Google has released a major security update for Google Chrome Stable Channel, addressing 151 vulnerabilities, including 22 critical flaws impacting core graphics, networking, media, and user interface components across Windows, macOS, and Linux platforms.
Critical Vulnerabilities Addressed in Chrome Update
Google has patched three Critical-severity vulnerabilities in Google Chrome that could potentially allow attackers to execute arbitrary code or compromise affected systems.
CVE-2026-7896 – An integer overflow vulnerability in the Blink rendering engine. The flaw was reported by an external security researcher on March 18 and was significant enough to receive a $43,000 bug bounty reward from Google.
CVE-2026-7897 – A use-after-free vulnerability affecting the Chrome Mobile component, internally identified by Google on April 18.
CVE-2026-7898 – A use-after-free vulnerability in Chromoting (Chrome Remote Desktop), internally discovered by Google on April 20.
Successful exploitation of these vulnerabilities could lead to memory corruption, application crashes, or remote code execution under certain conditions. Users and organizations are strongly advised to update Chrome to the latest available Stable release immediately.
Fixed Software Versions
Versions Google Chrome 148.0.7778.215 for Android and Linux, 148.0.7778.215/216 for macOS, and 148.0.7778.216/217 for Windows contain the bug fixes, as Google writes in the release announcement. For Android and iOS, Google is also distributing browsers of the 149 version branch in smaller waves.
The update for the Chromium-based web browsers is usually initiated by the version dialog, which is hidden behind “Help” and then “About” or “Info” on the respective browser name in the browser menu (usually an icon with three stacked dots or lines). On Linux, the distribution’s software management is usually responsible for this. However, updates often arrive with a delay in Apple’s and Google’s app stores; acceleration cannot be forced.
Those who use Chrome-based web browsers like Microsoft Edge should also check here whether the manufacturer has already distributed the updates.
Chrome updates:
According to Chrome’s advisory, the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.
Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities.
The next stable release, Chrome 149, is scheduled for June 2, 2026. Users can update via Settings → Help → About Google Chrome, which triggers an automatic download and install.
The CIFSwitch vulnerability allows any local user without administrator privileges to gain full root access on Linux systems running cifs-utils 6.14 or later with CIFS enabled.
The vulnerability remained hidden in the Linux ecosystem since 2007 and was discovered using AI-based semantic graph analysis instead of traditional manual code review methods.
Security researchers confirmed successful exploitation on multiple Linux distributions, including Linux Mint, Kali Linux, Rocky Linux, AlmaLinux, CentOS Stream 9, and several SUSE Enterprise versions, with a public proof-of-concept (PoC) exploit now available.
CIFSwitch Vulnerability Details:
The newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, exposes a critical design flaw in the Linux kernel’s CIFS (Common Internet File System) client that has been latent since 2007.
The bug allows any low-privileged local user to elevate themselves to full root access by exploiting a missing validation check between the kernel CIFS subsystem and the userspace `cifs-utils` helper.
This vulnerability is especially concerning given that it is the fourth major Linux kernel privilege escalation requiring immediate action in just a matter of weeks, following recent flaws like “Copy Fail,” “Dirty Frag,” and “Fragnesia”. With a public Proof-of-Concept (PoC) already released, system administrators must act immediately to prevent unauthorized root access.
The root cause
The kernel lacks a `.vet_description` hook for the cifs_spnego_key_type. This omission means the kernel does not verify whether a request for a `cifs.spnego` key originated from the trusted CIFS subsystem or from a malicious user process.
An attacker can exploit this by calling `request_key()` or `add_key()` directly, forging the key description to include malicious parameters like `pid` and upcall_target.
How the Exploit Works
For exploitation requires a vulnerable kernel, a compatible cifs-utils version, and unprivileged user namespace creation. Many mainstream Linux distributions have been found vulnerable out-of-the-box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.
Fake Request Creation: An attacker with basic local access creates a fake cifs.spnego request and sends it to the Linux kernel.
