🔴 CVE-2026-41091 – Microsoft Defender Privilege Escalation (Actively Exploited)
| CVE | CVE-2026-41091 | CVSS 7.8 HIGH | CWE-59 | CISA KEV – Due 2026-06-03 |
| Fixable? | ✅ Yes – patch auto-deployed via Windows Defender update |
| Business Impact | A local attacker (malware, unprivileged user, or compromised service account) can escalate to SYSTEM-level privileges on any Windows endpoint or server running Microsoft Defender. Combined with initial access, this enables full machine takeover, ransomware deployment, lateral movement, and credential harvesting. Both CVE-2026-41091 and CVE-2026-45498 are confirmed actively exploited in the wild and listed on CISA’s Known Exploited Vulnerabilities catalog. |
| How to Fix | Defender updates automatically via Windows Update and Defender signature delivery. Verify your engine version is 1.1.26040.8 or later: open Windows Security → Virus & threat protection → Protection updates → Check for updates. In enterprise: validate Intune/SCCM/WSUS is distributing Defender platform updates. Target Antimalware Platform version: 4.18.26040.7+. |
| Recommended Action | URGENT – CISA mandates remediation by June 3, 2026. Immediately verify the Defender engine version across all Windows endpoints. Review EDR telemetry for anomalous privilege escalation events. Isolate any endpoint showing unexpected SYSTEM-level processes originating from non-system users. |
| Official Source | Microsoft MSRC Advisory – CVE-2026-41091 | CISA KEV Catalog |
| Software Affected | Microsoft Defender (Windows Defender Antivirus / Malware Protection Engine) |
| Affected Versions | Malware Protection Engine: 1.1.26030.3008 through 1.1.26040.7 (all builds before 1.1.26040.8) | Antimalware Platform: 4.18.26030.3011 – 4.18.26040.6 | Fixed in Engine 1.1.26040.8 / Platform 4.18.26040.7 |
🔴 CVE-2026-45498 – Microsoft Defender Denial of Service (Actively Exploited)
| CVE | CVE-2026-45498 | CVSS 4.0 MEDIUM (Microsoft) / 7.5 HIGH (NVD) | CWE-400 | CISA KEV – Due 2026-06-03 |
| Fixable? | ✅ Yes – patch auto-deployed via Windows Defender update |
| Business Impact | An unauthenticated local attacker can crash the Microsoft Defender service, blinding endpoint protection while other malicious activity proceeds undetected. Often deployed alongside CVE-2026-41091 as a precursor step – disabling AV/EDR is a standard ransomware pre-deployment tactic. |
| How to Fix | Same update as CVE-2026-41091 – ensure the Defender engine is updated to 1.1.26040.8 or later. Both CVEs are remediated in the same update package. |
| Recommended Action | URGENT – CISA KEV applies. Verify Defender is updated. Monitor for Defender service crashes or unexpected service stops. Consider a supplementary EDR layer if Defender is your primary protection. |
| Official Source | Microsoft MSRC Advisory – CVE-2026-45498 |
| Software Affected | Microsoft Defender Antimalware Platform (Windows) |
| Affected Versions | Antimalware Platform: 4.18.26030.3011 through 4.18.26040.6 | Malware Protection Engine: up to and including 1.1.26030.3008 | Fixed in Engine 1.1.26040.8 / Platform 4.18.26040.7 |
🟠 CVE-2026-45585 – Windows BitLocker Bypass “YellowKey” (No Patch Yet, PoC Public)
| CVE | CVE-2026-45585 | CVSS 6.8 MEDIUM | CWE-77 | Publicly disclosed, PoC available |
| Fixable? | ⚠️ Partial – no security patch yet. Microsoft has published a PowerShell mitigation script (Remove-AutoFsTxFromWinRE.ps1). |
| Business Impact | An attacker with physical access (stolen laptop, insider threat, unattended workstation) can use a specially crafted USB drive to bypass BitLocker encryption and access full drive contents without needing the BitLocker key. This completely defeats data-at-rest protection – undermining compliance requirements such as ISO 27001, NIS2, and GDPR for lost/stolen hardware. The public PoC on GitHub significantly lowers the attack bar. |
| How to Fix | 1. Apply Microsoft’s PowerShell mitigation script Remove-AutoFsTxFromWinRE.ps1 – it removes autofstx.exe from the WinRE BootExecute registry key. 2. Switch from TPM-only to TPM+PIN mode – users with TPM+PIN are NOT vulnerable. 3. Enable the pre-boot PIN via Group Policy: Computer Configuration → Admin Templates → Windows Components → BitLocker → OS Drives → Require additional authentication at startup. 4. Monitor MSRC for the security patch when released. |
| Recommended Action | HIGH PRIORITY for organizations with mobile workers or laptop fleets. Apply the mitigation script immediately. Enforce TPM+PIN via Group Policy as a permanent baseline improvement. Audit BitLocker configurations across all endpoints. |
| Official Source | Microsoft MSRC Advisory – CVE-2026-45585 | Public PoC (GitHub) |
| Software Affected | Windows BitLocker / Windows Recovery Environment (WinRE) – TPM-only configurations |
| Affected Versions | Windows 11 24H2, 25H2, 26H1 (all builds, x64) | Windows Server 2025 (all builds, x64) | NOT affected: systems with BitLocker TPM+PIN pre-boot authentication |
🔴 CVE-2026-42945 – NGINX Heap Buffer Overflow “NGINX Rift” (Actively Exploited, CVSS 9.2)
| CVE | CVE-2026-42945 | CVSS 8.1 HIGH (v3.1) / 9.2 CRITICAL (v4.0) | CWE-122 | Actively exploited, PoC public |
| Fixable? | ✅ Yes – patches available for NGINX Open Source and NGINX Plus. Some downstream products are still awaiting a fix. |
| Business Impact | A heap buffer overflow in NGINX’s rewrite module allows unauthenticated HTTP requests to crash NGINX worker processes (DoS). On systems with ASLR disabled, full remote code execution is achievable. NGINX is deployed on an estimated 5.7 million public servers and is widely used as a reverse proxy for internal application delivery. Active exploitation confirmed; PoC is publicly available. |
| How to Fix | NGINX Open Source: Upgrade to 1.31.0 (mainline) or 1.30.1 (stable). NGINX Plus: Upgrade to R36 P4 or R32 P6. F5 WAF for NGINX: Upgrade to 5.13.0. F5 DoS for NGINX: Upgrade to 4.9.0. Interim: Verify ASLR is enabled – cat /proc/sys/kernel/randomize_va_space should return 2. Review nginx.conf and remove/restructure rewrite rules using PCRE unnamed captures with question marks. Note: NGINX Instance Manager, App Protect WAF, App Protect DoS, and Gateway Fabric are awaiting patches. |
| Recommended Action | URGENT. Inventory all NGINX instances including Docker containers and Kubernetes ingress controllers. Patch immediately. Ensure ASLR is enabled on all hosts. Monitor HTTP server logs for unusual request patterns targeting rewrite endpoints. |
| Official Source | NGINX Security Advisories | F5 Advisory K000161019 |
| Software Affected | NGINX Open Source, NGINX Plus, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, NGINX App Protect DoS, NGINX Gateway Fabric |
| Affected Versions | Open Source: 0.6.27 – 1.30.0 (Fixed: 1.31.0 / 1.30.1) | NGINX Plus: R32 – R36 (Fixed: R36 P4 / R32 P6; R37+ not affected) | NGINX Instance Manager: 2.16.0 – 2.22.0 (No fix yet) | F5 WAF for NGINX: 5.9.0 – 5.12.1 (Fixed: 5.13.0) | NGINX App Protect WAF: 4.9.0 – 4.16.0 and 5.1.0 – 5.8.0 (No fix yet) | F5 DoS for NGINX: 4.8.0 (Fixed: 4.9.0) | NGINX App Protect DoS: 4.3.0 – 4.7.0 (No fix yet) | NGINX Gateway Fabric: 2.0.0 – 2.6.0 (No fix yet) |
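The two interim checks in the How to Fix row (the ASLR setting and rewrite rules with PCRE unnamed captures containing a question mark) can be scripted for fleet triage. The following is an added example, not code from NGINX, F5 or the advisory: `aslr_ok` reads /proc/sys/kernel/randomize_va_space on a Linux host (or takes the value as an argument), and `flag_rewrites` is a coarse textual heuristic that lists rewrite directives for review; the exact vulnerable pattern is defined in the F5 advisory, so treat a flagged line as a candidate, not a verdict. The nginx.conf fragment is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from NGINX, F5 or the advisory: scriptable forms of the
# two interim checks in the CVE-2026-42945 entry (ASLR setting, rewrite rules with
# PCRE unnamed captures containing a question mark). The rewrite scan is a coarse
# textual heuristic for triage; the exact vulnerable pattern is in the F5 advisory.
set -u

# aslr_ok [VALUE] -> exit 0 when the randomize_va_space setting is 2 (full
# randomization, the value the entry expects). Without an argument the live value
# is read from /proc on a Linux host.
aslr_ok() {
  local value="${1:-$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown)}"
  [ "$value" = "2" ]
}

# flag_rewrites FILE -> prints, with line numbers, every "rewrite" directive whose
# regex has an unnamed capture group "( ... )" with a "?" inside it. Named groups
# "(?<name>...)" and non-capturing groups "(?:...)" are skipped by the leading
# "[^?)]", and a "?" that follows the closing parenthesis is not inside the group.
flag_rewrites() {
  grep -nE '^[[:space:]]*rewrite[[:space:]]' "$1" | grep -E '\([^?)][^)]*\?[^)]*\)' || true
}

# flag_rewrites_count FILE -> number of flagged directives.
flag_rewrites_count() {
  flag_rewrites "$1" | grep -c rewrite || true
}

# Constructed sample configuration for the demonstration (not a real deployment).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    # unnamed capture containing "?" -> flagged for review
    rewrite ^/old/([a-z]+?)/(\d+)$ /new/$1/$2 permanent;
    # only non-capturing and named groups -> not flagged
    rewrite ^/docs/(?:v\d+)/(?<page>[a-z]+)$ /help/$page last;
    # unnamed capture without "?" -> not flagged
    rewrite ^/img/(.*)$ /static/$1 last;
}
EOF

# On a real host: aslr_ok || echo "ASLR is not set to 2"; flag_rewrites /etc/nginx/nginx.conf
aslr_ok "2" && echo "sample ASLR value 2: ok"
echo "flagged rewrite directives in sample config: $(flag_rewrites_count "$SAMPLE_CONF")"
flag_rewrites "$SAMPLE_CONF"
```

Run the two functions from a configuration-management job or an SSH loop over the inventory the Recommended Action row asks for; a host where `aslr_ok` fails should be treated as exposed to the RCE variant until patched, and every directive printed by `flag_rewrites` should be compared against the advisory's description before it is rewritten.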
🔴 CVE-2026-9082 – Drupal Core SQL Injection / RCE (SA-CORE-2026-004, Highly Critical)
| CVE | CVE-2026-9082 | CVSS 6.5 MEDIUM | CWE-89 | Rated “Highly Critical” by Drupal Security Team |
| Fixable? | ✅ Yes – patches released May 20, 2026 for all supported branches |
| Business Impact | SQL injection in Drupal’s core database abstraction API allows unauthenticated remote attackers to extract sensitive data (user credentials, PII), escalate privileges, and achieve Remote Code Execution on PostgreSQL-backed sites. Drupal powers 1+ million websites globally. The Drupal Security Team warned that exploits typically appear within hours of patch release – exploitation is likely already underway. |
| How to Fix | Update Drupal core via composer update drupal/core to: 10.4.x → 10.4.10 | 10.5.x → 10.5.10 | 10.6.x → 10.6.9 | 11.1.x → 11.1.10 | 11.2.x → 11.2.12 | 11.3.x → 11.3.10. Clear caches after updating. Drupal 7 is not affected. EOL versions 8.x/9.x: manual patches available from drupal.org. |
| Recommended Action | URGENT – do not wait for a maintenance window. Patch today. After updating, review database logs for SQL injection attempts and check for unexpected admin accounts or privilege escalations. |
| Official Source | Drupal Security Advisory SA-CORE-2026-004 | NVD – CVE-2026-9082 |
| Software Affected | Drupal CMS Core – database abstraction API (primarily PostgreSQL backends) |
| Affected Versions | 8.9.0 – <10.4.10 | 10.5.0 – <10.5.10 | 10.6.0 – <10.6.9 | 11.0.0 – <11.1.10 | 11.2.0 – <11.2.12 | 11.3.0 – <11.3.10 | Drupal 7 not affected. 8.x/9.x EOL but manual patches available. |
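Because the fixed release differs per branch, a fleet check needs more than "is the version recent". The script below is an added example, not code from the Drupal Security Team or the Drupal project: it reads the drupal/core version pinned in a site's composer.lock and tests it against the ranges in the Affected Versions row (Drupal 7 excluded, 8.x/9.x and 10.0–10.3 treated as affected until moved to 10.4.10). It assumes numeric core versions (a pre-release suffix after `-` is ignored); the composer.lock fragment is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the Drupal Security Team or the Drupal project: checks
# whether the drupal/core version pinned in a composer.lock falls in an affected
# range of SA-CORE-2026-004. Ranges are copied from the Affected Versions row.
set -u

# ver_lt A B -> exit 0 if dotted numeric version A is strictly lower than B.
ver_lt() {
  local IFS=.
  local -a a=($1)
  local -a b=($2)
  local i x y
  for i in 0 1 2; do
    x="${a[i]:-0}"; y="${b[i]:-0}"
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# ver_ge A B -> exit 0 if A equals B or is higher.
ver_ge() { ! ver_lt "$1" "$2"; }

# drupal_core_affected VERSION -> exit 0 if VERSION is in an affected range,
# 1 if it is a fixed release, a later branch, or Drupal 7 (not affected).
drupal_core_affected() {
  local v="${1%%-*}" range   # drop a pre-release suffix such as -rc1 (assumption)
  case "$v" in 7.*) return 1 ;; esac
  # Each range: lower bound (inclusive) and first fixed release (exclusive).
  for range in "8.9.0 10.4.10" "10.5.0 10.5.10" "10.6.0 10.6.9" \
               "11.0.0 11.1.10" "11.2.0 11.2.12" "11.3.0 11.3.10"; do
    set -- $range
    if ver_ge "$v" "$1" && ver_lt "$v" "$2"; then return 0; fi
  done
  return 1
}

# composer_lock_core_version FILE -> prints the "version" of the "drupal/core"
# package entry in composer.lock (the first "version" key after its "name" line).
composer_lock_core_version() {
  awk '
    index($0, "\"name\"") && index($0, "\"drupal/core\"") { found = 1; next }
    found && /"version"/ { gsub(/.*"version": *"/, ""); gsub(/".*/, ""); print; exit }
  ' "$1"
}

# check_composer_lock FILE -> prints a verdict; exit 0 if not affected, 1 if
# affected, 2 if drupal/core is not present in the lock file.
check_composer_lock() {
  local v
  v="$(composer_lock_core_version "$1")"
  if [ -z "$v" ]; then
    echo "drupal/core not found in $1"
    return 2
  fi
  if drupal_core_affected "$v"; then
    echo "drupal/core $v: AFFECTED by SA-CORE-2026-004, run: composer update drupal/core"
    return 1
  fi
  echo "drupal/core $v: not in an affected range"
}

# Constructed composer.lock fragment for the demonstration (not from a real site).
SAMPLE_LOCK="$(mktemp)"
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "drupal/core",
            "version": "10.5.4",
            "type": "drupal-core"
        },
        {
            "name": "drupal/core-recommended",
            "version": "10.5.4"
        }
    ]
}
EOF

# On a real site: check_composer_lock /var/www/site/composer.lock
check_composer_lock "$SAMPLE_LOCK" || true
```

The exit codes (0 clean, 1 affected, 2 not found) let the check drop straight into a CI gate or an inventory loop; note that a site updated on disk but not yet redeployed still shows the old lock file, so run it against the deployed tree, not a developer checkout.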
🔴 CVE-2026-8598 – ZKTeco Security Camera Authentication Bypass (CVSS 9.1 Critical)
| CVE | CVE-2026-8598 | CVSS 9.1 CRITICAL | CWE-288 | ICS/OT Advisory |
| Fixable? | ✅ Yes – firmware patch available via ZKTeco and authorized partners |
| Business Impact | ZKTeco cameras contain an undocumented port accessible over the network without authentication, exposing device credentials and configuration. Full administrative takeover is possible from the same network segment or the internet (if cameras are internet-facing). Impacts include surveillance blind spots, VLAN pivoting, and use of cameras as network footholds for lateral movement. Physical security infrastructure is directly compromised. |
| How to Fix | 1. Contact ZKTeco or an authorized partner for the firmware patch. 2. Apply the firmware update to all affected models. 3. Interim: place cameras on an isolated camera VLAN with no internet or cross-segment routing. 4. Disable remote management features if not required. 5. Review camera logs for unauthorized access. |
| Recommended Action | HIGH PRIORITY for all ZKTeco camera deployments. Audit deployed models, obtain firmware patches from ZKTeco, and isolate cameras on a dedicated VLAN immediately. Physical security devices are often missed in patch cycles – treat with server-level urgency. |
| Official Source | CISA ICS Advisory ICSA-26-139-04 | ZKTeco Vendor Announcement |
| Software Affected | ZKTeco CCTV security cameras (firmware) |
| Affected Versions | Specific affected camera models are listed in CISA ICS Advisory ICSA-26-139-04 and the ZKTeco vendor announcement. NVD is pending enrichment with the full model list. |
🟠 CVE-2026-46333 – Linux Kernel 9-Year-Old Privilege Escalation “ssh-keysign-pwn” (CVSS 7.1)
| CVE | CVE-2026-46333 | CVSS 7.1 HIGH (kernel.org) / 5.5 MEDIUM (CISA-ADP) | CWE-269 | PoC published by Qualys |
| Fixable? | ✅ Yes – kernel patches available for all stable branches. Distro updates rolling out (Debian, Ubuntu, Fedora, RHEL). |
| Business Impact | A flaw in the Linux kernel’s __ptrace_may_access() function (present since November 2016, i.e. for 9 years) enables an unprivileged local user to read /etc/shadow and SSH host private keys, and to execute arbitrary commands as root via four exploit paths: chage, ssh-keysign, pkexec, and accounts-daemon. Affects all major Linux distributions. A compromised developer machine or non-privileged server account becomes a full root compromise, enabling credential harvesting and lateral movement. |
| How to Fix | 1. Apply the kernel update from your distribution (apt upgrade / yum update / dnf update). 2. Immediate workaround: raise ptrace_scope to 2 with echo 2 > /proc/sys/kernel/yama/ptrace_scope. Make it permanent by adding kernel.yama.ptrace_scope = 2 to /etc/sysctl.conf. 3. Restart services or reboot after the kernel update. |
| Recommended Action | HIGH PRIORITY for all Linux environments. Apply the ptrace_scope workaround immediately on all Linux servers and workstations. Schedule kernel updates promptly – PoC is publicly available. Prioritize internet-facing systems and multi-user environments. |
| Official Source | Qualys Security Advisory (oss-security) | NVD – CVE-2026-46333 | Linux kernel stable fix |
| Software Affected | Linux kernel – all distributions (Debian, Ubuntu, Fedora, RHEL, CentOS, AlmaLinux, Rocky Linux, Arch Linux, and others) |
| Affected Versions | All Linux kernel versions since November 2016 (kernel 4.9+) through all stable branches prior to the patched commits. Distro-specific patched kernels are available via each distribution’s security update channel. See NVD for the full list of stable-branch fix commits. |
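The workaround in the How to Fix row has two halves, the live sysctl and the persisted setting, and a host can pass one while failing the other (a drop-in under /etc/sysctl.d that sets the value back to 1 wins over nothing, and /etc/sysctl.conf wins over everything read before it). The script below is an added example, not code from Qualys or the kernel project: it parses sysctl-style files the way `sysctl --system` applies them (later files override earlier ones, `kernel/yama/ptrace_scope` and `kernel.yama.ptrace_scope` are the same key) and reports whether the workaround is both live and persisted. The two configuration files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from Qualys or the kernel project: verifies the interim
# workaround for CVE-2026-46333, i.e. that kernel.yama.ptrace_scope is 2 both on
# the live system and persistently in sysctl configuration.
set -u

# sysctl_file_value KEY FILE -> prints the last value assigned to KEY in a
# sysctl-style file. Comment lines (# or ;) are ignored, whitespace around "=" is
# allowed, and "/" in a key is normalised to "." (sysctl accepts both spellings).
sysctl_file_value() {
  awk -v key="$1" -F'=' '
    /^[[:space:]]*[#;]/ || !/=/ { next }
    {
      k = $1; v = $2
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      gsub("/", ".", k)
      if (k == key) last = v
    }
    END { if (last != "") print last }' "$2"
}

# persisted_ptrace_scope FILE... -> prints the value "sysctl --system" would apply
# for the given files, read in the order given (the last assignment wins).
persisted_ptrace_scope() {
  local f v last=""
  for f in "$@"; do
    [ -r "$f" ] || continue
    v="$(sysctl_file_value kernel.yama.ptrace_scope "$f")"
    [ -n "$v" ] && last="$v"
  done
  printf '%s\n' "$last"
}

# ptrace_scope_live -> prints the running value on a Linux host with Yama, else "absent".
ptrace_scope_live() {
  cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent
}

# ptrace_scope_hardened LIVE_VALUE FILE... -> exit 0 only if the live value is 2
# and the persisted value across the given files is also 2.
ptrace_scope_hardened() {
  local live="$1"; shift
  [ "$live" = "2" ] && [ "$(persisted_ptrace_scope "$@")" = "2" ]
}

# Constructed sample files for the demonstration (not from a real host).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/10-ptrace.conf" <<'EOF'
# an older drop-in that leaves Yama at its default
kernel.yama.ptrace_scope = 1
EOF
cat > "$SAMPLE_DIR/sysctl.conf" <<'EOF'
# /etc/sysctl.conf after applying the workaround from the entry above
net.ipv4.ip_forward = 0
kernel/yama/ptrace_scope=2
EOF

# On a real host, pass the files in the order "sysctl --system" reads them, e.g.
#   ptrace_scope_hardened "$(ptrace_scope_live)" /etc/sysctl.d/*.conf /etc/sysctl.conf
if ptrace_scope_hardened 2 "$SAMPLE_DIR/10-ptrace.conf" "$SAMPLE_DIR/sysctl.conf"; then
  echo "sample host: workaround is live and persisted"
else
  echo "sample host: workaround missing or not persisted"
fi
```

Remember that ptrace_scope = 2 is a mitigation for the ptrace-based exploit paths, not a replacement for the kernel update; keep the check in place after patching so the setting does not silently revert when a package ships its own sysctl drop-in.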
🔴 Supply Chain Incident: TanStack + Nx npm Attack – TeamPCP / “Mini Shai-Hulud” + “s1ngularity”
Identifiers: GHSA-g7cv-rxg3-hmpx (TanStack) | GHSA-cxm3-wv7p-598c (Nx) – GitHub internal repos (~3,800) and Grafana Labs confirmed breached.
| Fixable? | ✅ Yes – malicious versions removed from npm/PyPI. Update to patched versions. Treat any affected environment as compromised and rotate all credentials. |
| Business Impact | If any developer installed affected @tanstack/* npm packages (May 11, 2026, 19:20–19:30 UTC window) or affected nx packages (Aug 26, 2025), or had the Nx Console VS Code extension active, their machine may have been silently compromised. The malware stole AWS/GCP/Kubernetes credentials, HashiCorp Vault tokens, GitHub tokens, npm tokens, SSH keys, and 1Password/Bitwarden vault contents. It self-propagated by republishing victim npm packages with the malware embedded, and made 5,500+ private GitHub repositories public. Also affected: durabletask PyPI package versions 1.4.1–1.4.3 (Microsoft Azure Durable Task SDK) containing a dropper downloading remote payloads from check.git-service[.]com. |
| How to Fix | TanStack: Update all @tanstack/* to patched versions (see GHSA-g7cv-rxg3-hmpx). Delete node_modules + lockfile, reinstall cleanly. Check package.json for "optionalDependencies": {"@tanstack/setup": ...} as an IOC. Nx: Update the Nx Console VS Code extension to 18.66.0+. Update nx to the latest safe version. Check for s1ngularity-repository repos in your GitHub org. Check ~/.bashrc and ~/.zshrc for sudo shutdown -h 0. Check for /tmp/inventory.txt on dev machines. durabletask: Pin to version 1.4.0 (pip install "durabletask==1.4.0"). Network blocks: filev2.getsession.org, seed1/2/3.getsession.org, git-tanstack.com, check.git-service[.]com, t.m-kosche[.]com. If in the affected window: rotate ALL credentials immediately regardless of whether compromise is confirmed. |
| Recommended Action | CRITICAL for development teams. Audit npm install history. If in the affected window, treat the environment as compromised and rotate all cloud and code credentials. Alert your dev team. Review npm publishing logs for unauthorized package versions. Add npm provenance and package integrity checks to your CI pipeline. |
| Official Source | TanStack Official Postmortem | Nx Security Advisory | Socket Research | Wiz Research |
| Software Affected | @tanstack/* npm packages (42 packages incl. react-router, router-core, react-start); nx, @nx/devkit, @nx/js, @nx/workspace, @nx/node npm packages; Nx Console VS Code Extension; durabletask PyPI package |
| Affected Versions | TanStack (May 11, 2026): 84 malicious versions across 42 packages – full list at GHSA-g7cv-rxg3-hmpx | Nx (Aug 26, 2025): nx 20.9.0–20.12.0, 21.5.0–21.8.0; @nx/devkit, @nx/js, @nx/workspace, @nx/node 21.5.0 + 20.9.0 | Nx Console VS Code Extension: 18.6.30 – 18.65.1 (Fixed: 18.66.0+) | durabletask (PyPI): 1.4.1, 1.4.2, 1.4.3 – all yanked (Safe: 1.4.0) |
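The host-level indicators in the How to Fix row (the `@tanstack/setup` entry under optionalDependencies, the `sudo shutdown -h 0` line in shell rc files, and /tmp/inventory.txt) are the ones a developer or an endpoint job can check without network access. The script below is an added example, not code from TanStack, Nx, Socket or Wiz: `scan_iocs` takes the project, home and tmp directories as parameters so it can run against a real workstation or a test fixture, prints one line per indicator found and returns non-zero if any were present. The GitHub-org check for s1ngularity-repository repos and the domain blocks need API or DNS access and are not covered. The package.json and rc files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from TanStack, Nx, Socket or Wiz: checks a developer
# machine or project tree for the host-level indicators listed in the entry above.
# Directories are parameters so the same function runs against a fixture or a host.
set -u

# scan_iocs PROJECT_DIR HOME_DIR TMP_DIR -> prints one "IOC:" line per indicator
# found; exit 0 if none were found, 1 otherwise.
scan_iocs() {
  local project="$1" home="$2" tmp="$3" hits=0 rc
  # 1. TanStack: "@tanstack/setup" inside the optionalDependencies block of package.json
  #    (the block may be on one line or span several).
  if [ -f "$project/package.json" ] && awk '
        index($0, "\"optionalDependencies\"") { inblock = 1 }
        inblock && index($0, "\"@tanstack/setup\"") { found = 1 }
        inblock && index($0, "}") { inblock = 0 }
        END { exit found ? 0 : 1 }' "$project/package.json"; then
    echo "IOC: @tanstack/setup in optionalDependencies ($project/package.json)"
    hits=$((hits + 1))
  fi
  # 2. Nx "s1ngularity": shutdown line appended to shell rc files.
  for rc in "$home/.bashrc" "$home/.zshrc"; do
    if [ -f "$rc" ] && grep -q 'sudo shutdown -h 0' "$rc"; then
      echo "IOC: 'sudo shutdown -h 0' in $rc"
      hits=$((hits + 1))
    fi
  done
  # 3. Nx: inventory file dropped in the temp directory.
  if [ -f "$tmp/inventory.txt" ]; then
    echo "IOC: $tmp/inventory.txt present"
    hits=$((hits + 1))
  fi
  [ "$hits" -eq 0 ]
}

# ioc_count PROJECT_DIR HOME_DIR TMP_DIR -> number of indicators found.
ioc_count() {
  scan_iocs "$@" | grep -c '^IOC:' || true
}

# Constructed fixture for the demonstration: a project and home directory showing
# all three indicators (the "@tanstack/setup" version string is made up).
FIXTURE="$(mktemp -d)"
mkdir -p "$FIXTURE/project" "$FIXTURE/home" "$FIXTURE/tmp"
cat > "$FIXTURE/project/package.json" <<'EOF'
{
  "name": "constructed-sample-app",
  "dependencies": { "@tanstack/react-router": "1.0.0" },
  "optionalDependencies": { "@tanstack/setup": "0.0.1" }
}
EOF
printf 'export PATH="$HOME/bin:$PATH"\nsudo shutdown -h 0\n' > "$FIXTURE/home/.bashrc"
printf 'setopt prompt_subst\n' > "$FIXTURE/home/.zshrc"
: > "$FIXTURE/tmp/inventory.txt"

# On a real workstation: scan_iocs "$PWD" "$HOME" /tmp
if scan_iocs "$FIXTURE/project" "$FIXTURE/home" "$FIXTURE/tmp"; then
  echo "fixture: no indicators"
else
  echo "fixture: indicators found, treat the machine as compromised and rotate credentials"
fi
```

A clean result is not proof of safety: the entry says the window alone is enough to warrant rotating credentials, so use the scan to prioritise response, not to waive it.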
This report was automatically generated and verified against official advisories. Always confirm remediation steps in official vendor documentation before applying in production.
