Tag

Cve

All articles tagged with #cve

security9 days ago•5 min saved

Azure AKS Backup Privilege Flaw: Silent Patch Suspected, No CVE Issued

Security researcher Justin O'Leary alleges a critical privilege-escalation flaw in Azure Backup for AKS could let a low-privileged user become cluster-admin via Trusted Access; Microsoft rejected the report as expected behavior with no product changes and blocked CVE issuance, while CERT/CC independently validated the bug and assigned VU#284781. After disclosure, Microsoft reportedly changed behavior and added permission checks, suggesting a silent patch; no public advisory or CVE was issued, leaving defenders with limited visibility into exposure and remediation timelines.

via BleepingComputer|

#azure #cve #disclosure

technology10 days ago•11 min saved

Kill Switch for Linux: Quick Patch or New Attack Surface?

The Linux kernel has faced severe CVEs (Copy Fail and Dirty Frag) that enable privilege escalation. NVIDIA engineer Sasha Levin proposed an in-kernel “kill switch” that would intercept calls to affected functions and return a safe value, allowing systems to keep running until patches arrive. Proponents say this could buy time without rebooting; critics warn it would patch the kernel in memory, may require reboots to clear, could create new attack surfaces, and raises concerns about AI-generated patches and how it compares to existing livepatch approaches.

via Hackaday|

#cve #kill-switch #linux

cybersecurity1 month ago•4 min saved

NIST narrows vulnerability scoring to high-risk issues as submissions surge

NIST will stop enriching and rating severities for low-priority vulnerabilities in the NVD due to a 263% rise in submissions; only CVEs meeting KEV criteria, affecting U.S. federal software, or involving critical software will receive added details, while all CVEs stay in the database and others are labeled Not Scheduled; enrichment requests remain possible via [email protected].

via BleepingComputer|

#cve #cybersecurity #nist

security2 months ago•3 min saved

Microsoft March 2026 Patch Tuesday Fixes 77+ Flaws, Highlights AI‑Driven Discovery

Microsoft released March 2026 Patch Tuesday with fixes for at least 77 vulnerabilities across Windows and related software; there are no new zero-days, but several high-severity flaws require attention, including CVE-2026-21262 (SQL Server privilege escalation), CVE-2026-26127 (.NET denial of service), and Office remote-code-execution flaws via the Preview Pane (CVE-2026-26113/26110). Additional privilege-escalation CVEs affect Windows components (CVE-2026-24291/24294/24289/25187). An AI-discovered CVE-2026-21536 in the Microsoft Devices Pricing Program is noted as an example of AI-driven vulnerability research. Microsoft also issued an out-of-band patch for Windows Server 2022 to fix a Windows Hello for Business certificate renewal issue; Adobe and Mozilla separately released updates for their products. For full details, see the SANS ISC Patch Tuesday post.

via Krebs on Security|

#ai #cve #microsoft

technology5 months ago•1 min saved

Linux Kernel's Rust Integration Faces First CVE Amidst Growing Adoption

The Linux kernel's Rust code has received its first CVE vulnerability, related to a race condition in the Android Binder rewrite that can cause system crashes in Linux 6.18 and newer, but no remote code execution or severe issues are reported.

via Phoronix|

#android-binder #cve #linux-kernel

cybersecurity2 years ago•3 min saved

"Windows Systems at Risk: Critical 'BatBadBut' Rust Vulnerability Exposed"

A critical security vulnerability named "BatBadBut" has been found in the Rust standard library on Windows, allowing attackers to execute arbitrary shell commands by bypassing the escaping mechanism when invoking batch files with the Command API. The vulnerability affects versions before 1.77.2 and has a CVSS score of 10.0. The Rust team has released version 1.77.2 with a fix for the issue, and developers are advised to update to mitigate the risk of potential command injection attacks.

via Cyber Kendra|

#command-injection #cve #cybersecurity

cybersecurity2 years ago•1 min saved

"FileCatalyst Transfer Tool Receives Critical RCE Vulnerability Patch from Fortra"

Fortra has patched a critical remote code execution (RCE) vulnerability, tracked as CVE-2024-25153, in its FileCatalyst file transfer solution, which could allow unauthenticated attackers to upload files outside the intended directory and execute code. The flaw was reported in August 2023 and addressed in FileCatalyst Workflow version 5.1.6 Build 114. Another two security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) were also resolved. Users are advised to apply the necessary updates to mitigate potential threats, especially in light of previous exploitation of Fortra's managed file transfer solution by threat actors.

via The Hacker News|

#cve #cybersecurity #filecatalyst

technology2 years ago•3 min saved

"Juniper Networks Issues Urgent Security Bulletin for Critical Vulnerabilities"

Juniper Networks has disclosed and apologized for previously concealed vulnerabilities, following accusations of bending the rules in assigning CVEs. The company has separately disclosed four vulnerabilities reported by a researcher, each with its own distinct CVE, affecting J-Web in Junos OS SRX Series and EX Series. The US Cybersecurity and Infrastructure Security Agency has issued an alert urging users to review Juniper's bulletin and apply necessary updates. Juniper's patch schedule and process for assigning CVEs have raised questions, prompting the company to review its approach and apologize to customers for the error in communication.

via The Register|

#cve #cybersecurity #juniper-networks

technologynetwork-security2 years ago•1 min saved

"Critical Junos OS Updates Address High-Severity Vulnerabilities"

Juniper Networks has released urgent out-of-band updates to address high-severity flaws in SRX Series and EX Series, including missing authentication and cross-site scripting vulnerabilities, impacting all versions of Junos OS. The vulnerabilities, discovered by cybersecurity firm watchTowr Labs, could allow threat actors to take control of susceptible systems. Users are advised to apply the updates or implement temporary mitigations, as two previously disclosed vulnerabilities have been actively exploited.

via The Hacker News|

#cve #cybersecurity #juniper-networks

technology2 years ago•2 min saved

Google Addresses Critical libwebp Bug Exploited in Attacks with New CVE

Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability that was exploited as a zero-day in attacks. Initially disclosed as a Chrome weakness, the flaw has now been recognized as a critical issue in libwebp with a maximum severity rating. The vulnerability involves a heap buffer overflow in WebP, impacting Google Chrome and other projects using the libwebp library. Promptly addressing the security vulnerability is crucial for ensuring data security across various platforms.

via BleepingComputer|

#cve #google #libwebp