NVD Dashboard
CVEs Received and Processed
NVD Contains
| CVE Vulnerabilities | 355940 |
| Checklists | 887 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1740088 |
[Chart: CVSS V3 Score Distribution, number of vulnerabilities by severity]
[Chart: CVSS V2 Score Distribution, number of vulnerabilities by severity]
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2025-70101 - An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability occurs due to ins...
  Published: June 03, 2026; 10:16:31 AM -0400
- CVE-2025-70100 - A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical bl...
  Published: June 03, 2026; 10:16:31 AM -0400
- CVE-2026-40898 - quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a ...
  Published: June 04, 2026; 3:16:28 PM -0400
  V3.1: 7.5 HIGH
- CVE-2026-50292 - In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
  Published: June 04, 2026; 2:16:32 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2026-48040 - The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to ...
  Published: June 04, 2026; 2:16:31 PM -0400
  V3.1: 9.1 CRITICAL
- CVE-2026-41207 - The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is...
  Published: June 04, 2026; 2:16:30 PM -0400
  V3.1: 5.3 MEDIUM
- CVE-2026-10891 - Use after free in GFX in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
  Published: June 04, 2026; 7:16:50 PM -0400
- CVE-2026-8874 - Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, de...
  Published: June 03, 2026; 3:16:39 PM -0400
- CVE-2026-8881 - Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching.
  Published: June 03, 2026; 3:16:39 PM -0400
- CVE-2026-11118 - Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:17 PM -0400
- CVE-2026-8888 - Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns ...
  Published: June 03, 2026; 3:16:39 PM -0400
  V3.1: 7.5 HIGH
- CVE-2026-11000 - Use after free in Fonts in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:03 PM -0400
- CVE-2026-8889 - Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
  Published: June 03, 2026; 3:16:39 PM -0400
  V3.1: 7.5 HIGH
- CVE-2026-11125 - Use after free in Compositing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:18 PM -0400
- CVE-2026-11130 - Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:19 PM -0400
- CVE-2026-11136 - Use after free in Canvas in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:19 PM -0400
- CVE-2026-11147 - Use after free in WebML in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:21 PM -0400
- CVE-2026-11149 - Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severit...
  Published: June 04, 2026; 7:17:21 PM -0400
- CVE-2026-11164 - Use after free in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:23 PM -0400
- CVE-2026-11171 - Integer overflow in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  Published: June 04, 2026; 7:17:23 PM -0400