⚠️ CRITICAL: Anviz CX7 & CX2 Lite firmware vuln (CVE-2026-35546) allows unauthenticated uploads — attackers can execute code & gain reverse shell. All versions affected. No mitigation yet. https://radar.offseq.com/threat/cve-2026-35546-cwe-306-in-anviz-anviz-cx7-firmware-147e04a2 #OffSeq #IoTSecurity #vulnerability

🚩 CRITICAL: CVE-2026-40572 impacts MinecAnton209 NovumOS < 0.24. Syscall 15 flaw allows local privilege escalation by mapping over kernel memory — patch to v0.24+ ASAP! https://radar.offseq.com/threat/cve-2026-40572-cwe-269-improper-privilege-manageme-6ff979fd #OffSeq #CVE202640572 #NovumOS #Infosec

🚨 CVE-2026-40258: CRITICAL path traversal in gramps-web-api (1.6.0-3.11.0). Owner-level users can write files outside intended dirs via crafted ZIPs. Upgrade to 3.11.1+ to mitigate! https://radar.offseq.com/threat/cve-2026-40258-cwe-22-improper-limitation-of-a-pat-00f841f8 #OffSeq #CVE202640258 #PathTraversal #Infosec

This Week in Security: Docker Auth, Windows Tools, and a Very Full Patch Tuesday

CVE-2026-34040 lets attackers bypass some Docker authentication plugins by allowing an empty request body. Present since 2024, this bug was caused by a previous fix to the auth workflow. In the 2024 bug, the authentication system could be tricked into passing a zero-length request to the authentication handler. In the modern vulnerability, the system can be tricked into removing a too-large authentication request and passing a zero-length request to the authentication handler.

In both cases, the authentication system may not properly handle the malformed request and allow creation of docker images with access to stored credentials and secrets.

Bugs like these are increasing in visibility because AI agents running in Docker, like OpenClaw, may be tricked via prompt injection into leveraging the vulnerability.

Windows CPU Tools Compromised

videocardz.com notes that the popular Windows monitoring software Cpu-Z and HWMonitor appear to have been compromised. Reports indicate that the download site was compromised, not the actual packages, but that it was redirecting update requests to packages including malware. While the site has been repaired, unfortunately it looks like there is no warning to users that the downloads were compromised for a period of time.

Anecdotally, there has been a rash of Discord account takeovers in the past week, where long-standing accounts in multiple servers have been compromised and turned into spambots. While there is no evidence these events are linked, clearly a new credential or authentication stealing malware is in play, which involves stealing credentials from Discord.

X.Org and XWayland Updated

The X.Org and XWayland servers saw security updates this week, fixing a handful of vulnerabilities involving uninitialized memory use, use-after-free, and reading beyond the end of a buffer.

The vulnerabilities are generally classified as “moderate”, but of course, don’t leave known vulnerabilities when you can avoid it! Fixed releases should find their way into distributions soon.

OpenSSL 4.0 Released

OpenSSL released version 4.0 this week, adding support for Encrypted Client Hello / ECH / RFC9849 as well as deprecating some older SSL 2.0 behavior.

Encrypted Client Hello is a new enhancement to TLS (nee SSL) client handshake. When a client connects to a TLS server like a website, one of the first packets sent is the Client Hello which contains the TLS version, supported algorithms, and importantly, the server name the client is connecting to. Including the server name in the hello message allows modern multi-homed and cloud-based websites to function, because it indicates which web server and SSL certificate should be used to handle the request, but exposes the hostname the user is connecting to.

With ECH, the hello message is split into multiple messages, with the true hostname encrypted inside the second, inner message. The outer message allows routing the request to a server responsible for decrypting the inner communication and dispatching the request to the proper server. It is possible, for instance, for an ISP to see that a user has connected to a website on the Cloudflare infrastructure, but not which website hosted on Cloudflare.

For individual sites, the value of ECH is debatable – without a central server to dispatch to the specific hosts, the outer hostname is still readable – but for sites hosted behind load balancers, there is additional protection for users against identification of browsing habits. Although it brings extra complexity, adding new standards like ECH at least moves the needle towards better user privacy and protection by default.

Rockstar games breached (again)

Rockstar Games (of Grand Theft Auto and Red Dead Redemption fame) has been breached by a ransomware/extortion group. If this sounds familiar, in 2022 the company was breached and early GTA 6 gameplay was stolen.

This go around, the breach was actually of the data warehousing company Snowflake, via another service, Anodot. Used for cloud monitoring and analytics, Bleeping Computer reports that an Anodot breach was used to access Snowflake data, which is now used to extort Rockstar.

Rockstar says the data stolen does not impact players or the functioning of the company, and they will not be paying the ransom.

Linux Kernel Certificate OOB

Linux Kernel 7.0 releases this week, and includes a fix to out-of-bounds memory access in certificate handling. The fix is also being back-ported to stable and LTS kernel versions (Linux 6.4, 6.6 LTS, 6.12 LTS, 6.18 LTS, and 6.19) so be on the lookout for updates!

The out-of-bounds bug lies in the kernel keyring API; any user on the system can submit an invalid certificate to the kernel keyring. In this specific case the impact seems limited to a kernel crash instead of arbitrary privilege escalation.

NIST no Longer Enriching CVE

The NIST organization is no longer enriching CVE entries in the National Vulnerability Database, except for those in the Known Exploited Vulnerabilities catalog, used in federal government, or those in designated critical software. Previously, the NIST NVD provided additional information and severity rankings for reported vulnerabilities. Citing a lack of funding and an overwhelming number of reported vulnerabilities, they will no longer provide updated severity scores or details.

It’s understandable, but a net loss to the security community, and the Internet at large, when we lose analysis and commentary on risks. CVE details and risks are often self-assigned by the vendor, which can lead in some cases to a culture of “malicious compliance” where the released information is technically correct and complete, but contains little or no actual detail and assumes the least impactful interpretations. Third-party evaluation and classification by organizations like NIST offered additional context and analysis to identify the truly critical reports.

Patch Tuesday, Everybody Panic!

OK – don’t actually panic, but if you’re a Microsoft user, you already know. This month’s Patch Tuesday — the scheduled day for Microsoft updates, for anyone lucky enough not to have to observe — includes over 160 security updates. This makes it the second largest Patch Tuesday ever. It includes a fix to the publicly available Bluehammer exploit for bypassing Windows Defender, and over 60 patches for browser vulnerabilities.

Additionally, Chrome published fixes for 20 vulnerabilities, and Adobe published fixes for Reader, with evidence on both that the bugs are already being publicly exploited.

This is your monthly reminder to stay on top of security updates whenever they are available, on whatever platform you use. Unknown zero-day exploits might get all the attention, but outdated software with known, patched bugs can be the biggest vector for exploits and malware. Once a bug is known and patched, there is no reason to save the exploit for targeted attacks; the days and weeks after a bug is publicly fixed can be a wave of automated exploits, and many of the largest attacks use vulnerabilities fixed weeks or months prior.

Botconf Talks Streaming

Finally, a quick aside for anyone interested in pursing more related content, the Botconf EU conference about fighting botnets and malware is streaming the conference content; by the time this post goes live the conference is likely to be concluded, but the talk streams are accessible!

hackaday.com/2026/04/17/this-w…