Google has released a major security update for Google Chrome Stable Channel, addressing 151 vulnerabilities, including 22 critical flaws impacting core graphics, networking, media, and user interface components across Windows, macOS, and Linux platforms.
Critical Vulnerabilities Addressed in Chrome Update
Google has patched three Critical-severity vulnerabilities in Google Chrome that could potentially allow attackers to execute arbitrary code or compromise affected systems.
CVE-2026-7896 – An integer overflow vulnerability in the Blink rendering engine. The flaw was reported by an external security researcher on March 18 and was significant enough to receive a $43,000 bug bounty reward from Google.
CVE-2026-7897 – A use-after-free vulnerability affecting the Chrome Mobile component, internally identified by Google on April 18.
CVE-2026-7898 – A use-after-free vulnerability in Chromoting (Chrome Remote Desktop), internally discovered by Google on April 20.
Successful exploitation of these vulnerabilities could lead to memory corruption, application crashes, or remote code execution under certain conditions. Users and organizations are strongly advised to update Chrome to the latest available Stable release immediately.
Fixed Software Versions
Google Chrome versions 148.0.7778.215 for Android and Linux, 148.0.7778.215/216 for macOS, and 148.0.7778.216/217 for Windows contain the bug fixes, according to Google's release announcement. For Android and iOS, Google is also rolling out browsers from the 149 branch in smaller waves.
On Chromium-based browsers the update is usually triggered from the version dialog, which sits under "Help" and then "About" (or "Info") followed by the browser name in the browser menu (usually an icon with three stacked dots or lines). On Linux, the distribution's package management normally handles it. Updates in Apple's and Google's app stores often arrive with a delay, and that delivery cannot be forced.
Those who use Chromium-based browsers such as Microsoft Edge should also check whether their vendor has already shipped the corresponding updates.
Chrome updates:
According to Chrome’s advisory, the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.
Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities.
The next stable release, Chrome 149, is scheduled for June 2, 2026. Users can update via Settings → Help → About Google Chrome, which triggers an automatic download and install.
The CIFSwitch vulnerability allows any local user without administrator privileges to gain full root access on Linux systems running cifs-utils 6.14 or later with CIFS enabled.
The vulnerability remained hidden in the Linux ecosystem since 2007 and was discovered using AI-based semantic graph analysis instead of traditional manual code review methods.
Security researchers confirmed successful exploitation on multiple Linux distributions, including Linux Mint, Kali Linux, Rocky Linux, AlmaLinux, CentOS Stream 9, and several SUSE Enterprise versions, with a public proof-of-concept (PoC) exploit now available.
CIFSwitch Vulnerability Details:
The newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, exposes a critical design flaw in the Linux kernel’s CIFS (Common Internet File System) client that has been latent since 2007.
The bug allows any low-privileged local user to elevate themselves to full root access by exploiting a missing validation check between the kernel CIFS subsystem and the userspace `cifs-utils` helper.
This vulnerability is especially concerning given that it is the fourth major Linux kernel privilege escalation requiring immediate action in just a matter of weeks, following recent flaws like “Copy Fail,” “Dirty Frag,” and “Fragnesia”. With a public Proof-of-Concept (PoC) already released, system administrators must act immediately to prevent unauthorized root access.
The root cause
The kernel lacks a `.vet_description` hook for `cifs_spnego_key_type`. This omission means the kernel does not verify whether a request for a `cifs.spnego` key originated from the trusted CIFS subsystem or from a malicious user process.
An attacker can exploit this by calling `request_key()` or `add_key()` directly, forging the key description to include malicious parameters such as `pid` and `upcall_target`.
How the Exploit Works
Exploitation requires a vulnerable kernel, a compatible cifs-utils version, and the ability to create unprivileged user namespaces. Many mainstream Linux distributions have been found vulnerable out of the box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.
Fake Request Creation: An attacker with basic local access creates a fake cifs.spnego request and sends it to the Linux kernel.
Root Privilege Abuse: The kernel automatically launches the cifs.upcall helper tool with root privileges, trusting the request as legitimate.
Namespace Hijacking: By abusing Linux namespace settings, the attacker tricks the root process into operating inside an attacker-controlled environment.
Malicious Code Execution: The attacker places a fake nsswitch.conf file and a malicious shared library inside this environment. When the root process performs a system lookup, it unknowingly loads and executes the attacker’s malicious code as root.
Full Root Access: The public proof-of-concept exploit ultimately adds a NOPASSWD: ALL entry to the sudoers configuration, allowing the attacker to gain unrestricted root access to the Linux system.
Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.
Recommendation on security patches
The kernel patch introduces a `vet_description` hook for the `cifs.spnego` key type to verify that descriptions are requested under the CIFS client's internal `spnego_cred`.
This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure `cifs.upcall` does not blindly trust descriptions merely because they appear to originate from the kernel.
Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, tightening request-key rules for `cifs.spnego`, and restricting unprivileged user namespaces.
Key Highlights from Drupal Core SQL Injection Vulnerability: CVE-2026-9082
Severity: Highly Critical
CVSSv3: 6.5 (Medium)
CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core's database abstraction API.
It can be exploited by unauthenticated attackers on sites using PostgreSQL.
No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.
According to Tenable, this vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal's PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations. No exploitation in the wild has been reported.
Older versions of Drupal, specifically Drupal 8.9 and 9.5, have reached end-of-life (EOL), are no longer officially supported, and would not normally receive security update packages.
Drupal has still released special emergency “hotfix” files for:
Drupal 9.5.11
Drupal 8.9.20
These hotfixes help protect vulnerable websites from the reported security issue. The update also includes security fixes from third-party components used inside Drupal, including:
Symfony
Twig
Even if organizations are not using PostgreSQL databases, Drupal still recommends updating because other security vulnerabilities are also fixed in these releases.
Affected Environments by CVE-2026-9082
The vulnerability only affects certain versions of Drupal when the website uses a PostgreSQL database.
In simple terms:
Vulnerable versions:
Drupal 8.9.0 to 11.3.9
Affected only if:
The site uses PostgreSQL as its database backend
The issue exists in the PostgreSQL-specific code used by Drupal to process database queries.
Websites using MySQL, MariaDB or SQLite are not affected by this particular vulnerability because they use different database handling code.
Additionally: Drupal 7 is completely unaffected by this issue.
A list of Tenable plugins for this vulnerability is available on the individual CVE page for CVE-2026-9082 as they are released, including upcoming plugins in Tenable's Plugins Pipeline.
Drupal estimates that under 5% of installations run on PostgreSQL. Across the hundreds of thousands of public Drupal sites, that still leaves thousands of internet-reachable targets, concentrated in the segments where Drupal adoption is strongest.
Drupal Patches:
Drupal released fixes across all six supported branches on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The security team also published exceptional patches for the end-of-life 8.9 and 9.5 branches, given the severity and the volume of legacy installations.
The advisory recommends upgrading to the patched release matching the current branch (11.3.x to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, 10.4.x or earlier to 10.4.10). Drupal 8 and 9 sites should treat the exceptional patches as a stopgap rather than a long-term position, because other unpatched issues remain in those branches.
Defenders should verify patch status directly with their hosting provider rather than assume any specific platform-level fix is in place.
Federal agencies and organizations are required to remediate the issue by May 27, 2026, under Binding Operational Directive (BOD) 22-01.
Conclusion: Because of improper input validation, attackers can inject SQL commands through application input fields. If user input is not validated or parameterized before it reaches the database, attackers may manipulate backend database operations, potentially bypassing authentication controls, reading sensitive database contents, or modifying and deleting data.
If a patch cannot be applied or does not match the deployed application version, organizations should consider temporarily turning off affected services until mitigation measures are in place. The active exploitation of CVE-2026-9082 underscores the ongoing risk posed by SQL injection vulnerabilities in widely used platforms such as Drupal.
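The pattern the conclusion describes, shown as an added example that is not Drupal code and not the CVE-2026-9082 bug itself: a constructed in-memory SQLite table with one account, a lookup that splices untrusted input into the SQL text, and the same lookup with the value bound as a parameter so the database never interprets it as SQL. The table, rows, function names and the crafted input are all constructed for this example.

```python
"""Added example, not Drupal code and not the CVE-2026-9082 bug itself: the SQL
injection pattern described in the conclusion, vulnerable form beside the fix,
on a constructed in-memory SQLite database.
"""
import sqlite3


def make_db():
    """Constructed users table with a single account (values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-real-password')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: untrusted input becomes part of the SQL statement text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Fixed: the value is bound to a placeholder, so quotes inside it stay data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    """Run both lookups on the same constructed input and return what each one matched."""
    conn = make_db()
    # Constructed input: a quote that closes the literal plus an always-true condition.
    crafted = "nobody' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),      # matches every row
        "parameterized": lookup_parameterized(conn, crafted),  # matches nothing
        "legitimate": lookup_parameterized(conn, "admin"),     # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns the `admin` row for an input that names no real account, which is exactly the authentication-bypass outcome the conclusion warns about; the parameterized version returns nothing for that input and still finds the real account by name.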
Overview: The PinTheft vulnerability originates from improper memory reference handling inside the Linux kernel's RDS zerocopy implementation.
A newly disclosed Linux privilege escalation vulnerability named PinTheft allows local unprivileged users to gain full root access on vulnerable systems. Modern Linux systems use “zerocopy” operations to improve performance by avoiding unnecessary memory duplication during network transfers. In this case, failed RDS zerocopy operations improperly release memory references multiple times.
The flaw combines a long-standing issue in the Linux kernel’s RDS (Reliable Datagram Sockets) zerocopy functionality with io_uring to overwrite SUID-root binaries directly in memory and spawn a root shell.
Impact of PinTheft Vulnerability:
The issue primarily impacts systems where RDS modules are enabled and loadable, along with io_uring support. Researchers confirmed default exposure on Arch Linux, while several enterprise Linux distributions mitigate the risk by disabling or blocking RDS modules by default.
What makes PinTheft particularly dangerous is that the exploit modifies SUID-root binaries only in memory, leaving the original files on disk untouched.
PinTheft demonstrates how older kernel flaws can become highly exploitable when combined with newer Linux subsystems such as io_uring.
The vulnerability also highlights:
The increasing complexity of Linux kernel attack surfaces
Risks associated with performance-oriented kernel optimizations
The importance of minimizing unnecessary kernel modules in production environments
For enterprise security teams, systems allowing untrusted local workloads should be prioritized for immediate mitigation and monitoring.
The vulnerability impacts Linux kernels dating back to version 4.17, first released in 2018, highlighting how long-standing kernel flaws can remain dormant until newer features enable reliable exploitation techniques.
Affected environments:
Researchers confirmed that:
Arch Linux systems were vulnerable by default
Some distributions ship RDS modules disabled or blacklisted
Certain enterprise Linux distributions are not affected because RDS is absent or io_uring is disabled by default
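The CIFSwitch recommendations earlier on this page (disable CIFS where unused, remove cifs-utils, tighten request-key rules for cifs.spnego, restrict unprivileged user namespaces) and the PinTheft exposure conditions just listed (RDS module loadable, io_uring enabled) can be checked with one host audit. The script below is an added example, not code from the original article or from any project it cites. Each check takes the text of the file it inspects, so it can run on the live /etc and /proc locations (as in the `__main__` block) or on constructed samples; the file locations and line formats are standard Linux ones, while the finding names and the "exposed" verdict are this example's own.

```python
"""Added example, not code from the original article or any project it cites:
audit a Linux host against the CIFSwitch defense-in-depth items (cifs-utils,
the cifs.spnego request-key rule, unprivileged user namespaces) and the
PinTheft exposure conditions (rds module, io_uring).
"""
import re
from pathlib import Path

# Uncommented request-key rule that hands cifs.spnego keys to a userspace helper, e.g.
#   create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %k
_SPNEGO_RULE = re.compile(r"^\s*create\s+cifs\.spnego\s+\S+\s+\S+\s+(\S+)")
# modprobe.d lines that neutralise a module: "blacklist rds" or "install rds /bin/false"
_BLACKLIST = re.compile(r"^\s*blacklist\s+(\S+)")
_INSTALL_STUB = re.compile(r"^\s*install\s+(\S+)\s+/bin/(false|true)\b")


def _to_int(text):
    """Integer from a one-line sysctl file, or None when the text is empty or not numeric."""
    try:
        return int(text.strip())
    except (ValueError, AttributeError):
        return None


def spnego_upcall_helpers(request_key_text):
    """Helper binaries that active (uncommented) request-key rules route cifs.spnego to."""
    helpers = []
    for line in request_key_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SPNEGO_RULE.match(line)
        if m:
            helpers.append(m.group(1))
    return helpers


def loaded_modules(proc_modules_text):
    """Names of loaded modules from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def neutralised_modules(modprobe_text):
    """Modules that modprobe.d fragments blacklist or stub out with /bin/false or /bin/true."""
    found = set()
    for line in modprobe_text.splitlines():
        for rx in (_BLACKLIST, _INSTALL_STUB):
            m = rx.match(line)
            if m:
                found.add(m.group(1))
    return found


def userns_restricted(max_userns_text):
    """True when user.max_user_namespaces is 0, i.e. unprivileged user namespace creation is off."""
    return _to_int(max_userns_text) == 0


def io_uring_disabled(io_uring_sysctl_text):
    """True when kernel.io_uring_disabled is 2 (fully off; the sysctl exists on 6.6+ kernels)."""
    return _to_int(io_uring_sysctl_text) == 2


def audit(request_key_text, proc_modules_text, modprobe_text, max_userns_text, io_uring_text):
    """Combine the checks into (finding, exposed) pairs; exposed=True means the item is still open."""
    mods = loaded_modules(proc_modules_text)
    blocked = neutralised_modules(modprobe_text)
    return [
        ("cifs.spnego request-key rule routes to a helper", bool(spnego_upcall_helpers(request_key_text))),
        ("cifs module loaded", "cifs" in mods),
        ("unprivileged user namespaces allowed", not userns_restricted(max_userns_text)),
        ("rds module loaded", "rds" in mods),
        ("rds module not blacklisted", "rds" not in blocked),
        ("io_uring enabled", not io_uring_disabled(io_uring_text)),
    ]


def _read(path):
    """File text, or '' when the file is missing or unreadable."""
    try:
        return Path(path).read_text()
    except OSError:
        return ""


def _read_dir(dirpath):
    """Concatenated text of every *.conf fragment in a directory ('' if absent)."""
    d = Path(dirpath)
    return "\n".join(_read(p) for p in sorted(d.glob("*.conf"))) if d.is_dir() else ""


if __name__ == "__main__":
    # Live run against the host's standard locations.
    results = audit(_read_dir("/etc/request-key.d"), _read("/proc/modules"),
                    _read_dir("/etc/modprobe.d"), _read("/proc/sys/user/max_user_namespaces"),
                    _read("/proc/sys/kernel/io_uring_disabled"))
    for finding, exposed in results:
        print(("EXPOSED " if exposed else "ok      ") + finding)
```

A missing `io_uring_disabled` sysctl (kernels before 6.6) is reported as "io_uring enabled", since such kernels offer no switch to turn it off; a blacklisted `rds` module that is nonetheless already loaded is reported on both lines, because the blacklist only prevents future autoloading.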
PoC Released
The release of a public proof-of-concept significantly increases operational risk for organizations running affected Linux environments.
Unlike remote vulnerabilities, PinTheft requires local access. However, once an attacker gains even limited user-level execution, the exploit provides a reliable path to full root compromise.
RakshaOne from Intrucept
RakshaOne can play a significant role in detecting and responding to the PinTheft Linux privilege escalation vulnerability. Since the exploit abuses kernel-level behavior and enables local users to gain root access while leaving minimal traces on disk, traditional security tools may struggle to identify the attack. RakshaOne helps security analysts and SOC teams gain centralized visibility across Linux servers, workloads, and enterprise infrastructure, allowing them to quickly understand the scope and context of suspicious activity.
By combining threat intelligence, behavioral analytics, and automated alert correlation, RakshaOne can detect abnormal privilege escalation attempts, suspicious SUID binary execution, unusual kernel activity, and unauthorized module loading associated with PinTheft exploitation.
The platform also simplifies incident response by automatically prioritizing high-risk alerts and correlating related events, helping organizations identify both known and unknown threats faster.
This becomes especially important for multi-tenant Linux environments, CI/CD runners, container hosts, and shared infrastructure where local privilege escalation vulnerabilities can rapidly lead to full system compromise.
Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. CISA confirmed the exploitation by adding both flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Microsoft addressed the two defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender's files remain on disk.
CVE-2026-41091 affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.
CVE-2026-45498 affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.
| CVE ID | Affected Product | Vulnerability Description | Potential Impact | Severity Rating |
| --- | --- | --- | --- | --- |
| CVE-2026-41091 | Microsoft Malware Protection Engine | Vulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning engine | Privilege escalation allowing attackers to gain SYSTEM-level access | 🔴 Critical |
| CVE-2026-45498 | Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier | Vulnerability affecting Microsoft Defender and related endpoint protection platforms | Security risk impacting endpoint protection systems and enterprise security tools | 🟠 High |
What CVE-2026-41091 allows:
The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
With this access, attackers could potentially take full control of the affected device.
What CVE-2026-45498 allows:
Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.
As a result, users may experience:
System slowdowns or freezes
Security services stopping unexpectedly
CISA Adds the vulnerability in its KEV
These vulnerabilities suit malware campaigns well and put attackers at an advantage: first, to evade detection on systems that rely solely on Microsoft endpoint protection, and second, to gain full control over the system.
On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.
Privilege Escalation Flaw:
The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.
mpengine.dll (Microsoft Malware Protection Engine) is responsible for:
Malware scanning
Threat detection
File inspection
Cleaning and remediation operations
The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
On Tuesday, the agency also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.
CISA gave federal agencies until June 3 to ensure mitigation measures are in place.
Threat Mitigation advice from Microsoft:
“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.
Most Windows systems using Microsoft Defender are configured to update automatically. If automatic updates are enabled, users usually do not need to install the security fix manually.
Microsoft Defender is expected to download and apply the updated malware protection engine and the required security update in the background.
Users can verify that all the latest updates are installed and that device protection is configured against the recently disclosed vulnerabilities.
The April 2026 vulnerabilities identified in Defender:
A few months ago, a zero-day vulnerability in Microsoft Defender, dubbed "RedSun," allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.
RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as "Chaotic Eclipse".
For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.
RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
SIEM Helps Detect Exploitation
Privilege Escalation Detection (CVE-2026-41091)
The SIEM can correlate:
Suspicious file write activity
Abnormal SYSTEM privilege assignments
Unexpected execution of privileged processes
Defender engine (mpengine.dll) anomalies
Unauthorized access attempts to protected system directories
DoS & Security Service Monitoring (CVE-2026-45498)
The SIEM can detect:
Unexpected Microsoft Defender crashes
Antimalware service restarts
Endpoint protection failures
Repeated system instability events
Disabled or unavailable Defender services
This helps security teams identify attempts to disrupt endpoint protection mechanisms.
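The correlations listed above, as an added example rather than any vendor's or the article's own detection content: three rules run over a constructed batch of endpoint events, one for Defender service instability (the CVE-2026-45498 side), one for SYSTEM-level writes into protected directories by unexpected processes, and one for `mpengine.dll` loaded from an unexpected path (the CVE-2026-41091 side). The event schema, the allowlists, the paths treated as protected and the thresholds are this example's own assumptions; `WinDefend`, `MsMpEng.exe` and `mpengine.dll` are the real Defender service, engine process and engine module names.

```python
"""Added example, not code from Microsoft, CISA or the original article: SIEM-style
correlation rules for the Defender flaws discussed above, run over constructed events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions of this example: which directories count as protected, which processes are
# expected to write there as SYSTEM, and where the engine module normally lives.
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\program files\windows defender")
EXPECTED_SYSTEM_WRITERS = {"msmpeng.exe", "tiworker.exe", "trustedinstaller.exe"}
EXPECTED_ENGINE_DIR = r"c:\programdata\microsoft\windows defender\definition updates"
RESTART_THRESHOLD, RESTART_WINDOW = 3, timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def defender_instability(events):
    """Hosts with >= RESTART_THRESHOLD WinDefend stop/crash events inside one RESTART_WINDOW span."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] in ("service_stopped", "service_crashed") and e.get("service", "").lower() == "windefend":
            per_host[e["host"]].append(_ts(e))
    alerts = []
    for host, stamps in per_host.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= RESTART_WINDOW:
                j += 1
            if j - i + 1 >= RESTART_THRESHOLD:
                alerts.append((host, "defender_service_instability"))
                break
    return alerts


def suspicious_privileged_writes(events):
    """SYSTEM-level writes into protected directories by processes not expected to make them."""
    return [(e["host"], "unexpected_system_write", e["path"]) for e in events
            if e["type"] == "file_write" and e.get("user", "").upper() == "SYSTEM"
            and e["path"].lower().startswith(PROTECTED_DIRS)
            and e["image"].lower() not in EXPECTED_SYSTEM_WRITERS]


def engine_load_anomalies(events):
    """mpengine.dll loaded from anywhere other than the Defender definition-update directory."""
    return [(e["host"], "mpengine_unexpected_path", e["module"]) for e in events
            if e["type"] == "image_load" and e["module"].lower().endswith("\\mpengine.dll")
            and not e["module"].lower().startswith(EXPECTED_ENGINE_DIR)]


def correlate(events):
    """All alerts from the three rules, in rule order."""
    return defender_instability(events) + suspicious_privileged_writes(events) + engine_load_anomalies(events)


# Constructed sample batch: ws01 shows a crash loop plus suspicious activity, ws02 is benign noise.
# "{GUID}" below is a placeholder for the per-update folder name.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T10:00:00", "host": "ws01", "type": "service_crashed", "service": "WinDefend"},
    {"ts": "2026-05-20T10:03:10", "host": "ws01", "type": "service_stopped", "service": "WinDefend"},
    {"ts": "2026-05-20T10:07:45", "host": "ws01", "type": "service_crashed", "service": "WinDefend"},
    {"ts": "2026-05-20T10:08:00", "host": "ws01", "type": "file_write", "user": "SYSTEM",
     "image": "updater.exe", "path": r"C:\Windows\System32\drivers\example.sys"},
    {"ts": "2026-05-20T10:08:30", "host": "ws01", "type": "image_load",
     "module": r"C:\Users\Public\mpengine.dll"},
    {"ts": "2026-05-20T09:00:00", "host": "ws02", "type": "service_stopped", "service": "WinDefend"},
    {"ts": "2026-05-20T09:40:00", "host": "ws02", "type": "service_stopped", "service": "WinDefend"},
    {"ts": "2026-05-20T09:41:00", "host": "ws02", "type": "file_write", "user": "SYSTEM",
     "image": "MsMpEng.exe", "path": r"C:\Program Files\Windows Defender\Scans\History\log.bin"},
    {"ts": "2026-05-20T09:42:00", "host": "ws02", "type": "image_load",
     "module": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{GUID}\mpengine.dll"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(*alert)
```

Only ws01 produces alerts: three WinDefend failures inside ten minutes, a SYSTEM-level write into `System32` by a process outside the allowlist, and an engine module loaded from a user-writable location. The two ws02 service stops are forty minutes apart and its writes and module loads match the expected sources, so it stays quiet; in production the allowlists would be tuned to the fleet's actual update and servicing processes.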
The NGINX rewrite module is used to redirect or modify web requests.
The NGINX vulnerability tracked as CVE-2026-42945 is an 18-year-old programming error in which the software reads or writes more data in memory than it should, causing a heap buffer overflow when certain rewrite rules are configured in a vulnerable way.
This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Attackers do not need any authentication to send malformed requests to affected servers. The vulnerability was discovered with the help of AI models in recent months, after being missed by scanners and humans for years.
How the attack can be leveraged and potential impact
Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well.
Crash or restart the NGINX server remotely
Cause websites or applications to become unavailable
Launch Denial-of-Service (DoS) attacks
In the worst case, if the OS-level protection called ASLR (Address Space Layout Randomization) is disabled on the Windows or Linux host:
Attackers may be able to run malicious code on the server
This could potentially lead to full server compromise
The attack requires no authentication and can be performed remotely, while an estimated 5.7 million internet-facing NGINX servers may be exposed
Exploitation is already happening in real-world attacks
The vulnerable code has reportedly existed for nearly 18 years
| Vulnerability | Details |
| --- | --- |
| CVE ID | CVE-2026-42945 |
| Severity | High / Critical |
| Affected Product | NGINX OSS & NGINX Plus |
| Impact | DoS / Possible Remote Code Execution |
| Attack Requirement | Specially crafted web requests |
| Authentication Needed | No |
Researchers also found additional medium-severity vulnerabilities affecting:
HTTP/3 QUIC module
HTTP/2 proxy mode
SSL module
SCGI and uWSGI modules
Charset handling module
These may cause:
Memory exhaustion
Data leakage
Spoofing attacks
Service instability
A crafted request triggers a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the worker crashes and is restarted, causing a Denial-of-Service (DoS) condition.
Immediate Patching Recommendation
Upgrade to the latest patched NGINX versions immediately.
Review and modify vulnerable rewrite rules.
Restrict unnecessary internet exposure of NGINX servers.
Monitor for unexpected NGINX crashes or restarts.
Ensure ASLR and other OS-level security protections remain enabled.
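The last two recommendations (monitor for unexpected NGINX crashes or restarts; keep ASLR enabled) can be checked with a small monitor. The script below is an added example and not NGINX project code: it parses the master process's "worker process N exited on signal S" alerts out of nginx error-log text, reports bursts of crashes, and evaluates the Linux ASLR sysctl `kernel.randomize_va_space` (2 = full randomization). The log lines are constructed in the real nginx error-log format; the burst threshold and window are this example's own choices.

```python
"""Added example, not NGINX project code: detect bursts of nginx worker crashes
from error-log text and check that Linux ASLR is fully enabled.
"""
import re
from datetime import datetime, timedelta
from pathlib import Path

# Master-process alert written when a worker dies, e.g.
#   2026/05/21 10:15:32 [alert] 1001#1001: worker process 1002 exited on signal 11 (core dumped)
WORKER_EXIT = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)")
CRASH_THRESHOLD, CRASH_WINDOW = 3, timedelta(minutes=5)  # this example's own tuning


def parse_worker_crashes(log_text):
    """(timestamp, worker pid, signal) for every worker-exit alert in the log text."""
    crashes = []
    for line in log_text.splitlines():
        m = WORKER_EXIT.match(line)
        if m:
            crashes.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                            int(m.group(2)), int(m.group(3))))
    return crashes


def crash_bursts(crashes):
    """Non-overlapping runs of >= CRASH_THRESHOLD crashes within CRASH_WINDOW, as (start, count)."""
    stamps = sorted(ts for ts, _pid, _sig in crashes)
    bursts, i = [], 0
    while i < len(stamps):
        j = i
        while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= CRASH_WINDOW:
            j += 1
        if j - i + 1 >= CRASH_THRESHOLD:
            bursts.append((stamps[i], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


def aslr_fully_enabled(sysctl_text):
    """True when kernel.randomize_va_space reads 2 (stack, mmap, VDSO and heap all randomized)."""
    try:
        return int(sysctl_text.strip()) == 2
    except ValueError:
        return False


# Constructed sample: four SIGSEGV (signal 11) worker exits in under two minutes, then one isolated exit.
SAMPLE_LOG = """\
2026/05/21 10:15:32 [alert] 1001#1001: worker process 1002 exited on signal 11 (core dumped)
2026/05/21 10:15:32 [notice] 1001#1001: start worker process 1010
2026/05/21 10:15:40 [alert] 1001#1001: worker process 1010 exited on signal 11 (core dumped)
2026/05/21 10:15:41 [notice] 1001#1001: start worker process 1011
2026/05/21 10:16:02 [error] 1011#1011: *7 open() "/var/www/html/x" failed (2: No such file or directory)
2026/05/21 10:16:55 [alert] 1001#1001: worker process 1011 exited on signal 11 (core dumped)
2026/05/21 10:17:10 [alert] 1001#1001: worker process 1012 exited on signal 11 (core dumped)
2026/05/21 11:30:00 [alert] 1001#1001: worker process 1020 exited on signal 11 (core dumped)
"""


if __name__ == "__main__":
    crashes = parse_worker_crashes(SAMPLE_LOG)
    for start, count in crash_bursts(crashes):
        print(f"ALERT: {count} nginx worker crashes starting {start:%Y-%m-%d %H:%M:%S}")
    try:
        aslr_text = Path("/proc/sys/kernel/randomize_va_space").read_text()
        print("ASLR fully enabled:", aslr_fully_enabled(aslr_text))
    except OSError:
        print("ASLR sysctl not readable on this host")
```

Because nginx's master respawns workers automatically, a single crash often goes unnoticed; counting worker-exit alerts per window rather than watching service state is what surfaces the restart loop the recommendation refers to. The isolated exit at 11:30 is deliberately left below the threshold so that routine one-off failures do not page anyone.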
The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.
How GaarudNode Helps Secure Against This Vulnerability
GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.
| Security Capability | How It Helps |
| --- | --- |
| Continuous OS & Infrastructure Vulnerability Scanning | Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads |
| Missing Patch Detection | Identifies systems missing critical NGINX security updates and tracks remediation status |
| Misconfiguration Assessment | Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw |
| CSPM (Cloud Security Posture Management) | Identifies internet-exposed NGINX instances and insecure cloud deployments |
| Network Security Visibility | Detects externally exposed web services and risky attack surfaces |
| Runtime Monitoring (Shift Right) | Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts |
| Risk Prioritization | Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation |
| Unified Risk Dashboard | Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks |