Agregátor RSS

Apple se zbavil procesorů od Intelu ve svých počítačích, obě firmy však překvapivě mají navázat spolupráci. Podle deníku WSJ dosáhly prvotní dohody, na kterou prý tlačila Trumpova administrativa. Tim Cook navíc ví, že spoléhat se na jediného dodavatele není rozumné. Zvlášť když sídlí na Tchaj-wanu. ...

A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It

A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection. [...]

Robotics

Unitree Will Sell You a Massive ‘Transformable Mecha’ for $650,000Jess Weatherbed | The Verge

“Unitree is already one of the most recognizable names in the humanoid robot industry, but now it’s pursuing even nicher sci-fi tech: giant mech suits. The Chinese robotics company has debuted the GD01, which it describes as ‘the world’s first production-ready manned mecha,’ and it can be yours for a paltry $650,000.”

Biotechnology

How an ‘Impossible’ Idea Led to a Pancreatic Cancer BreakthroughGina Kolata and Rebecca Robbins | The New York Times ($)

“A drug nearing regulatory approval, daraxonrasib, is the first to substantially extend the lives of patients with pancreatic cancer. It works by targeting a cellular protein that fuels not just nearly all pancreatic tumors, but also many lung and colon cancers. …Now, some scientists predict that the approach could wind up being the most significant advance in cancer treatment in 15 years, since the arrival of immunotherapy.”

Tech

Software Developers Say AI Is Rotting Their BrainsEmanuel Maiberg | 404 Media

“Developers talk not just about how the AI output is often flawed, but that using AI to get the job done is often a more time consuming, harder, and more frustrating experience because they have to go through the output and fix its mistakes. More concerning, developers who use AI at work report that they feel like they are de-skilling themselves and losing their ability to do their jobs as well as they used to.”

Space

A Plan to Make Drugs in Orbit Is Going CommercialAntonio Regalado | MIT Technology Review ($)

“Varda Space Industries, a startup that’s been pitching its ability to perform drug experiments in space, says it has signed up the pharmaceutical company United Therapeutics in what may be remembered as a notable step toward in-orbit manufacturing.”

Biotechnology

Rebooting Stem Cells Builds Aged Muscles and Assists Injury RecoveryAlice Klein | New Scientist ($)

“Old mice grow bigger muscles and recover from injuries better when stem cells are taken out of their aged muscles, given a reboot, then put back in. A similar approach may allow rejuvenation of aging muscles in people too. ‘In theory, if you took an elderly person’s muscle stem cells out, charged them up and put them back in, they would probably be more functional,’ says James White at Duke University in North Carolina.”

Artificial Intelligence

Google Stopped a Zero-Day Hack That It Says Was Developed With AIStevie Bonifield | The Verge

“It’s the first time Google has found evidence that AI was involved in an attack like this, although Google’s researchers note that they ‘do not believe Gemini was used.’ Google says it was able to ‘disrupt’ this particular exploit, but also says hackers are increasingly using AI to find and take advantage of security vulnerabilities.”

Future

Can Some Very Tiny Particles Cool the Planet? One Tech Company Says Yes.Eric Niiler | The New York Times ($)

“Stardust executives said that initial effort to begin atmospheric cooling would cost about $10 billion. …By adding 10 million tons of the reflective particles to the atmosphere over the course of several years, the atmosphere could be cooled by 1.5 degrees Celsius, the company said.”

Artificial Intelligence

Anthropic Blames Dystopian Sci-Fi for Training AI Models to Act ‘Evil’Kyle Orland | Ars Technica

“Those with an interest in the concept of AI alignment (i.e., getting AIs to stick to human-authored ethical rules) may remember when Anthropic claimed its Opus 4 model resorted to blackmail to stay online in a theoretical testing scenario last year. Now, Anthropic says it thinks this ‘misalignment’ was primarily the result of training on ‘internet text that portrays AI as evil and interested in self-preservation.'”

