Patch Tuesday – July 2026

Post Syndicated from Adam Barnett original https://www.rapid7.com/blog/post/em-patch-tuesday-july-2026

Microsoft is publishing 622 vulnerabilities on July 2026 Patch Tuesday, including a record-breaking 416 Windows vulnerabilities. Microsoft is aware of exploitation in the wild for two of the vulnerabilities published today, both of which are listed on CISA KEV, as well as public disclosure for one other. As usual, browser vulns are not included in the Patch Tuesday count above. Rapid7 noted last month that Microsoft no longer enumerates Chromium CVEs in the Security Update Guide. However, Microsoft has now taken the pursuit of minimalism much further, since today’s Security Update Guide no longer lists out even Microsoft vulnerabilities! Instead, we now receive a summary table of vulnerability counts by product family, as well as a new slimline “Notable CVEs” section. All of this only serves to illustrate the recent industry-wide trend of exploding vulnerability report counts, with an associated uptick in the publication of remediations as a trailing indicator.

SharePoint: critical auth bypass by Rapid7

Today sees the publication of CVE-2026-55040, a critical authentication bypass in Microsoft SharePoint. Discovered by Rapid7 Senior Principal Security Researcher Stephen Fewer, and published today in coordination with Microsoft, this vulnerability is the first in a pair of exploits which, when chained together, can lead to unauthenticated remote code execution against a vulnerable SharePoint server. Patches are available for SharePoint Server Subscription Edition, 2019, and 2016. As the full Rapid7 blog post sets out, the second vulnerability in the full RCE chain remains embargoed for now, with Microsoft expected to publish patches for that second vulnerability as part of Patch Tuesday August 2026. Microsoft noted: “We would like to thank Rapid7 for responsibly reporting this issue through coordinated vulnerability disclosure.”

SharePoint: zero-day EoP

It’s a rare Patch Tuesday which doesn’t include multiple SharePoint fixes, and today is no exception. Microsoft is aware of existing in-the-wild exploitation of CVE-2026-56164, where successful exploitation allows an attacker to elevate privileges over a network, with no existing privileges required, and low attack complexity since “an attacker does not require significant prior knowledge of the system, and can achieve repeatable success”. This is as good an example as any that a relatively low CVSS v3 base score (5.3) may be an imperfect signal concealing something much spicier, and Microsoft acknowledges that possibility by assigning a severity rating of Important. Microsoft certainly intended to list CVE-2026-56164 in the new Notable CVEs section of the Security Update Guide instead of erroneously listing CVE-2026-56155 twice, and it’s likely that this will be corrected shortly.

What’s the opposite of coordinated disclosure?

After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026. As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond. Pseudonymous researcher Nightmare Eclipse dropped another Defender elevation of privilege vulnerability in the hours following Patch Tuesday June 2026, which Microsoft subsequently published and patched as CVE-2026-50656, along with a terse acknowledgement of the vulnerability’s celebrity nickname of RoguePlanet. Recently, Nightmare Eclipse has given conflicting estimates of what sort of surprises Microsoft can expect today, as well as claiming that the CVE-2026-50656 patches introduce a new avenue for a disk exhaustion attack. Today,  a new proof of concept for a further vulnerability nicknamed LegacyHive has emerged from the same source, which appears to allow a non-privileged user to mount another user’s user hive.

Microsoft BitLocker receives patches today for a publicly-known security feature bypass vulnerability. The advisory for CVE-2026-50661 explains that an unauthorized attacker with physical access to the target machine can bypass Windows BitLocker. While Microsoft doesn’t confirm either way, it’s very probable that this is a patch for the GreatXML vulnerability which Nightmare Eclipse announced the day after Patch Tuesday June 2026.

Active Directory Federation Services: zero-day EoP

Active Directory administrators should note the emergence today of CVE-2026-56155, an exploited-in-the-wild elevation of privilege vulnerability in Active Directory Federation Services which allows an authorized attacker to elevate privileges locally. Eight other vulnerabilities are also published today in Active Directory Federation Services, all ranked as Important on Microsoft’s proprietary severity ranking scale. The advisory doesn’t explicitly describe the location of the attacker, but it’s likely that an attacker would need an existing toehold on the target system to chain together with the elevation of privilege opportunity on offer here.

Age of Empires II: RCE

Historically, Patch Tuesday hasn’t seen too many security patches for video games. However, Age of Empires II: Definitive Edition is a new entrant to the Microsoft CVE roster today. Veteran AoE2 players may well be familiar with dangerous opposition early game strategies such as the Persian Town Center nuisance or the Aztec monk rush, but anyone who opens a malicious game scenario file without applying the patch for CVE-2026-50663 might suffer a serious defeat. Successful exploitation allows an attacker to place malicious files in unexpected locations, potentially enabling code execution on the target system.

Microsoft lifecycle update

As Rapid7 noted last month, there are some significant Microsoft product lifecycle changes taking place in mid-July. SQL Server 2016 moves beyond regular extended support and into the pay-to-play Extended Security Updates (ESU) phase from July 15, 2026, and its older sibling SQL Server 2014 moves into the third and final year of ESU. Also on July 14, 2026, SharePoint Server 2016 and 2019 reach extended end date, and since there’s no ESU available, the only remaining option for fully-supported self-hosted SharePoint after today is SharePoint Subscription Edition. The July 2026 lifecycle casualties continue with Project Server 2016 and 2019, Dynamics GP 2016 and 2016 R2, InfoPath 2013, and SharePoint Designer 2013, which also all reach their Extended End Dates, ending their supported lifecycles. Visual Studio 2022 Version 17.12 Long-Term Servicing Channel (LTSC) reaches its release end date on July 14, leaving either the Visual Studio 2022 current channel or an upgrade to Visual Studio 2026 as supported options.

Summary charts

2026-07-vuln_count_impact.png

2026-07-vuln_count_component.png

2026-07-vuln_count_impact-component-heatmap.png

Summary tables

Apps vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-58617

M365 Copilot for iOS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-58595

Microsoft Bing App for IOS Spoofing Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-48561

Microsoft Copilot Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.6

CVE-2026-58636

Microsoft PC Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50438

Microsoft PC Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-54124

Windows Terminal Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

Azure vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-50652

Azure Active Directory Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50653

Azure Active Directory Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-57969

Azure CycleCloud Elevation of Privilege Vulnerability

N/A

No

8.8

CVE-2026-58279

Azure CycleCloud Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-47632

Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50338

Azure Spring Apps Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.2

Developer Tools vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-47302

.NET Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50525

.NET Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50651

.NET Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-57108

.NET Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50524

.NET Framework Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50527

.NET Framework Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50648

.NET Framework Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50650

.NET Framework Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50646

.NET Framework Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50649

.NET Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-47304

.NET Security Feature Bypass Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-50528

.NET Security Feature Bypass Vulnerability

Exploitation Less Likely

No

8.2

CVE-2026-50659

.NET Spoofing Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50526

.NET Tampering Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-56170

ASP.NET Core Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-47300

ASP.NET Core Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-47303

ASP.NET Core Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-47282

GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-41109

GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50506

OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-45646

OData for ASP.NET and ASP.NET Core Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50520

Visual Studio Code Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-45496

Visual Studio Code Security Feature Bypass Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-57101

Visual Studio Code Security Feature Bypass Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-57102

Visual Studio Code Security Feature Bypass Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-47305

Visual Studio Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

Device vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-48581

Surface Broker SDMA Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

ESU vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-54121

Active Directory Certificate Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50682

Active Directory Denial of Service Vulnerability

Exploitation Unlikely

No

7.1

CVE-2026-50647

Active Directory Federation Server Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50684

Active Directory Federation Server Spoofing Vulnerability

N/A

No

4.8

CVE-2026-56155

Active Directory Federation Services Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-50491

Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50381

Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50427

Content Delivery Manager Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50692

Desktop Window Manager Elevation of Privilege Vulnerability

N/A

No

8.8

CVE-2026-48564

DHCP Server Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50370

DHCP Server Service Remote Code Execution Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-56159

DHCP Server Service Remote Code Execution Vulnerability

Exploitation Unlikely

No

9.8

CVE-2026-50296

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50375

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

6.3

CVE-2026-50493

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56643

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56644

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58629

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50382

DirectX Graphics Kernel Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-49174

DNS Client Tampering Vulnerability

Exploitation Unlikely

No

6.1

CVE-2026-50495

DNS Client Tampering Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-49787

HTTP.sys Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-49788

HTTP/2 Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50696

Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50329

Microsoft DWM Core Library Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58541

Microsoft DWM Core Library Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55006

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55009

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55005

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-55008

Microsoft Exchange Server Spoofing Vulnerability

Exploitation More Likely

No

9.6

CVE-2026-50343

Microsoft Install Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-54992

Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability

Exploitation More Likely

No

8.4

CVE-2026-50439

Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-42900

Microsoft Windows App Store Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-49784

Microsoft Windows App Store Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50356

Microsoft Windows App Store Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-49165

Microsoft Windows App Store Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-54993

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58610

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50655

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-56189

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-57090

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-57094

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-57087

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-57092

Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

Exploitation Less Likely

No

9.9

CVE-2026-50359

Microsoft XML Core Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-57097

Microsoft XML Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.4

CVE-2026-50346

Netlogon RPC Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50402

NTFS Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-54989

Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50365

Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-50474

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-58594

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56190

Remote Desktop Protocol Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-49783

Secure Boot Security Feature Bypass Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-42990

SQL Server ODBC driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

9.8

CVE-2026-49168

Storage Spaces Direct Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-49180

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50455

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-58601

Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability

Exploitation Less Likely

No

7.8

CVE-2026-49805

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50297

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50325

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50489

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-57095

Win32k Elevation of Privilege Vulnerability

Exploitation Unlikely

No

6.2

CVE-2026-56184

Win32k Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5


CVE-2026-50432

Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-54119

Windows Active Directory Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-57976

Windows Active Directory Domain Services Denial of Service Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50366

Windows Active Directory Domain Services Denial of Service Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-49164

Windows Active Directory Domain Services Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-49178

Windows Active Directory Domain Services Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-54983

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50695

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50304

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50368

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50324

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Less Likely

No

5.9

CVE-2026-50355

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50411

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50312

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-50462

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-57093

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-34346

Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50400

Windows App Package Installer Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50331

Windows Application Model Core API Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49803

Windows AppX Deployment Extensions Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50351

Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-34328

Windows Audio Service Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50406

Windows Backup Engine Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50364

Windows Backup Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50661

Windows BitLocker Security Feature Bypass Vulnerability

Exploitation Less Likely

Yes

6.1

CVE-2026-42975

Windows Bluetooth Port Driver Remote Code Execution

Exploitation Less Likely

No

8.0

CVE-2026-58538

Windows Bluetooth Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58638

Windows Boot Loader Security Feature Bypass Vulnerability

Exploitation More Likely

No

6.0

CVE-2026-58637

Windows Client-Side Caching Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50384

Windows Clip Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-49183

Windows Clipboard Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50689

Windows Clipboard Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50374

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.3

CVE-2026-58536

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58613

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50401

Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50697

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50667

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50421

Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50352

Windows Cryptographic Services Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50302

Windows Cryptographic Services Security Feature Bypass Vulnerability

Exploitation Unlikely

No

4.2

CVE-2026-50347

Windows Data.dll Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49181

Windows DHCP Client Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50683

Windows DHCP Client Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.0

CVE-2026-54128

Windows DHCP Client Remote Code Execution Vulnerability

Exploitation More Likely

No

8.4

CVE-2026-58627

Windows DHCP Server Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50518

Windows DHCP Server Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-50685

Windows DHCP Server Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-49807

Windows DirectX Information Disclosure Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-49175

Windows DNS Client Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50426

Windows DNS Server Remote Code Execution Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-50300

Windows DWM Core Library Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50437

Windows DWM Core Library Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-34348

Windows Event Logging Service Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50502

Windows Event Logging Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-33842

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-40422

Windows File Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-41087

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50473

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50442

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50389

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50456

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-57084

Windows File Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-57091

Windows File History Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50405

Windows Filtering Platform Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49172

Windows FTP Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-50387

Windows GDI Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-54122

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-49796

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50380

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.6


CVE-2026-58609

Windows Graphics Component Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50391

Windows Group Policy Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50310

Windows Human Interface Device Information Disclosure Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-50485

Windows Hyper-V Denial of Service Vulnerability

Exploitation Less Likely

No

4.5

CVE-2026-54129

Windows Hyper-V Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50680

Windows Hyper-V Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.2

CVE-2026-58534

Windows Input Method Editor (IME) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50490

Windows Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-58540

Windows Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50425

Windows Internal System User Profile Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50293

Windows Internal Task Bar Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49167

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-54132

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-49795

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-49798

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

9.3

CVE-2026-50354

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-50332

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50377

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50390

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50423

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50397

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50399

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50459

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50477

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50478

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50484

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50673

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58532

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50294

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-50316

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50419

Windows Kernel Information Disclosure Vulnerability

Exploitation Unlikely

No

3.3

CVE-2026-50463

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50475

Windows Kernel Information Disclosure Vulnerability

Exploitation More Likely

No

5.5

CVE-2026-50429

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

8.2

CVE-2026-58614

Windows Kernel Security Feature Bypass Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-58545

Windows Kernel Security Feature Bypass Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50378

Windows Key Guard Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50303

Windows Key Guard Security Feature Bypass Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-40378

Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-49799

Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50371

Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50358

Windows Media Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50433

Windows Media Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-34349

Windows Media Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50394

Windows Media Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50415

Windows Media Information Disclosure Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-57083

Windows Media Photo Codec Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-54115

Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50447

Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-50505

Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-58635

Windows Narrator Braille Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50500

Windows Netlogon Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50476

Windows Network Connections Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50450

Windows Network Connections Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56650

Windows Network File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56649

Windows Network File System Remote Code Execution Vulnerability

Exploitation Unlikely

No

5.9

CVE-2026-50470

Windows Network Policy Server SNMP Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50496

Windows Network Policy Server SNMP Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-56194

Windows NFS Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56648

Windows NFS Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50337

Windows Notification Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49789

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50412

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50422

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50672

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-56175

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56182

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50341

Windows NTFS Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-58640

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-49184

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-49797

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50308

Windows NTFS Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50386

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50309

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50313

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50388

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50448

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50471

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50461

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50417

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50482

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50494

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50344

Windows OLE Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50686

Windows OLE Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-50335

Windows Operating Systems Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54987

Windows Overlay Filter Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50435

Windows Overlay Filter Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50409

Windows Overlay Filter Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-40400

Windows PowerShell Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.0

CVE-2026-55004

Windows Print Configuration Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50499

Windows Print Spooler Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50383

Windows Print Spooler Information Disclosure Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-57085

