Category Archives: Vulristics

April Linux Patch Wednesday

Leave a reply

April Linux Patch Wednesday

April Linux Patch Wednesday. In April, Linux vendors addressed 1,035 vulnerabilities - nearly twice as many as in March. One might assume that most of these would again be Linux Kernel vulnerabilities, but that's not the case! Linux Kernel vulnerabilities were relatively few - just 209. The remaining vulnerabilities are distributed across more than 200 affected products. Notably, two vulnerabilities show evidence of active exploitation in the wild:

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). Remote code execution is possible via the Jolokia API (/api/jolokia/) with no authentication required. The vulnerability remained hidden in the codebase for 13 years before being discovered using AI. Listed in the CISA KEV since April 16. Numerous exploits are available on GitHub.

🔻 RCE - Chromium (CVE-2026-5281). A use-after-free vulnerability in Dawn (Chromium's graphics layer and WebGPU implementation) affects Google Chrome versions prior to 146.0.7680.178. A remote attacker who has gained control of the rendering process can execute arbitrary code via a specially crafted HTML page. Listed in the CISA KEV since April 1.

Public exploits are available, or signs of their existence have been observed, for another 133 (❗️) vulnerabilities. The most notable ones, in my opinion:

🔸 RCE - Cockpit (CVE-2026-4631). Cockpit is a web‑based tool for server administration in Linux systems, enabling users to manage servers, containers, storage, and network configurations through a browser interface. An attacker with network access to the Cockpit web service can send a single HTTP request to the login page, injecting malicious SSH options or commands and executing code on the Cockpit server - all without valid credentials.

🔸 RCE - CUPS (CVE-2026-34990 + CVE-2026-34980). CUPS (Common UNIX Printing System) is a printing system for Unix‑like operating systems, including Linux and macOS. A chain of these vulnerabilities allows a remote attacker without authentication to overwrite files with root permissions over the network, effectively gaining root access on a typical Linux system.

🔸 RCE - KVM Tool (CVE-2021-45464). KVM Tool is a lightweight tool for running virtual machines based on KVM (Kernel‑based Virtual Machine) in Linux. KVM Tool prior to commit 39181fc contains an out‑of‑bounds write vulnerability, allowing a guest OS user to execute arbitrary code on the host machine.

🔸 PathTrav - tar (npm) (CVE-2026-31802, CVE-2026-24842). Prior to version 7.5.11, the npm package allowed creating a symbolic link pointing outside the extraction directory, leading to file overwrites.

Other vulnerabilities worth paying attention to:

🔸 RCE - Handlebars (CVE-2026-33937), tiemu (CVE-2017-20225), Netwide Assembler (CVE-2026-6067), openexr (CVE-2026-34545), Axios (CVE-2026-40175), hdf5 (CVE-2026-29043)
🔸 CodeInj - GLPI (CVE-2025-66417), glances (CVE-2026-30930, CVE-2026-32611), Handlebars (CVE-2026-33938, CVE-2026-33940), dynaconf (CVE-2026-33154), icalendar (CVE-2026-33635)
🔸 SFB - ormar (CVE-2026-27953), cpp-httplib (CVE-2026-34441), Safari (CVE-2026-20643), rack (CVE-2026-34835), wolfssl (CVE-2026-5194), Traefik (CVE-2026-32695), glances (CVE-2026-32632, CVE-2026-32634), Vert.x-Web (CVE-2026-1002), ecdsa (CVE-2026-33936), glibc (CVE-2026-4438), incus (CVE-2026-33542), Mongoose (CVE-2026-2968)
🔸 AuthBypass - scitokens_cpp_library (CVE-2026-32725, CVE-2026-32726), Node.js pbkdf2 (CVE-2026-32633), rack-session (CVE-2026-39324), Traefik (CVE-2026-33433), grpc (CVE-2026-33186), nltk (CVE-2026-33231)
🔸 ArbFileWrite - Rust (CVE-2026-33056)
🔸 CmdInj - Netty (CVE-2026-33870), awstats (CVE-2025-63261)
🔸 EoP - Keycloak (CVE-2026-4636), QEMU (CVE-2026-33711), glances (CVE-2026-33641)

🗒 Full Vulristics report

April Microsoft Patch Tuesday

Leave a reply

April Microsoft Patch Tuesday

April Microsoft Patch Tuesday. A total of 167 vulnerabilities, about twice as many as in March. There is one vulnerability already being exploited in the wild:

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). ZDI experts say "Spoofing bugs in SharePoint often manifest as cross-site scripting (XSS) bugs". "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)". There is no info yet about how widely it is being used in attacks, but you should not delay patching, especially if SharePoint is exposed to the Internet.