Computing

Forget Smart Glasses, These Earbuds Can See, Hear, and Remember Everything for YouShimul Sood | Digital Trends

“Smart glasses have always felt a little awkward to me. Sure, they can play music, take calls, snap photos, and even throw notifications in front of your eyes, but at the end of the day, they’re still just tiny screens sitting on your face. Now imagine removing the screen entirely. That’s exactly what this new pair of AI-powered earbuds is trying to do. …And honestly, this might be one of the more interesting directions wearable AI has taken so far.”

Biotechnology

A Single Infusion Could Suppress HIV for Years, Study SuggestsApoorva Mandavilli | The New York Times ($)

“For about a decade, scientists have had remarkable success curing some blood cancers by modifying a patient’s own immune cells to recognize and kill the malignant cells. That same approach may help control HIV, among the wiliest of viruses, scientists will report on Tuesday. After a single infusion of immune cells engineered to recognize the virus, two people in a new study have suppressed their HIV to undetectable levels, one of them for nearly two years.”

Energy

The Tesla Semi Could Be a Big Deal for Electric TruckingCasey Crownhart | MIT Technology Review ($)

“Globally, trucks and buses represent about 8% of total vehicles on the road, but they create 35% of carbon dioxide emissions from road transport. Tesla’s latest addition to its vehicle lineup, the Class 8 Semi, could be part of the solution to cleaning up this polluting sector.”

Tech

World’s First Native Color Lidar Gives Machines Human-Like VisionOmar Kardoudi | New Atlas

“LiDAR sensors—the laser-based eyes of self-driving cars, industrial robots, and inspection drones—build precise 3D maps of their surroundings, but everything is built of monochrome geometric shapes. Ouster’s new Rev8 sensor family aims to change that, not by bolting a camera onto a LiDAR unit, but by fusing color directly into every point of data the sensor captures.”

Future

The Creative Risk of Letting AI Do All the WorkNatalie Nixon | Fast Company

“[MIT’s Sinan Aral] calls this ‘diversity collapse,’ the slow homogenization of output that occurs when AI, trained on the same publicly available internet, starts flattening the edges that make creative work distinctive. The more a team delegated to AI, the more productive they became—and the more vulnerable they were to this collapse.”

The post This Week’s Awesome Tech Stories From Around the Web (Through May 16) appeared first on SingularityHub.

Umělá inteligence dokázala přesněji diagnostikovat pacienty na urgentním příjmu • Jazykový model však neumí vyhodnocovat obrazová data a nenese odpovědnost • Před nasazením v nemocnicích proto musíme provést další klinické studie

Tyto filmy a seriály jsou teď na českém Disney+ nejoblíbenější. Nerozlišujeme žánr, stáří ani hodnocení na filmových webech. Jde o souhrnnou oblíbenost za poslední týdny, kterou zjišťuje web FlixPatrol.

ChatGPT prý ztratí exkluzivitu v Apple Intelligence. • Googlovský model Gemini bude pohánět novou generaci Siri. • Lidé z Applu odcházejí do OpenAI tvořit konkurenci pro iPhone.

Teplota oceánu roste a formuje se mimořádně silné El Niño • Tento jev zhorší extrémní sucha, rozsáhlé záplavy a požáry • Experti očekávají v roce 2027 rekordní teploty po celé planetě

Mirantis s českým vývojovým centrem v Praze kupuje AI infrastrukturní firma IREN za 13 miliard korun • . • IREN po éře těžby bitcoinu vsadil na AI datacentra a rychle roste díky čipům Nvidia. • Akvizice může posílit české know-how v AI cloudech a přinést další růst pražského vývoje.

První malý modulární reaktor by mohl vyrůst v Dětmarovicích na Karvinsk • u • ČEZ začne stavět britské jaderné reaktory pravděpodobně kolem roku 2035 • Politici projekt podporují kvůli udržení průmyslu a novým pracovním místům

Tento týden nabízejí obchody řadu zajímavých příležitostí – od finančních produktů zdarma přes velké výprodeje sportovního vybavení až po slevy na domácí spotřebiče. Připravili jsme přehled deseti nejlepších akcí, které stojí za pozornost.

Ucelený přehled článků, zpráviček a diskusí za minulých 7 dní.

