Windows update

1. CVE-2026-45495 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

   Acknowledgement added. This is an informational change only.

2. CVE-2026-45494 Microsoft Edge (Chromium-based) Spoofing Vulnerability

   Acknowledgement added. This is an informational change only.

3. CVE-2026-42825 Windows Telephony Service Elevation of Privilege Vulnerability

   Updated Hotpatch links. This is in informational change only.

4. CVE-2025-54518 AMD: CVE-2025-54518 CPU OP Cache Corruption

   Updated Hotpatch links. This is in informational change only.

5. CVE-2025-6965 Integer Truncation on SQLite

   Added Visual Studio software to the Security Updates table. Customers that are running supported version of Visual Studio are encouraged to update to the indicated version to be protected from this vulnerability.

6. CVE-2026-39829 Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh

   Information published.

7. CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

   Information published.

8. CVE-2026-39821 Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

   Information published.

9. Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

   Information published.

10. Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

    Information published.

11. Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

    Information published.

12. CVE-2025-15504 lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference

    Information published.

13. CVE-2024-36137 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.

    Information published.

14. CVE-2024-22018 A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

    Information published.

15. CVE-2017-3736 There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

    Information published.

16. CVE-2026-31789 Heap Buffer Overflow in Hexadecimal Conversion

    Information published.

17. CVE-2026-28387 Potential Use-after-free in DANE Client Code

    Information published.

18. CVE-2026-28388 NULL Pointer Dereference When Processing a Delta CRL

    Information published.

19. CVE-2026-28389 Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo

    Information published.

20. CVE-2026-28390 Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo

    Information published.

21. CVE-2026-34875 An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can occur in public key export for FFDH keys.

    Information published.

22. CVE-2026-34874 An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0.

    Information published.

23. CVE-2026-34876 An issue was discovered in Mbed TLS 3.x before 3.6.6. An out-of-bounds read vulnerability in mbedtls_ccm_finish() in library/ccm.c allows attackers to obtain adjacent CCM context data via invocation of the multipart CCM API with an oversized tag_len parameter. This is caused by missing validation of the tag_len parameter against the size of the internal 16-byte authentication buffer. The issue affects the public multipart CCM API in Mbed TLS 3.x, where mbedtls_ccm_finish() can be invoked directly by applications. In Mbed TLS 4.x versions prior to the fix, the same missing validation exists in the internal implementation; however, the function is not exposed as part of the public API. Exploitation requires application-level invocation of the multipart CCM API.

    Information published.

24. CVE-2026-25835 Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).

    Information published.

25. CVE-2025-66442 In Mbed TLS through 4.0.0, there is a compiler-induced timing side channel (in RSA and CBC/ECB decryption) that only occurs with LLVM's select-optimize feature. TF-PSA-Crypto through 1.0.0 is also affected.

    Information published.

26. CVE-2026-34873 An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.

    Information published.

27. CVE-2026-34871 An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).

    Information published.

28. CVE-2026-34872 An issue was discovered in Mbed TLS 3.5.x and 3.6.x through 3.6.5 and TF-PSA-Crypto 1.0. There is a lack of contributory behavior in FFDH due to improper input validation. Using finite-field Diffie-Hellman, the other party can force the shared secret into a small set of values (lack of contributory behavior). This is a problem for protocols that depend on contributory behavior (which is not the case for TLS). The attack can be carried by the peer, or depending on the protocol by an active network attacker (person in the middle).

    Information published.

29. CVE-2026-25834 Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade.

    Information published.

30. CVE-2026-25833 Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function

    Information published.

31. CVE-2025-23167 A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: * This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.

    Information published.

32. CVE-2026-21717 A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.

    Information published.

33. CVE-2026-2673 OpenSSL TLS 1.3 server may choose unexpected key agreement group

    Information published.

34. CVE-2026-33671 Picomatch has a ReDoS vulnerability via extglob quantifiers

    Information published.

35. CVE-2026-33672 Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

    Information published.

36. CVE-2026-21711 A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.

    Information published.

37. CVE-2026-42250 Off-by-One Leading to Out-of-Bounds Write in bzip2

    Information published.

38. CVE-2026-46242 eventpoll: fix ep_remove struct eventpoll / struct file UAF

    Information published.

39. CVE-2026-42790 nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification

    Information published.

40. CVE-2026-42012 Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans

    Information published.

41. CVE-2026-9804 Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read

    Information published.

42. CVE-2026-48864 Libsolv: heap buffer overflow in libsolv repopagestore via unchecked decompression of malicious .solv page data

    Information published.

43. CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob

    Information published.

44. CVE-2026-40034 gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule

    Information published.

45. CVE-2026-40528 OpenSC 0.27.0 Buffer Overrun in do_key_value() via profile.c

    Information published.

46. CVE-2026-40510 OpenSC 0.27.0-rc1 Stack Buffer Overflow via piv_process_history() in card-piv.c

    Information published.

47. CVE-2026-42789 Non-CA certificate accepted as intermediate issuer in public_key path validation

    Information published.

48. CVE-2026-42013 Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name

    Information published.

49. CVE-2026-42015 Gnutls: gnutls: memory corruption due to off-by-one error in pkcs#12 bag handling

    Information published.

50. CVE-2026-5260 Gnutls: gnutls: information disclosure via heap overread in rsa key exchange

    Information published.