unstable and not always reliable.

Other important issues:

🔹 RCE - Windows Active Directory (CVE-2026-33826). To exploit this, the attacker must have an account. The attacker sends a specially crafted RPC request to a vulnerable server, which can lead to code execution. Microsoft says the attacker must be in the same restricted Active Directory domain as the target system.

🔹 RCE - Windows Internet Key Exchange (IKE) Service Extensions (CVE-2026-33824). ZDI says this vulnerability is wormable, meaning it could allow malware to spread automatically between systems. It affects systems with IKE enabled, which creates a large attack surface. Microsoft recommends blocking UDP ports 500 and 4500 at the network edge. However, attackers inside the network can still use it for lateral movement. Patch quickly if you use IKE.

🔹 RCE - Windows TCP/IP (CVE-2026-33827). ZDI also says this may be wormable, especially on systems using IPv6 and IPSec. A race condition makes it harder to exploit, but similar bugs are often exploited at Pwn2Own, so you should not rely on that difficulty. If you use IPv6, test and deploy the patch quickly before exploits appear.

🔹 EoP - Windows Push Notifications (CVE-2026-26167). This Patch Tuesday includes several sandbox escape vulnerabilities, including in Push Notifications, AFD for Winsock, Windows Management Services, and User Interface Core. CVE-2026-26167 (Push Notifications) is the most important because it is the only one with low attack complexity. The others require winning a race condition (AC:H).

🔹 Spoofing - Remote Desktop (CVE-2026-26151). Weak warnings in the Remote Desktop interface allow a network attacker to trick a user into opening a specially crafted file, leading to spoofing. The issue was found by the UK National Cyber Security Centre (NCSC).

🗒 Full Vulristics report

March Linux Patch Wednesday

Leave a reply

March Linux Patch Wednesday

March Linux Patch Wednesday. In March, Linux vendors began addressing 575 vulnerabilities, which is 57 fewer than in February. Of these, 93 are in the Linux Kernel (⬇️ a significant decrease - there were 305 in February). There are two vulnerabilities with signs of in-the-wild exploitation:

🔻 RCE - Chromium (CVE-2026-3909, CVE-2026-3910)

Additionally, for 130 (❗️) vulnerabilities, public exploits are available or there are indications of their existence. Notable ones include:

🔸 RCE - Caddy (CVE-2026-27590), NLTK (CVE-2025-14009), Rollup (CVE-2026-27606), GVfs (CVE-2026-28296), SPIP (CVE-2026-27475), OpenStack Vitrage (CVE-2026-28370)
🔸 AuthBypass - Curl (CVE-2026-3783), coTURN (CVE-2026-27624), Libsoup (CVE-2026-3099)
🔸 InfDisc - Glances (CVE-2026-30928, CVE-2026-32596)
🔸 PathTrav - gSOAP (CVE-2019-25355), basic-ftp (CVE-2026-27699)
🔸 EoP - Snapd (CVE-2026-3888), GNU Inetutils (CVE-2026-28372)
🔸 SFB - Caddy (CVE-2026-27585, CVE-2026-27587/88/89), Keycloak (CVE-2026-1529), PyJWT (CVE-2026-32597), Authlib (CVE-2026-27962, CVE-2026-28498, CVE-2026-28802)
🔸 CodeInj - lxml_html_clean (CVE-2026-28350), ormar (CVE-2026-26198)
🔸 SSRF - Libsoup (CVE-2026-3632)

🗒 Full Vulristics report

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. A total of 79 vulnerabilities, about one and a half times more than in February. What's truly unusual is that this time there were no vulnerabilities with signs of exploitation in the wild or a public exploit! 🤔 At least not yet. 😏

The following vulnerabilities can be highlighted:

🔹 RCE - Print Spooler (CVE-2026-23669), Office (CVE-2026-26110, CVE-2026-26113), Excel (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112), SharePoint Server (CVE-2026-26106, CVE-2026-26114)
🔹 EoP - SQL Server (CVE-2026-21262, CVE-2026-26115, CVE-2026-26116), Windows Kernel (CVE-2026-24287, CVE-2026-24289, CVE-2026-26132), Windows Win32k (CVE-2026-24285), SMB Server (CVE-2026-24294, CVE-2026-26128), Windows Graphics Component (CVE-2026-23668), .NET (CVE-2026-26131)
🔹 DoS - .NET (CVE-2026-26127)

🗒 Full Vulristics report

На русском

February Linux Patch Wednesday

Leave a reply

February Linux Patch Wednesday

February Linux Patch Wednesday. In February, Linux vendors addressed 632 vulnerabilities - 1.5× fewer than in January, including 305 in the Linux Kernel. Two vulnerabilities show signs of in-the-wild exploitation:

🔻 RCE - Chromium (CVE-2026-2441)
🔻 InfDisc - MongoDB "MongoBleed" (CVE-2025-14847)

Public exploits are available or suspected for 56 more vulnerabilities. Notable ones include:

🔸 RCE - OpenSSL (CVE-2025-15467, CVE-2025-69421, CVE-2025-11187), pgAdmin (CVE-2025-12762, CVE-2025-13780), DiskCache (CVE-2025-69872), PyTorch (CVE-2026-24747), Wheel (CVE-2026-24049)
🔸 AuthBypass - M/Monit (CVE-2020-36968)
🔸 EoP - Grafana (CVE-2025-41115, CVE-2026-21721), M/Monit (CVE-2020-36969)
🔸 AFR - Proxmox Virtual Environment (CVE-2024-21545)
🔸 SFB - Chromium (CVE-2026-1504), Roundcube (CVE-2026-25916)

🗒 Full Vulristics report

На русском

February Microsoft Patch Tuesday

Leave a reply

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. A total of 55 vulnerabilities, half as many as in January. There are as many as six (❗️) vulnerabilities being exploited in the wild:

🔻 SFB/RCE - Windows Shell (CVE-2026-21510)
🔻 SFB/RCE - Microsoft Word (CVE-2026-21514)
🔻 SFB - MSHTML Framework (CVE-2026-21513)
🔻 EoP - Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP - Desktop Window Manager (CVE-2026-21519)
🔻 DoS - Windows Remote Access Connection Manager (CVE-2026-21525)

There is also one vulnerability with a public exploit:

🔸 DoS - libjpeg (CVE-2023-2804)

Notable remaining vulnerabilities:

🔹 RCE - Windows Notepad (CVE-2026-20841)
🔹 Spoofing - Outlook (CVE-2026-21511)
🔹 EoP - Windows Kernel (CVE-2026-21231, CVE-2026-21239, CVE-2026-21245), Windows AFD.sys (CVE-2026-21236, CVE-2026-21238, CVE-2026-21241)

🗒 Full Vulristics report

На русском