Atmosféra je plná oxidu uhličitého, proč toho nevyužít? Tým korejského institutu KRICT vyvinul novou metodu hydrogenace oxidu uhličitého v jediném kroku na uhlovodíky, jako je benzín nebo solventní nafta. Je to jednodušší a méně energeticky náročné než dosavadní postup s Fischerovou-Tropschovou syntézou.

Jaderný test Trinity provětral geologii pozoruhodnými objevy. V roce 2021 byl v materiálu z této exploze, příhodně nazvaném trinitit odhalený kvazikrystal, k němuž se nedávno přidal klatrát doposud neznámého typu. Ve svých klíckách, typických pro klatráty, drží atomy vápníku.

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]

Long before Taco Tuesday became part of the pop-culture vernacular, Tuesdays were synonymous with security — and for anyone in the tech world, they still are.  Patch Tuesday, as you most likely know, refers to the day each month when Microsoft releases security updates and patches for its software products — everything from Windows to Office to SQL Server, developer tools to browsers.

The practice, which happens on the second Tuesday of the month, was initiated to streamline the patch distribution process and make it easier for users and IT system administrators to manage updates.  Like tacos, Patch Tuesday is here to stay.

In a blog post celebrating the 20th anniversary of Patch Tuesday, the Microsoft Security Response Center wrote: “The concept of Patch Tuesday was conceived and implemented in 2003. Before this unified approach, our security updates were sporadic, posing significant challenges for IT professionals and organizations in deploying critical patches in a timely manner.”

Patch Tuesday will continue to be an “important part of our strategy to keep users secure,” Microsoft said, adding that it’s now an important part of the cybersecurity industry.  As a case in point, Adobe, among others, follows a similar patch cadence.

Patch Tuesday coverage has also long been a staple of Computerworld’s commitment to provide critical information to the IT industry. That’s why we’ve gathered together this collection of recent patches, a rolling list we’ll keep updated each month.

In case you missed a recent Patch Tuesday announcement, here are the latest six months of updates.

For May, Patch Tuesday means 139 updates — but no zero-days

Microsoft this week released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office. 

The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. 

More info is available here on Microsoft Security updates for May 2026.

Microsoft’s Patch Tuesday release for April is a whopper

Windows admins are going to be busy this month, dealing with the largest Patch Tuesday cycle in memory. The April release involves 165 updates and roughly 340 unique CVEs from Microsoft — including two zero-days, one of which is already being actively exploited in the wild. 

The Readiness team recommends “Patch Now” schedules for nearly every major product family: Windows, Office (with a zero-day), Microsoft Edge (Chromium), SQL Server, and Microsoft Developer Tools (.NET). April also brings Phase 2 of Microsoft’s Kerberos RC4 hardening with full enforcement set for July. There is a lot to cover, so here’s a useful infographic mapping the deployment risk for each platform.

More info is available here on Microsoft Security updates for April 2026.

For March, Patch Tuesday delivers fixes for 83 vulnerabilities

Microsoft’s March Patch Tuesday release addresses 83 vulnerabilities across Windows, Office, SQL Server, Azure, and .NET — with two publicly disclosed zero-days affecting SQL Server and .NET (though neither is being actively exploited in the wild.) Six additional vulnerabilities spanning the Windows Kernel, Graphics Component, SMB Server, Accessibility Infrastructure, and Winlogon are flagged as “Exploitation More Likely.”

The most significant change this month is the introduction of Common Log File System (CLFS) hardening with signature verification, which will affect how Windows handles log files across the operating system. More info on Microsoft Security updates for March 2026.

February’s Patch Tuesday release fixes 59 flaws, including 6 being exploited

The company’s Patch Tuesday release for February addresses 59 CVEs across the company’s product family — roughly half the volume of January’s 159 patches. Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited. (All five Critical-rated CVEs target Azureservices rather than Windows, however.) 

Both Windows and Office get a “Patch Now” recommendation, with CISA setting a March 3 enforcement deadline for all six exploited vulnerabilities. Two new enforcement timelines also take effect in April: Kerberos RC4 deprecation (CVE-2026-20833) and Windows Deployment Services hardening (CVE-2026-0386). More info on Microsoft Security updates for February 2026.

