
February Patch Releases Address Actively Exploited Windows Zero-Days and High-Severity Chrome Vulnerabilities

Tags: zero-day, patch tuesday, privilege escalation, security feature bypass, chromium, actively exploited, chrome, missing authorization, windows, database compromise, netweaver, denial-of-service, adobe

Updated February 11, 2026 at 09:22 PM | 2 sources

A broad set of February security updates shipped across major vendors, led by Microsoft releasing fixes for 59 Windows flaws, including six actively exploited zero-days affecting multiple Windows components with impacts spanning security feature bypass, privilege escalation, and denial-of-service. Adobe also issued updates across creative products (e.g., Audition, After Effects, InDesign, Lightroom Classic), stating it is not aware of in-the-wild exploitation of the addressed issues.

SAP published fixes for two critical vulnerabilities: CVE-2026-0488 (CVSS 9.9), a code/SQL injection issue in SAP CRM and SAP S/4HANA that could enable arbitrary SQL execution and full database compromise, and CVE-2026-0509 (CVSS 9.6), a missing authorization check in SAP NetWeaver AS ABAP/ABAP Platform that could allow low-privileged users to perform background RFC actions without required S_RFC authorization (mitigations include a kernel update and profile parameter changes). Separately, Google/Chromium released Chrome/Chromium 144 updates addressing 11 CVEs including high-severity issues in V8 and Blink (notably CVE-2026-1220, a V8 race condition), with no confirmed public reporting of active exploitation for those Chrome bugs at the time of publication; Intel and Google also reported multiple vulnerabilities in Intel TDX 1.5 (including CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572, CVE-2025-32467).

Sources

February 10, 2026 at 06:06 PM

Related Stories

February 2026 Patch Tuesday Security Updates for Microsoft Windows and Adobe Products

Microsoft and Adobe released their **February 2026 Patch Tuesday** security updates, with Microsoft addressing **58 vulnerabilities** and reporting **six actively exploited zero-day flaws** as part of the month’s fixes. Microsoft also continued its rollout of **replacements for expiring Secure Boot certificates** and shipped the Windows 10 **KB5075912** Extended Security Update (ESU) for eligible systems (e.g., Windows 10 Enterprise LTSC and ESU-enrolled devices), updating builds to **19045.6937** (Windows 10) and **19044.6937** (LTSC 2021). In addition to security fixes, KB5075912 includes reliability remediation for an issue where some **Secure Launch-capable** PCs with **VSM** enabled could not shut down or hibernate after January 2026 security updates. Adobe published **nine security bulletins** covering **44 CVEs** across products including *After Effects, Audition, InDesign, Adobe Bridge, Lightroom Classic,* and multiple *Substance 3D* applications, with several issues rated **Critical** and potentially leading to **code execution** (notably in *After Effects* and *Substance 3D Stager*). Adobe stated that, at release time, none of the addressed vulnerabilities were listed as publicly known or under active attack, contrasting with Microsoft’s disclosure of in-the-wild exploitation for multiple zero-days in the same Patch Tuesday cycle.

1 month ago

Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities

Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.

6 days ago

Google Patches Two Actively Exploited Chrome Zero-Days

Google released an urgent **Chrome stable channel** update to address two **high-severity zero-day vulnerabilities** that the company says are being **actively exploited in the wild**. The patched versions are `146.0.7680.75/76` for **Windows and macOS** and `146.0.7680.75` for **Linux**, with rollout occurring over days to weeks. The flaws were reported internally by Google on March 10, and Google said access to additional bug details may remain restricted until most users have updated. The two vulnerabilities are **CVE-2026-3909**, an **out-of-bounds write in Skia**, and **CVE-2026-3910**, an **inappropriate implementation in V8**. Both components are high-value targets because they sit in Chrome’s rendering and JavaScript execution paths, creating opportunities for malicious webpages to trigger memory corruption or unsafe browser behavior that could lead to **arbitrary code execution**. The update is a substantive security release rather than routine product news because Google explicitly confirmed that exploits exist for both issues, making rapid patching a priority for enterprises and end users.

Today
