CVE-2025-69645 Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-69645

CVE-2025-69652 GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-69652

CVE-2025-69646 Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-69646

CVE-2026-3731 libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3731

CVE-2026-26018 CoreDNS Loop Detection Denial of Service Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26018

CVE-2026-26017 CoreDNS ACL Bypass

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26017

CVE-2026-26148 Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability

Acknowledgement Updated

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26148

Chromium: CVE-2026-3537 Object lifecycle issue in PowerVR

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2021) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3537

CVE-2026-3784 wrong proxy connection reuse with credentials

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3784

CVE-2026-1965 bad reuse of HTTP Negotiate connection

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-1965

CVE-2026-23240 tls: Fix race condition in tls_sw_cancel_work_tx()

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23240

CVE-2026-23239 espintcp: Fix race condition in espintcp_close()

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23239

CVE-2026-3783 token leak with redirect and netrc

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3783

CVE-2026-23868

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23868

CVE-2026-25679 Incorrect parsing of IPv6 host literals in net/url

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25679

CVE-2025-61724 Excessive CPU consumption in Reader.ReadResponse in net/textproto

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61724

CVE-2025-58186 Lack of limit when parsing cookies can cause memory exhaustion in net/http

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58186

CVE-2025-61725 Excessive CPU consumption in ParseAddress in net/mail

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61725

CVE-2025-58183 Unbounded allocation when parsing GNU sparse map in archive/tar

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58183

CVE-2025-58188 Panic when validating certificates with DSA public keys in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58188

CVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61727