< ciso
brief />
Tag Banner

All news with #patch release tag

439 articles · page 11 of 22

Amazon RDS for Oracle: January 2026 Release Update

🔔 Amazon RDS for Oracle now supports the Oracle January 2026 Release Update (RU) for Oracle Database versions 19c and 21c, and the corresponding Spatial Patch Bundle for 19c. The January 2026 RU includes important security updates, while the Spatial Patch Bundle delivers fixes to improve Oracle Spatial and Graph reliability and performance. You can apply these updates via the AWS Management Console, AWS SDK, or CLI, enable Automatic Minor Version Upgrade to apply during maintenance windows, and use AWS Organizations upgrade rollout policy to stagger upgrades across environments.
read more →

Windows Admin Center: Microsoft Patches Privilege Bug

🔒 Microsoft disclosed and patched a high-severity flaw in Windows Admin Center that could allow an attacker to escalate privileges. Tracked as CVE-2026-26119 with a CVSS score of 8.8, Microsoft credited Semperis researcher Andrea Pierini and included the fix in Windows Admin Center version 2511 (Dec 2025). The vendor described the issue as improper authentication and tagged it as Exploitation More Likely; technical details are currently restricted. Administrators are advised to apply the update promptly and restrict access to the management endpoint.
read more →

AWS Certificate Manager shortens public certificate validity

🔒 AWS Certificate Manager (ACM) now issues public certificates with a 198-day maximum validity, replacing the prior 395-day default to comply with the CA/Browser Forum’s 200-day mandate effective 15 March 2026. No customer action is required: new and renewed public certificates default to 198 days while existing longer-lived certificates remain valid until renewal or expiry. ACM continues to auto-renew certificates (now 45 days before expiry); existing longer-term certificates will renew 60 days before expiry and convert to the 198-day term. AWS also reduced prices for exportable public certificates to reflect the shorter validity.
read more →

Notepad++ fixes harden updater, dramatically raising cost

🔐 The author of Notepad++ says the recently released updates have hardened a previously compromised update mechanism so it is now effectively unexploitable. Releases from 8.8.9 through 8.9.2 add layered checks: the updater now verifies both the signed installer and the signed XML manifest with independent cryptographic signatures and aborts on any anomaly. The auto-updater was reinforced, though users can still opt out during installation. The developer warns no system is absolutely unbreakable, but the changes substantially raise attacker cost.
read more →

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

⚠️ Researchers disclosed an unauthenticated stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600-series VoIP phones that can yield remote code execution as root. The flaw lies in the web API endpoint /cgi-bin/api.values.get, where a malformed colon-delimited "request" parameter overruns a 64-byte stack buffer. Affected models include GXP1610/1615/1620/1625/1628/1630; Grandstream released firmware 1.0.7.81 to fix the issue. Rapid7 published a Metasploit module demonstrating exploitation and post-exploitation risks such as credential theft and SIP proxy hijacking.
read more →

Delta Electronics ASDA-Soft Stack Overflow (CVE-2026-1361)

⚠ A stack-based buffer overflow has been identified in Delta Electronics ASDA-Soft when parsing .par files, allowing an attacker to write data past a stack buffer and corrupt a structured exception handler (SEH). The issue affects versions <= 7.2.0.0 (CVE-2026-1361) and is assigned a CVSS v3.1 base score of 7.8 (High). Delta released fixed ASDA-Soft version 7.2.2.0 and published advisory Delta-PCSA-2026-00003; CISA reports no known public exploitation and notes the vulnerability is not remotely exploitable.
read more →

Siemens Simcenter Femap and Nastran File Parsing Flaws

⚠️ Siemens has published updates for Simcenter Femap and Simcenter Nastran addressing multiple file‑parsing vulnerabilities in NDB and XDB formats. If a user opens a specially crafted malicious file, affected versions may crash or allow an attacker to achieve arbitrary code execution. Siemens rates the issues as high severity and recommends updating to V2512 or later and avoiding untrusted NDB/XDB files.
read more →

GE Vernova Enervista UR Setup Vulnerabilities Fixed

🔒 GE Vernova released updates for Enervista UR Setup to address two vulnerabilities. The installer is vulnerable to DLL hijacking (CVE-2026-1762), which could allow administrative code execution when run in directories containing untrusted DLLs. A second issue is a path traversal (CVE-2026-1763) that can overwrite files as the logged-in user. Users should update to version 8.70 or later.
read more →

Exploit Reported for New Chrome Zero-Day in CSS Engine

⚠️ Google warns IT administrators that an exploit for a newly disclosed Chrome zero-day (CVE-2026-2441) is active in the wild. The issue is a use-after-free bug in the browser's CSS engine that can allow remote code execution in the renderer sandbox when a user visits a crafted page. Patches are available — update to 145.0.7632.75/76 on Windows/Mac or 144.0.7559.75 on Linux — and Google is limiting technical details until most users are updated. Administrators should prioritize deploying the fixes and monitor browser versions and endpoints closely.
read more →

Google Issues Patch for In-the-Wild Chrome Zero-Day

🔒 Google has released an urgent security update for Chrome to address CVE-2026-2441, a high-severity zero-day affecting desktop builds on Windows, macOS and Linux. The flaw, rooted in a CSS processing issue, can allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google confirmed an exploit is already in the wild and credited researcher Shaheen Fazim for reporting the bug on February 11; the company issued the patch on February 13.
read more →

