MSRC Reports
Microsoft Security Response Center Reports (Unofficial).

Reports usually come in bursts, because that's just how Microsoft releases them.
CVE-2026-27138 Panic in name constraint checking for malformed certificates in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27138
CVE-2026-27137 Incorrect enforcement of email constraints in crypto/x509

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27137
CVE-2026-3494 MariaDB Server Audit Plugin Comment Handling Bypass

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3494
CVE-2026-3381 Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3381
CVE-2026-31802 node-tar Symlink Path Traversal via Drive-Relative Linkpath

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31802
CVE-2026-26018 CoreDNS Loop Detection Denial of Service Vulnerability

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26018
CVE-2026-26017 CoreDNS ACL Bypass

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26017
Chromium: CVE-2026-3909 Out of bounds write in Skia

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2021) for more information. Google is aware that an exploit for CVE-2026-3909 exists in the wild.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3909
CVE-2026-4105 Systemd: systemd: privilege escalation via improper access control in registermachine d-bus method

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4105
CVE-2026-2673 OpenSSL TLS 1.3 server may choose unexpected key agreement group

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-2673
CVE-2026-4111 Libarchive: infinite loop denial of service in rar5 decompression via archive_read_data() in libarchive

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4111
CVE-2026-23942 SFTP root escape via component-agnostic prefix check in ssh_sftpd

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23942
CVE-2026-32249 NFA regex engine NULL pointer dereference affects Vim < 9.2.0137

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32249
CVE-2026-23943 Pre-auth SSH DoS via unbounded zlib inflate

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23943
CVE-2026-23941 Request smuggling via first-wins Content-Length parsing in inets httpd

Information published.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23941