Microsoft discloses Chromium and jq memory-handling vulnerabilities
Microsoft added three vulnerabilities to its Security Update Guide, including CVE-2026-5874 affecting Chromium and two flaws in jq. The Chromium issue is described as a use-after-free in PrivateAI, a class of memory-safety bug that can lead to crashes or potentially arbitrary code execution depending on exploitability and surrounding mitigations.
The two jq entries, CVE-2026-39979 and CVE-2026-33948, describe input-handling weaknesses in the JSON processor: an out-of-bounds read in jv_parse_sized() error formatting for non-NUL-terminated counted buffers, and an embedded-NUL truncation issue in the CLI JSON input path that can cause prefix-only validation of malformed input. Together, the disclosures highlight memory and parsing risks in widely used software components that may affect systems relying on Chromium-based software or jq for JSON processing.
Timeline
Apr 17, 2026
Microsoft publishes advisory for CVE-2026-33948 in jq
Microsoft added CVE-2026-33948 to its Security Update Guide, describing an embedded-NUL truncation issue in jq CLI JSON input handling that can cause prefix-only validation of malformed input.
Apr 17, 2026
Microsoft publishes advisory for CVE-2026-39979 in jq
Microsoft added CVE-2026-39979 to its Security Update Guide, describing an out-of-bounds read in jq's jv_parse_sized() error formatting for non-NUL-terminated counted buffers.
Jan 1, 2026
Microsoft publishes advisory for CVE-2026-5874 in Chromium PrivateAI
Microsoft listed CVE-2026-5874 in its Security Update Guide as a Chromium vulnerability described as a use-after-free issue in PrivateAI.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Microsoft Discloses Chromium V8 Use-After-Free and Heap Buffer Overflow Flaws
Microsoft published security advisories for two vulnerabilities affecting separate components: **`CVE-2026-5861`**, a *use-after-free* flaw in Chromium's V8 JavaScript engine, and **`CVE-2026-31789`**, a *heap buffer overflow* in hexadecimal conversion logic. The advisories were released through Microsoft's Security Update Guide and identify memory-safety issues that could expose affected software to instability or potential code-execution scenarios depending on how the vulnerable components are reached. The disclosures highlight continued risk from low-level memory corruption bugs in widely used software components, particularly browser engine code and data-conversion routines. Microsoft did not provide detailed public synopses in the referenced advisories, but the vulnerability classifications indicate that organizations should prioritize patch review and deployment for products that incorporate the affected Chromium and Microsoft code paths.
3 weeks ago
Microsoft discloses Chromium, pyOpenSSL, Linux kernel and DNS handling flaws
Microsoft published a new set of security advisories covering multiple third-party and open-source components, led by several **Chromium** vulnerabilities affecting `WebGL`, `WebRTC`, `ANGLE`, `V8`, `PDFium`, the **Digital Credentials API**, and **Extensions**. The issues include out-of-bounds read and write, heap buffer overflow, integer overflow, and use-after-free conditions tracked as `CVE-2026-4440`, `CVE-2026-4463`, `CVE-2026-4464`, `CVE-2026-4447`, `CVE-2026-4446`, `CVE-2026-4456`, `CVE-2026-4452`, `CVE-2026-4455`, `CVE-2026-4450`, and `CVE-2026-4458`. Microsoft also listed `CVE-2026-4437`, a flaw in `gethostbyaddr` and `gethostbyaddr_r` that may incorrectly handle DNS responses. The advisory set also includes **pyOpenSSL** flaws `CVE-2026-27459`, a DTLS cookie callback buffer overflow, and `CVE-2026-27448`, which could allow TLS connection bypass through an unhandled exception in `set_tlsext_servername_callback`. Additional entries cover several **Linux kernel** issues, including a potential NULL pointer dereference in `RDMA/siw` (`CVE-2026-23242`), a refcount bug and potential use-after-free in `perf_mmap` (`CVE-2026-23248`), an infinite loop in `ntfs3` metadata handling (`CVE-2025-71265`), an `io_uring` memory-management flaw (`CVE-2026-23259`), and a divide error in `rivafb` (`CVE-2026-23266`), alongside audit subsystem updates tracked as `CVE-2025-71239` and `CVE-2026-23241`.
1 months ago
Microsoft Flags Multiple Chromium Memory-Safety Flaws in Security Update Guide
Microsoft published Security Update Guide entries for a broad set of **Chromium** vulnerabilities affecting browser components including **WebRTC, ANGLE, Network, Navigation, Blink, Base, V8, Skia,** and **WebAudio**. The listed issues include multiple `use-after-free` bugs such as `CVE-2026-4445`, `CVE-2026-4454`, `CVE-2026-4449`, and `CVE-2026-4441`, as well as a `heap buffer overflow` in `ANGLE` (`CVE-2026-4448`), a `heap buffer overflow` in `WebAudio` (`CVE-2026-4443`), an `out-of-bounds read` in `Skia` (`CVE-2026-4460`), `insufficient validation of untrusted input` in `Navigation` (`CVE-2026-4451`), and an `inappropriate implementation` flaw in `V8` (`CVE-2026-4461`). The same set of advisories also included non-Chromium entries tied to lower-level platform components: `CVE-2026-4438` for `gethostbyaddr` and `gethostbyaddr_r` returning invalid DNS hostnames, `CVE-2025-71267` for an `ntfs3` infinite loop triggered by a zero-sized `ATTR_LIST`, and `CVE-2026-23233` for an `f2fs` fix to avoid mapping the wrong physical block for a swapfile. Together, the disclosures show Microsoft tracking both browser-engine memory-corruption risks and underlying filesystem and networking defects through its update pipeline.
1 months ago