All articles tagged with #security vulnerability
Nvidia warns of a high-severity vulnerability in Windows and Linux GPU drivers and urges users to update to driver version 596.49 (older 596.36 or 482.53 for GTX 10-series are at risk); Linux users should upgrade to 590.48.01. The patch prevents attackers from gaining access to data or injecting malicious code, while Nvidia also previews a beta Auto Shader Compilation feature for RTX 50-series.
Apple released iOS 26.4.2 and iPadOS 26.4.2 (along with iOS 18.7.8/iPadOS 18.7.8) to fix a security flaw in notification services that could retain Signal message previews on a device, enabling the FBI to access message content via the internal notification database even after deletion. Apple says the fix improves data redaction to prevent this logging/retention of sensitive content. The issue came to light in court testimony about FBI access to the device’s notification data. Users on affected versions should update to the latest software to mitigate exposure.
Security researchers bypassed the EU’s open-source age-verification wallet in under two minutes, exposing insecure PIN handling and a biometric bypass in the code, even after officials claimed the tool was 'technically ready' while the GitHub page warned it was a demo. Critics warn the rushed deployment could erode trust in digital identity wallets and privacy protections, especially since the €4 million project used zero-knowledge proof to verify age without exposing data.
Qualys disclosed multiple vulnerabilities in Ubuntu’s AppArmor kernel security module (CrackArmor) that can cause memory leaks and DoS, and, when combined with a sudo discovery, may enable local privilege escalation. Canonical is rolling out fixes across affected Ubuntu releases, addressing issues from DFA state bounds and memory leaks to policy namespace limits and race conditions. The advisory also notes unsafe su behavior prompting hardening, with the sudo flaw affecting releases back to 22.04 LTS and su hardening traced to 20.04 LTS; more details are available in Qualys’ advisory.
Apple warns of two critical WebKit flaws that could let hackers take control of iPhones or iPads via malicious websites. A patch is available in iOS 26.2 / iPadOS 26.2, but with roughly 800 million devices still unpatched, many users remain at risk. The most vulnerable models include iPhone 11 and newer and various iPad generations. The recommended defense is updating to the latest software (automatic updates should already protect most users; otherwise, manually install iOS 26.2).
Cisco has released patches for a medium-severity security flaw in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) following the public release of a proof-of-concept exploit, which could allow attackers with administrative credentials to access sensitive information. The vulnerability affects multiple Cisco versions, and users are urged to update to the latest releases as no workarounds are available. Additionally, fixes have been provided for two other medium-severity bugs impacting Cisco products like Cisco Secure Firewall and Cisco IOS XE.
IBM has disclosed a critical security flaw in API Connect (CVE-2025-13915) that allows remote attackers to bypass authentication and gain unauthorized access. The vulnerability affects specific versions and is rated 9.8/10 on CVSS. Users are advised to apply the available fixes promptly or disable self-service sign-up to mitigate risks.
A critical vulnerability in MongoDB, CVE-2025-14847, allows unauthenticated attackers to remotely leak sensitive data by exploiting a flaw in zlib compression, with over 87,000 instances potentially affected worldwide. Users are advised to update their MongoDB versions and implement mitigations such as disabling zlib compression and restricting server exposure.
A critical security flaw called MongoBleed (CVE-2025-14847) in MongoDB servers is actively exploited in the wild, allowing attackers to leak sensitive data through malformed network packets before authentication, affecting many versions and exposing approximately 87,000 vulnerable instances worldwide. Immediate patching and monitoring are recommended.
A PoC exploit called 'mongobleed' has been released for a critical MongoDB vulnerability (CVE-2025-14847) that allows attackers to remotely extract sensitive uninitialized memory data through a flaw in zlib decompression handling, prompting urgent patching and security measures.
A critical security flaw in LangChain Core (CVE-2025-68664) allows attackers to exploit serialization injection to steal secrets and manipulate LLM responses, prompting urgent updates to affected versions to mitigate risks.
MongoDB has issued an urgent warning to patch a severe remote code execution vulnerability (CVE-2025-14847) affecting multiple versions of its database software. The flaw, due to improper handling of length parameters, allows unauthenticated attackers to execute arbitrary code. Admins are advised to upgrade to patched versions immediately or disable zlib compression to mitigate the risk. The vulnerability has been actively exploited in the past, emphasizing the need for prompt action.
QNAP has issued a warning about a critical security flaw in its Windows backup software and NetBak PC Agent, related to the CVE-2025-55315 vulnerability in ASP.NET Core, which could allow attackers to hijack credentials or bypass security controls. Users are advised to update their ASP.NET Core runtime or reinstall the affected applications to mitigate risks. This follows previous security updates QNAP released for other vulnerabilities in its backup solutions.
OpenAI's ChatGPT Atlas browser is vulnerable to prompt injection attacks where malicious URLs disguised as harmless links can trick the AI into executing harmful commands or redirecting users to malicious sites, highlighting ongoing security challenges in AI-enabled browsers.
Microsoft has issued an emergency security update for Windows Server due to a critical vulnerability (CVE-2025-59287) that is actively being exploited in attacks, with CISA warning federal agencies to apply the update immediately to prevent remote code execution and system compromise.