Vulnerability | Breaking Cybersecurity News | The Hacker News

Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The list of vulnerabilities is as follows - CVE-2026-3909 (CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page. CVE-2026-3910 (CVSS score: 8.8) - An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Both vulnerabilities were discovered and reported by Google itself on March 10, 2026. As is customary in these cases, no details are available about how the issues are being abused in the wild and who is behind the efforts. This is done so as to prevent other threat actors from exploiting the issues. "Google is aware that exploits for both CVE-2026-3909 an...

Cybersecurity researchers have disclosed multiple security vulnerabilities within the Linux kernel's AppArmor module that could be exploited by unprivileged users to circumvent kernel protections, escalate to root, and undermine container isolation guarantees. The nine confused deputy vulnerabilities have been collectively codenamed CrackArmor by the Qualys Threat Research Unit (TRU). The cybersecurity company said the issue has existed since 2017. No CVE identifiers have been assigned to the shortcomings. AppArmor is a Linux security module that provides mandatory access control (MAC) and secures the operating system against external or internal threats by preventing known and unknown application flaws from being exploited. It has been included in the mainline Linux kernel since version 2.6.36. "This 'CrackArmor' advisory exposes a confused deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restricti...

Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software that, if successfully exploited, could result in remote code execution. The vulnerabilities are as follows - CVE-2026-21666 (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. CVE-2026-21667 (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server. CVE-2026-21668 (CVSS score: 8.8) - A vulnerability that allows an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. CVE-2026-21672 (CVSS score: 8.8) - A vulnerability that allows local privilege escalation on Windows-based Veeam Backup & Replication servers. CVE-2026-21708 (CVSS score: 9.9) - A vulnerability that allows a Backup Viewer to perform remote code execution as the postgres user. The sho...

Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.” The pattern this week feels familiar in a slightly annoying way. Old tricks are getting polished. New research shows how flimsy certain assumptions really are. A couple of things that make you stop mid-scroll and think, “wait… people are actually pulling this off?” There’s also the usual mix of strange corners of the ecosystem doing strange things — infrastructure behaving a little too professionally for comfort, tools showing up where they absolutely shouldn’t, and a few cases where the weakest link is still just… people clicking stuff they probably shouldn’t. Anyway. If you’ve got five minutes and a mild curiosity about what attackers, researchers, and the broader internet gremlins were up to lately, this week’...

Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit . The vulnerability, tracked as CVE-2023-43010 , relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The iPhone maker said the issue was addressed with improved handling.  "This fix associated with the Coruna exploit kit was shipped in iOS 17.2 on December 11th, 2023," Apple said in an advisory. "This update brings that fix to devices that cannot update to the latest iOS version." Fixes for CVE-2023-43010 were originally released by Apple in the following versions - iOS 17.2 and iPadOS 17.2 macOS Sonoma 14.2 Safari 17.2 The latest round of fixes brings it to older versions of iOS and iPadOS - iOS 15.8.7 and iPadOS 15.8.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPa...