
Chrome Gets Massive Security Fix: Google Resolves 151 Vulnerabilities, 22 Rated Critical

Google has released a major security update for Google Chrome Stable Channel, addressing 151 vulnerabilities, including 22 critical flaws impacting core graphics, networking, media, and user interface components across Windows, macOS, and Linux platforms.

Critical Vulnerabilities Addressed in Chrome Update

Google has patched three Critical-severity vulnerabilities in Google Chrome that could potentially allow attackers to execute arbitrary code or compromise affected systems.

  • CVE-2026-7896 – An integer overflow vulnerability in the Blink rendering engine. The flaw was reported by an external security researcher on March 18 and was significant enough to receive a $43,000 bug bounty reward from Google.
  • CVE-2026-7897 – A use-after-free vulnerability affecting the Chrome Mobile component, internally identified by Google on April 18.
  • CVE-2026-7898 – A use-after-free vulnerability in Chromoting (Chrome Remote Desktop), internally discovered by Google on April 20.

Successful exploitation of these vulnerabilities could lead to memory corruption, application crashes, or remote code execution under certain conditions. Users and organizations are strongly advised to update Chrome to the latest available Stable release immediately.

Google Chrome versions 148.0.7778.215 for Android and Linux, 148.0.7778.215/216 for macOS, and 148.0.7778.216/217 for Windows contain the bug fixes, as Google writes in the release announcement. For Android and iOS, Google is also rolling out browsers from the 149 version branch in smaller waves.

The update for Chromium-based web browsers is usually initiated from the version dialog, which is found under “Help” and then “About” (or “Info”) on the respective browser name in the browser menu (usually an icon with three stacked dots or lines). On Linux, the distribution’s software management is usually responsible for this. Updates often arrive with a delay in Apple’s and Google’s app stores, however, and they cannot be forced to arrive sooner.

Those who use Chromium-based web browsers such as Microsoft Edge should also check whether that browser’s manufacturer has already distributed the corresponding updates.

Chrome updates:

According to Chrome’s advisory, the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.

Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities.

The next stable release, Chrome 149, is scheduled for June 2, 2026. Users can update via Settings → Help → About Google Chrome, which triggers an automatic download and install.

Sources: https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html

Sources: https://www.heise.de/en/news/Chrome-update-closes-151-security-holes-22-of-them-critical-11310878.html

Zero-Click WhatsApp Exploit Silently Hijacks iOS 16 Accounts Without User Interaction

Italian digital forensics firm Forenser has uncovered a sophisticated zero-click attack campaign that enables threat actors to covertly compromise WhatsApp accounts while legitimate users remain actively logged in and unaware of the intrusion.

The incidents primarily affected iPhone users running iOS 16, spanning devices from the iPhone 8 through the iPhone 14 series. Victims reported unauthorized WhatsApp messages requesting money transfers being sent from their accounts, despite no unfamiliar sessions or devices appearing within the app’s “Linked Devices” section.

What the researchers identified

Forenser’s analysis identified unusual “resync” events in iOS unified logs, indicating that both the victim’s device and the attacker’s client were simultaneously competing to maintain control over the same WhatsApp session.

The attack chain combined two separate vulnerabilities to achieve a stealthy WhatsApp account takeover on vulnerable iPhones.

  • The first flaw, CVE-2025-43300, is an out-of-bounds write vulnerability within Apple’s ImageIO framework, a core iOS component responsible for processing image files.
  • By exploiting this ImageIO flaw, attackers could potentially execute malicious code on targeted iPhones without requiring any user interaction, making it a true zero-click exploit.
  • The second vulnerability, CVE-2025-55177, affected WhatsApp’s linked-device synchronization mechanism on iOS devices running versions earlier than iOS 16.7.12.

Attackers reportedly leveraged this WhatsApp synchronization weakness to secretly instantiate and maintain unauthorized WhatsApp sessions on compromised devices. The chained exploitation enabled threat actors to bypass normal WhatsApp security visibility, meaning compromised sessions did not appear under the app’s “Linked Devices” section.

Impact on Users

  • Attackers can gain full access to a victim’s WhatsApp account without the user clicking any link or opening any file.
  • Victims may not receive any warning, notification, or suspicious login alert during the compromise.
  • The hijacked session does not appear under WhatsApp’s “Linked Devices,” making detection extremely difficult.
  • Cybercriminals can impersonate victims and send fraudulent messages to contacts requesting money transfers or sensitive information.
  • Personal conversations, shared media, and confidential data may be exposed to attackers.
  • Users can experience ongoing session instability due to simultaneous access attempts between the legitimate device and the attacker.
  • Traditional phishing awareness offers limited protection because the exploit requires zero user interaction.
  • Individuals running outdated or unpatched iOS 16 versions face a significantly higher risk of compromise.
  • Financial fraud risks increase as attackers exploit trust between victims and their contacts.
  • Business users may face corporate data exposure, reputational damage, and unauthorized access to sensitive communications.

The attack demonstrates how mobile messaging platforms are increasingly becoming high-value targets for sophisticated cybercriminals. It highlights the critical importance of rapid OS updates, mobile threat monitoring, and secure communication practices.

Reminder for Organizations on Timely Patching

This incident serves as a critical reminder for organizations that timely patch management and proactive mobile security are essential components of enterprise defense strategies.

Proactive threat intelligence, incident response readiness and Zero Trust security principles cannot be neglected when defending against increasingly advanced attacks targeting communication platforms and sensitive business data.


Sources: Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning

Attackers May Exploit SQL Injection Vulnerability in Drupal’s Database

Key Highlights from Drupal Core SQL Injection Vulnerability: CVE-2026-9082

Severity: Highly Critical

CVSSv3: 6.5 (Medium)

  1. CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API.
  2. Can be exploited by unauthenticated attackers on sites using PostgreSQL.
  3. No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
  4. Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.

Critical SQL Injection Vulnerability in Drupal Core Affects Sites Running PostgreSQL

As per Tenable, this vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations. No exploitation in the wild has been reported.

Threat Mitigation: Drupal Core SQL Injection Vulnerability

Older versions of Drupal — specifically Drupal 8.9 and 9.5 — have reached end-of-life (EOL), so they are no longer officially supported and do not normally receive security update packages anymore.

Drupal has still released special emergency “hotfix” files for:

  • Drupal 9.5.11
  • Drupal 8.9.20

These hotfixes help protect vulnerable websites from the reported security issue. The update also includes security fixes from third-party components used inside Drupal, including:

  • Symfony
  • Twig

Even if organizations are not using PostgreSQL databases, Drupal still recommends updating because other security vulnerabilities are also fixed in these releases.

Affected Environments by CVE-2026-9082

The vulnerability only affects certain versions of Drupal when the website uses a PostgreSQL database.

In simple terms:

  • Vulnerable versions:
    • Drupal 8.9.0 to 11.3.9
  • Affected only if:
    • The site uses PostgreSQL as its database backend

The issue exists in the PostgreSQL-specific code used by Drupal to process database queries.

Websites using MySQL, MariaDB or SQLite are not affected by this particular vulnerability because they use different database handling code.

Additionally: Drupal 7 is completely unaffected by this issue.

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they are released. That page lists all available plugins for this vulnerability, including upcoming plugins in Tenable’s Plugins Pipeline.

Drupal estimates that under 5% of installations run on PostgreSQL. Across the hundreds of thousands of public Drupal sites, that still leaves thousands of internet-reachable targets, concentrated in the segments where Drupal adoption is strongest.

Drupal Patches:

Drupal released fixes across all six supported branches on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The security team also published exceptional patches for the end-of-life 8.9 and 9.5 branches, given the severity and the volume of legacy installations.

The advisory recommends upgrading to the patched release matching the current branch (11.3.x to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, 10.4.x or earlier to 10.4.10). Drupal 8 and 9 sites should treat the exceptional patches as a stopgap rather than a long-term position, because other unpatched issues remain in those branches.

Defenders should verify patch status directly with their hosting provider rather than assume any specific platform-level fix is in place.
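As an added example (not Drupal’s or Tenable’s code) of turning the advisory’s branch mapping into a repeatable check, the script below triages a site from its Drupal core version and database driver. The driver names (“pgsql”, “mysql”, “sqlite”) are Drupal’s own; treating a version at or above its branch target, or outside 8.9.0 to 11.3.9, as fixed is an assumption of this example.

```python
# Added example (not Drupal's or Tenable's code): triage a site's exposure to
# CVE-2026-9082 from its Drupal core version and database driver, and name the
# patched release the advisory maps its branch to. Vulnerable range, branch
# targets, EOL hotfixes and the PostgreSQL precondition come from the advisory
# summary above. Assumption: any version at or above its branch target, or
# outside 8.9.0-11.3.9, is treated as fixed.
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patched release per branch, including the exceptional end-of-life hotfixes.
BRANCH_TARGETS = {
    (8, 9): (8, 9, 20), (9, 5): (9, 5, 11),
    (10, 4): (10, 4, 10), (10, 5): (10, 5, 10), (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10), (11, 2): (11, 2, 12), (11, 3): (11, 3, 10),
}
EOL_BRANCHES = {(8, 9), (9, 5)}
FIRST_VULNERABLE: Version = (8, 9, 0)
LAST_VULNERABLE: Version = (11, 3, 9)
AFFECTED_DRIVERS = {"pgsql"}  # the PostgreSQL condition handler only runs with this driver


def parse_version(text: str) -> Version:
    """'11.3.9' -> (11, 3, 9); a Drupal 7 style '7.104' is padded to (7, 104, 0)."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def branch_target(v: Version) -> Optional[Version]:
    """Advisory mapping: 11.0.x/11.1.x -> 11.1.10, 10.4.x or earlier -> 10.4.10,
    otherwise the patched release of the same branch (None if the branch has none)."""
    major, minor, _ = v
    if major == 11 and minor in (0, 1):
        return BRANCH_TARGETS[(11, 1)]
    if major == 10 and minor <= 4:
        return BRANCH_TARGETS[(10, 4)]
    return BRANCH_TARGETS.get((major, minor))


@dataclass
class Triage:
    vulnerable: bool
    reason: str
    upgrade_to: Optional[str] = None


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(version_text: str, db_driver: str) -> Triage:
    v = parse_version(version_text)
    if v < FIRST_VULNERABLE or v > LAST_VULNERABLE:
        return Triage(False, f"{version_text} is outside the affected range 8.9.0-11.3.9 (Drupal 7 is unaffected)")
    target = branch_target(v)
    if target is not None and v >= target:
        return Triage(False, f"{version_text} already carries the fix for its branch")
    if db_driver not in AFFECTED_DRIVERS:
        # Not exposed to this bug, but the releases also bundle Symfony/Twig fixes.
        return Triage(False, f"{db_driver} backend is not affected; still update for the bundled Symfony/Twig fixes")
    if target is None:
        return Triage(True, f"{version_text} on PostgreSQL has no patched release in its branch; move to a supported branch")
    note = " (EOL hotfix, a stopgap only)" if target[:2] in EOL_BRANCHES else ""
    return Triage(True, f"{version_text} on PostgreSQL is below {fmt(target)}{note}", fmt(target))


if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    for ver, drv in [("11.3.9", "pgsql"), ("11.0.3", "pgsql"), ("9.5.10", "pgsql"), ("11.3.9", "mysql")]:
        print(ver, drv, "->", triage(ver, drv))
```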

CISA Adds CVE-2026-9082 to its KEV Catalog

The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026, indicating confirmed exploitation activity.

Federal agencies and organizations are required to remediate the issue by May 27, 2026, under Binding Operational Directive (BOD) 22-01.

Conclusion: Because of improper input validation, attackers can insert harmful SQL commands into an application’s input fields. If user input is not checked or sanitized before it is sent to the database, attackers may manipulate backend database operations, potentially bypassing authentication controls. This may lead to access to sensitive database information and to the modification or deletion of data.

If patching is not possible, or no patched release matches the application, organizations should consider temporarily turning off affected services until mitigation measures are in place. The active exploitation of CVE-2026-9082 underscores the ongoing risk posed by SQL injection vulnerabilities in widely used platforms such as Drupal.

PinTheft Linux allows unprivileged local users to gain full root access; PoC Released

Overview: PinTheft vulnerability originates from improper memory reference handling inside the Linux kernel’s RDS zerocopy implementation

A newly disclosed Linux privilege escalation vulnerability named PinTheft allows local unprivileged users to gain full root access on vulnerable systems. Modern Linux systems use “zerocopy” operations to improve performance by avoiding unnecessary memory duplication during network transfers. In this case, failed RDS zerocopy operations improperly release memory references multiple times.

The flaw combines a long-standing issue in the Linux kernel’s RDS (Reliable Datagram Sockets) zerocopy functionality with io_uring to overwrite SUID-root binaries directly in memory and spawn a root shell.

Impact of PinTheft Vulnerability:

The issue primarily impacts systems where RDS modules are enabled and loadable, along with io_uring support. Researchers confirmed default exposure on Arch Linux, while several enterprise Linux distributions mitigate the risk by disabling or blocking RDS modules by default.

What makes PinTheft particularly dangerous is that the exploit modifies SUID-root binaries only in memory, leaving the original files on disk untouched.

PinTheft demonstrates how older kernel flaws can become highly exploitable when combined with newer Linux subsystems such as io_uring.

The vulnerability also highlights:

  • The increasing complexity of Linux kernel attack surfaces
  • Risks associated with performance-oriented kernel optimizations
  • The importance of minimizing unnecessary kernel modules in production environments

For enterprise security teams, systems allowing untrusted local workloads should be prioritized for immediate mitigation and monitoring.

The vulnerability impacts Linux kernels dating back to version 4.17, first released in 2018, highlighting how long-standing kernel flaws can remain dormant until newer features enable reliable exploitation techniques.

Affected environments:

Researchers confirmed that:

  • Arch Linux systems were vulnerable by default
  • Some distributions ship RDS modules disabled or blacklisted
  • Certain enterprise Linux distributions are not affected because RDS is absent or io_uring is disabled by default

PoC Released

The release of a public proof-of-concept significantly increases operational risk for organizations running affected Linux environments.

Unlike remote vulnerabilities, PinTheft requires local access. However, once an attacker gains even limited user-level execution, the exploit provides a reliable path to full root compromise.

The vulnerability also highlights the increasing complexity of Linux kernel attack surfaces, the risks associated with performance-oriented kernel optimizations, and the importance of minimizing unnecessary kernel modules in production environments.

RakshaOne from Intrucept

RakshaOne can play a significant role in detecting and responding to the PinTheft Linux privilege escalation vulnerability. Since the exploit abuses kernel-level behavior and enables local users to gain root access while leaving minimal traces on disk, traditional security tools may struggle to identify the attack. RakshaOne helps security analysts and SOC teams gain centralized visibility across Linux servers, workloads, and enterprise infrastructure, allowing them to quickly understand the scope and context of suspicious activity.

By combining threat intelligence, behavioral analytics, and automated alert correlation, RakshaOne can detect abnormal privilege escalation attempts, suspicious SUID binary execution, unusual kernel activity, and unauthorized module loading associated with PinTheft exploitation.

The platform also simplifies incident response by automatically prioritizing high-risk alerts and correlating related events, helping organizations identify both known and unknown threats faster.

This becomes especially important for multi-tenant Linux environments, CI/CD runners, container hosts, and shared infrastructure where local privilege escalation vulnerabilities can rapidly lead to full system compromise.

References: PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released

Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out

Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. The exploitation was confirmed by CISA, which has added the security flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft says it addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.

CVE-2026-41091 affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.

CVE-2026-45498 affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.

  • CVE-2026-41091
    • Affected product: Microsoft Malware Protection Engine
    • Vulnerability description: affects older versions of the Microsoft antivirus and anti-malware scanning engine
    • Potential impact: privilege escalation allowing attackers to gain SYSTEM-level access
    • Severity rating: 🔴 Critical
  • CVE-2026-45498
    • Affected product: Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier
    • Vulnerability description: affects Microsoft Defender and related endpoint protection platforms
    • Potential impact: security risk impacting endpoint protection systems and enterprise security tools
    • Severity rating: 🟠 High

Impact of CVE-2026-41091:

  • The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
  • By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
  • With this access, attackers could potentially take full control of the affected device.

Impact of CVE-2026-45498:

Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.

As a result, users may experience:

  • System slowdowns or freezes
  • Security services stopping unexpectedly

CISA Adds the Vulnerabilities to its KEV

These vulnerabilities fit well into malware attacks and put attackers at an advantage: first, to evade detection if the system relies only on Microsoft endpoint protection, and second, to gain full control over the system.

On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.

Privilege Escalation Flaw:

The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.

mpengine.dll (Microsoft Malware Protection Engine) is responsible for:

  • Malware scanning
  • Threat detection
  • File inspection
  • Cleaning and remediation operations

The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link-following vulnerability. During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path. An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

On Tuesday, the agency also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.

CISA gave federal agencies until June 3 to ensure mitigation measures are in place.

Threat Mitigation advice from Microsoft:

“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.

Most Windows systems using Microsoft Defender are configured to update automatically. If automatic updates are enabled, users usually do not need to install the security fix manually.

Microsoft Defender is expected to download and apply the updated malware protection engine and the required security update automatically in the background.

Users can still verify that all the latest updates are installed, which configures device protection against the recently disclosed vulnerabilities.

The April 2026 vulnerabilities identified in Defender:

A few months back we witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.

RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse”.

For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.

RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

SIEM Helps Detect Exploitation

Privilege Escalation Detection (CVE-2026-41091)

The SIEM can correlate:

  • Suspicious file write activity
  • Abnormal SYSTEM privilege assignments
  • Unexpected execution of privileged processes
  • Defender engine (mpengine.dll) anomalies
  • Unauthorized access attempts to protected system directories

DoS & Security Service Monitoring (CVE-2026-45498)

The SIEM can detect:

  • Unexpected Microsoft Defender crashes
  • Antimalware service restarts
  • Endpoint protection failures
  • Repeated system instability events
  • Disabled or unavailable Defender services

This helps security teams identify attempts to disrupt endpoint protection mechanisms.

Sources: Security Update Guide – Microsoft Security Response Center


PAN-OS Firewall of PaloAlto Vulnerability Exploited for RCE

CVE-2026-0300 is a critical vulnerability with a CVSS score of 9.3

Palo Alto Networks has issued an urgent advisory for its customers after an actively exploited zero-day vulnerability affected its firewall operating system, PAN-OS. CVE-2026-0300 allows attackers to gain full control of affected systems without authentication.

The zero-day bug stems from a buffer overflow weakness, allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Active Exploitation Observed in the Wild

Palo Alto Networks confirmed in its advisory that exploitation attempts have already been observed and urged its customers and organizations to mitigate exposure immediately.

Affected versions:

  • PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
  • PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 12.1 below 12.1.4-h5, 12.1.7

Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.

PoC of CVE-2026-0300

Palo Alto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.

While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating exploit mechanics.

Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.

Patching & Remediation

Since security patches take time, Palo Alto recommends reducing exposure as the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances.

If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.

The company has stated that security fixes will be released in stages between May 13-28, depending on the PAN‑OS version in use.

In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.

For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.

Monitoring unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.
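As an added example (not Palo Alto Networks’ code) of checking an inventory against the fixed releases listed above, the script below decides whether a PA-Series or VM-Series firewall is still exposed to CVE-2026-0300 from its PAN-OS version string and its User-ID Authentication Portal setting. Two readings of the list are assumptions of this example: a base release newer than the last listed fix for its branch is treated as fixed, and a base release between two listed fixes (e.g. 11.1.8) has no hotfix of its own and must move to the next listed release.

```python
# Added example (not Palo Alto Networks' code): hotfix-aware exposure check
# for CVE-2026-0300. The fixed releases are the ones listed in the advisory
# summary above; the handling of base releases newer than, or between, the
# listed fixes is this example's own assumption (see lead-in).
from typing import Optional, Tuple

FIXED_RELEASES = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "12.1": ["12.1.4-h5", "12.1.7"],
}
# Products the advisory says are not impacted.
NOT_IMPACTED = {"prisma access", "cloud ngfw", "panorama"}

Version = Tuple[int, int, int, int]  # major, minor, maintenance, hotfix


def parse_panos(text: str) -> Version:
    """'11.1.10-h25' -> (11, 1, 10, 25); a release without a -h suffix gets hotfix 0.
    Tuples compare numerically, so 11.1.10-h25 sorts after 11.1.7-h6, which a
    plain string comparison gets backwards."""
    base, sep, hot = text.strip().partition("-h")
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts) or (sep and not hot.isdigit()):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(p) for p in parts)
    return (major, minor, maint, int(hot) if sep else 0)


def exposure(version_text: str, product: str, auth_portal_enabled: bool) -> Tuple[bool, str, Optional[str]]:
    """Return (exposed, reason, release to upgrade to or None)."""
    if product.lower() in NOT_IMPACTED:
        return (False, f"{product} is not impacted by CVE-2026-0300", None)
    if not auth_portal_enabled:
        # Advisory: firewalls without the Authentication Portal enabled are not affected.
        return (False, "User-ID Authentication Portal disabled: not affected; keep it off if unused", None)
    v = parse_panos(version_text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_RELEASES:
        return (True, f"PAN-OS {branch} is not in the advisory's fixed-release list; confirm with the vendor", None)
    fixed = sorted((parse_panos(f), f) for f in FIXED_RELEASES[branch])
    for fv, label in fixed:
        if v[:3] == fv[:3]:  # same base release: the hotfix level decides
            if v[3] >= fv[3]:
                return (False, f"{version_text} carries the fix ({label})", None)
            return (True, f"{version_text} is below {label}", label)
    if v[:3] > fixed[-1][0][:3]:  # assumption: newer than the last listed fix
        return (False, f"{version_text} is newer than the last listed fix {fixed[-1][1]}", None)
    # Base release with no hotfix of its own: move up to the next listed fixed release.
    nxt = next(label for fv, label in fixed if fv[:3] > v[:3])
    return (True, f"{version_text} has no hotfix; upgrade to {nxt}", nxt)


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for ver, prod, portal in [("11.1.6-h20", "PA-Series", True), ("11.1.8", "VM-Series", True),
                              ("11.1.15", "PA-Series", True), ("10.2.5-h2", "PA-Series", False)]:
        print(ver, prod, portal, "->", exposure(ver, prod, portal))
```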

A similar authentication bypass vulnerability (CVE-2025-0108), disclosed on 20 February 2025, was discovered in Palo Alto Networks PAN-OS; it allows unauthenticated attackers with network access to bypass authentication on the management web interface. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/

Firewall infrastructure attacks have increased in recent years, and so have the stakes for enterprise and critical infrastructure

Firewalls are prime targets because if a firewall can be controlled, the entire network is in the hands of the attackers. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors treat management interfaces, login pages and authentication portals as the most common targets for both opportunistic and targeted campaigns.

A successful compromise in the firewall can allow attackers to:

  • Intercept entire network traffic
  • Disable security protections
  • Move laterally inside corporate networks
  • Establish persistent backdoors

For stronger defense, allow Intrucept to proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.

Call us for a demo: https://intruceptlabs.com/contact/

Sources: https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.

Sources: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day