For January, Patch Tuesday starts off with a bang

The first Patch Tuesday release of 2026 addresses 112 CVEs across Microsoft’s product portfolio, including eight rated critical and three zero-day vulnerabilities. One zero-day (CVE-2026-20805), an information disclosure flaw in the Desktop Window Manager, is already under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog with a remediation deadline of Feb. 3, 2026. (Note: 95 of the vulnerabilities affect Windows.) More info on Microsoft Security updates for January 2026.

Ho ho ho! December’s Patch Tuesday delivers three zero-days

The December Patch Tuesday update addresses three zero-days (CVE-2025-64671, CVE-2025-54100, and CVE-2025-62221) but includes surprisingly few total patches (just 57). Notably, Microsoft has not published any critical updates for the Windows platform this month. That said, given the zero-days, we recommend a “Patch Now” release schedule for Windows and Microsoft Office. More info on Microsoft Security updates for December 2025.

Microsoft this week released 139 updates affecting Windows, Office, .NET, and SQL Server (though there were no updates for Microsoft Exchange Server). Despite the absence of zero-days, the May Patch Tuesday update still requires Patch Now recommendations for Windows and Office. 

The combination of three unauthenticated network RCEs (Netlogon, DNS Client, and SSO Plugin for Jira and Confluence), four Word Preview Pane RCEs, the large TCP/IP vulnerability cluster, and the carry-over BitLocker recovery condition (still active on Windows 10 and Windows Server) warrants an accelerated deployment release schedule. The Readiness team suggests that testing start with internet-facing services, domain controllers, and Office endpoints. The May 2026 Assurance Security Dashboard breaks the cycle down by Microsoft product family for deployment risk assessment.

(More information about recent Patch Tuesday releases is available here.)

Known issues

Patch Tuesday arrived this month with a clean bill of health (at least with respect to reported and known issues) for Windows 11 24H2, 23H2, Windows 10 22H2, and Windows Server 2025. However, two items warrant attention.

• Windows 10 and Windows Server customers remain exposed to the April 2026 BitLocker recovery condition on devices set with the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy and an invalid PCR7 (Platform Configuration Register 7) profile. 
• Microsoft also acknowledged on the Hardware Dev Center that Windows Update replaces manually-installed graphics drivers with older OEM versions from the catalogue, because its ranking uses four-part Hardware IDs rather than version numbers: “Customers who actively manage their display drivers experience unwanted downgrades through Windows Update.”

Issues resolved

• KB5089549 for Windows 11 25H2 and 24H2 resolves the April PCR7/BitLocker recovery condition and improves Boot Manager servicing so subsequent boot file updates do not trigger recovery.
• Secure Boot certificate distribution adds a new C:\Windows\SecureBoot folder of automation scripts for IT teams rolling out the Windows UEFI CA 2023 key replacement under CVE-2023-24932, ahead of the 2011 certificate expirations happening between June and October 2026.
• Simple Service Discovery Protocol (SSDP) notification reliability improves, so the service is less likely to become unresponsive under sustained load; this is relevant to networks running UPnP device discovery.

Major revisions and mitigations

Given this month’s Preview Pane issues, Microsoft offered mitigation advice:

• Microsoft Word Preview Pane RCEs — CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367, critical at CVSS 8.4, with the first two flagged “Exploitation More Likely.” The Preview Pane is the attack vector; viewing a malicious document in Outlook or File Explorer is enough to trigger exploitation. 

Windows lifecycle and enforcement updates

We’ve mentioned the CA certificate issue before, but it’s worth flagging again as we approach the EOS and enforcement dates for:

• SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, and SQL Server 2014 ESU Year 2, all of which reach end of support in July.
• Secure Boot certificate enforcement — the 2011 KEK CA expires on June 24, the UEFI CA for third-party boot loaders on June 27, and the Windows Production PCA for the boot manager on Oct. 19. 
• Graphics driver HWID enforcement — the pilot moving driver submissions from four-part to two-part Hardware IDs plus Computer Hardware IDs runs to September, with broader enforcement planned for the fourth quarter of this year and Q1 of 2027.

Each month, the team at Readiness provides detailed, actionable testing guidance for Patch Tuesday releases. This guidance is based on assessing a large application portfolio and a comprehensive analysis of the patches and their potential impact on Windows platforms and application deployments.