Google patches first Chrome zero-day exploited in attacks

🔧 Google released emergency updates to fix a high-severity Chrome zero-day (CVE-2026-2441) that is being exploited in the wild. The flaw is a use-after-free caused by an iterator invalidation bug in CSSFontFeatureValuesMap, and Google pushed a backported patch across stable branches. Fixes are rolling out to Windows and macOS (145.0.7632.75/76) and Linux (144.0.7559.75); users should update or let Chrome apply updates automatically. Google noted additional related work remains tracked in bug 483936078.
read more →

Google patches Chrome zero-day CVE-2026-2441; active exploit

⚠️ Google released updates for Chrome to patch CVE-2026-2441, a high-severity (CVSS 8.8) use-after-free vulnerability in CSS that has been confirmed as exploited in the wild. Discovered by researcher Shaheen Fazim on Feb 11, 2026, the bug can enable remote code execution inside Chrome's sandbox via a crafted HTML page. Users should update to 145.0.7632.75/76 (Windows/macOS) or 144.0.7559.75 (Linux) and ensure Chromium-based browsers receive equivalent fixes.
read more →

Windows 11 KB5077181 Fixes Boot Failures After Updates

🔧 Microsoft says the February 10, 2026 Patch Tuesday update KB5077181 resolves a bug that left some commercial Windows 11 systems unbootable with an UNMOUNTABLE_BOOT_VOLUME error after failed updates. The problem affected a limited set of physical devices running 25H2 and 24H2 and was linked to an incomplete rollback following a December 2025 security update. An optional preview fix (KB5074105) was released on January 29, 2026 to help prevent further devices from being affected. Systems that became unbootable prior to the February fix may still require manual remediation via Microsoft Support for Business.
read more →

30-Year-Old Heap Overflow Fixed in libpng 1.6.55 Patch

⚠️ Developers patched a nearly 30-year-old heap buffer overflow in the libpng image library—fixed in libpng 1.6.55—that can crash applications processing crafted PNG files and, with careful heap grooming, enable information disclosure or remote code execution. The flaw exists in the png_set_quantize function when called without a histogram and with oversized palettes. A proof-of-concept is public; users and distributors should upgrade promptly.
read more →

CISA: Microsoft ConfigMgr RCE Patch Now Exploited in the Wild

⚠️ CISA has flagged a critical Microsoft Configuration Manager vulnerability (CVE-2024-43468) as actively exploited after Microsoft patched it in October 2024. The flaw is a SQL injection that can allow unauthenticated remote attackers to achieve remote code execution and run commands with elevated privileges on the server or site database. CISA ordered federal agencies to apply the patch or mitigations by March 5 under BOD 22-01 and urged all organizations to secure affected systems immediately.
read more →

Microsoft fixes Family Safety bug blocking Chrome launch

🔧 Microsoft has deployed a service-side fix for a Family Safety bug that prevented Google Chrome and some other browsers from launching or caused them to crash on Windows 10/11 devices. The problem, first reported in late June 2025, was traced to the service's web-filtering and block-list behavior that misidentified updated browser versions. The rollout began in early February 2026 and should reach affected devices in the coming weeks; users should connect to the Internet to receive the update. Those who cannot go online can enable Activity reporting in Family Safety to receive approval requests and allowlist newer browser versions.
read more →

RDS for PostgreSQL: Minor Upgrades and pg_stat_monitor

🔒 Amazon RDS for PostgreSQL now supports minor versions 18.2, 17.8, 16.12, 15.16, and 14.21. We recommend upgrading to these latest minor versions to remediate known security vulnerabilities and benefit from upstream bug fixes. The release also includes the pg_stat_monitor extension for unified query and performance metrics. Upgrades can be automated via scheduled maintenance, AWS Organizations rollout policies, or Blue/Green deployments to minimize downtime.
read more →

Amazon RDS Adds SQL Server 2022 Cumulative Update CU23

🔄 Amazon Relational Database Service now supports the latest Cumulative Update, CU23 (KB5078297), for SQL Server 2022 on Amazon RDS for SQL Server. We recommend that customers upgrade affected RDS instances to apply this update to obtain fixes and improvements. You can perform the upgrade through the Amazon RDS Management Console or programmatically using the AWS SDK or CLI, and consult the Amazon RDS SQL Server User Guide for detailed upgrade instructions.
read more →

Amazon RDS Adds Support for MariaDB Community Minors

🔁 Amazon RDS for MariaDB now supports community minor versions 10.6.25, 10.11.16, 11.4.10, and 11.8.6. We recommend upgrading to the latest minor releases to remediate known security vulnerabilities and gain bug fixes, performance improvements, and new features contributed by the MariaDB community. You can enable automatic minor version upgrades to apply updates during scheduled maintenance windows or use Amazon RDS Managed Blue/Green deployments for safer, lower-risk updates.
read more →

BeyondTrust patches critical unauthenticated RCE flaw

🔒 BeyondTrust has released emergency patches to address a critical unauthenticated remote code execution vulnerability in self-hosted instances of Remote Support and Privileged Remote Access. Tracked as CVE-2026-1731 and discovered in January by Hacktron AI, the flaw is rated 9.9/10. BeyondTrust published Patch BT26-02-RS for RS 21.3–25.3.1 and Patch BT26-02-PRA for PRA 22.1–24.x; PRA 25.1+ are not affected and SaaS tenants were patched server-side. Around 11,000 RS instances are internet-exposed, roughly 8,500 of which are on-premises and need immediate patching.
read more →