Root Privilege Abuse: The kernel automatically launches the cifs.upcall helper tool with root privileges, trusting the request as legitimate.
Namespace Hijacking: By abusing Linux namespace settings, the attacker tricks the root process into operating inside an attacker-controlled environment.
Malicious Code Execution: The attacker places a fake nsswitch.conf file and a malicious shared library inside this environment. When the root process performs a system lookup, it unknowingly loads and executes the attacker’s malicious code as root.
Full Root Access: The public proof-of-concept exploit ultimately adds a NOPASSWD: ALL entry to the sudoers configuration, allowing the attacker to gain unrestricted root access to the Linux system.
Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.
Recommendation on security patches
The kernel patch introduces a vet_description hook for the CIFS.Spnego key type to verify that descriptions are requested under the CIFS client’s internal spnego_cred.
This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure cifs-upcall does not blindly trust kernel-originated descriptions.
Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, and tightening request-key rules for cifs. spnego, and restricting unprivileged user namespaces.
FortiGuard Labs recently identified a phishing campaign distributing a PureLogs variant designed to collect sensitive data from the victim’s device. The analysis provides an in-depth examination of the campaign, including the phishing emails and the mechanisms by which the JavaScript file operates on the victim’s device
This campaign uses deceptive emails disguised as purchase orders, a tactic commonly used to trick recipients into opening malicious attachments.
Infection Chain
Figure 1 illustrates the infection chain of this phishing email campaign.
(Fortinet)
Step-by-Step Attack Flow of the PureLogs Campaign
This campaign employs a sophisticated multi-stage attack chain that begins with a phishing email delivering a malicious JavaScript file.
The JavaScript decrypts and launches a PowerShell script, which then uses process hollowing to inject a .NET downloader into the legitimate Windows process MsBuild.exe. The downloader communicates with a remote C2 server to fetch and execute additional plugin modules, enabling flexible post-compromise operations.
The attack leverages multiple encryption layers, fileless execution, and process hollowing techniques, making it highly evasive and difficult for traditional signature-based security solutions to detect.
Organizations are advised to strengthen email filtering, restrict unnecessary script execution, and monitor for suspicious PowerShell activity and process hollowing behavior.
The use of multiple encryption layers, fileless execution, and process hollowing techniques makes this campaign highly evasive and difficult for traditional signature-based security solutions to detect. Organizations are advised to enforce email filtering, disable unnecessary script execution, and monitor for anomalous PowerShell activity and process hollowing.
PureLogs Attack scenario
The attack begins with a fake purchase order email. Fortinet observed an attached archive named PO 2026-P0803.rar, which carried a malicious JavaScript file called kpankocrs.js.
When the victim opens the script, it decrypts PowerShell code and writes it to a randomly named .ps1 file in the C:\Temp folder. The script then runs PowerShell with flags that bypass execution policy, hide the window, and avoid loading a user profile.
From there, the PowerShell stage decodes and decrypts more content. It loads .NET modules directly in memory, which helps the campaign reduce obvious files on disk and avoid simpler signature-based detection.
MsBuild.exe Is Useful to Attackers
MsBuild.exe is a legitimate Microsoft build utility commonly used to compile and build applications. Because it is a trusted Windows component frequently seen in enterprise environments, attackers often abuse it to disguise malicious activity under the appearance of normal system operations.
In this campaign, the threat actors leveraged the hardcoded path C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe as the target for process hollowing. According to Fortinet’s analysis, the PowerShell stage creates a suspended MsBuild.exe process and injects malicious .NET code into it before execution resumes.
The abuse of legitimate Windows binaries like MsBuild.exe allows attackers to blend into normal system activity, making detection significantly harder if organizations are not actively monitoring process behavior, parent-child relationships, and suspicious network communications.
Process Hollowing Helps PureLogs Evade Detection
Process hollowing is a stealth-focused process injection technique that allows malware to operate from within a legitimate process. The attacker launches a trusted application in a suspended state, replaces its memory with malicious code, and then resumes execution.