Windows Print Spooler Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-58608

Windows Print Spooler Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50469

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50434

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50339

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50430

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50334

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50363

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50431

Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50372

Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-54982

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-54995

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-50666

Windows Remote Access Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56647

Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50330

Windows Remote Desktop Client Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50376

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50504

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58533

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58535

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58546

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58539

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-55003

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-57979

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50445

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50497

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-54126

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-57982

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50369

Windows Remote Desktop Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-58626

Windows Remote Desktop Services Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-50318

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50407

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50357

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50441

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50668

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-54109

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49792

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49793

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50362

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50492

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-58530

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49791

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-50451

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-57096

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50452

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50348

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50410

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50449

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50460

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-50457

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50486

Windows Runtime Elevation of Privilege Vulnerability

N/A

No

7.8

CVE-2026-54125

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50373

Windows Search Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-44806

Windows Secure Channel Denial of Service Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-50681

Windows Secure Channel Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-56186

Windows Secure Channel Information Disclosure Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-42982

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50694

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-50367

Windows Sensor Data Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58619

Windows Sensor Data Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50311

Windows Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56188

Windows Server Network driver Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8


CVE-2026-50444

Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50328

Windows Server Update Service (WSUS) Tampering Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-58531

Windows SMB Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.5

CVE-2026-54997

Windows SMB Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-49801

Windows SMB Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50690

Windows SMB Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-56168

Windows SMB Server Denial of Service Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50360

Windows SMB Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-57089

Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50333

Windows Spaceport.sys Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50298

Windows Spaceport.sys Elevation of Privilege Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-49171

Windows Speech Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-49170

Windows StateRepository API Server file Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58526

Windows Storage Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50299

Windows Storage Spaces Direct Remote Code Execution Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-50306

Windows TCP/IP Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50307

Windows TCP/IP Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-49177

Windows TCP/IP Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-54999

Windows TCP/IP Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50669

Windows Telephony Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-54124

Windows Terminal Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50350

Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50326

Windows Unified Consent System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49790

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50498

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58547

Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-49794

Windows USB Audio Class Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-50453

Windows USB Audio Class Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-58528

Windows USB Audio Class Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-50321

Windows USB Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50479

Windows USB Hub Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49804

Windows USB Video Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.6

CVE-2026-49176

Windows WalletService Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49800

Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50480

Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56173

Windows WebView Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-58632

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54107

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-54986

Windows Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-54112

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-54114

Windows Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50670

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50688

Windows Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-56176

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58628

Windows Wireless Network Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50509

Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

Microsoft Dynamics vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-55944

Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

Microsoft Office vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-50678

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

6.6

CVE-2026-54988

Microsoft Excel Information Disclosure Vulnerability

Exploitation Unlikely

No

6.1

CVE-2026-48580

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50408

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55046

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55138

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55054

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-55122

Microsoft Excel Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-55898

Microsoft Excel Information Disclosure Vulnerability

Exploitation Unlikely

No

6.1

CVE-2026-50675

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55899

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55948

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-58618

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-47642

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55024

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55025

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55031

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55048

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55029

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55039

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55041

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55136

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55141

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55036

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55044

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55037

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55058

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55137

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55053

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55131

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54131

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55947

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55949

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56156

Microsoft Excel Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56193

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-55023

Microsoft Office Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-55026

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-55027

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55028

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55047

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55035

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55057

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55042

Microsoft Office Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-55139

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50665

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56192

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-56195

Microsoft Office Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55121

Microsoft Office Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-47290

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50301

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50314

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50467

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55017

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55018

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55022

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55125

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55045

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-55049

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55129

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55056

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55140

Microsoft Office Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55133

Microsoft OneNote Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55043

Microsoft PowerPoint Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55123

Microsoft PowerPoint Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55120

Microsoft PowerPoint Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55052

Microsoft SharePoint Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-58277

Microsoft SharePoint Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50522

Microsoft SharePoint Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-58644

Microsoft SharePoint Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-56164

Microsoft SharePoint Server Elevation of Privilege Vulnerability

Exploitation Detected

No

5.3

CVE-2026-55051

Microsoft SharePoint Server Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-55040

Microsoft SharePoint Server Security Feature Bypass Vulnerability

Exploitation More Likely

No

9.1

CVE-2026-54108

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-55016

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-55019

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Unlikely

No

4.6

CVE-2026-55020

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Unlikely

No

4.6

CVE-2026-55021

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Unlikely

No

7.3

CVE-2026-55030

Microsoft SharePoint Server Spoofing Vulnerability

N/A

No

4.6

CVE-2026-55034

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-55126

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-55135

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-56157

Microsoft SharePoint Server Spoofing Vulnerability

Exploitation Less Likely

No

5.4

CVE-2026-55050

Microsoft Word Information Disclosure Vulnerability

N/A

No

5.5

CVE-2026-55124

Microsoft Word Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55142

Microsoft Word Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-55032

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55033

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55127

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55055

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55038

Microsoft Word Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55132

Microsoft Word Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55134

Microsoft Word Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55128

Microsoft Word Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55130

Microsoft Word Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50387

Windows GDI Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

Open Source Software vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-40553

Stack-based buffer overflow in gawk

n/a

No

CVE-2026-40469

Heap buffer overflow in gawk

n/a

No

CVE-2026-40468

Heap buffer overflow in gawk

n/a

No

CVE-2026-40467

Use after free in gawk

n/a

No

CVE-2026-57968

Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-57973

Windows Subsystem for Linux (WSL2) Kernel Tampering Vulnerability

Exploitation Less Likely

No

6.3

Other vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-50663

Game: Age of Empires II: Definitive Edition Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50510

GitHub Copilot Remote Code Execution Vulnerability

N/A

No

7.8

CVE-2026-55010

Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-55145

Outlook Copilot Tampering Vulnerability

N/A

No

6.3

Server Software vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-55006

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55009

Microsoft Exchange Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-55005

Microsoft Exchange Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-55008

Microsoft Exchange Server Spoofing Vulnerability

Exploitation More Likely

No

9.6

SQL Server vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-56642

Microsoft Fabric Data Warehouse Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-58647

Microsoft PowerBI Report Server Spoofing Vulnerability

Exploitation Unlikely

No

8.0

CVE-2026-47296

Microsoft SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55002

Microsoft SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-47295

Microsoft SQL Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50468

Microsoft SQL Server Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-54116

Microsoft SQL Server Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-54117

Microsoft SQL Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-54118

Microsoft SQL Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

System Center vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-50658

Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-56178

Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50657

Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-55011

Microsoft Defender Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55012

Microsoft Defender Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

Windows vulnerabilities

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-54121

Active Directory Certificate Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50682

Active Directory Denial of Service Vulnerability

Exploitation Unlikely

No

7.1

CVE-2026-55001

Active Directory Domain Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50647

Active Directory Federation Server Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50684

Active Directory Federation Server Spoofing Vulnerability

N/A

No

4.8

CVE-2026-56155

Active Directory Federation Services Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-50488

Clipboard User Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50491

Code Integrity DLL (ci.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50381

Composite Image File System driver (cimfs.sys) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50427

Content Delivery Manager Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50692

Desktop Window Manager Elevation of Privilege Vulnerability

N/A

No

8.8

CVE-2026-58633

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58634

Desktop Window Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-48564

DHCP Server Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50370

DHCP Server Service Remote Code Execution Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-56159

DHCP Server Service Remote Code Execution Vulnerability

Exploitation Unlikely

No

9.8

CVE-2026-50296

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50375

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

6.3

CVE-2026-50353

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50493

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56643

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56644

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58629

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50382

DirectX Graphics Kernel Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-49174

DNS Client Tampering Vulnerability

Exploitation Unlikely

No

6.1

CVE-2026-50495

DNS Client Tampering Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-57088

Extensible Storage Engine (ESENT) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49787

HTTP.sys Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50420

HTTP.sys Information Disclosure Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-49788

HTTP/2 Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50696

Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-49162

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50305

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50361

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50466

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50458

Microsoft Brokering File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50329

Microsoft DWM Core Library Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58541

Microsoft DWM Core Library Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50343

Microsoft Install Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-54992

Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability

Exploitation More Likely

No

8.4

CVE-2026-50439

Microsoft Message Queuing Queue Manager Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-58537

Microsoft NAT Helper Components (ipnathlp.dll) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-42900

Microsoft Windows App Store Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-49784

Microsoft Windows App Store Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50356

Microsoft Windows App Store Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-49165

Microsoft Windows App Store Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-54993

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58610

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50655

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-56189

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-57090

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-57094

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-57087

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-57092

Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

Exploitation Less Likely

No

9.9

CVE-2026-50359

Microsoft XML Core Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-57097

Microsoft XML Security Feature Bypass Vulnerability

Exploitation Less Likely

No

6.4

CVE-2026-50346

Netlogon RPC Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50402

NTFS Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-54989

Quality Windows Audio/Video Experience (QWAVE) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50365

Remote Access Management service/API (RPC server) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-54990

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-50474

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-58594

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56190

Remote Desktop Protocol Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-49783

Secure Boot Security Feature Bypass Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-42990

SQL Server ODBC driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

9.8

CVE-2026-49168

Storage Spaces Direct Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-49180

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50455

Universal Plug and Play (upnp.dll) Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-54111

Universal Print Management Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-58543

Universal Print Management Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.3

CVE-2026-58601

Virtual Hard Disk (VHD) Miniport Driver Elevation of Privilege Vulernability

Exploitation Less Likely

No

7.8

CVE-2026-49805

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50297

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50325

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50489

Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-57095

Win32k Elevation of Privilege Vulnerability

Exploitation Unlikely

No

6.2

CVE-2026-50416

Win32k Information Disclosure Vulnerability

Exploitation Less Likely

No

3.3

CVE-2026-56184

Win32k Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5


CVE-2026-50432

Window Virtual Filtering Platform (VFP) Denial of Service Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-54119

Windows Active Directory Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-57976

Windows Active Directory Domain Services Denial of Service Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50366

Windows Active Directory Domain Services Denial of Service Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-49164

Windows Active Directory Domain Services Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-49178

Windows Active Directory Domain Services Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-58529

Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-54983

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50695

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50304

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50368

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50324

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Less Likely

No

5.9

CVE-2026-50355

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50411

Windows Active Directory Federation Services Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-58631

Windows Admin Center (WAC) Remote Code Execution Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-56196

Windows Admin Center (WAC) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56197

Windows Admin Center (WAC) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56169

Windows Admin Center Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-57107

Windows Admin Center Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56185

Windows Admin Center Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50312

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-50462

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-57093

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-34346

Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-48572

Windows App Package Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-48571

Windows App Package Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50400

Windows App Package Installer Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50331

Windows Application Model Core API Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49803

Windows AppX Deployment Extensions Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50351

Windows Audio Compression Manager (ACM) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50440

Windows Audio Service Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-34328

Windows Audio Service Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50406

Windows Backup Engine Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50364

Windows Backup Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50661

Windows BitLocker Security Feature Bypass Vulnerability

Exploitation Less Likely

Yes

6.1

CVE-2026-42975

Windows Bluetooth Port Driver Remote Code Execution

Exploitation Less Likely

No

8.0

CVE-2026-58538

Windows Bluetooth Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58638

Windows Boot Loader Security Feature Bypass Vulnerability

Exploitation More Likely

No

6.0

CVE-2026-58637

Windows Client-Side Caching Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50384

Windows Clip Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-49183

Windows Clipboard Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50689

Windows Clipboard Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50374

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.3

CVE-2026-58536

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58613

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50401

Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50697

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50667

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50421

Windows Connected User Experiences and Telemetry Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50428

Windows Container Isolation FS Filter Driver (unionfs.sys) Information Disclosure Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-50352

Windows Cryptographic Services Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50302

Windows Cryptographic Services Security Feature Bypass Vulnerability

Exploitation Unlikely

No

4.2

CVE-2026-55144

Windows Cryptography API: Next Generation (CNG) Tampering Vulnerability

Exploitation Unlikely

No

7.1

CVE-2026-50347

Windows Data.dll Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49181

Windows DHCP Client Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50683

Windows DHCP Client Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.0

CVE-2026-54128

Windows DHCP Client Remote Code Execution Vulnerability

Exploitation More Likely

No

8.4

CVE-2026-58627

Windows DHCP Server Denial of Service Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50518

Windows DHCP Server Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-50685

Windows DHCP Server Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-49807

Windows DirectX Information Disclosure Vulnerability

Exploitation Less Likely

No

6.2

CVE-2026-49175

Windows DNS Client Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50487

Windows DNS Client Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-50465

Windows DNS Client Tampering Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-49169

Windows DNS Server Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-50426

Windows DNS Server Remote Code Execution Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-50424

Windows Domain Controller Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50300

Windows DWM Core Library Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50437

Windows DWM Core Library Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-34348

Windows Event Logging Service Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50502

Windows Event Logging Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.0

CVE-2026-33842

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-40422

Windows File Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-41087

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50473

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50442

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50389

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50456

Windows File Explorer Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-57084

Windows File Explorer Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-57091

Windows File History Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50405

Windows Filtering Platform Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49172

Windows FTP Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-50387

Windows GDI Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-54122

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-49796

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50380

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.6

CVE-2026-50483

Windows Graphics Component Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-58609

Windows Graphics Component Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50391

Windows Group Policy Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50310

Windows Human Interface Device Information Disclosure Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-50485

Windows Hyper-V Denial of Service Vulnerability

Exploitation Less Likely

No

4.5

CVE-2026-54129

Windows Hyper-V Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-54127

Windows Hyper-V Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.4

CVE-2026-50680

Windows Hyper-V Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.2

CVE-2026-50315

Windows Image Acquisition Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-58534

Windows Input Method Editor (IME) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50490

Windows Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-58540

Windows Installer Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50425

Windows Internal System User Profile Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50293

Windows Internal Task Bar Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49167

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

4.7

CVE-2026-49173

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54132

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-49795

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

8.8

CVE-2026-49798

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

9.3

CVE-2026-49808

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50354

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-50332

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50377

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50390

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.0

CVE-2026-50423

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50397

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50436

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50399

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50459

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50477

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50478

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50484

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50673

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58532

Windows Kernel Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50294

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

6.2


CVE-2026-50316

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50419

Windows Kernel Information Disclosure Vulnerability

Exploitation Unlikely

No

3.3

CVE-2026-50463

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50475

Windows Kernel Information Disclosure Vulnerability

Exploitation More Likely

No

5.5

CVE-2026-50429

Windows Kernel Information Disclosure Vulnerability

Exploitation Less Likely

No

8.2

CVE-2026-58614

Windows Kernel Security Feature Bypass Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-58545

Windows Kernel Security Feature Bypass Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-58602

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50393

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50396

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50378

Windows Key Guard Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50303

Windows Key Guard Security Feature Bypass Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-40378

Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-49799

Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50371

Windows LUA File Virtualization Filter Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-58544

Windows Management Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50404

Windows Media Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50358

Windows Media Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50336

Windows Media Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50398

Windows Media Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-50414

Windows Media Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50379

Windows Media Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50433

Windows Media Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50676

Windows Media Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50677

Windows Media Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-34349

Windows Media Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50394

Windows Media Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50415

Windows Media Information Disclosure Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-57083

