Microsoft discloses Chromium, pyOpenSSL, Linux kernel and DNS handling flaws
Microsoft published a new set of security advisories covering multiple third-party and open-source components, led by several Chromium vulnerabilities affecting WebGL, WebRTC, ANGLE, V8, PDFium, the Digital Credentials API, and Extensions. The issues include out-of-bounds read and write, heap buffer overflow, integer overflow, and use-after-free conditions tracked as CVE-2026-4440, CVE-2026-4463, CVE-2026-4464, CVE-2026-4447, CVE-2026-4446, CVE-2026-4456, CVE-2026-4452, CVE-2026-4455, CVE-2026-4450, and CVE-2026-4458. Microsoft also listed CVE-2026-4437, a flaw in gethostbyaddr and gethostbyaddr_r that may incorrectly handle DNS responses.
The advisory set also includes pyOpenSSL flaws CVE-2026-27459, a DTLS cookie callback buffer overflow, and CVE-2026-27448, which could allow TLS connection bypass through an unhandled exception in set_tlsext_servername_callback. Additional entries cover several Linux kernel issues, including a potential NULL pointer dereference in RDMA/siw (CVE-2026-23242), a refcount bug and potential use-after-free in perf_mmap (CVE-2026-23248), an infinite loop in ntfs3 metadata handling (CVE-2025-71265), an io_uring memory-management flaw (CVE-2026-23259), and a divide error in rivafb (CVE-2026-23266), alongside audit subsystem updates tracked as CVE-2025-71239 and CVE-2026-23241.
Timeline
Mar 27, 2026
Microsoft publishes advisory for Chromium WebGPU use-after-free flaw
Microsoft's Security Update Guide published an advisory for CVE-2026-4678, a Chromium use-after-free vulnerability in WebGPU. The entry adds another Chromium vulnerability to Microsoft's March 2026 disclosure set.
Mar 26, 2026
Microsoft publishes advisory for wifi/libertas use-after-free vulnerability
Microsoft's Security Update Guide published an advisory for CVE-2026-23281 affecting the Linux kernel wifi/libertas subsystem, described as a fix for a use-after-free in lbs_free_adapter(). The entry adds another open-source component vulnerability to Microsoft's March 2026 disclosures.
Mar 26, 2026
Microsoft publishes advisory for SCSI core refcount leak vulnerability
Microsoft's Security Update Guide published an advisory for CVE-2026-23296 affecting the Linux kernel SCSI core, described as a fix for a refcount leak in tagset_refcnt handling. The entry adds another open-source component vulnerability to Microsoft's March 2026 disclosures.
Mar 26, 2026
Microsoft publishes advisory for netfilter nft_set_pipapo vulnerability
Microsoft's Security Update Guide published an advisory for CVE-2026-23351 affecting Linux netfilter, specifically nft_set_pipapo garbage-collection handling. The entry added another open-source component vulnerability to Microsoft's March 2026 disclosures.
Mar 23, 2026
Microsoft publishes batch of Chromium vulnerability advisories
Microsoft's Security Update Guide published multiple Chromium CVE entries covering WebGL, WebRTC, ANGLE, V8, PDFium, Extensions, and the Digital Credentials API. The batch included out-of-bounds read/write, heap buffer overflow, integer overflow, and use-after-free issues.
Mar 22, 2026
Microsoft publishes advisory for gethostbyaddr DNS handling flaw
Microsoft published a Security Update Guide entry for CVE-2026-4437, describing incorrect handling of DNS responses by gethostbyaddr and gethostbyaddr_r. The advisory added another non-Chromium vulnerability to the March disclosures.
Mar 20, 2026
Microsoft publishes advisory for io_uring and rivafb vulnerabilities
Additional Security Update Guide entries were published for Linux kernel flaws in io_uring/rw and fbdev:rivafb, describing memory handling and divide error issues. This expanded the set of disclosed open-source component vulnerabilities tracked by Microsoft.
Mar 18, 2026
Microsoft publishes advisories for Linux kernel and pyOpenSSL CVEs
Microsoft's Security Update Guide published multiple vulnerability entries affecting Linux kernel components and pyOpenSSL, including issues in audit, ntfs3, RDMA/siw, perf/core, and TLS/DTLS handling. These advisories document the vulnerabilities and associated fixes or affected components.
Sources: MSRC security advisories and 5 more.