This month’s Patch Tuesday flags two components as high-risk: the Ancillary Function Driver for WinSock, with an explicit Bluetooth focus, and the Telnet client. Microsoft also ships a pre-release security fix to the Common Log File System driver, and Secure Boot key rolling continues under CVE-2023-24932. TCP/IP is the most-patched component this cycle, with 11 separate updates. Lower-risk patches involve graphics, storage, virtualization, VPN, and Office MSI editions.

Ancillary Function Driver for WinSock 

The WinSock kernel driver (afd.sys) mediates every TCP and UDP socket on Windows, and the May update lands a regression-sensitive change to the Bluetooth interaction path. Failure here typically surfaces as audio dropouts, paired-device drops on sleep, slow reconnect on Wi-Fi handover, or a clean AFD-referenced bug check during sustained load. Watch the System event log for new errors from AFD, TCP/IP, or BTHUSB sources during your test window.

Success in testing these drivers looks silent: no stutters, no event-log churn, no handle leaks.

Your testing regime should include:

• Browse the web over HTTP and HTTPS on both IPv4 and IPv6; download a multi-gigabyte file and verify it completes without stalls.
• Establish a Remote Desktop session, idle 30+ minutes, then resume; place a Teams call with audio, video, and screen share.
• Disable and re-enable the NIC, switch between Wi-Fi and Ethernet, and sleep/resume the machine; expect the network to return cleanly with no AFD-referenced bug check.
• Toggle Bluetooth on and off from Settings and Action Center; pair and unpair headphones, mouse, keyboard, and phone, repeating through several cycles.
• Play audio over a Bluetooth headset for 10+ minutes during a Teams call; expect zero dropouts and clean mic/speaker switching as devices toggle.
• Transfer a file to and from a phone over Bluetooth; connect a Bluetooth keyboard and mouse, leave idle, and resume input.
• Sleep and resume the machine with Bluetooth peripherals connected; verify they reconnect without manual intervention.

Telnet client

The Telnet client (telnet.exe) is an optional Windows feature, rarely enabled on modern endpoints. The high-risk flag matters wherever the feature is installed. Check first with Get-WindowsCapability -Online -Name “Telnet.Client~~~~0.0.1.0”. If installed, launch telnet.exe against a known good endpoint and confirm it opens, accepts input, and exits cleanly. If the feature is not in use, treat this update as an opportunity for attack-surface reduction and remove it.

Common Log File System security fix

Microsoft corrected two integer underflow vulnerabilities in the CLFS driver (clfs.sys) that could trigger a system crash or elevation of privilege. Regression risk is low, but CLFS underpins transaction logging across SQL Server, DTC, Failover Clustering, Hyper-V, Active Directory, and Event Log. Validate where these run. A bug check referencing clfs.sys after the update is the clearest red flag.

• Reboot, run a representative workload for 24 to 48 hours, and check System and Application logs for new errors referencing CLFS, NTFS, DTC, or FailoverClustering.
• On SQL Server, restart the service, run standard transactions, perform a backup and restore, and confirm Always On replication stays healthy.
• Patch each cluster node, verify all nodes return as Up, and move a clustered role across nodes.
• On a patched domain controller, run repadmin /replsummary and dcdiag /v; verify Group Policy still applies on clients.
• Confirm VSS writers report Stable via vssadmin list writers, then run a full backup and a test restore.

Secure Boot and BitLocker

Secure Boot validation continues under the CVE-2023-24932 key rolling work. The risk is a recovery prompt or an unbootable device. Run only on dedicated test machines with the recovery key backed up.

• Enable BitLocker on the OS drive, verify TPM protectors with manage-bde -protectors -get c:, then disable and confirm clean decryption.
• With Secure Boot enabled, trigger recovery via reagentc /boottore 1, unlock with the recovery key, and verify normal next boot.
• With both enabled, apply the Windows UEFI CA 2023 key update and confirm the system boots without a recovery prompt.
• Hibernate with Secure Boot and BitLocker on (powercfg /hibernate on, shutdown -h), then resume and confirm no recovery screen.

