
All news with #patch release tag

376 articles · page 3 of 19

Dirty Frag: Chained Linux Kernel Flaws Prompt Patch Rush

🛡️ Major Linux distributions are rushing to apply fixes after the embargo on a two‑bug kernel exploit, dubbed Dirty Frag, was broken. The flaw chains CVE-2026-43284 (xfrm‑ESP write‑what‑where, CVSS 8.8) and CVE-2026-43500 (RxRPC out‑of‑bounds write, CVSS 7.8) to enable local privilege escalation to root. Researcher Hyunwoo Kim published a proof‑of‑concept after coordinating with maintainers. Vendors recommend temporarily blacklisting esp4/esp6/rxrpc modules and prioritising immediate patching.

cPanel/WHM Fixes Three Vulnerabilities in May 2026

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.

Ivanti warns of EPMM zero-day RCE; patches released

🔒 Ivanti is urging customers to patch a high-severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) after limited zero-day exploitation. The weakness stems from improper input validation and affects on-prem EPMM 12.8.0.0 and earlier; Ivanti released fixes in 12.6.1.1, 12.7.0.1, and 12.8.0.1 and recommends reviewing and rotating admin credentials. The vendor also patched four additional high-severity EPMM issues and noted that Shadowserver currently sees over 850 exposed EPMM hosts online.

Critical Apache HTTP/2 Double-Free May Enable RCE Now

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.

ABB B&R Runtime ANSL Server DoS: Patch Released Now

⚠ ABB reported a vulnerability in B&R Automation Runtime (ANSL-Server) that can be triggered remotely to cause a denial-of-service on affected nodes. The issue (CVE-2025-11044) is fixed in Automation Runtime 6.5 and R4.93. Apply the vendor patch promptly; interim mitigations include longer cycle times, limiting ANSL connections at the control-network firewall, and load testing before commissioning.

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.

Critical RCE in Weaver E-cology Exploited Since March

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.

Progress patches critical MOVEit Automation flaws urgently

⚠️ Progress Software issued updates for MOVEit Automation to address two vulnerabilities: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and an improper input validation flaw that could enable privilege escalation (CVE-2026-5174, CVSS 7.7). Affected branches include releases <=2025.1.4, <=2025.0.8, and <=2024.1.7; fixes are available in 2025.1.5, 2025.0.9, and 2024.1.8. Airbus SecLab researchers reported the issues, and Progress states there are no workarounds and no confirmed in-the-wild exploitation; administrators should apply updates promptly and review access to service backend command ports.

FreeRTOS 202604 LTS: security, MPU, and protocol updates

🛡️ FreeRTOS 202604 LTS is now available, providing a two-year Long Term Support window with security updates, critical bug fixes, and feature stability for embedded and IoT device manufacturers. The FreeRTOS kernel advances to v11.3.0 with new hardware ports, security hardening, and expanded MPU support that reduces claimed MPU regions and allows reservation of hardware regions for application-specific protection. Core libraries include coreMQTT v5.0.2 (MQTT v5.0 features) and coreSNTP v2.0.0 (year-2038 readiness); the release emphasizes memory safety and MISRA-C compliance, with migration guides and an Extended Maintenance Plan to support upgrades.

Microsoft fixes Remote Desktop warning display bug

🔧 Microsoft has issued a fix for a known issue that caused newly introduced Windows security warnings to render incorrectly when opening Remote Desktop (.rdp) files on multi-monitor systems with differing display scaling. The bug affected all supported Windows versions after the April 2026 cumulative updates and was addressed in the optional Windows 11 preview update KB5083631. The misrendering could hide or misalign dialog buttons and text, preventing users from interacting with the RDP security prompt designed to block risky resource redirections.

Windows 11 KB5083631 Preview: 34 Fixes, Security and Perf

🔔 Microsoft released the optional cumulative preview update KB5083631 for Windows 11, delivering 34 quality improvements and fixes. Highlights include a new Xbox mode that provides a full‑screen gaming interface, improved startup app launch performance, and enhanced batch file/CMD security that prevents scripts from changing during execution. The update is optional and can be installed via Settings → Windows Update or manually from the Microsoft Update Catalog.