Related Stories

Microsoft discloses multiple Linux kernel flaws affecting filesystems, networking, and drivers
Microsoft published a batch of Security Update Guide entries for Linux kernel vulnerabilities spanning core subsystems including `ext4`, `xfs`, memory management, networking, virtualization, and device drivers. The listed issues include memory-safety and stability flaws such as a use-after-free in `ext4` tracked as **CVE-2026-31446**, an `smc` double-free in **CVE-2026-31507**, a teardown-order use-after-free in the `spi-fsl-lpspi` driver in **CVE-2026-31485**, and a Bluetooth `L2CAP` bug in **CVE-2026-31498** that could trigger an infinite loop. Additional entries cover fixes in `af_key`, `netfilter` `ctnetlink`, `nfc` `nci`, `perf`, and memory-management code paths. The disclosures also include filesystem and virtual networking fixes such as **CVE-2026-31452** in `ext4`, **CVE-2026-31454** in `xfs`, and two `openvswitch` issues, **CVE-2026-31678** and **CVE-2026-31679**, addressing tunnel device release handling and MPLS payload-length validation. Microsoft further listed **CVE-2026-31601** in `vfio/xe` and **CVE-2026-31589** in the kernel MM subsystem, indicating broad exposure across Linux environments that rely on affected kernel components. The set of advisories points to patch activity focused on preventing use-after-free, double-free, locking, validation, and resource-lifecycle errors in widely deployed kernel code.
5 days ago
Microsoft Flags Multiple Chromium Memory-Safety Flaws in Security Update Guide
Microsoft published Security Update Guide entries for a broad set of **Chromium** vulnerabilities affecting browser components including **WebRTC, ANGLE, Network, Navigation, Blink, Base, V8, Skia,** and **WebAudio**. The listed issues include multiple `use-after-free` bugs such as `CVE-2026-4445`, `CVE-2026-4454`, `CVE-2026-4449`, and `CVE-2026-4441`, as well as a `heap buffer overflow` in `ANGLE` (`CVE-2026-4448`), a `heap buffer overflow` in `WebAudio` (`CVE-2026-4443`), an `out-of-bounds read` in `Skia` (`CVE-2026-4460`), `insufficient validation of untrusted input` in `Navigation` (`CVE-2026-4451`), and an `inappropriate implementation` flaw in `V8` (`CVE-2026-4461`). The same set of advisories also included non-Chromium entries tied to lower-level platform components: `CVE-2026-4438` for `gethostbyaddr` and `gethostbyaddr_r` returning invalid DNS hostnames, `CVE-2025-71267` for an `ntfs3` infinite loop triggered by a zero-sized `ATTR_LIST`, and `CVE-2026-23233` for an `f2fs` fix to avoid mapping the wrong physical block for a swapfile. Together, the disclosures show Microsoft tracking both browser-engine memory-corruption risks and underlying filesystem and networking defects through its update pipeline.
1 month ago
Microsoft Discloses Broad Set of Linux Kernel Vulnerabilities
Microsoft published a broad batch of Security Update Guide entries for Linux kernel flaws affecting memory management, networking, virtualization, device drivers, and subsystem input validation. The listed issues include use-after-free, NULL dereference, integer underflow, refcount underflow, information disclosure, and bounds-checking failures tracked as **`CVE-2026-31496`**, **`CVE-2026-31458`**, **`CVE-2026-31689`**, **`CVE-2026-31615`**, **`CVE-2026-31664`**, **`CVE-2026-31656`**, **`CVE-2026-31611`**, **`CVE-2026-31671`**, **`CVE-2026-31612`**, and others. Affected components span `nf_conntrack_expect`, `damon`, `edac_mc`, `renesas_usb3`, `xfrm`, `drm/i915`, `ksmbd`, `stmmac`, `tipc`, `mptcp`, `NFC`, `HID`, `KVM`, `mmc`, `x86/CPU`, `PCI endpoint`, `blk-cgroup`, `media/as102`, and `altera-tse`. Several entries point to bugs that could lead to kernel crashes, memory corruption, or data leakage if triggered through malformed input, protocol handling, or device interaction. Notable examples include a slab use-after-free in `mptcp`, information leaks in `xfrm_user` and `xfrm`, validation flaws in `ksmbd`, endpoint index handling in `usb: gadget: renesas_usb3`, and multiple underflow and teardown-ordering bugs across networking and driver code. The disclosures indicate a coordinated publication of upstream Linux kernel fixes through Microsoft's advisory channel, underscoring the need for organizations running Linux workloads in Microsoft-connected environments to review affected kernel versions and apply vendor patches promptly.
3 days ago