Other Windows components

TCP/IP has the highest patch volume; the rest receive routine updates with no functional changes.

• Networking: run sustained file transfers, VPN sessions, and stable throughput over IPv4 and IPv6 to cover tcpip.sys (six updates), the Native Wi-Fi driver, and the LLDP driver.
• VPN and filtering: exercise IKEv2 tunnels through sleep/wake and verify Windows Firewall rules to cover IKEEXT.dll and BFE.
• Graphics and shell: run sustained UI activity and GPU-accelerated workloads to cover the Desktop Window Manager, graphics memory manager, and the graphics kernel; watch for artifacts or flickering.
• Virtualization: exercise VM start/save/resume/stop and external/internal/private virtual switches to cover Hyper-V vmswitch.sys.
• Storage and sync: exercise cloud sync hydration, Storage Spaces pool operations, and RDP printer/clipboard redirection.

Microsoft Office and SharePoint

This month’s Office updates target MSI editions only: Excel 2016 (KB5002865), Word 2016 (KB5002858), Office 2016 shared libraries (KB5002866), and SharePoint Server 2016, 2019, Online Server, and Subscription Edition. Click-to-Run estates are unaffected.

• Open complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity.
• Edit Word documents with embedded objects, tracked changes, and complex formatting.
• Across patched SharePoint editions, validate document library operations, co-authoring, and workflow execution.
• Confirm that Office add-ins and line-of-business integrations continue to operate.

The Readiness team recommends testing start with the high-risk items. The WinSock driver update warrants a Bluetooth-heavy regression pass across peripherals, audio, file transfer, and sleep/wake. The Telnet client flag is narrow but applies wherever the optional feature is enabled. The CLFS security fix is low regression risk, but its blast radius is wide: validate SQL Server, failover clusters, Hyper-V, Active Directory, and event logging where they exist. Secure Boot and BitLocker validation remains essential as CVE-2023-24932 key rolling continues. Microsoft Office is MSI-only this cycle.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: 

• Browsers (Microsoft Edge) 
• Microsoft Windows (both desktop and server) 
• Microsoft Office
• Microsoft Exchange and SQL Server 
• Microsoft Developer Tools (Visual Studio and .NET)
• Adobe (if you get this far) 

Browsers

For this Patch Tuesday, Microsoft Edge released the stable version (148.0.3967.54) on May 7, according to the Edge security release notes. This update cycle covers six Edge-engineered CVEs plus 127 Chromium upstream CVEs flowing through:

• CVE-2026-33111 — Copilot Chat (Microsoft Edge) — Information disclosure (CVSS 7.5, rated critical). This is the headline browser issue this month.
• CVE-2026-41107 — Microsoft Edge (Chromium-based) — Information disclosure (CVSS 7.4). External control of file name and path.
• CVE-2026-42838 — Microsoft Edge (Chromium-based) — Elevation of privilege (CVSS 5.4). Injection in a downstream component.
• CVE-2026-7896 through CVE-2026-8022 — Chromium upstream — 127 CVEs covering use-after-free, out-of-bounds read and write, type confusion, and integer overflow across V8, Blink, Skia, WebRTC, ANGLE, and DevTools. The same fixes ship in the Chrome Stable channel; see the Chrome releases blog for the upstream notes.

Add these updates to your Patch Now deployment schedule for Edge-managed environments.

Microsoft Windows

Microsoft addressed 67 unique vulnerabilities across Windows, six rated critical and 61, important. Elevation of privilege dominates by volume (44 entries), followed by remote code execution (9), denial of service (7), information disclosure (4), and security feature bypass (3). The six critical entries span six distinct Windows features:

• CVE-2026-41089 — Windows Netlogon — Remote code execution (CVSS 9.8). Unauthenticated stack-based buffer overflow targeting domain controllers; the highest-impact Windows CVE this cycle.
• CVE-2026-41096 — Windows DNS Client — Remote code execution (CVSS 9.8). Unauthenticated heap-based overflow in name resolution.
• CVE-2026-40402 — Windows Hyper-V — Elevation of privilege (CVSS 9.3). The only non-RCE critical this cycle; guest-to-host escalation on virtualization hosts.
• CVE-2026-40403 — Windows Graphics Component — Remote code execution (CVSS 8.8). Rendering-path RCE.
• CVE-2026-35421 — Windows GDI — Remote code execution (CVSS 7.8). Exploitation via a malicious Enhanced Metafile (EMF) image opened in Microsoft Paint or any EMF-rendering application.
• CVE-2026-32161 — Windows Native WiFi Miniport Driver — Remote code execution (CVSS 7.5). Wireless networking attack surface.