Windows Media Photo Codec Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50327

Windows Media Remote Code Execution Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58542

Windows Media Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-54115

Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50447

Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-50505

Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50342

Windows MIDI Service Module Elevation of Privileges Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56183

Windows MIDI Service Module Elevation of Privileges Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-56187

Windows MIDI Service Module Elevation of Privileges Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-58635

Windows Narrator Braille Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50500

Windows Netlogon Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-56181

Windows Network Address Translation (NAT) Spoofing Vulnerability

Exploitation Less Likely

No

8.3

CVE-2026-50476

Windows Network Connections Service Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50450

Windows Network Connections Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56650

Windows Network File System Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56649

Windows Network File System Remote Code Execution Vulnerability

Exploitation Unlikely

No

5.9

CVE-2026-50470

Windows Network Policy Server SNMP Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-50496

Windows Network Policy Server SNMP Information Disclosure Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-56194

Windows NFS Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56648

Windows NFS Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50337

Windows Notification Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49789

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50412

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50422

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50672

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-56175

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56182

Windows NTFS Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50341

Windows NTFS Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-58640

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-49184

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.4

CVE-2026-49797

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50308

Windows NTFS Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50386

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50309

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50313

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50388

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50448

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50471

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50461

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50417

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50482

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50494

Windows NTFS Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50344

Windows OLE Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50686

Windows OLE Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.1

CVE-2026-50335

Windows Operating Systems Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50317

Windows Operating Systems Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54987

Windows Overlay Filter Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50435

Windows Overlay Filter Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50409

Windows Overlay Filter Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-40400

Windows PowerShell Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.0

CVE-2026-49166

Windows Print Configuration Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55004

Windows Print Configuration Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50499

Windows Print Spooler Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50383

Windows Print Spooler Information Disclosure Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-57085

Windows Print Spooler Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-58608

Windows Print Spooler Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50469

Windows Projected File System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50434

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50339

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50430

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50334

Windows Push Notification Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-44800

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50363

Windows Push Notifications Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50431

Windows Quality of Service (QoS) Packet Scheduler Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50372

Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-54982

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-54995

Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-50666

Windows Remote Access Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56647

Windows Remote Access Service Infrastructure Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50330

Windows Remote Desktop Client Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50376

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50504

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58533

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58535

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58546

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-58539

Windows Remote Desktop Client Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-55003

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-57979

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50445

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50497

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-54126

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Unlikely

No

6.5

CVE-2026-57982

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50369

Windows Remote Desktop Services Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-58626

Windows Remote Desktop Services Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-55014

Windows Remote Help Defense Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50318

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50407

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50357

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50441

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50668

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-54109

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49792

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49793

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50362

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50492

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-50501

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-58530

Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49791

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-50451

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.1

CVE-2026-57096

Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50323

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50452

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50348

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50345

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50322

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50340

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.5

CVE-2026-50410

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50449

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50460

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-50403

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-50385

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-50413

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50457

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50486

Windows Runtime Elevation of Privilege Vulnerability

N/A

No

7.8

CVE-2026-50503

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-54125

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58527

Windows Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50373

Windows Search Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50679

Windows Search Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-44806

Windows Secure Channel Denial of Service Vulnerability

Exploitation Less Likely

No

5.3

CVE-2026-50681

Windows Secure Channel Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-56186

Windows Secure Channel Information Disclosure Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-42982

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50392

Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50694

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

Exploitation Unlikely

No

8.1

CVE-2026-50367

Windows Sensor Data Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58619

Windows Sensor Data Service Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50311

Windows Server Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56188

Windows Server Network driver Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-50444

Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50328

Windows Server Update Service (WSUS) Tampering Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-58531

Windows SMB Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.5

CVE-2026-54997

Windows SMB Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-49801

Windows SMB Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5


CVE-2026-50690

Windows SMB Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-56168

Windows SMB Server Denial of Service Vulnerability

Exploitation Less Likely

No

6.5

CVE-2026-50360

Windows SMB Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

8.8

CVE-2026-57089

Windows SMB Server Network Transport Driver (srvnet.sys) Remote Code Execution Vulnerability

Exploitation Unlikely

No

7.5

CVE-2026-50333

Windows Spaceport.sys Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50298

Windows Spaceport.sys Elevation of Privilege Vulnerability

Exploitation Unlikely

No

6.8

CVE-2026-49171

Windows Speech Runtime Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.5

CVE-2026-49170

Windows StateRepository API Server file Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-58526

Windows Storage Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50299

Windows Storage Spaces Direct Remote Code Execution Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-50418

Windows System Secure Feature Bypass Vulnerability

Exploitation Unlikely

No

5.1

CVE-2026-50306

Windows TCP/IP Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50307

Windows TCP/IP Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-49177

Windows TCP/IP Information Disclosure Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-54999

Windows TCP/IP Remote Code Execution Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50669

Windows Telephony Server Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-54124

Windows Terminal Remote Code Execution Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50350

Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability

Exploitation Unlikely

No

5.5

CVE-2026-50326

Windows Unified Consent System Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-49790

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.3

CVE-2026-50498

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58547

Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-49794

Windows USB Audio Class Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

4.6

CVE-2026-50453

Windows USB Audio Class Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

6.1

CVE-2026-58528

Windows USB Audio Class Driver Information Disclosure Vulnerability

Exploitation Less Likely

No

6.8

CVE-2026-50321

Windows USB Driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-50479

Windows USB Hub Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-55000

Windows USB Print Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.4

CVE-2026-54991

Windows USB Print Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54996

Windows USB Print Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-49802

Windows USB Print Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-49806

Windows USB Print Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-50674

Windows USB Print Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.0

CVE-2026-49804

Windows USB Video Driver Elevation of Privilege Vulnerability

Exploitation Less Likely

No

6.6

CVE-2026-50454

Windows User Interface Core Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-49176

Windows WalletService Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-49800

Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50480

Windows Web Proxy Auto-Discovery Protocol (WPAD) Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-56173

Windows WebView Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.0

CVE-2026-58632

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-54107

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-54986

Windows Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-54112

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Unlikely

No

7.8

CVE-2026-54114

Windows Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50670

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-50688

Windows Win32k Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

CVE-2026-50687

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

8.8

CVE-2026-56176

Windows Win32k Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-58628

Windows Wireless Network Manager Elevation of Privilege Vulnerability

Exploitation Less Likely

No

7.8

CVE-2026-50295

Windows Zero Trust DNS Security Feature Bypass Vulnerability

Exploitation Less Likely

No

5.5

CVE-2026-50509

Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

Exploitation More Likely

No

7.8

Zero-Day Vulnerabilities: Known Exploited

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-56155

Active Directory Federation Services Elevation of Privilege Vulnerability

Exploitation Detected

No

7.8

CVE-2026-56164

Microsoft SharePoint Server Elevation of Privilege Vulnerability

Exploitation Detected

No

5.3

Zero-Day Vulnerabilities: Publicly Disclosed (No known exploitation)

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-50661

Windows BitLocker Security Feature Bypass Vulnerability

Exploitation Less Likely

Yes

6.1

Critical RCEs

CVE

Title

Exploitation status

Publicly disclosed?

CVSS v3 base score

CVE-2026-56159

DHCP Server Service Remote Code Execution Vulnerability

Exploitation Unlikely

No

9.8

CVE-2026-48561

Microsoft Copilot Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.6

CVE-2026-55944

Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-55008

Microsoft Exchange Server Spoofing Vulnerability

Exploitation More Likely

No

9.6

CVE-2026-50522

Microsoft SharePoint Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-58644

Microsoft SharePoint Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-55040

Microsoft SharePoint Server Security Feature Bypass Vulnerability

Exploitation More Likely

No

9.1

CVE-2026-57092

Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

Exploitation Less Likely

No

9.9

CVE-2026-55010

Minecraft Bedrock Dedicated Server Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-54990

Remote Desktop Client Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-56190

Remote Desktop Protocol Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-42990

SQL Server ODBC driver Elevation of Privilege Vulnerability

Exploitation Unlikely

No

9.8

CVE-2026-50518

Windows DHCP Server Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

CVE-2026-49172

Windows FTP Service Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-50380

Windows GDI+ Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.6

CVE-2026-49798

Windows Kernel Elevation of Privilege Vulnerability

Exploitation More Likely

No

9.3

CVE-2026-50447

Windows Message Queuing Service (MSMQ) Remote Code Execution Vulnerability

Exploitation Less Likely

No

9.8

CVE-2026-56188

Windows Server Network driver Remote Code Execution Vulnerability

Exploitation More Likely

No

9.8

How Mapfre USA modernized fraud claims with Amazon EMR Serverless

Post Syndicated from Lijan Kuniyil original https://aws.amazon.com/blogs/architecture/how-mapfre-usa-modernized-fraud-claims-with-amazon-emr-serverless/

Insurance fraud remains a significant challenge for the insurance industry because fraudulent claims can increase loss costs, reduce trust, and consume investigation capacity that could otherwise be focused on serving customers. Traditional fraud detection approaches typically rely on rules-based controls, manual investigation triggers, historical claim patterns, and structured-data-only analysis. These approaches are useful for known fraud patterns, but they can struggle to detect sophisticated fraud rings or hidden relationships across claimants, policies, vehicles, providers, addresses, and prior suspicious activities.

Mapfre USA is the number one auto and home insurer in Massachusetts, serving customers in 11 states nationwide. Our coverage includes auto, home, motorcycle, watercraft, business insurance, and more. As part of Mapfre Group, we’re a worldwide leader serving over 31.1 million customers in more than 100 countries with a team of 31,000 employees. In collaboration with AWS and Neo4j, Mapfre USA modernized its fraud prevention capabilities by combining graph-based features with machine learning (ML) models deployed on AWS. This initiative, focused initially on Massachusetts Auto insurance and later expanded to Home (HO), has delivered significant business impact, exceeding $5 million Net Present Value (NPV), with realized savings already outperforming projections.

In this post, we share how Mapfre USA designed and implemented this solution, highlight the technical architecture running on AWS specifically on the Mapfre Data Platform called Atenea, and explore lessons learned that can apply to other industries facing complex fraud challenges.

Business challenge

Fraudulent claims aren’t always isolated events. They often involve hidden networks of policyholders, vehicles, providers, and prior suspicious activities. Detecting these complex relationships requires going beyond traditional structured data analysis.

Mapfre set out with a clear goal:

  • Goal: Improve fraud detection accuracy and claims handling efficiency.
  • Key KPI: Identify fraudulent claims missed by traditional methods.
  • Approach: Develop several ML models that use both traditional structured data and graph-based features derived from claim relationships.
  • Deployment: Integrate seamlessly with Guidewire Claims, so front-line adjusters automatically receive fraud alerts with explanations.

Each flagged claim exposure generates a Guidewire activity showing the top three model drivers, helping investigators understand why the claim was identified and act quickly.

Technical solution on AWS (Atenea Data Platform)

The fraud detection platform is built on a modern data architecture on AWS, designed to scale efficiently and provide long-term governance.

At its core, the solution uses Apache Iceberg tables stored on Amazon Simple Storage Service (Amazon S3), with metadata managed through the AWS Glue Data Catalog and access governed through AWS Lake Formation as part of the Atenea lakehouse governance model. The platform feature store is implemented through feature-store-managed Iceberg tables that manage model features, predictions, and Guidewire activities. The implementation is structured across three logical layers:

  • Silver Layer – Iceberg tables that contain source data from each of the sources, used as the initial consumption point of the platform.
  • Gold Layer – Iceberg tables storing intermediate data, such as unified Guidewire activity logs, Auto features, and Home features.
  • Platinum Layer – Feature Store-managed Iceberg tables containing encoded features and model predictions, making them reusable across models and ensuring strong metadata governance.

Processing pipelines are executed on Amazon EMR Serverless, with orchestration managed by Apache Airflow operators running on Amazon Managed Workflows for Apache Airflow (Amazon MWAA). This provides elastic, cost-efficient compute for both batch processing and fast-time scoring, while keeping orchestration, monitoring, and recovery centralized.

For graph enrichment, the platform connects to Neo4j using a dedicated driver, enabling advanced network-based features like suspicious claim linkages, provider fraud ratios, and centrality metrics.

This architecture supports efficient, reliable, and transparent production execution through repeatable Airflow orchestration, environment-based continuous integration and delivery (CI/CD) promotion, centralized monitoring, failure notifications, retry mechanisms, dead-letter queue handling for Guidewire integration, and controlled secret management. At the same time, the layered lakehouse design keeps the platform flexible enough to evolve with new business needs and fraud detection use cases.

Architecture diagram showing the Mapfre USA fraud detection platform on AWS, including data ingestion, graph enrichment, model scoring, and Guidewire integration

The data sources are policy, claims, vehicles, and notes (from AS400 and Guidewire), which include structured data and derived features capturing entity relationships (graph data).

The following list describes the architecture overview:

  1. Data ingestion – Claim batch data uploaded to Amazon S3. Data gets standardized and materialized in Iceberg tables within the Silver layer.
  2. Graph enrichment – Data processed to update Neo4j graph database hosted on AWS.
  3. Model training and scoring – Batch scoring for several ML models.
  4. Model orchestration – Unified orchestration for ingestion, training, and inference using Apache Airflow operators. CI/CD pipelines for promotion across environments.
  5. Execution platform – Amazon EMR Serverless for cost-efficient Spark processing. Migration to Apache Iceberg plus AWS Glue Data Catalog for scalable metadata handling.
  6. Integration with claims systems – Fraud predictions automatically create Guidewire activities, enriched with a description for investigators.
  7. Secrets and securityAWS Secrets Manager securely stores credentials and tokens for Guidewire API integration, with environment-specific and Region-specific access controls.
  8. Monitoring and reliabilityAmazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) provide visibility into pipeline health and notify teams on failures. Data quality checks are executed at key stages of the pipeline to validate data availability, schema consistency, completeness, and business-rule expectations before outputs are consumed by models or sent to Guidewire.

Guidewire integration with MLOps on AWS

One of the most important parts of Mapfre’s solution was closing the loop between ML predictions and the claims handling system. This required a resilient integration between the Atenea data platform on AWS and Guidewire Claims.

