CISO Brief

All news with #race condition tag

3 articles

Critical ChromaDB RCE Flaw Leaves Servers Exposed

🔒 Researchers disclosed a critical vulnerability in ChromaDB (CVE-2026-45829) that allows unauthenticated attackers to execute arbitrary code and access sensitive data on affected servers. The flaw is a race condition in the FastAPI-based API server that fetches and executes remote embedding model code before performing authentication checks. HiddenLayer says versions 1.0.0 through 1.5.8 are affected and many public instances remain vulnerable; they recommend using the Rust implementation and restricting network access until a patch is available.

Citrix urges immediate patching for NetScaler flaws

⚠️ Citrix has released a security bulletin for NetScaler ADC and NetScaler Gateway addressing two vulnerabilities: CVE-2026-3055 (critical out-of-bounds read, CVSS 9.3) and CVE-2026-4368 (race condition, CVSS 7.7). The issues affect customer-managed appliances with specific SAML IDP or Gateway/AAA configurations rather than default installs or Citrix-managed cloud instances. Cloud Software Group recommends immediate installation of the vendor-published patches and notes a temporary Global Deny List mitigation available for select 14.1 builds while upgrades are scheduled.

Microsoft Fixes Windows Kernel Zero Day in November

🔒 Microsoft released its November Patch Tuesday updates addressing over 60 CVEs, including an actively exploited Windows kernel zero-day (CVE-2025-62215). The flaw is a race-condition and double-free that can let low-privileged local attackers corrupt kernel memory and escalate to system privileges, though exploitation requires precise timing and local code execution. Administrators should also prioritise a critical GDI+ RCE (CVE-2025-60724, CVSS 9.8) that can be triggered by parsing specially crafted metafiles. Microsoft additionally issued an out-of-band update (KB5071959) to resolve Windows 10 Consumer ESU enrollment failures.