Windows update
-
CVE-2025-1149 GNU Binutils ld xmalloc.c xstrdup memory leak
Information published. -
CVE-2026-35414 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Information published. -
CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4
Information published. -
CVE-2026-42506 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
Information published. -
CVE-2026-42502 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
Information published. -
CVE-2026-27136 Invoking duplicate attributes can cause XSS in golang.org/x/net/html
Information published. -
CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Information published. -
CVE-2026-39827 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
Information published. -
CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
Information published. -
CVE-2026-39828 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
Information published. -
CVE-2026-46598 Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
Information published. -
CVE-2026-9150 Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha384/sha512 checksums
Information published. -
CVE-2026-9149 Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file
Information published. -
CVE-2026-43964 Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
Information published. -
CVE-2026-25680 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
Information published. -
CVE-2024-7598 Network restriction bypass via race condition during namespace termination
Information published. -
CVE-2025-29923 go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
Information published. -
CVE-2026-25541 Bytes is vulnerable to integer overflow in BytesMut::reserve
Information published. -
CVE-2025-60876 BusyBox wget through 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).
Information published. -
CVE-2020-8561 Webhook redirect in kube-apiserver
Information published. -
CVE-2021-25740 Holes in EndpointSlice Validation Enable Host Network Hijack
Information published. -
CVE-2025-61729 Excessive resource consumption when printing error string for host certificate validation in crypto/x509
Information published. -
CVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
Information published. -
CVE-2025-5791 Users: `root` appended to group listings
Information published. -
CVE-2025-9403 jqlang jq JSON jq_test.c run_jq_tests assertion
Information published. -
CVE-2025-58160 Tracing logging user input may result in poisoning logs with ANSI escape sequences
Information published. -
CVE-2025-58188 Panic when validating certificates with DSA public keys in crypto/x509
Information published. -
CVE-2025-58183 Unbounded allocation when parsing GNU sparse map in archive/tar
Information published. -
CVE-2025-61725 Excessive CPU consumption in ParseAddress in net/mail
Information published. -
CVE-2025-58186 Lack of limit when parsing cookies can cause memory exhaustion in net/http
Information published. -
CVE-2025-61724 Excessive CPU consumption in Reader.ReadResponse in net/textproto
Information published. -
CVE-2025-46327 Go Snowflake Driver has race condition when checking access to Easy Logging configuration file
Information published. -
CVE-2024-58251 In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
Information published. -
CVE-2025-46394 In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Information published. -
CVE-2025-3198 GNU Binutils objdump bucomm.c display_info memory leak
Information published. -
CVE-2013-1633 easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
Information published. -
CVE-2024-58266 The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection.
Information published. -
CVE-2023-27043 The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
Information published. -
CVE-2025-1176 GNU Binutils ld elflink.c _bfd_elf_gc_mark_rsec heap-based overflow
Information published. -
CVE-2025-1178 GNU Binutils ld libbfd.c bfd_putl64 memory corruption
Information published. -
CVE-2025-1151 GNU Binutils ld xmemdup.c xmemdup memory leak
Information published. -
CVE-2025-1150 GNU Binutils ld libbfd.c bfd_malloc memory leak
Information published. -
CVE-2025-1180 GNU Binutils ld elf-eh-frame.c _bfd_elf_write_section_eh_frame memory corruption
Information published. -
CVE-2025-1152 GNU Binutils ld xstrdup.c xstrdup memory leak
Information published. -
CVE-2026-29181 OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
Information published. -
CVE-2026-27144 Miscompilation allows memory corruption via CONVNOP-wrapped array copy in cmd/compile
Information published. -
CVE-2026-32282 TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix
Information published. -
CVE-2026-40226 In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
Information published. -
CVE-2026-5928 Static buffer overflow in deprecated nis_local_principal
Information published. -
CVE-2026-6357 pip self-update functionality can import newly installed modules after wheel installation
Information published.
