MSRC Reports
Microsoft Security Response Center Reports (Unofficial).

Reports usually come in bursts, because that's just how Microsoft releases them.
CVE-2026-26017 CoreDNS ACL Bypass

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26017
CVE-2026-26148 Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability

Acknowledgement Updated

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26148
Chromium: CVE-2026-3537 Object lifecycle issue in PowerVR

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2021) for more information.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3537
CVE-2026-3784 wrong proxy connection reuse with credentials

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3784
CVE-2026-1965 bad reuse of HTTP Negotiate connection

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-1965
CVE-2026-23240 tls: Fix race condition in tls_sw_cancel_work_tx()

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23240
CVE-2026-23239 espintcp: Fix race condition in espintcp_close()

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23239
CVE-2026-3783 token leak with redirect and netrc

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3783
CVE-2026-25679 Incorrect parsing of IPv6 host literals in net/url

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25679
CVE-2025-61724 Excessive CPU consumption in Reader.ReadResponse in net/textproto

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61724
CVE-2025-58186 Lack of limit when parsing cookies can cause memory exhaustion in net/http

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58186
CVE-2025-61725 Excessive CPU consumption in ParseAddress in net/mail

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61725
CVE-2025-58183 Unbounded allocation when parsing GNU sparse map in archive/tar

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58183
CVE-2025-58188 Panic when validating certificates with DSA public keys in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58188
CVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61727
CVE-2025-61729 Excessive resource consumption when printing error string for host certificate validation in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-61729
CVE-2026-26133 M365 Copilot Information Disclosure Vulnerability

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133
CVE-2026-26030 GitHub: CVE-2026-26030 Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable

Acknowledgement added. This is an informational change only.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26030
CVE-2026-20841 Windows Notepad App Remote Code Execution Vulnerability

To comprehensively address CVE-2026-20841, Microsoft has released February 2026 security updates for the Windows Notepad App. Microsoft recommends that customers install the update to be fully protected from the vulnerability.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
CVE-2026-3805 use after free in SMB connection reuse

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3805