The following describes the integration flow:

  1. When an ML use case finishes scoring, the results are written as JSON files into the S3 path: <bucket_name>/guidewire/.
  2. An S3 event notification triggers an AWS Lambda function.
  3. This Lambda function:
    • Reads the JSON file.
    • Calls the Guidewire Predictive Model API.
    • Because Guidewire doesn’t support batch requests, the Lambda function sends each JSON payload individually. This keeps the integration compatible with Guidewire and isolates failures at the individual activity level, but it increases the number of API calls and makes retry, throttling, DLQ handling, and monitoring controls important.
  4. If successful, the API responds with HTTP 201 (activity created).
    • If not, the Lambda function retries up to two times.
    • Failed requests are sent to an Amazon Simple Queue Service (Amazon SQS) dead-letter queue (DLQ), and an Amazon SNS notification is published for monitoring.
  5. Secrets are stored in AWS Secrets Manager and injected as Lambda environment variables, along with AWS Region-specific URLs for token retrieval and API endpoints.
  6. The following JSON shows the example structure for Guidewire integration:
{
  "method": "createPredictiveActivity",
  "params": [
    {
      "claimNumber": "AUXXXXXXX",
      "exposureNumber": 1,
      "subject": "Fraud alert from ML model",
      "description": "Claim flagged as potential fraud based on graph + ML features",
      "shortSubject": "ML_Fraud_Flag",
      "priority": "high",
      "availableForClosedClaim": true,
      "autoCloseOnExposureClosure": false,
      "targetDays": 4,
      "escalationDays": 6
    }
  ]
}

Diagram showing the Guidewire integration flow with AWS Lambda, Amazon SQS dead-letter queue, and AWS Secrets Manager

Key benefits of this integration:

  • Real-time actionability – Fraud predictions automatically create Guidewire activities for front-line adjusters.
  • Resilience – Built-in retries, DLQ handling, and Amazon SNS alerts make sure failed events aren’t lost.
  • Security – Secrets and tokens are managed using AWS Secrets Manager, with strict environment separation (dev, pre, pro).
  • Scalability – Any new MLOps use case writes results into the S3 output path, automatically flowing into Guidewire.

This integration shows that fraud models don’t exist in isolation but actively augment daily claim workflows in production. It connects Atenea’s MLOps pipelines on AWS directly with business decisioning systems, which is critical to realizing the fraud savings impact.

Data quality and resilience

For robustness, data quality checks are applied on ingestion pipelines and graph features. Automated validation detects anomalies early, monitoring dashboards track KPIs and model performance, and standardized recovery and promotion processes operate across environments.

Visualization and investigative tools

Neo4j Bloom supports SIU workflows by visually exploring entity relationships, such as a provider linked across multiple suspicious claims, accelerating fraud ring identification.

Conclusion

The fraud detection model in auto claims has enhanced Mapfre USA’s ability to identify fraudulent activity, driving significant savings and improving overall claims efficiency.

During the pilot phase alone, savings exceeded projections, and in production the initiative has proven a Net Present Value (NPV) of more than $5M. These results confirm the business case and highlight the strength of combining structured data with graph-based features to uncover fraud networks that traditional approaches miss.

The results have been compelling:

  • Accuracy gains – Detection improved by 50–135 percent compared to baseline methods.
  • Substantial realized value – Both during the pilot and in production.
  • Cross-functional success – The initiative brought together Claims, IT Data, Advanced Analytics, and Neo4j teams in an agile, collaborative model.

Beyond the financial outcomes, several lessons have emerged. First, cross-functional collaboration between groups like Claims, Data Engineering, Advanced Analytics, and technology partners like AWS and Neo4j was critical to success. Second, explainability proved essential. By presenting adjusters with the top model drivers directly in Guidewire, trust and adoption of the system increased substantially. Finally, building resilience into the architecture through monitoring, retries, and data quality processes helped the models operate reliably in production.

Looking ahead, the platform is well-positioned to expand beyond fraud detection. New use cases such as underwriting anomaly detection and customer entity resolution are already on the roadmap. With robust architecture built on AWS using Amazon EMR Serverless, Apache Iceberg on Amazon S3 supported by AWS Glue Data Catalog and Lake Formation, a custom-built Feature Store, and Neo4j, Mapfre now has a scalable foundation to continue driving innovation and business impact.

To learn more about Amazon EMR Serverless, see the Amazon EMR Serverless documentation.

Introducing modularized kernel cryptography in Amazon Linux

Post Syndicated from Mahak Arora original https://aws.amazon.com/blogs/compute/introducing-modularized-kernel-cryptography-in-amazon-linux/

We are introducing modularized kernel cryptography in Amazon Linux 2023, an approach that separates Federal Information Processing Standard (FIPS) 140-3 cryptographic components into an independent kernel module that can be certified once and reused across subsequent kernel versions. In this post, we describe how this modular approach works, what it means for FIPS compliance workflows, and how customers can prepare for adoption.

Previously, when any part of the kernel changed, the entire kernel binary had to go through FIPS re-certification because the cryptographic code was embedded within it. With this modular approach, only the standalone cryptographic module undergoes validation, which means non-cryptographic kernel changes no longer require full re-certification. This can help customers who need both security updates and FIPS-validated cryptography while reducing disruption.

FIPS 140-3 validation can be a critical requirement for customers in regulated environments, including federal contractors. Previously, this re-certification process meant customers had to wait 12-18 months for each new kernel version to complete validation before they could adopt it. With the modular approach, once the module is validated it is designed to carry forward across kernel updates, whether minor or major releases, through a streamlined update process rather than repeating the full certification cycle, as long as the module itself remains unchanged. This is particularly relevant as customers face growing pressure to apply security patches rapidly while helping to maintain continuous compliance.

The FIPS re-certification process can be time-intensive with unpredictable timelines given current NIST Cryptographic Module Validation Program (CMVP) processing volumes. To help address this, we isolate all FIPS-scoped cryptographic algorithms, self-tests, and integrity checks into a single loadable kernel module that defines its own FIPS 140-3 cryptographic boundary with a stable interface to the kernel. This reduces what must be re-validated because instead of certifying the entire kernel binary which contains millions of lines of non-cryptographic code, only the standalone module containing the cryptographic implementation falls within the certification scope. For subsequent kernel versions using an unchanged module, re-validation can follow a more streamlined process rather than requiring a full certification cycle, helping our customers adopt kernel updates without the re-certification delays they previously faced, as long as the certified module itself remains unchanged.

We submitted the module for FIPS 140-3 validation. Based on current CMVP processing timelines, validation is expected to complete in 2027. The module interface boundary is designed to remain stable across kernel versions. Changes to the module are required if the kernel internal cryptographic API changes or if new algorithms need to be added to the FIPS scope. In many of these cases, changes can be absorbed by the interface layer without modifying the certified module itself, reducing the need for full re-certification.

Technical overview

The modular capability is included in AL2023 kernel 6.18 and later versions. The module loads automatically at boot with no kernel rebuild or configuration change required. To operate in FIPS mode, follow the enablement guide referenced in the customer guidance section below. This change does not affect other FIPS user-space modules such as OpenSSL, libgcrypt, and NSS.

The following diagram illustrates the architectural shift:

Diagram showing kernel cryptography architecture before and after modularization, with the FIPS crypto module separated from the kernel binary

Figure 1. Kernel cryptography architecture before and after modularization.

The implementation spans two areas described below. The kernel build process produces the module as a separate artifact, and a boot-time mechanism loads and connects it to the running kernel.

A restructured kernel build

In the standard kernel build, crypto source code is compiled and statically linked together with other non-crypto components that are not in scope for FIPS to produce the final kernel image. With this change, the build process separates the FIPS-relevant cryptographic components from the kernel image by defining customized compilation rules. Crypto components that are FIPS-related and were previously built into the kernel are now automatically collected and linked separately into a standalone crypto kernel module. The new build process requires no changes to existing build workflows.

Boot-time module plug-in mechanism

Immediately after kernel boot starts, the crypto kernel module is loaded and initialized. Low-level interfaces such as function addresses are connected back to the kernel binary interface so that the module integrates seamlessly with the running kernel. Once loaded, kernel crypto subsystems and their services behave as if they were built in, with the same algorithmic implementations and call paths. This process was designed to not have a material impact on performance. This loading process is independent of FIPS mode configuration because FIPS mode controls how cryptographic algorithms behave at runtime while modularization determines how they are built and delivered within the kernel. To learn more about the design and implementation, see the detailed writeup on LWN.net.

Industry impact and benefits

Once the module completes validation, modularized kernel cryptography can help customers in regulated industries update kernels more frequently while maintaining their FIPS validation status. Customers who previously faced 12-18 month re-certification delays with each kernel version can instead adopt updates as they are released, whether they operate in financial services, healthcare, government, or any sector requiring FIPS-validated cryptography. This can help customers who want to apply critical security patches without a full certification cycle before deployment.

Customer guidance

When evaluating kernel options, customers should consider their specific regulatory requirements, the validation status of cryptographic modules, and their system requirements in accordance with all applicable authorization processes.

Customers who require a completed FIPS 140-3 certificate should continue using AL2023 kernel 6.1, which maintains active validation through 2029-09-22. The modularized crypto module is included in kernel 6.18 and initializes automatically at boot. The module is designed to not require configuration changes and preserves current behavior for non-FIPS workloads. Customers planning FIPS adoption can begin evaluation and testing ahead of formal certification.

Once validation is complete, customers can transition production workloads to kernel 6.18 or later with the validated module by following the FIPS Mode enablement guide for configuration.

Conclusion

To enable FIPS mode on AL2023, refer to our FIPS Mode enablement guide. For regular updates and best practices, follow the AWS Security Blog and FIPS-related FAQs on Amazon Linux 2023. You can also reach out to your AWS account team for help finding the resources you need.

If you have questions about this post, contact AWS Support.

Security Hub adds AI workload protection and multicloud support for Microsoft Azure

Post Syndicated from Michael Fuller original https://aws.amazon.com/blogs/security/security-hub-adds-ai-workload-protection-and-multicloud-support-for-microsoft-azure/

Security Hub is our foundation for full-stack enterprise security across clouds. It centralizes your security operations and turns raw signals into prioritized insights, so your team spends its time managing real risk instead of stitching tools together. Today that foundation grows in two directions our customers asked for most. We are adding purpose-built protection for AI workloads, and security monitoring for Microsoft Azure. Both are steps toward a bigger idea, that your best security tools should get smarter by working together.

These expansions came directly from customers, and they reflect where security is heading, not where it has been. The old promise of security tooling was a place to collect everything in one view. Collecting findings was never the hard part. The hard part is understanding them, connecting them, and acting before an attacker does, and doing it at the speed attacks now move. The programs that win from here will be the ones that see across their whole estate and respond fast, not the ones with the most dashboards. That is what we are building toward, and these launches are steps on that path.

Multicloud security management for Microsoft Azure

Customers across industries have made Security Hub a core part of how they run security on AWS. Most of them have run in more than one cloud for years, and they have been clear with us that they want Security Hub to also cover the rest of their estate. Today we do that for Microsoft Azure, with more clouds following quickly.

Security Hub now discovers Azure Virtual Machines, container images, Function Apps, and identities, then evaluates them for misconfigurations, internet exposure, and software vulnerabilities, with posture checks against the CIS Microsoft Azure Foundations Benchmark™. Azure findings are prioritized next to your AWS findings using the same finding format, automation, and response workflows, so your team works from one understanding of risk across your entire estate. Azure resources are priced at the same rates as equivalent AWS resources with no additional fees, and there’s an independent 30-day free trial. To learn more, see the What’s New post.

This is not actually our first move beyond AWS. Earlier this year we introduced Security Hub Extended, bringing best-in-class partner solutions across nine security categories into the same experience you already use. Those partner solutions protect endpoints, identities, email, browsers, and data wherever they run, across any cloud, on-premises, and everywhere your enterprise operates. Extended was already our first multicloud and multi-workload step. Today we broaden what our own native capabilities cover, and the two lines of work now advance together.

Protecting AI workloads

Every customer I talk to is building with AI. Generative AI on Amazon Bedrock, model training on SageMaker, agents orchestrating workflows through AgentCore. These workloads are reaching production faster than most security programs can keep up, and teams often don’t yet have the tools to monitor model invocations, track agent behavior, or even know what AI assets exist across the organization. One security leader told me his team only caught a compromised service account, one that had been invoking a foundation model thousands of times, because finance questioned the bill. They found a security incident through an accounting review. The visibility gap is real, and it is already expensive.

This summer we start closing it with three launches. Two are GuardDuty capabilities for threat detection and investigation, and a third is a new Security Hub AI inventory.

GuardDuty AI Protection (generally available)

Amazon GuardDuty AI Protection delivers threat detection purpose-built for Bedrock and SageMaker. It detects anomalous model invocations, cost harvesting attacks where adversaries abuse stolen credentials to run inference at your expense, and prompt injection attempts through integration with Bedrock Guardrails.

Cost harvesting is accelerating. When credentials are compromised, attackers increasingly use them to invoke foundation models. Inference is expensive, demand is high, and stolen access converts straight to value without deploying any infrastructure. GuardDuty analyzes CloudTrail data events, learns what normal invocation looks like at scale, and flags the deviations that signal compromise or abuse. This is detection that only works at AWS scale, because you have to see the signal across millions of workloads to know what normal is. GuardDuty AI Protection is now available to all GuardDuty customers with a 30-day free trial.

GuardDuty AI-powered investigations (preview)

AI-powered investigations take on the manual investigation work that drives alert fatigue and slows response. The capability automatically analyzes GuardDuty findings and the accounts around them to separate true threats from benign activity.

It examines finding context, related activity from the last 90 days, affected resources, and threat indicators, using knowledge graphs and threat intelligence to complete in minutes what used to take hours. Each investigation returns a disposition assessment with confidence scoring, MITRE ATT&CK® classification, supporting evidence, and clear recommendations to suppress, contain, or remediate. Your team focuses on genuine threats, whether across a single account or an entire AWS Organization, and mean time to resolution drops. GuardDuty AI-powered investigations is available in preview in 10 AWS Regions.

Security Hub AI inventory (generally available)

You can’t secure what you don’t know exists. Security Hub now provides an AI inventory, a continuously updated, organization-wide view of your AI assets and their security posture. As teams deploy models, agents, and pipelines, security often can’t see what’s running, and without connecting those assets to active threats and misconfigurations, it’s difficult to know what to secure first.

Security Hub AI inventory discovers and catalogs AI workloads across your AWS environment two ways. For managed services, it inventories AWS Config resources across Bedrock, SageMaker, and AgentCore. For self-hosted and external workloads, it finds models running on EC2, ECS, and EKS through runtime analysis, and identifies the external model endpoints your workloads make calls to. It maps each asset to the infrastructure beneath it, including compute, networking, IAM roles, and data stores, and correlates it with security signals such as GuardDuty findings. So when GuardDuty AI Protection flags an anomalous invocation, AI inventory immediately shows you which infrastructure is involved, what’s connected to it, and where it belongs in your priority order.