Trivial Linux kernel bug allows local users to gain root

⚠️ A newly disclosed Linux kernel logic flaw dubbed Copy Fail (CVE-2026-31431) enables an unprivileged local user to write four deterministic bytes into the page cache of any readable file and gain root. Theori researchers published a 732-byte Python proof-of-concept and reported the bug to the kernel team in March; patches were committed in April. Until distributions publish updates — Arch has released a patch so far — CSOs should inventory multi-tenant and container hosts, monitor for privilege escalation, and apply fixes or temporary kernel parameters where feasible.

April KB5083769 breaks third-party backup on Windows 11

⚠️ The April 2026 KB5083769 security update is causing third‑party backup applications to fail on Windows 11 (24H2 and 25H2) by triggering a VSS snapshot timeout. Vendors including Acronis, Macrium, NinjaOne and UrBackup have reported backup operations aborting with VSS timeout errors. Acronis has published guidance confirming failures on Pro and Home editions and recommends uninstalling KB5083769 and pausing updates as a temporary workaround.

Critical cPanel Authentication Flaw — Update Immediately

⚠️ cPanel has released urgent security updates to remediate an authentication vulnerability affecting all currently supported versions of its control panel. The vendor issued patched builds (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, 11.134.0.20) and advises immediate updating. If you run an unsupported version, cPanel warns you to upgrade as it may also be affected. Hosting provider Namecheap temporarily blocked TCP ports 2083 and 2087 while applying the fixes and is actively deploying the official patches across its servers.

Apple fixes iOS bug retaining deleted notifications

🔒 Apple released out-of-band updates for iPhone and iPad to address a Notification Services flaw that could leave deleted notifications stored on the device. The bug, tracked as CVE-2026-28950, was patched on April 22, 2026 in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8. Apple says the issue was resolved through improved data redaction but provided no further technical details or confirmation of exploitation. Users are advised to install the updates promptly.

Microsoft issues out-of-band patch for ASP.NET Core flaw

🔒 Microsoft released an out-of-band fix after an April 14 .NET update (10.0.6) introduced a critical regression in the ASP.NET Core Data Protection NuGet package (CVE-2026-40372, CVSS 9.1). A bug in the ManagedAuthenticatedEncryptor caused HMAC validation tags to be computed with an incorrect offset, allowing forged cookies and tokens to be treated as valid. Developers should upgrade to 10.0.7, rebuild embedded apps (including Docker images), expire affected cookies and tokens, and rotate protection keys to remove potential forgeries.

Amazon Corretto April 2026 Quarterly Security Updates

🔒 Amazon announced its April 2026 quarterly security and critical updates for Amazon Corretto, delivering new builds for LTS and Feature Release OpenJDK distributions. Releases available: Corretto 26.0.1, 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u492. This is the final Corretto 8 release that includes JavaFX binaries; JavaFX will be removed starting July 2026. Downloads and repo configuration instructions are provided on the Corretto home page to help administrators apply the updates.

Microsoft Issues Patch for Critical ASP.NET Core Flaw

🔒 Microsoft released an out-of-band update to address a high-severity privilege-escalation flaw in ASP.NET Core tracked as CVE-2026-40372 (CVSS 9.1). A regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 allowed the managed encryptor to compute HMAC validation over incorrect payload bytes, enabling forged payloads to pass authenticity checks and potentially grant SYSTEM-level access on non-Windows hosts. Microsoft fixed the issue in ASP.NET Core 10.0.7 and warned tokens issued during the vulnerable window remain valid until the DataProtection key ring is rotated.

Microsoft issues emergency patches for ASP.NET flaw

🔒 Microsoft has released out-of-band updates to fix a critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection APIs. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 packages caused HMAC validation to be computed over the wrong bytes, allowing forged auth cookies and decryption of protected payloads. Developers should update to 10.0.7, redeploy, and rotate DataProtection key rings to invalidate tokens issued during the vulnerable window.

Amazon RDS Custom for SQL Server: GDR Updates Supported

🛡️ Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates from Microsoft for SQL Server 2019 (CU32+GDR KB5077469, RDS version 15.00.4460.4.v1) and SQL Server 2022 (CU23+GDR KB5077464, RDS version 16.00.4240.4.v1). These GDRs remediate vulnerabilities tracked as CVE-2026-21262 and CVE-2026-26115. You can apply the recommended updates using the Amazon RDS Management Console or programmatically via the AWS SDK or CLI; see the Amazon RDS Custom User Guide for upgrade guidance.