MITRE ATT&CK identifies process hollowing as a common defense evasion technique used to bypass traditional security controls. Fortinet observed several APIs associated with this activity, including CreateProcessA, ZwUnmapViewOfSection, WriteProcessMemory, SetThreadContext, and ResumeThread.
As a result, security tools may only detect a seemingly legitimate MsBuild.exe process, while the malicious payload executes silently within it. This deceptive behavior complicates both automated detection and manual incident analysis.
Information PureLogs Steals
PureLogs is a .NET-based information stealer designed to harvest sensitive system and user data from infected devices. Once deployed through the downloader module, the malware collects, compresses, encrypts, and exfiltrates data to its command-and-control (C2) infrastructure.
The malware gathers extensive host information, including screenshots, antivirus details, operating system data, processor information, usernames, screen resolution, memory size, clipboard contents, and system timestamps.
Italian digital forensics firm Forenser has uncovered a sophisticated zero-click attack campaign thatenables threat actors to covertly compromise WhatsApp accounts while legitimate users remain actively logged in and unaware of the intrusion.
The incidents primarily affected iPhone users running iOS 16, spanning devices from the iPhone 8 through the iPhone 14 series. Victims reported unauthorized WhatsApp messages requesting money transfers being sent from their accounts, despite no unfamiliar sessions or devices appearing within the app’s “Linked Devices” section.
What did researchers identified
Forensics ’ analysis identified unusual “resync” events in iOS unified logs, indicating that both the victim’s device and the attacker’s client were simultaneously competing to maintain control over the same WhatsApp session.
The attack chain combined two separate vulnerabilities to achieve a stealthy WhatsApp account takeover on vulnerable iPhones.
The first flaw, CVE-2025-43300, is an out-of-bounds write vulnerability within Apple’s ImageIO framework, a core iOS component responsible for processing image files.
By exploiting this ImageIO flaw, attackers could potentially execute malicious code on targeted iPhones without requiring any user interaction, making it a true zero-click exploit.
The second vulnerability, CVE-2025-55177, affected WhatsApp’s linked-device synchronization mechanism on iOS devices running versions earlier than iOS 16.7.12.
Attackers reportedly leveraged this WhatsApp synchronization weakness to secretly instantiate and maintain unauthorized WhatsApp sessions on compromised devices. The chained exploitation enabled threat actors to bypass normal WhatsApp security visibility, meaning compromised sessions did not appear under the app’s “Linked Devices” section.
Impact on Users
Attackers can gain full access to a victim’s WhatsApp account without the user clicking any link or opening any file.
Victims may not receive any warning, notification, or suspicious login alert during the compromise.
The hijacked session does not appear under WhatsApp’s “Linked Devices,” making detection extremely difficult.
Cybercriminals can impersonate victims and send fraudulent messages to contacts requesting money transfers or sensitive information.
Personal conversations, shared media, and confidential data may be exposed to attackers.
Users can experience ongoing session instability due to simultaneous access attempts between the legitimate device and the attacker.
Traditional phishing awareness offers limited protection because the exploit requires zero user interaction.
Individuals running outdated or unpatched iOS 16 versions face a significantly higher risk of compromise.
Financial fraud risks increase as attackers exploit trust between victims and their contacts.
Business users may face corporate data exposure, reputational damage, and unauthorized access to sensitive communications.
The attack demonstrates how mobile messaging platforms are increasingly becoming high-value targets for sophisticated cybercriminals. It highlights the critical importance of rapid OS updates, mobile threat monitoring, and secure communication practices.
Reminder for Organization on timely patching
This incident serves as a critical reminder for organizations that making timely patch management and proactive mobile security essential components of enterprise defense strategies.
The importance of adopting proactive threat intelligence, incident response readiness and Zero Trust security principles cannot be neglected.
When it is essential to defend against increasingly advanced attacks targeting communication platforms and sensitive business data in modern cyber warfare.