AI assets multiply fast. A developer spins up a Bedrock agent for a proof of concept. A data science team stands up a SageMaker endpoint for internal testing. Another team wires in an external model API through a Lambda function. Multiply that across hundreds or thousands of accounts and you can quickly lose track. AI inventory gives you that view across every account in your organization, available in your Security Hub Essentials plan at no additional cost.

A different approach to full-stack security

These launches share something worth pausing on. You didn’t procure AI protection as a separate product, and you won’t stand up separate operations for Azure. You add them to the Security Hub you already run, and they show up in your prioritized view of risk. That same idea is what Security Hub Extended extends to the rest of the security estate.

Security Hub Extended now has 21 curated partners across nine categories: 7AIBritiveCrowdStrike, Idira (CyberArk), CyeraIsland, LayerX, Native Security, NomaOktaOligoOptiProofpointSailPoint, SentinelOneSplunkSublime, Upwind, Varonis, Zenity, and Zscaler. These are best-in-class solutions across endpoint, identity, email, network, data, browser, cloud, AI, and security operations. None of them are here by default. Each one earned its place by committing to a shared view of where enterprise security is going, and by investing alongside us to build it. Curation is the point. A recommendation only means something if it can be turned down.

The commercial benefits of Extended are real today. Pay-as-you-go pricing, a single AWS bill, EDP eligibility, and no long-term commitments. But the work we’re most excited about goes further, and it’s not about procurement at all. Findings from every participating solution are emitted in the Open Cybersecurity Schema Framework (OCSF) and aggregated in Security Hub, and we’re building toward a single correlation across all of them, so a signal from an endpoint solution, an identity solution, and a cloud solution combine into one exposure and one attack path instead of three disconnected alerts. We’re working to reduce the deployment and onboarding effort between subscribing and seeing value. And we’re building the exchange that lets partner findings enrich each other, so the best-in-class tools you already trust become more than the sum of their parts. That is the differentiated future we’re investing in, and we’re building it in the open, guided by what customers ask for next. To learn more about Extended, see the What’s New post.

Accelerating forward

Step back and the shape of it is clear. Security Hub reaches across cloud providers, starting with Azure and expanding from there. It reaches across workload types with purpose-built AI protection and inventory. And it reaches across security categories through Extended and its curated partners. What began as a way to bring order to AWS security findings has become how more enterprises run full-stack security.

Detection and visibility are the foundation. What we build on top of them is a security experience that connects signals across every source you trust and helps you respond faster. It’s still Day 1, and Security Hub will keep extending as your environment, and the threats you face, continue to change.

If you have feedback about this post, submit comments in the Comments section below.


Michael Fuller

Michael has been with AWS for 16 years and led product for AWS Security Services for 11 years. Michael has 29 years in the industry and held several roles in product management, business development, and software development for IBM, Cisco, and Amazon. Michael has a Bachelor’s of Science in Computer Engineering from the University of Arizona and an MBA from the University of Washington.

Lenovo ThinkStation P3 Ultra SFF G2 Review A Bit Bigger and a Bit Better

Post Syndicated from Ryan Smith original https://www.servethehome.com/lenovo-thinkstation-p3-ultra-sff-g2-review-intel-nvidia-a-bit-bigger-and-a-bit-better/

Today we are taking a look at Lenovo’s more spacious mini-PC workstation, the ThinkStation P3 Ultra SFF Gen 2. With multiple PCIe slots, the P3 Ultra seeks to strike a fine balance between size and expandability

The post Lenovo ThinkStation P3 Ultra SFF G2 Review A Bit Bigger and a Bit Better appeared first on ServeTheHome.

The Linux.org story

Post Syndicated from corbet original https://lwn.net/Articles/1082901/

Rob Kennedy has posted the
story
of the birth of Linux.org — one
of the earliest Linux-related web sites — and its more recent rebirth.

The site was founded in May 1994 by Michael McLagan, at a time when
Linux itself was barely three years old. Linus Torvalds had only
just released it to the world, there was no real way for a newcomer
to find their footing, no search engines, no Wikipedia, none of the
infrastructure people take for granted now for figuring out a new
piece of technology. Michael built linux.org to fill that gap, a
place for people to learn about Linux and follow the movement as it
grew.

Patch perfect: Automating Amazon Redshift patch testing

Post Syndicated from Eva Donaldson original https://aws.amazon.com/blogs/big-data/patch-perfect-automating-amazon-redshift-patch-testing/

Amazon Redshift continuously innovates to deliver improved performance and advanced features. In some releases, Amazon Redshift patches might introduce behavior changes. Testing patches in a non-production environment confirms that production workloads continue to function and you can maintain your applications’ service level agreements. As a best practice, keep Dev/QA clusters on the Current patch track and Production on the Trailing track. Test on Dev/QA when a patch lands, allowing 1–6 weeks of review before the scheduled production deployment.

In this post, we demonstrate an automated test suite that validates your Amazon Redshift cluster automatically after any patch, reboot, or modification. It uses standard drivers against real workload patterns to provide a verified gate between a patch landing and that patch reaching production.

Architecture

The solution uses native AWS services to create an automated validation pipeline.

Architecture diagram of the patch testing pipeline: Amazon EventBridge triggers AWS Lambda, which runs an AWS Fargate task that tests the cluster and reports to Amazon S3 and Amazon SNS

Figure 1 — High-level architecture diagram

Process overview showing the four stages: event detection, orchestration, test execution, and reporting

Figure 2 — Process overview

  1. Event Detection: When your Amazon Redshift cluster receives a patch, reboot, or modification, the Amazon Redshift cluster event notifications fire. Amazon EventBridge rules match these events automatically.
  2. Orchestration: A lightweight AWS Lambda function receives the event from the Amazon EventBridge rule and launches an AWS Fargate task. The task runs in a subnet within the same Amazon Virtual Private Cloud (VPC) as your Amazon Redshift cluster, giving the test runner direct network connectivity to the cluster endpoint.
  3. Test Execution: A Docker container runs a comprehensive test suite in four phases:
    • JDBC Driver Tests – Validates the official Amazon Redshift JDBC driver, testing DatabaseMetaData API calls, connection handling, and queries that tools like SQL Workbench/J depend on.
    • ODBC Driver Tests – Validates the PostgreSQL ODBC driver with SQLTables, SQLColumns, and other ODBC API calls that RStudio and similar tools use.
    • Catalog SQL Queries – Runs approximately 35 queries against pg_catalog, information_schema, and svv_* views, organized by client (SQL Workbench, DBeaver, RStudio, JDBC metadata API).
    • Performance Benchmarks – Executes your custom workload queries and compares execution time against known baselines, flagging regressions. For convenience, the solution includes sample queries to be replaced with performance validation queries from your workloads.
  4. Reporting: Detailed JSON results land in Amazon Simple Storage Service (Amazon S3) for historical analysis. An Amazon Simple Notification Service (Amazon SNS) notification sends your team an email immediately with a pass/fail summary. Full JSON results are written to Amazon S3 with timing data for every individual query, row counts, error details, and the Amazon EventBridge event that triggered the run. If tests fail, you have specific, actionable evidence (which queries broke, which drivers failed, which benchmarks regressed) to open a support case requesting a rollback and defer maintenance until the case is resolved. When tests succeed, you can move forward with confidence to production.

For real-time feedback while the tests are running, a quick command tells you the current state:

aws lambda invoke --function-name my-redshift-tests-trigger \
--payload '{}' --cli-binary-format raw-in-base64-out /dev/stdout

What gets tested

The test suite covers two critical areas: client tool compatibility and query performance.

Client compatibility queries

The test suite replicates the connection behavior of popular SQL clients by issuing the same metadata API calls and queries they perform when connecting to your cluster.

Client What’s tested
SQL Workbench/J Connection queries, schema browsing, metadata enumeration
DBeaver Database object discovery, catalog traversal
RStudio (DBI/odbc) ODBC-specific catalog queries, column type mapping
JDBC Metadata API getTables(), getColumns(), getPrimaryKeys(), and other DatabaseMetaData method equivalents

The package contains the exact queries these clients execute upon connection.

Performance regression detection

The benchmark phase of the suite automatically detects whether it has been run before. On the first execution, it captures baseline query execution times as the “known good” state for your pre-patch environment. On every subsequent run, it compares current query timings against the stored baseline and flags any regressions. If a query that previously completed in 2 seconds now takes 15, the report calls it out immediately. This phase is designed to test your most performance-sensitive queries.

Prerequisites

Before deploying, make sure your environment meets the following requirements:

Docker installed. Consider building the image with AWS CloudShell, which comes with Docker pre-installed. You can do this either by uploading the customized repo to Amazon S3 and then downloading it to AWS CloudShell, or by cloning and customizing the repo directly within AWS CloudShell.

Getting started

The full solution is available on GitHub. It includes the AWS CloudFormation template, Docker build scripts, test suite, and documentation.

Clone the GitHub repo, customize it for your workload, deploy it against a Dev/QA cluster.

Detailed instructions are included in the package README.md. Reference those for deployment.

Step 1: Clone the repo

Clone the GitHub repo.

Step 2: Customize the scripts for your environment

The test suite ships with comprehensive default queries. After cloning and before deployment, edit the scripts as described in the following sections for each phase.

Add your performance-critical queries

Edit bundle/run_tests.py and replace the example queries with queries where performance is critical:

BENCHMARK_QUERIES = {
    "daily_patient_summary": """
SELECT department, COUNT(DISTINCT patient_id), AVG(los_days)
FROM clinical.encounters
WHERE admit_date >= CURRENT_DATE - 30
GROUP BY 1
""",
    "revenue_rollup": """
SELECT payer_type, SUM(total_charges)
FROM billing.claims
WHERE service_date >= DATE_TRUNC('month', CURRENT_DATE)
GROUP BY 1
""",
}

Add client-specific catalog queries

If your team uses custom views or schemas, add them to bundle/client_catalog_queries.py:

"custom_view_check": {
    "description": "Verify our reporting view works after patching",
    "sql": "SELECT * FROM analytics.monthly_kpis LIMIT 10",
},

Step 3: Build the Docker image

Execute build-image.sh, which creates an Amazon ECR repository, builds the Docker image (with JDBC and ODBC drivers bundled), and pushes it, outputting the image URI for the next step.

# Upload project to S3, then build in CloudShell
./build-image.sh --stack-name my-redshift-tests

Step 4: Deploy the stack

Use the AWS Command Line Interface (AWS CLI) to deploy the AWS CloudFormation stack with your environment-specific parameters. The stack creates the required components: Amazon Elastic Container Service (Amazon ECS) cluster, AWS Fargate task definition, security groups, VPC endpoints (to keep AWS Secrets Manager and Amazon SNS traffic off the NAT gateway), Amazon S3 bucket, Amazon SNS topic, AWS Lambda trigger, and Amazon EventBridge rules.

aws cloudformation deploy \
--template-file template.yaml \
--stack-name my-redshift-tests \
--parameter-overrides \
RedshiftSecretArn=arn:aws:secretsmanager:... \
RedshiftHost=my-cluster.xxxx.us-east-2.redshift.amazonaws.com \
RedshiftClusterIdentifier=my-cluster \
VpcId=vpc-xxxxxxxx \
VpcSubnetIds=subnet-aaa,subnet-bbb \
RedshiftSecurityGroupId=sg-xxxxxxxx \
EcrImageUri=123456789012.dkr.ecr.us-east-2.amazonaws.com/my-redshift-tests-runner:latest \
[email protected] \
--capabilities CAPABILITY_NAMED_IAM

Key takeaways

Here are the core principles that make automated patch testing effective:

  1. Dev/QA on Current track, Production on Trailing: This separation creates the buffer window between when a patch is available and when it reaches production. Without it, there’s no opportunity to catch regressions before they affect users.
  2. Automate the validation: The track split is most effective if the test suite runs after every patch. Event-driven automation helps confirm no patch goes untested during the buffer window.
  3. Test with real drivers: Simulated queries aren’t sufficient. The test suite exercises the Amazon Redshift JDBC and PostgreSQL ODBC drivers that your SQL clients depend on. This validates the same code paths your tools use in production.
  4. Event-driven, not scheduled: Tests run the moment a patch is applied. They don’t run on a fixed cron schedule. Patch applied, then test executed, then results delivered in minutes.
  5. Low operational overhead, minimal cost: The entire solution is serverless (AWS Lambda and AWS Fargate). There are no instances to manage and no agents to install. The Fargate task spins up only when a patch event fires, runs the test suite, and shuts down. You pay only for the compute each test run consumes.

Clean up

When you no longer need the automated test suite, delete the associated resources so you don’t incur ongoing costs.

  1. Delete any created prerequisites, if not needed.
    1. Amazon Redshift cluster (removes the managed secret).
    2. NAT gateway.
    3. VPC.
  2. Empty the Amazon S3 results bucket (AWS CloudFormation cannot delete non-empty buckets).
  3. Delete the image you installed in the Amazon ECR repository in step 1 of getting started.
  4. Delete the AWS CloudFormation stack to remove the Amazon ECS cluster, AWS Fargate task definition, security groups, VPC endpoints, Amazon S3 bucket, Amazon SNS topic, AWS Lambda function, and Amazon EventBridge rules created by the deployment.
    aws cloudformation delete-stack --stack-name my-redshift-tests

Conclusion

Automated patch testing ensures consistent and predictable performance of your production workloads. By deploying Dev/QA clusters on the Current track with event-driven validation, you gain weeks of advance notice before patches reach production. The solution presented here provides comprehensive testing of JDBC drivers, ODBC drivers, catalog queries, and performance benchmarks. It requires zero manual intervention. Deploy it once, customize it for your workload, and gain confidence that the next Amazon Redshift patch will be validated before it matters.

To learn more about Amazon Redshift, explore the following resources:


About the author

Eva Donaldson

Eva Donaldson

Eva is a Senior Technical Account Manager (TAM) at AWS, specializing in Healthcare & Life Sciences customers. With 20+ years of experience as a data architect, engineer, and team manager, she focuses on designing automated data platforms and solutions that solve real business problems.