Domain controllers and Hyper-V hosts are the deployment priority, given Netlogon’s unauthenticated profile and the guest-to-host escape. Add this Windows update to your Patch Now deployment schedule.

Microsoft Office

Microsoft released 27 Office CVEs — nine critical, 18 important. Remote code execution dominates with 15 entries; the rest split across information disclosure (4), elevation of privilege (4), spoofing (3), and tampering (1).

• SharePoint Server 2016 remote code execution — CVE-2026-40365, CVSS 8.8. Authenticated Site Owner can inject arbitrary code remotely via insufficient access-control granularity.
• Microsoft Word Preview Pane remote code execution — CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367, each with a reported CVSS of 8.4.
• Microsoft Office remote code execution — CVE-2026-40358 and CVE-2026-40363, each CVSS 8.4. Office 2019 32-bit editions affected.

SharePoint Server is the main priority, given the network-RCE profile — even with the authenticated-Site-Owner precondition. Office 2019 MSI estates pick up six critical fixes between the four Word RCEs and the two generic Office RCEs. The Team Events Portal CVE is addressed cloud-side — no on-premises action. Apply this month’s Office security updates (KB5002865, KB5002858, KB5002866, and the SharePoint set in Issues Resolved above) per the standard ring schedule.

Microsoft Exchange and SQL Server

This month, Microsoft SQL Server receives a single patch and Microsoft Exchange Server gets none:

• CVE-2026-40370 — SQL Server — Remote code execution (CVSS 8.8). External control of file name or path allows an authenticated attacker to execute code over a network. The fix is broadly distributed across SQL Server 2025, 2022, 2019, 2017, and 2016 SP3 via both GDR and CU channels.

SQL Server estates should deploy via GDR or CU per their standard patching cadence, prioritizing internet-exposed instances given the post-authentication blast radius implied by the CVSS 8.8. Add this update to your Patch Now deployment schedule for any internet-connected SQL Server.

Developer tools

Microsoft released 11 CVEs across its developer tooling, with one update rated critical (for Azure DevOps) and 10 rated important, covering the following areas:

• Visual Studio Code — five entries: CVE-2026-41109 security feature bypass involving GitHub Copilot, CVE-2026-41610 security feature bypass, CVE-2026-41611 remote code execution, CVE-2026-41613 elevation of privilege, and CVE-2026-41612 information disclosure in the Live Preview extension.
• .NET on Windows — four entries: CVE-2026-32175 (.NET Core tampering), CVE-2026-32177 and CVE-2026-35433 (.NET 10.0 elevation of privilege), and CVE-2026-42899 (ASP.NET Core denial of service on .NET 8.0).

Add these Microsoft updates to your standard developer update release schedule.

Adobe (and third-party updates)

I keep promising that this section should be retired (and it should), but Microsoft released a sizable third-party sweep through Azure Linux 3.0 and CBL Mariner 2.0 this month: 191 open-source CVEs spanning the Linux kernel, the Go runtime, Apache httpd, PHP, CoreDNS, valkey, Ruby, gnutls, Apache Thrift across its Node.js, Rust, and Java implementations, plus vim, postfix, expat, nmap, Prometheus, KEDA, and PgBouncer. This is a lot for anyone.

In addition to all this, Microsoft issued a patch (CVE-2026-41103) for its own SSO Plugin for Jira and Confluence. This vulnerability allows an attacker to forge a Microsoft Entra ID identity via a crafted SAML response; patching requires updating the plugin within Atlassian rather than on a Microsoft platform. In other words, the Microsoft attack surface now extends to other vendors’ application stacks, with patching responsibilities split across vendors. 

With such diffusion of responsibility, what could go wrong?