Key Highlights from Drupal Core SQL Injection Vulnerability: CVE-2026-9082
Severity: Highly Critical
CVSSv3: 6.5 : Medium
CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API
Can be exploited by unauthenticated attackers on sites using PostgreSQL.
No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.
As per Tenable, this vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations. No in-exploitation in the wild reported.
This means older versions of Drupal — specifically Drupal 8.9 and 9.5 — are no longer officially supported and will not receive normal security update packages anymore because they have reached end-of-life (EOL).
Drupal has still released special emergency “hotfix” files for:
Drupal 9.5.11
Drupal 8.9.20
These hotfixes help protect vulnerable websites from the reported security issue. The update also includes security fixes from third-party components used inside Drupal, including:
Symfony
Twig
Even if organizations are not using PostgreSQL databases, Drupal still recommends updating because other security vulnerabilities are also fixed in these releases.
Affected Environments by CVE-2026-9082
The vulnerability only affects certain versions of Drupal when the website uses a PostgreSQL database.
In simple terms:
Vulnerable versions:
Drupal 8.9.0 to 11.3.9
Affected only if:
The site uses PostgreSQL as its database backend
The issue exists in the PostgreSQL-specific code used by Drupal to process database queries.
Websites using: MySQL, MariaDB and SQLite are not affected by this particular vulnerability because they use different database handling code.
Additionally: Drupal 7 is completely unaffected by this issue.
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Drupal estimates that under 5% of installations run on PostgreSQL. Across the hundreds of thousands of public Drupal sites, that still leaves thousands of internet-reachable targets, concentrated in the segments where Drupal adoption is strongest.
Drupal Patches:
Drupal released fixes across all six supported branches on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The security team also published exceptional patches for the end-of-life 8.9 and 9.5 branches, given the severity and the volume of legacy installations.
The advisory recommends upgrading to the patched release matching the current branch (11.3.x to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, 10.4.x or earlier to 10.4.10). Drupal 8 and 9 sites should treat the exceptional patches as a stopgap rather than a long-term position, because other unpatched issues remain in those branches.
Defenders should verify patch status directly with their hosting provider rather than assume any specific platform-level fix is in place.
Federal agencies and organizations are required to remediate the issue by May 27, 2026, under Binding Operational Directive (BOD) 22-01.
Conclusion: Because of improper input validation, attackers can insert harmful SQL commands into input fields such a application. If unchecked or not sanitized on time, user input before sending it to the database, attackers may manipulate backend database operations potentially bypassing authentication controls. This may lead to accessing sensitive database information and modify or delete data.
If patching is not applicable or not matching with application, organizations should consider temporarily turning off affected services until mitigation measures are in place. The active exploitation of CVE-2026-9082 underscores the ongoing risk posed by SQL injection vulnerabilities in widely used platforms such as Drupal.
Overview: PinTheft vulnerability originates from improper memory reference handling inside the Linux kernel’s RDS zerocopy implementation
A newly disclosed Linux privilege escalation vulnerability named PinTheft allows local unprivileged users to gain full root access on vulnerable systems. Modern Linux systems use “zerocopy” operations to improve performance by avoiding unnecessary memory duplication during network transfers. In this case, failed RDS zerocopy operations improperly release memory references multiple times.
The flaw combines a long-standing issue in the Linux kernel’s RDS (Reliable Datagram Sockets) zerocopy functionality with io_uring to overwrite SUID-root binaries directly in memory and spawn a root shell.
Impact of PinTheft Vulnerability:
The issue primarily impacts systems where RDS modules are enabled and loadable, along with io_uring support. Researchers confirmed default exposure on Arch Linux, while several enterprise Linux distributions mitigate the risk by disabling or blocking RDS modules by default.
What makes PinTheft particularly dangerous is that the exploit modifies SUID-root binaries only in memory, leaving the original files on disk untouched.
PinTheft demonstrates how older kernel flaws can become highly exploitable when combined with newer Linux subsystems such as io_uring.