Formally, there are no public exploits yet. However, there are strong indications that a public exploit may already exist for one vulnerability.

🔸 EoP - Microsoft Defender (CVE-2026-33825). "Insufficient granularity of access control" in Microsoft Defender allows a logged-in attacker to gain higher privileges on a local system. Tenable and ZDI say the bug looks similar to the BlueHammer zero-day, for which a public exploit was released on GitHub on April 3. The researcher who published it, Chaotic Eclipse, criticized Microsoft’s disclosure process. ZDI says the exploit is real, but exploitation is unstable and not always reliable.

Other important issues:

🔹 RCE - Windows Active Directory (CVE-2026-33826). To exploit this, the attacker must have an account. The attacker sends a specially crafted RPC request to a vulnerable server, which can lead to code execution. Microsoft says the attacker must be in the same restricted Active Directory domain as the target system.

🔹 RCE - Windows Internet Key Exchange (IKE) Service Extensions (CVE-2026-33824). ZDI says this vulnerability is wormable, meaning it could allow malware to spread automatically between systems. It affects systems with IKE enabled, which creates a large attack surface. Microsoft recommends blocking UDP ports 500 and 4500 at the network edge. However, attackers inside the network can still use it for lateral movement. Patch quickly if you use IKE.

🔹 RCE - Windows TCP/IP (CVE-2026-33827). ZDI also says this may be wormable, especially on systems using IPv6 and IPSec. A race condition makes it harder to exploit, but similar bugs are often exploited at Pwn2Own, so you should not rely on that difficulty. If you use IPv6, test and deploy the patch quickly before exploits appear.

🔹 EoP - Windows Push Notifications (CVE-2026-26167). This Patch Tuesday includes several sandbox escape vulnerabilities, including in Push Notifications, AFD for Winsock, Windows Management Services, and User Interface Core. CVE-2026-26167 (Push Notifications) is the most important because it is the only one with low attack complexity. The others require winning a race condition (AC:H).

🔹 Spoofing - Remote Desktop (CVE-2026-26151). Weak warnings in the Remote Desktop interface allow a network attacker to trick a user into opening a specially crafted file, leading to spoofing. The issue was found by the UK National Cyber Security Centre (NCSC).

🗒 Full Vulristics report

March Linux Patch Wednesday

Leave a reply

March Linux Patch Wednesday

March Linux Patch Wednesday. In March, Linux vendors began addressing 575 vulnerabilities, which is 57 fewer than in February. Of these, 93 are in the Linux Kernel (⬇️ a significant decrease - there were 305 in February). There are two vulnerabilities with signs of in-the-wild exploitation:

🔻 RCE - Chromium (CVE-2026-3909, CVE-2026-3910)

Additionally, for 130 (❗️) vulnerabilities, public exploits are available or there are indications of their existence. Notable ones include:

🔸 RCE - Caddy (CVE-2026-27590), NLTK (CVE-2025-14009), Rollup (CVE-2026-27606), GVfs (CVE-2026-28296), SPIP (CVE-2026-27475), OpenStack Vitrage (CVE-2026-28370)
🔸 AuthBypass - Curl (CVE-2026-3783), coTURN (CVE-2026-27624), Libsoup (CVE-2026-3099)
🔸 InfDisc - Glances (CVE-2026-30928, CVE-2026-32596)
🔸 PathTrav - gSOAP (CVE-2019-25355), basic-ftp (CVE-2026-27699)
🔸 EoP - Snapd (CVE-2026-3888), GNU Inetutils (CVE-2026-28372)
🔸 SFB - Caddy (CVE-2026-27585, CVE-2026-27587/88/89), Keycloak (CVE-2026-1529), PyJWT (CVE-2026-32597), Authlib (CVE-2026-27962, CVE-2026-28498, CVE-2026-28802)
🔸 CodeInj - lxml_html_clean (CVE-2026-28350), ormar (CVE-2026-26198)
🔸 SSRF - Libsoup (CVE-2026-3632)

🗒 Full Vulristics report

March Microsoft Patch Tuesday

Leave a reply

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. A total of 79 vulnerabilities, about one and a half times more than in February. What's truly unusual is that this time there were no vulnerabilities with signs of exploitation in the wild or a public exploit! 🤔 At least not yet. 😏