Upcoming Speaking Engagements

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2026/07/upcoming-speaking-engagements-58.html

This is a current list of where and when I am scheduled to speak:

  • I’m speaking (virtually) at the Policy-Relevant Privacy Research Workshop in Calgary, Canada, on Monday, July 20, 2026.
  • I’m speaking at Boston Leadership Exchange in Boston, Massachusetts, USA, on Wednesday, July 22, 2026.
  • I’m speaking at Cognitive Security Conference in Las Vegas, Nevada, USA. The conference runs August 6-7, 2026; my speaking time is TBD.
  • I’m speaking at DEF CON 34 in Las Vegas, Nevada, USA. The conventions runs August 6-9, 2026; my speaking time is TBD.
  • I’m speaking at LAcon V in Anaheim, California, USA. The convention runs August 27-31, 2026, and my speaking time is TBD.
  • I’m speaking at CanSecWest 2026 in Vancouver, Canada. The conference runs September 30–October 1, 2026; the time of my talk is TBD.

The list is maintained on this page.

Authenticate legitimate AI agent traffic with AWS WAF Bot Control

Post Syndicated from Harith Gaddamanugu original https://aws.amazon.com/blogs/security/authenticate-legitimate-ai-agent-traffic-with-aws-waf-bot-control/

As AI agents and automated tools increasingly access web applications, distinguishing legitimate bot traffic from malicious attempts has become a critical security challenge. Traditional approaches such as IP-based filtering and reverse DNS lookups fail in multi-tenant systems (such as Amazon Bedrock AgentCore) where thousands of distinct workloads share the same IP space. Attackers can easily spoof user agents, and manual allowlists don’t scale with growing demand.

Web Bot Authentication (WBA), available in AWS WAF Bot Control since November 2025, solves this challenge by implementing cryptographic signatures that provide tamper-proof verification of bot identities. WBA uses asymmetric cryptography to verify that a request comes from an authorized automated agent, relying on two active Internet Engineering Task Force (IETF) drafts: a directory draft for sharing public keys, and a protocol draft defining how keys attach crawler identity to HTTP requests.

With WBA, you can confidently identify trusted automated access while maintaining granular control through WAF labels, creating a more secure and manageable ecosystem for both bot operators and website owners. AWS WAF Bot Control respects WBA verification status by default, automatically allowing verified AI agent traffic.

This post provides a deeper technical guide to implementing WBA with AWS WAF. You learn how WBA works, explore the new labels and capabilities it introduces, and walk through a step-by-step implementation—including signing code—to authenticate bot traffic using cryptographic signatures.

How Web Bot Authentication works with AWS WAF

WBA uses asymmetric cryptography to verify bot identities through HTTP message signatures. The process works as follows:

  1. Bot registration – Bot operators publish their public keys in a signature directory. AWS WAF regularly polls these directories and maintains a valid key registry.
  2. Request signing – Each bot operator’s request is signed using their private key following the IETF standard HTTP Message Signatures (RFC 9421).
  3. Verification – AWS WAF verifies signatures against known public keys associated with the bot operator and appends labels related to verification status.

A typical WBA-signed request includes headers like the following:

Signature-Agent: https://signature-agent.test
Signature-Input: sig2=("@authority" "signature-agent")
;created=1735689600
;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U"
;alg="ed25519"
;expires=1735693200
;nonce="e8N7S2MFd/qrd6T2R3tdfA..."
;tag="web-bot-auth"
Signature: sig2=:jdq0SqOwHdyHr9+r5jw3iYZH6aNGKijYp/EstF4RQ..

The following sequence diagram shows how AWS WAF verifies bot signatures and applies labels for allow or block decisions.

Figure 1 – AWS WAF Web Bot Authentication verification flow

Figure 1 – AWS WAF Web Bot Authentication verification flow

The workflow shown in figure 1 includes the following steps:

  1. A bot sends a signed request to Amazon CloudFront and is inspected by AWS WAF Bot Control
  2. AWS WAF Bot Control retrieves the bot operator’s public key from the signature directory
  3. AWS WAF Bot Control verifies the ed25519 signature
  4. AWS WAF Bot Control appends a verification label (verified, invalid, expired, or unknown_bot)

AWS WAF Bot Control evaluates rules using the label to allow or block the request.

New capabilities added to AWS WAF

With the addition of WBA, the following capabilities were added to AWS WAF.

Cryptographic bot verification

When a bot sends a request, it includes HTTP message signatures that AWS WAF validates at the edge using the AWS WAF Bot Control rule group (version 4.0 and later). This validation process adds minimal latency to requests while providing cryptographic certainty about the bot’s identity. HTTP Message Signatures is an open IETF standard (RFC 9421) that defines a mechanism for signing and verifying HTTP messages using asymmetric keys—in practice, this means a bot cryptographically signs specific headers and metadata of each request, and the receiver can verify the signature using the bot’s published public key.

New labels within AWS WAF for granular control

AWS WAF automatically validates signatures, and successfully validated traffic is immediately marked as verified. This verification status can be used in WAF rules and bot management policies, giving you the ability to write your own rules based on the new functionality.

The following table describes the new labels.

Label Meaning Suggested action
awswaf:managed:aws:bot-control:bot:web_bot_auth:verified Successful cryptographic verification Allow
awswaf:managed:aws:bot-control:bot:web_bot_auth:invalid Failed verification attempt Block or rate-limit
awswaf:managed:aws:bot-control:bot:web_bot_auth:expired Expired key used Block and alert
awswaf:managed:aws:bot-control:bot:web_bot_auth:unknown_bot Unrecognized key Monitor or block
awswaf:managed:aws:bot-control:bot:vendor:<vendor_name> Bot vendor or operator Use for vendor-specific rules
awswaf:managed:aws:bot-control:bot:name:<rfc_name> Bot name (RFC token from WBA) Use for bot-specific rules
awswaf:managed:aws:bot-control:bot:account:<hash> AWS account identifier (Amazon Bedrock AgentCore agents only) Use for account-level controls

AWS WAF now automatically allows verified AI agent traffic

AWS WAF Bot Control now respects WBA verification status by default, automatically allowing verified AI agent traffic. This includes two specific behavior changes:

  • Category:AI rule update – Previously, the Category:AI rule under common Bot Control blocked unverified bots. Bot Control now checks WBA verification status before applying this rule.
  • TGT_TokenAbsent rule update – The TGT_TokenAbsent rule, which detects requests without a WAF token, no longer matches requests that carry the web_bot_auth:verified label.

Key benefits for AWS WAF customers

WBA with AWS WAF delivers several advantages for organizations managing automated traffic at scale.

  • Enhanced bot visibility – Clear identification of distinct bots operating from multi-tenant platforms like Amazon Bedrock AgentCore, providing transparency into automated traffic sources. The AWS WAF console includes a new AI activity dashboard that provides a centralized view of AI bot and agent traffic across your protected resources.
  • Enhanced security – Cryptographic verification of bot identities using industry-standard signing mechanisms.
  • Reduced false positives – Accurate distinction between legitimate and malicious automated traffic, particularly in shared IP environments.
  • Industry alignment – Alignment with industry standards and major content delivery network (CDN) providers for consistent bot authentication across platforms.

Customer use cases for WBA with AWS WAF

Across industries, organizations use WBA to grant automated agents secure, controlled access to their web applications. The following scenarios highlight where this capability delivers real-world value:

  • Verified customer support agents – Authenticate AI-powered chat and support bots so websites can recognize them as approved, registered agents. This enables seamless customer service automation while maintaining security controls and audit trails.
  • Automated crawling and indexing – Allow search engine crawlers and content indexers to fetch pages with clear identity and scoped permissions. This reduces false-positive blocks, improves crawl efficiency, and helps legitimate bots access your content without triggering security controls.
  • Partner integrations – Third-party agents can access customer portals and APIs with explicit consent and granular, scoped access controls. This facilitates secure business-to-business (B2B) integrations while maintaining visibility into partner bot activity.
  • Enterprise automations and agents – Internal automation tools—including monitoring systems, QA bots, continuous integration and delivery (CI/CD) pipelines, and robotic process automation (RPA) solutions—get authenticated access to web applications with least-privilege access principles and full auditability.

Availability

WBA was introduced in Bot Control rule group Version_4.0 (November 2025) for Amazon CloudFront distributions, with continued support in later versions. With Version_6.0, WBA is available for resource types supported by AWS WAF across standard commercial AWS Regions.

Getting started: Developers or agents quick start

Whether you’re implementing WBA yourself or working with an AI coding assistant, the following steps walk you through deploying WBA, signing requests, and writing custom rules.

Step 1: Deploy the WBA-enabled Bot Control

Add the AWS WAF Bot Control rule group to your CloudFront-associated web ACL using static Version_4.0 or Version_5.0—both include WBA support for cryptographic bot verification. Version_5.0 (released February 2026) covers more than 650 unique bots and agents spanning categories including AI search engine crawlers, AI data collectors, AI assistants, and large language model (LLM) training crawlers.

Important: You must explicitly select one of these static versions.

The following example CloudFormation YAML snippet shows a bot control rule set configuration:

# Bot Control rule group with WBA support
ManagedRuleGroupStatement:
  VendorName: AWS
  Name: AWSManagedRulesBotControlRuleSet
  # Use Version_4.0 or higher for WBA support
  Version: Version_5.0
  ManagedRuleGroupConfigs:
    - AWSManagedRulesBotControlRuleSet:
        # COMMON level provides WBA verification
        # TARGETED level adds additional bot-specific protections
        InspectionLevel: COMMON

Step 2: Sign requests from your bot

If your agent runs on Amazon Bedrock AgentCore Browser, request signing is handled automatically—no additional configuration is required.

For agents running outside of AgentCore, registration APIs are on the roadmap that you can use to sign requests independently by:

  1. Generating an ed25519 key pair
  2. Hosting your public key in a signature directory
  3. Signing outbound HTTP requests using the Signature-Input and Signature headers with the web-bot-auth tag. For language-specific signing implementations, see the HTTP Message Signatures RFC (RFC 9421) and the AWS WAF Bot Control documentation.

Step 3: Write custom rules using WBA labels

Use the verification labels in custom WAF rules for granular traffic control, for example:

  • Allow – awswaf:managed:aws:bot-control:bot:web_bot_auth:verified
  • Rate-limit – awswaf:managed:aws:bot-control:bot:web_bot_auth:invalid
  • Alert on – awswaf:managed:aws:bot-control:bot:web_bot_auth:expired

Step 4: Monitor WBA traffic

Use AWS WAF metrics and logs to monitor authenticated bot traffic:

  • Review Amazon CloudWatch metrics for Bot Control rule group matches and set up alarms for anomalous or unexpected spikes in invalid or expired verification attempts.
  • Analyze AWS WAF logs to identify patterns in bot authentication attempts and filter on web_bot_auth labels.
  • Use the AI Activity Dashboard in the AWS WAF console for a centralized view of AI bot traffic. Visualize traffic trends, identify top bots and frequently targeted paths, and filter by verification status to decide which bots to allow, rate-limit, or block.

Conclusion

WBA with AWS WAF provides a cryptographically secure, standards-based approach to authenticating legitimate AI agent traffic. By moving from IP-based allowlisting to signature-based verification, you gain accurate bot identification that works across multi-tenant environments.

Looking ahead, our focus is to simplify bot authentication and make it safer by default. Registration APIs that agent owners can use to cryptographically verify bot identity and intent are on the roadmap, helping website owners quickly distinguish trusted automation from unknown traffic.

If you own an agent, adopt WBA and register your agent to receive verified status. In parallel, AWS continues to actively participate in the IETF web-bot-auth working group, advocating for complementary approaches—using both identifying and anonymous verification protocols—and will incorporate these standards into products as they mature to help your deployments stay aligned with the broader ecosystem.

To get started, see the AWS WAF Bot Control documentation and the HTTP Message Signatures RFC (RFC 9421).

If you have feedback about this post, submit comments in the Comments section below.


Harith Gaddamanugu

Harith Shantan Gaddamanugu

Harith is a Sr Edge Specialist Solutions Architect at AWS, where he architects critical infrastructure and security solutions that serve millions of users globally. With a decade of expertise in cloud perimeter protection and web acceleration, he guides large enterprises building resilient architectures. Outside work, Harith enjoys hiking and landscape photography with his family.

Author

Kaustubh Phatak

Kaustubh is a product leader specializing in AI/ML systems and enterprise security solutions. He has led cross-functional teams in deploying AI-powered products at scale, working closely with security architects and CISOs to address the intersection of AI innovation and cybersecurity risk. His work focuses on translating complex technical capabilities into business value, particularly in emerging technology domains where traditional frameworks don’t apply.

Запазените паркоместа в София – нови данни

Post Syndicated from Боян Юруков original https://yurukov.net/blog/2026/slujebno2/

Не, не говоря за пазенето на паркомясто със стол, щайга или саксия.

Преди месец писах за служебното паркиране в София и отправих критика към качеството на данните, които получих тогава. Междувременно пуснах ново запитване по ЗДОИ, с което освен същите данни поисках и всички паркоместа за хора с увреждания. Това беше честа обратна връзка след последната ми карта.

Този път данните бяха в добра форма и практически не се налагаха корекции. Всички данни за абонаменти бяха с имената на платилите ги. Частните лица са с инициали и при тях липсва личен адрес. При фирмите има адрес на централен офис. Данните са абонамента са също много по-добре структурирани – събрани са договорите на едно показвайки какви пакети са групирани. Където има различни периоди на абонамент, това е защото са добавяни пакети на по-късен етап.

Новите данни включват 2246 паркоместа като част от 1317 договора за абонамент с 1048 лица. За сравнение, старата справка от март имаше 48 паркоместа по-малко. Открих само 12 абонамента да са на физически лица. Най-много паркоместа имат ОББ – 51, ДСК – 35, Ц.Б.С. ООД (свързано с хазарт) и Юробанк – по 26, ПИБ 22. Британското посолство има 21 служебни паркоместа. Министерствата имат общо 63, различни агенции – 28, комисии – 15. КТБ още има 3 паркоместа и договорът им е подновен през март тази година. В тези данни не са включени паркоместата, които съдилищата са си осигурили със спорни решения за охранителните зони около сградите си.

Обнових картата да показва новите данни и архивирах картата на друг адрес. Тъй като не се налага да обработвам данните и да гадая, няма паркоместа с неизвестен абонамент. Вместо това добавих категория в легендата за паркоместата запазени за хора с увреждания – общо 1177. За тях се показва като информация само района и зоната. Не получих информация за такива паркоместа извън синя и зелена зона, което е странно. Известни са ми поне няколко паркоместа за хора с увеждания извън тези зони. Попитах ги отново защо липсват.

Обновената карта ще намерите тук или може да я отворите на цял екран.