The vulnerability also highlights:
The increasing complexity of Linux kernel attack surfaces
Risks associated with performance-oriented kernel optimizations
The importance of minimizing unnecessary kernel modules in production environments
For enterprise security teams, systems allowing untrusted local workloads should be prioritized for immediate mitigation and monitoring.
The vulnerability impacts Linux kernels dating back to version 4.17, first released in 2018, highlighting how long-standing kernel flaws can remain dormant until newer features enable reliable exploitation techniques
Affected environments:
Researchers confirmed that:
Arch Linux systems were vulnerable by default
Some distributions ship RDS modules disabled or blacklisted
Certain enterprise Linux distributions are not affected because RDS is absent or io_uring is disabled by default
PoC Released
The release of a public proof-of-concept significantly increases operational risk for organizations running affected Linux environments.
Unlike remote vulnerabilities, PinTheft requires local access. However, once an attacker gains even limited user-level execution, the exploit provides a reliable path to full root compromise.
The vulnerability also highlights increasing complexity of Linux kernel attack surfaces and risks associated with performance-oriented kernel optimizations, importance of minimizing unnecessary kernel modules in production environments.
RakshaOne from Intrucept
RakshaOne can play a significant role in detecting and responding to the PinTheft Linux privilege escalation vulnerability. Since the exploit abuses kernel-level behavior and enables local users to gain root access while leaving minimal traces on disk, traditional security tools may struggle to identify the attack. RakshaOne helps security analysts and SOC teams gain centralized visibility across Linux servers, workloads, and enterprise infrastructure, allowing them to quickly understand the scope and context of suspicious activity.
By combining threat intelligence, behavioral analytics, and automated alert correlation, RakshaOne can detect abnormal privilege escalation attempts, suspicious SUID binary execution, unusual kernel activity, and unauthorized module loading associated with PinTheft exploitation.
The platform also simplifies incident response by automatically prioritizing high-risk alerts and correlating related events, helping organizations identify both known and unknown threats faster.
This becomes especially important for multi-tenant Linux environments, CI/CD runners, container hosts, and shared infrastructure where local privilege escalation vulnerabilities can rapidly lead to full system compromise.
Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.
As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.
CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.
(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
CVE ID
Affected Product
Vulnerability Description
Potential Impact
Severity Rating
CVE-2026-41091
Microsoft Malware Protection Engine
Vulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning engine
Privilege escalation allowing attackers to gain SYSTEM-level access
🔴 Critical
CVE-2026-45498
Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier
Vulnerability affecting Microsoft Defender and related endpoint protection platforms
Security risk impacting endpoint protection systems and enterprise security tools
🟠 High
CVE-2026-41091 vulnerability affects:
The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
With this access, attackers could potentially take full control of the affected device.
CVE-2026-45498 vulnerability affects:
Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.
As a result, users may experience:
System slowdowns or freezes
Security services stopping unexpectedly
CISA Adds the vulnerability in its KEV
For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.
On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.
Privilege Escalation Flaw:
The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.
mpengine.dll (Microsoft Malware Protection Engine) is responsible for:
Malware scanning
Threat detection
File inspection
Cleaning and remediation operations
The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
CISA gave federal agencies until June 3 to ensure mitigation measures are in place.
Threat Mitigation advice from Microsoft:
“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.
Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.
It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.
One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.
The April 2026 vulnerabilities identified in Defender:
Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.
RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse”
For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.
RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
SIEM Helps Detect Exploitation
Privilege Escalation Detection (CVE-2026-41091)
The SIEM can correlate:
Suspicious file write activity
Abnormal SYSTEM privilege assignments
Unexpected execution of privileged processes
Defender engine (mpengine.dll) anomalies
Unauthorized access attempts to protected system directories
DoS & Security Service Monitoring (CVE-2026-45498)
The SIEM can detect:
Unexpected Microsoft Defender crashes
Antimalware service restarts
Endpoint protection failures
Repeated system instability events
Disabled or unavailable Defender services
This helps security teams identify attempts to disrupt endpoint protection mechanisms