The following vulnerabilities can be highlighted:

🔹 RCE - Print Spooler (CVE-2026-23669), Office (CVE-2026-26110, CVE-2026-26113), Excel (CVE-2026-26107, CVE-2026-26108, CVE-2026-26109, CVE-2026-26112), SharePoint Server (CVE-2026-26106, CVE-2026-26114)
🔹 EoP - SQL Server (CVE-2026-21262, CVE-2026-26115, CVE-2026-26116), Windows Kernel (CVE-2026-24287, CVE-2026-24289, CVE-2026-26132), Windows Win32k (CVE-2026-24285), SMB Server (CVE-2026-24294, CVE-2026-26128), Windows Graphics Component (CVE-2026-23668), .NET (CVE-2026-26131)
🔹 DoS - .NET (CVE-2026-26127)

🗒 Full Vulristics report

На русском

February Linux Patch Wednesday

Leave a reply

February Linux Patch Wednesday

February Linux Patch Wednesday. In February, Linux vendors addressed 632 vulnerabilities - 1.5× fewer than in January, including 305 in the Linux Kernel. Two vulnerabilities show signs of in-the-wild exploitation:

🔻 RCE - Chromium (CVE-2026-2441)
🔻 InfDisc - MongoDB "MongoBleed" (CVE-2025-14847)

Public exploits are available or suspected for 56 more vulnerabilities. Notable ones include:

🔸 RCE - OpenSSL (CVE-2025-15467, CVE-2025-69421, CVE-2025-11187), pgAdmin (CVE-2025-12762, CVE-2025-13780), DiskCache (CVE-2025-69872), PyTorch (CVE-2026-24747), Wheel (CVE-2026-24049)
🔸 AuthBypass - M/Monit (CVE-2020-36968)
🔸 EoP - Grafana (CVE-2025-41115, CVE-2026-21721), M/Monit (CVE-2020-36969)
🔸 AFR - Proxmox Virtual Environment (CVE-2024-21545)
🔸 SFB - Chromium (CVE-2026-1504), Roundcube (CVE-2026-25916)

🗒 Full Vulristics report

На русском

February Microsoft Patch Tuesday

Leave a reply

February Microsoft Patch Tuesday

February Microsoft Patch Tuesday. A total of 55 vulnerabilities, half as many as in January. There are as many as six (❗️) vulnerabilities being exploited in the wild:

🔻 SFB/RCE - Windows Shell (CVE-2026-21510)
🔻 SFB/RCE - Microsoft Word (CVE-2026-21514)
🔻 SFB - MSHTML Framework (CVE-2026-21513)
🔻 EoP - Windows Remote Desktop Services (CVE-2026-21533)
🔻 EoP - Desktop Window Manager (CVE-2026-21519)
🔻 DoS - Windows Remote Access Connection Manager (CVE-2026-21525)

There is also one vulnerability with a public exploit:

🔸 DoS - libjpeg (CVE-2023-2804)

Notable remaining vulnerabilities:

🔹 RCE - Windows Notepad (CVE-2026-20841)
🔹 Spoofing - Outlook (CVE-2026-21511)
🔹 EoP - Windows Kernel (CVE-2026-21231, CVE-2026-21239, CVE-2026-21245), Windows AFD.sys (CVE-2026-21236, CVE-2026-21238, CVE-2026-21241)

🗒 Full Vulristics report

На русском

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type

Leave a reply

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type

I released Vulristics 1.0.11: added Server-Side Request Forgery (SSRF) as a distinct vulnerability type. I try to use a very small set of base vulnerability types (around 20) in Vulristics and map everything else to them. With a few exceptions, these are the same types Microsoft uses - and Microsoft doesn't like SSRF.

SSRF is a vulnerability that allows an attacker to make network requests to arbitrary destinations.

Microsoft usually classifies SSRFs as EoP, Information Disclosure, or RCE. 🤯

I used to map SSRF to Command Injection, based on the logic that crafting a request can be considered a form of command execution. But, of course, that's... questionable. 🙄

So I decided to add a dedicated SSRF type (with a severity of 0.87) and stopped doing mental gymnastics. 🙂 For the icon, I drew an anvil (a play on words with "forge"). I also uploaded the icon to avleonov.com so that Vulristics HTML reports render correctly.

На русском