В миналата карта забелязах няколко служебни паркоместа, които имаха нощен режим без да имат основния. Това най-вероятно беше проблем със справката. Този път няма такива, но се забелязва нещо друго странно. Гранд хотел Милениум София ООД са заплатили през ноември 2024-та пет паркоместа с дневен, разширен и нощен режим. Това значи, че местата са резервирани за тях постоянно – понеделник до неделя, 24 часа на ден. Нощният режим обаче е наличен само за синя зона според условията на сайта на ЦГМ. Тези паркоместа се намират в зелена зона и дори справката по моето искане за достъп до данни го показва.

Не става ясно как се е случило това и две години хотелът се радва на денонощни служебни паркоместа почти две години. Възможно е да е било по стара версия на наредбата, но не открих да е имало разлики. Ще питам и ще допълня статията.

В отговора си ЦГМ споделиха и някои финансови данни. Споделят, че за цялата 2025 г. приходите от слъжебен абонамент възлизат на 9.537 млн. лв. или 4.876 млн. € без ДДС. Разходите за осигуряване и поддръжка на служебните паркоместа са 549 хил. лв. или 280.7 хил. € без ДДС. Последното включва само очертаването и слагането на табели, а не махането на погрешно паркирали коли.

Проста сметка показва, че според сега сключените договори приходите без ДДС ще са 505.8 хил. €. Макар броят им и включените пакети да варират, виждам, че се увеличават като брой места в последните години. Така по груби сметки и ако приемем, че всички са се възползвали от намалението от 10% при предплащане за цяла година, биха излезли 5.462 млн. € без ДДС прогнозни приходи за 2026 или 12% повече от предходната. Така предоставените суми за миналата година изглеждат логични като имаме предвид скокът в броя на служебните паркоместа.

Call for topics for the 2026 Maintainers Summit

Post Syndicated from corbet original https://lwn.net/Articles/1082838/

The Maintainers Summit is an annual, invitation-only gathering of kernel
developers and maintainers to discuss development-process issues; see LWN’s 2025 Maintainers Summit coverage for an
example. The call for
topics
for the 2026 gathering (Prague, October 8) has gone out.
One of the best ways to obtain an invitation to the Summit is with a good
topic proposal. For best consideration, topics should be submitted before
July 24.

Automated Incident Remediation with AWS DevOps Agent and Kiro CLI

Post Syndicated from Jishnu Dasgupta original https://aws.amazon.com/blogs/devops/automated-incident-remediation-with-aws-devops-agent-and-kiro-cli/

Introduction

Automated incident remediation – turning investigation findings into deployed fixes without manual toil – is the next frontier for operations teams running distributed workloads on AWS. Today, when an incident fires at 2 AM, the on-call engineer must correlate telemetry across Amazon CloudWatch, deployment pipelines, and application logs, then manually write and deploy a fix – a process that routinely takes hours. AWS DevOps Agent addresses the first half by autonomously investigating incidents, identifying root causes, and generating mitigation plans in minutes. During preview, customers and partners reported up to 75% lower MTTR, 80% faster investigations, and 94% root cause accuracy.

But investigation and mitigation recommendations are only half the story. Someone still has to read the findings, write the fix, test it, and deploy it. What if that second half could be automated too?

In a previous post, Leverage Agentic AI for Autonomous Incident Response with AWS DevOps Agent, we demonstrated how to configure AWS DevOps Agent to monitor your applications, trigger autonomous investigations, and follow best practices for production deployments. We also published this code sample which demonstrates how investigations could be wired to be triggered automatically when a Amazon CloudWatch alarm is raised. These two articles now allow you to trigger AWS DevOps Agent investigation on a Amazon CloudWatch alarm and produce a mitigation plan.

In this post, we demonstrate how to integrate AWS DevOps Agent mitigation plan output with Kiro CLI – running in headless mode on AWS CodeBuild – to close the remediation loop end-to-end. When AWS DevOps Agent completes a mitigation analysis, an event-driven pipeline automatically routes the findings to Kiro CLI, which applies the fix to your codebase, creates a pull request for human review, and triggers deployment upon approval. The result: L1/L2 incidents go from detection to deployed fix with minimal manual intervention – the only human touchpoint is the pull request approval.

We walk through the complete solution using a sample CloudFormation application, including the infrastructure code, anomaly generation scripts, event routing, and the Kiro CLI steering configuration that makes it all work. All source code is available in the accompanying aws-samples repository.

Solution Overview

Consider a typical web application running on AWS — a frontend behind an Application Load Balancer, backend compute on Amazon EC2, and an Amazon RDS database, with source code and CloudFormation templates in AWS CodeCommit. When something goes wrong in this environment, the solution chains two AWS frontier agents —AWS DevOps Agent for autonomous investigation and mitigation, and Kiro CLI for automated code remediation — through a fully serverless event-driven bridge to take the application from incident to deployed fix.

Solution Architecture

Fig 1 – Solution architecture

How it works

  1. An incident occurs – Your application experiences an issue – high CPU utilization, elevated error rates, slow response times. Amazon CloudWatch alarms fire.
  2. DevOps Agent investigates – AWS DevOps Agent, which has your application onboarded into an Agent Space, autonomously correlates metrics, logs, and deployment history to identify root cause and generate a mitigation plan.
  3. EventBridge routes the signal – An Amazon EventBridge rule captures Mitigation Completed events (source: aws.aidevops) and invokes a AWS Lambda function.
  4. Lambda extracts and queues – The AWS Lambda function calls the AWS DevOps Agent API to retrieve the mitigation summary and execution plan, then publishes the payload to Amazon SQS queue.
  5. CodeBuild runs Kiro CLI – When a message arrives in the Amazon SQS queue, a AWS Lambda function with an SQS event source mapping triggers a AWS CodeBuild execution, passing the message content as an environment variable. AWS CodeBuild runs Kiro CLI in headless mode (–no-interactive –trust-tools=read,write,grep,shell), using the mitigation payload as a remediation prompt.
  6. Kiro CLI applies the fix – Guided by a steering file that describes the repository structure and remediation conventions, Kiro CLI modifies the CloudFormation template or application code, commits to a feature branch, and creates a pull request.
  7. Human approves, pipeline deploys – A developer reviews the pull request. Upon approval and merge, the associated deployment pipeline gets triggered to execute the change.

Prerequisites

To follow along with this walkthrough, you need:

  • An AWS account for AWS DevOps Agent access
  • An Agent Space configured
  • Kiro CLI with a Pro, Pro+, or Power subscription (required for headless mode API keys)
  • AWS CLI configured with appropriate credentials
  • The sample repository pushed to your account’s AWS CodeCommit repository

Once completed, follow along the Readme file to setup the components which allow you to implement and execute the above architecture. The sections below provide an explanation of the components that have been built to support the architecture.

Capturing mitigation events

AWS DevOps Agent publishes lifecycle events to the Amazon EventBridge default event bus whenever an investigation or mitigation changes state. Each event uses the source aws.aidevops and a detail-type that identifies the specific like Mitigation Completed, Investigation Completed, or Mitigation Failed. The post focuses on a single signal: the moment a mitigation finishes successfully.

EventBridge rule and Lambda extraction

An Amazon EventBridge rule matching the Mitigation Completed detail-type invokes a AWS Lambda function. The event payload contains metadata (agent_space_id, task_id, and execution_id) which allows the AWS Lambda function to call the AWS DevOps Agent and extracts two key objects: the mitigation summary (what action to take and why) and the execution plan (step-by-step instructions). It publishes this structured payload to an Amazon SQS queue for downstream processing.

Headless remediation with Kiro CLI

With mitigation payloads landing in the Amazon SQS queue, we need a compute environment that can check out the application and infrastructure repository, run Kiro CLI agent against the codebase, and push changes back. AWS CodeBuild is a natural fit — it provides on-demand compute, integrates natively with AWS CodeCommit and requires no persistent infrastructure.

Kiro CLI 2.0 introduced headless mode, which allows it to run programmatically in deployment pipelines without an interactive terminal. You authenticate with an API key (stored in AWS Secrets Manager), pass a prompt, and Kiro CLI executes end-to-end — same tools, same agents, same capabilities as the interactive experience.

How CodeBuild orchestrates the fix

When a message arrives in the Amazon SQS queue, a trigger AWS Lambda function starts a AWS CodeBuild execution, passing the Amazon SQS message body as an environment variable. The AWS CodeBuild buildspec follows a straightforward sequence:

  1. Install : Installs Kiro CLI and configures the environment. The KIRO_API_KEY is pulled automatically from AWS Secrets Manager ,never hardcoded.
  2. Generate prompt : A Python script converts the structured mitigation payload into a natural-language remediation prompt. It inspects the content to classify whether the change targets infrastructure (or application code, then generates a focused prompt with the action, reasoning, and specific instructions.
  3. Create feature branch : Checks out a new branch named after the agent space and execution IDs for traceability.
  4. Run Kiro CLI : Invokes Kiro CLI chat –no-interactive –trust-tools=read,write,grep,shell with the generated prompt. The –trust-tools flag auto-approves specific tool categories following least-privilege, since there is no human to confirm.
  5. Validate and commit : Guardrails check the changes: file count limits, protected file detection, Python syntax validation (py_compile), and YAML linting. If all checks pass, the changes are committed and pushed.
  6. Create pull request : Creates an AWS CodeCommit pull request with the mitigation action as the title and the AWS DevOps Agent reasoning in the description.

The steering file

What makes Kiro CLI effective at remediation – rather than just generating generic code – is the steering file. Steering gives Kiro persistent knowledge about your project: repository structure, coding conventions, and decision frameworks.

For this solution, the steering file serves as the guardrails for automated remediation. It defines:

  • Repository structure – Maps each directory to its purpose.
  • Decision framework – Rules for classifying changes as infrastructure vs. application.
  • Scope constraints – Maximum 3 files per remediation, no new files, no new dependencies, no deletions.
  • Protected files – The buildspec, infrastructure pipeline templates, bridge code, and steering files themselves are explicitly off-limits.
  • Fail-safe – If the prompt is ambiguous or Kiro cannot determine what to change, it makes no changes rather than guessing.

This steering file is committed to the repository, so every AWS CodeBuild execution picks it up automatically. It ensures Kiro CLI makes targeted, predictable changes rather than broad refactors.

From pull request to deployment

At this point, the automated pipeline has done its work – Kiro CLI has analyzed the mitigation plan, modified the appropriate files, and created a pull request on a feature branch. The pull request description includes what was changed, why (directly from the AWS DevOps Agent’s reasoning), and the agent space and execution IDs for full traceability back to the original incident.

This is where the human-in-the-loop gate comes in. A developer reviews the pull request -verifying that the change is correct, scoped appropriately, and safe to deploy. This approval step is deliberate: while we trust the agents to investigate, analyze, and propose fixes, a human makes the final deployment decision.

Once the pull request is approved and merged into the main branch, the deployment pipelines implement the approved changes in the target environment.

The entire cycle – from CloudWatch alarm to deployed fix – completes in minutes rather than hours, with the only manual step being the pull request review. For organizations handling high volumes of L1/L2 incidents, this translates directly into reduced operational toil and faster recovery.

Cleanup

To avoid ongoing charges, remove the resources created during this walkthrough. Refer to the Readme for the complete teardown sequence.

Conclusion

In this post, we demonstrated how to integrate AWS DevOps Agent mitigation outputs with [1] Kiro CLI to build a closed-loop incident remediation pipeline. By connecting these two frontiers agents’ operations teams can go from incident detection to deployed fix with a single human touchpoint: the pull request approval.

This approach delivers measurable impact for enterprise operations:

  • Reduced MTTR – L1/L2 incidents that previously required hours of manual investigation and remediation can now resolve in minutes.
  • Improved operator productivity – Engineers shift from reactive firefighting to reviewing and approving targeted, AI-generated fixes.
  • Consistent remediation – Steering files codify your team’s conventions and decision frameworks, ensuring every automated fix follows the same standards regardless of when or how often incidents occur.

Ready to get started? Clone the aws-samples repository for the complete implementation, visit the AWS DevOps Agent documentation to configure your first Agent Space, and explore the Kiro CLI documentation to learn more about steering-file-driven code generation. Have questions or want to share how you’ve adapted this pattern? Leave a comment below or open an issue in the repository

Jishnu Dasgupta

Jishnu Dasgupta

Jishnu Dasgupta is a Senior Solutions Architect at AWS who specializes in manufacturing and automotive domain. His focus areas are building, migrating and modernizing applications on AWS. He leverages his expertise and experience to help AWS customers build optimized, scalable and fit to purpose architecture on AWS.

Chetan Dharma

Chetan Dharma

Chetan Dharma is a Senior AI Solution architect with 20+ years of experience driving technology transformation for large-scale global enterprises. He has worked across investment banking, logistics, automative, and digital native businesses — progressing from hands-on engineering to architecture to advising AI transformation

[$] Sending packets directly from BPF

Post Syndicated from daroc original https://lwn.net/Articles/1081696/


Tetragon
, the BPF-based security monitoring tool,
uses BPF to monitor different aspects of a running kernel and
enforce user-specified policies. It sends its data to a user-space process,
which forwards the data to a central monitoring service elsewhere in the
network, however. This
presents a point of vulnerability: if an attacker can kill Tetragon’s user-space
agent, it won’t be able to properly report on the situation. Song Liu, Mahé
Tardy, and Liam Wiseheart spoke about their work removing the need for the
user-space agent at the 2026

Linux Storage, Filesystem, Memory-Management, and
BPF Summit
.

Security updates for Tuesday

Post Syndicated from daroc original https://lwn.net/Articles/1082832/

Security updates have been issued by AlmaLinux (389-ds:1.4, buildah, freeipmi, freerdp, gegl, gimp, golang, kernel, libreoffice, maven:3.9, openexr, perl-DBI, plexus-utils, podman, tomcat, tomcat9, xorg-x11-server, and xorg-x11-server-Xwayland), Debian (imagemagick, p7zip, and redis), Fedora (breezy, calibre, and golang-github-openprinting-ipp-usb), Mageia (ffmpeg, gzip, haproxy, libheif, libtiff, libxml2, packages, perl-List-SomeUtils-XS, and perl-Socket), SUSE (alsa, chromedriver, curl, dhcpcd, docker-compose, glibc, haproxy, ImageMagick, jq, kernel, kubernetes, libpng15, libredwg-devel, libslirp, nghttp2, php8, python-Pillow, python313-Django, python313-weasyprint, qemu, rust-keylime, sccache, and systemd), and Ubuntu (cifs-utils, libexif, libreoffice, libssh2, openssh, and pipewire).

A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed

Post Syndicated from Sebastiaan Neuteboom original https://blog.cloudflare.com/dnssec-nta-ede-33/

On July 3, 2026, the Albanian communications authority (AKEP), the operator of the .AL country-code top-level domain (TLD) of Albania, attempted a DNSSEC key rollover. Something went wrong, resulting in DNSSEC validation failures. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return errors to clients. That includes 1.1.1.1, the public DNS resolver operated by Cloudflare.

The .AL TLD is the online home of Albanian government services, banks, and media; it ranks #191 on Cloudflare Radar’s TLD ranking. Anyone trying to visit those sites, using a validating resolver, found them unreachable during the incident. The failure had the potential to affect every .AL domain, regardless of where it was hosted or which authoritative nameservers served it.

Just two months earlier, a similar incident struck .DE, the TLD of Germany. As we described in our blog post on the incident, our response was to install a Negative Trust Anchor (NTA) for .DE, temporarily suspending DNSSEC validation in 1.1.1.1 to keep domains reachable while the registry resolved the issue. We did the same for .AL.

NTAs restore resolution, but silently. A client receiving a response served under an NTA has no way to tell, from the response alone, that DNSSEC validation was bypassed, leaving it unable to distinguish a legitimate answer from a spoofed one. For the .AL incident, 1.1.1.1 addressed that gap for the first time, returning a new Extended DNS Error (EDE) code alongside every affected response to signal that the answer was not DNSSEC-validated due to the presence of an NTA.

The graph below shows the SERVFAIL and NOERROR rates for .AL queries on 1.1.1.1 throughout July 3. The SERVFAIL rate climbs as cached records expire and resolvers are forced to revalidate. It drops sharply when the NTA is applied at 17:15 UTC, restoring resolution.


What happened to .AL

We discussed how DNSSEC works in more detail in our prior blog post. A brief recap:

DNSSEC builds a chain of trust from the root zone down to individual domain names. The root zone holds a Delegation Signer (DS) record for each signed TLD, a fingerprint of that TLD’s DNSKEY. A resolver verifying .AL checks that the DNSKEY served by .AL‘s nameservers matches the DS record in the root. If it does, the resolver trusts that DNS responses from .AL‘s nameservers are authentic. The same pattern repeats one level down: .AL holds DS records for its signed child zones, each with a matching DNSKEY. A break anywhere in that chain, such as a DS record pointing to a key that no longer exists, causes validation to fail for everything below it.

Before the incident, the root zone held a DS record matching the DNSKEY served by the .AL nameservers, as illustrated below.


At around 14:15 UTC, the .AL operator published a new DNSKEY and stopped serving the old one. The DS record in the root zone still pointed to the old DNSKEY (id=26319), so any resolver attempting to validate .AL responses found no matching key and failed.


At roughly 17:00 UTC, the .AL operator removed the new DNSKEY without restoring the old one. The zone now had no DNSKEY records at all, while the DS record in the root still pointed to id=26319, and resolution continued to fail.


At roughly 19:15 UTC, the .AL operator removed the DS record from the root zone. Without a DS record, resolvers no longer expected DNSSEC validation for .AL, and resolution was restored, though the entire TLD was now unsigned.


As of publishing, .AL remains unsigned. The DS record has not been restored to the root zone by the .AL operators. Without a DS record, every .AL domain is unable to use DNSSEC protections.

Why Negative Trust Anchors are used

Having a broken DNSSEC configuration can be painful, especially when it impacts an entire TLD at once. As we covered in our .DE incident blog, recursive DNS operators can install a Negative Trust Anchor (NTA) as defined in RFC 7646, which tells a resolver to treat a zone as unsigned and bypass validation.

Before installing the NTA, we attempted to reach the .AL operator directly and posted on the DNS-OARC Mattermost to alert the community. We received no response, in part because the operator’s contact addresses were themselves under .AL, making them unreachable during the outage.

We applied the NTA for .AL and rolled it out to all 1.1.1.1 users by 17:15 UTC, roughly three hours after the chain broke.

The tradeoff is the same as it was for .DE: a Negative Trust Anchor suspends DNSSEC validation, which means .AL domains were no longer protected against DNS spoofing for the duration. We judged this acceptable for the same reason: the failure was public, confirmed, and affecting every validating resolver equally.

The Negative Trust Anchor was removed the following day, once the .AL operator had removed the DS record from the root zone. With no DS record present, resolvers no longer expected DNSSEC for .AL and the NTA was no longer needed.

The problem with Negative Trust Anchors

Installing a Negative Trust Anchor is an aggressive measure. We suspend DNSSEC validation to keep domains reachable, accepting that responses are no longer cryptographically verified for the duration. Users get answers instead of SERVFAIL, but those answers carry no DNSSEC guarantee.

What makes this harder is that, up until now, nothing in the DNS response signalled this to the client; a response served under an NTA looked identical to a fully validated one. RFC 7646 acknowledges this gap and recommends that operators publicly disclose which NTAs they have in place, but that disclosure is out-of-band. For both the .DE and .AL incidents we published status pages, but a status page requires the user to go looking. An application, a monitoring tool, or a user querying 1.1.1.1 had no way to tell, from the response alone, that DNSSEC validation was bypassed.

Bringing transparency to Negative Trust Anchors

Extended DNS Error (EDE) codes, defined in RFC 8914, allow resolvers to include additional context alongside any DNS response, whether that is an error or a successful answer. Babak Farrokhi at Quad9 proposed an Internet-Draft to signal the presence of a Negative Trust Anchor directly in the DNS response, using a new EDE code: Disclosure of Negative Trust Anchors in DNS Responses. We joined as co-authors, and 1.1.1.1 now implements it.

During the .AL incident, any query for a .AL name returned both the answer and the new EDE code while the Negative Trust Anchor was installed. Here is what that looked like:

$ kdig @1.1.1.1 google.al
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 32848
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 9 (DNSKEY Missing): 'no SEP matching the DS found for al.'
;; EDE: 33 (Negative Trust Anchor): 'a Negative Trust Anchor has been applied for this query (see RFC 7646)'

;; ANSWER SECTION:
google.al.              300    IN    A    142.251.142.196

The response is a NOERROR with a valid answer: google.al resolves, but two EDE codes accompany it. EDE 9 (DNSKEY Missing) surfaces the underlying DNSSEC failure: the chain of trust was broken and validation failed. EDE 33 (Negative Trust Anchor) signals that 1.1.1.1 applied a Negative Trust Anchor and served the response anyway. Together they give clients and operators full visibility into what happened: the answer is real, but it was not DNSSEC-validated.

1.1.1.1 returns EDE 33 on any response generated while an NTA is active, regardless of whether the query itself would have failed DNSSEC validation. A query for a domain that does not use DNSSEC at all will still carry EDE 33 if it falls under an active NTA. This is intentional: the NTA covers the entire zone, and transparency applies equally to every response served under it.

This also resolves an issue we flagged in our .DE blog, where 1.1.1.1 incorrectly returned EDE 22 (No Reachable Authority) instead of surfacing the underlying DNSSEC error. During the .AL incident, 1.1.1.1 correctly returned EDE 9 (DNSKEY Missing) alongside EDE 33.

The Internet-Draft is an individual submission and EDE 33 has been assigned by the Internet Assigned Numbers Authority (IANA). Thanks to our co-author, Babak Farrokhi at Quad9, the kdig tool from the Knot project now recognizes EDE 33 by name, and a pull request for Unbound is under review. We hope other resolver implementations will follow. The Internet-Draft has been submitted to the Internet Engineering Task Force (IETF) DNSOP Working Group, and will be discussed at the IETF meeting taking place in Vienna from July 18 to July 24.

Closing the gap

TLD-level DNSSEC failures are rare, but when they happen they affect every domain underneath the affected TLD simultaneously, and every validating resolver equally. The .AL incident, following closely behind .DE, shows that Negative Trust Anchors are a necessary operational tool, but one that has, until now, been invisible to the users they affect.

EDE 33 closes a gap that RFC 7646 left open. A response served under a Negative Trust Anchor now says so directly, giving operators, monitoring tools, and users the information they need to understand what the resolver did and why.

The Internet-Draft is available at the IETF datatracker. If you have thoughts on it, the IETF DNSOP mailing list is the right place to share them.

If you want to learn more about how DNSSEC works, visit our page How does DNSSEC work? And you can always follow real-time DNS trends and TLD data on Cloudflare Radar.

CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)

Post Syndicated from Stephen Fewer original https://www.rapid7.com/blog/post/ve-cve-2026-55040-microsoft-sharepoint-jwt-token-authentication-bypass-fixed

Overview

Rapid7 Labs conducted a zero-day research project against Microsoft SharePoint, resulting in the discovery of two new vulnerabilities that, when chained together, achieve unauthenticated remote code execution (RCE) against a vulnerable SharePoint server. Today, both Rapid7 and Microsoft are disclosing the first vulnerability in this chain, the authentication bypass vulnerability CVE-2026-55040. The RCE component of the exploit chain is expected to be patched by Microsoft in the next update cycle for August 2026. The exploit chain was developed as an entry for the recent Pwn2Own Berlin hacking competition – part of Rapid7 Labs’ continued effort to raise the bar in Vulnerability Intelligence and our commitment to the preemptive protection of our customers through original vulnerability research.

A remote unauthenticated attacker can leverage CVE-2026-55040 to bypass authentication on a vulnerable SharePoint server and perform operations as a SharePoint site user or administrator. The vulnerability is due to several issues in the JWT token validation pipeline.

CVE-2026-55040 has a CVSSv3.1 score of 5.3 (Medium), and a Common Weakness Enumeration (CWE) of CWE-1390: Weak Authentication.

Product description

Microsoft SharePoint is a ubiquitous, web-based collaboration and document management platform deeply integrated into the Microsoft 365 ecosystem. Serving as the central hub for corporate intranets, internal file sharing, and workflow automation, it is trusted by enterprises worldwide to store and manage vast repositories of sensitive business data. Because SharePoint acts as a critical bridge between internal users, active directories, and cloud infrastructure, vulnerabilities within its architecture present a high-risk attack surface.

Impact

By leveraging CVE-2026-55040, a remote unauthenticated attacker can assume the identity of any SharePoint site user; the prerequisite is the attacker must know in advance the user they wish to identify as. This can be achieved in a number of ways, including via a user’s Active Directory (AD) Security ID (SID), or via a user’s AD User Principal Name (UPN). A UPN is the primary logon name for a user in either Windows AD or Microsoft Entra ID, and is formatted similar to that of an email address, e.g. [email protected].

In the example screenshot below, with identifying information redacted, a Rapid7 Labs proof-of-concept script discovers potential SharePoint users via SID enumeration and then leverages CVE-2026-55040 to bypass authentication on the target SharePoint site to assume the identity of that user — ultimately identifying the SharePoint site administrator user account.

Rapid7-Labs-PoC-CVE-2026-55040.png
Figure 1: The Rapid7 Labs PoC for CVE-2026-55040.

An attacker who successfully exploits CVE-2026-55040 can perform operations against the target SharePoint site as the user they identify as. Furthermore, this authentication bypass can be chained to additional vulnerabilities within the authenticated attack surface of the target site.

Rapid7 Labs has chained the authentication bypass CVE-2026-55040 with a separate RCE vulnerability for unauthenticated RCE. Patching CVE-2026-55040 will successfully break this exploit chain. The RCE component has been disclosed to Microsoft and is expected to be patched in the scheduled August patch cycle. The chaining of vulnerabilities highlights that even though the authentication bypass has been assigned a medium severity CVSS score by Microsoft, the impact of successfully chaining a medium severity authentication bypass to an RCE component is significant. This also underscores the importance of patching vulnerabilities such as authentication bypasses, which can break complex and high impact exploit chains.

Leveraging AI

To develop our SharePoint exploit chain, Rapid7 Labs undertook a research project divided into two main sprints, the first in January and the second in March, 2026. While both sprints did encompass more traditional vulnerability research such as manual code review and reverse engineering, a significant amount of the work was undertaken through an agent. Over 24 active days of agentic work, we leveraged 96 sessions, issued 256 prompts, and generated approximately 80,000 agentic tool calls.

The initial January sprint was unsuccessful, resulting in no findings that could be leveraged for an exploit chain. We used this sprint to experiment with several different publicly available models, along with different workflows to navigate and reason across a massive and complex codebase. However, our second sprint in March was successful and yielded, through a heavily prompted agent, a two-vulnerability exploit chain that achieved unauthenticated RCE.

The improvement in quality between January and March in terms of agentic work, along with our improved workflows, was noticeable. This highlights the speed at which this field is evolving, how publicly available models are improving, and how as research teams develop their workflows, the results begin to compound.

Credit

This vulnerability was discovered by Stephen Fewer, Senior Principal Security Researcher at Rapid7 and is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Vendor statement

The following statement has been provided by Microsoft:

“We would like to thank Rapid7 for responsibly reporting this issue through coordinated vulnerability disclosure.”

Technical analysis

Rapid7 will be publishing full technical details for CVE-2026-55040 within 30 days of this disclosure.

Remediation

Customers are advised to apply the latest available updates for the impacted product to ensure they are protected.

Rapid7 customers

Exposure Command, InsightVM and Nexpose customers will be able to assess their exposure to CVE-2026-55040 with Authenticated vulnerability checks available in the July 14 content release

Disclosure timeline

  • May 18, 2026: Rapid7 discloses an unauthenticated RCE exploit chain to Microsoft. Microsoft acknowledges receipt of the disclosure the same day.

  • May 20, 2026: Microsoft confirms the findings and indicates that the exploit chain will be patched across two scheduled update cycles – the authentication bypass component in July, and the RCE component in August.

  • May 21, 2026: Rapid7 acknowledges the disclosure schedule and requests supporting information. Microsoft requests a 30 day stay on disclosure of technical details and publication of PoC.

  • May 29, 2026: Rapid7 agrees to a 30 day stay on technical details with a proviso to publish earlier should either exploitation in-the-wild or third-party publication of details occur within the 30 days. Microsoft confirms the disclosure plan the same day.

  • June 30, 2026: Rapid7 requests supporting information for the upcoming disclosure.

  • June 30, 2026: Microsoft provides supporting information to Rapid7.

  • July 14, 2026: This disclosure for CVE-2026-55040.

The collective thoughts of the interwebz