Weekly Threat Landscape Digest – Week 22

1. CVE-2026-46062 ntfs3: fix integer overflow in run_unpack() volume boundary check

Overview

• Addresses an integer overflow vulnerability in the ntfs3 driver’s run_unpack() function related to volume boundary checks.

Impact

• Successful exploitation could lead to memory corruption, potentially allowing privilege escalation or arbitrary code execution.

Recommendations

• Apply available security updates from Microsoft to mitigate the vulnerability.

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46062

2. Critical Samba Vulnerability Enables Remote Code Execution Attacks

Overview

• CVE-2026-4480 affects the Samba printing subsystem by allowing unauthenticated attackers to execute arbitrary commands remotely.
• The vulnerability is triggered when Samba’s “print command” uses the %J substitution parameter without proper sanitization, enabling command injection.
• Exploitation involves submitting crafted print jobs that include shell meta characters in the %J variable.

Impact

• Maximum CVSS v3.1 score of 10.0, indicating critical severity.
• Attackers can gain full system control, leading to data breaches, lateral movement, and potential ransomware deployment.
• The flaw affects Linux and Unix environments running vulnerable Samba versions with certain print configurations.

Affected / Fixed Versions

• Vulnerable configurations use “print command” with unsanitized %J parameter.
• Systems using “printing = cups” or “printing = iprint” are not vulnerable.
• Fixed in Samba versions 4.22.10, 4.23.8, and 4.24.3.

Recommendations

• Immediately apply official patches from the Samba security page.
• As a temporary mitigation, enclose %J in single quotes (‘%J’) to reduce injection risk.
• Remove the %J parameter from the print command configuration if patching is delayed.
• Audit Samba configurations for risky print commands and restrict guest printing access.
• Monitor print job activity for suspicious behavior indicative of exploitation.

Reference: https://cybersecuritynews.com/samba-rce-vulnerability/

3. Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones

Overview

• Google released a Chrome Stable update addressing 151 security flaws across Windows, macOS, and Linux.
• The update includes 22 critical vulnerabilities affecting graphics, networking, media, UI components, and core browser infrastructure.
• Key issues include out-of-bounds writes, use-after-free, integer overflows, and insufficient validation of untrusted input.
• Notable CVEs: CVE-2026-9872 (GPU, out-of-bounds write), CVE-2026-9873 (Network, use-after-free), CVE-2026-9874 (Dawn, use-after-free), CVE-2026-9875 (WebGL, out-of-bounds read).
• Many vulnerabilities were found using Google’s internal fuzzers, sanitizers, and control-flow integrity techniques.

Impact

• Exploitation may enable sandbox escapes, remote code execution, and data corruption via malicious web content.
• Critical flaws primarily target browser graphics and rendering stacks such as ANGLE, Skia, WebGL, Dawn, XR, and Bluetooth.
• Additional high-severity vulnerabilities affect DOM, Accessibility, Site Isolation, WebCodecs, PDF, WebRTC, Passwords, Media, USB, and more.

Affected / Fixed Versions

• Chrome Stable updated to version 148.0.7778.216/217 on Windows, 148.0.7778.215/216 on macOS, and 148.0.7778.215 on Linux.

Recommendations

• Immediately upgrade Chrome to the latest stable version once available.
• Enterprises requiring earlier updates may switch to faster release channels.
• Monitor Chromium source logs for detailed fixes as they are gradually disclosed.

Reference: https://cybersecuritynews.com/151-chrome-vulnerabilities-patched/

4. Hackers exploit FortiClient EMS flaw to push infostealer malware

Overview

• Attackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS).
• The vulnerability allows unauthorized access to the EMS platform.
• Exploitation is used to deliver EKZ, an undocumented credential stealer malware.

Impact

• Unauthorized access to EMS enables attackers to deploy infostealer malware, risking credential theft and potential further compromise of managed endpoints.

Affected / Fixed Versions

• Affected: FortiClient EMS versions prior to patched update (specific versions not disclosed).
• Users are advised to apply vendor patches promptly once available.

Recommendations

• Apply Fortinet patches for CVE-2026-35616 as soon as released.
• Monitor EMS logs for suspicious authentication activity.
• Conduct endpoint scans for potential EKZ malware infections.

Reference: https://www.bleepingcomputer.com/news/security/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/

5. Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

Overview

• A critical security vulnerability in Gogs, an open-source self-hosted Git service, enables any authenticated user to perform remote code execution (RCE).
• The flaw is rated 9.4 on the CVSS scoring system by Rapid7.

Impact

• Remote code execution by any authenticated user under certain conditions, potentially compromising the affected system.

Recommendations

• Gogs users should monitor official updates and apply patches or mitigations once available to prevent exploitation.

Reference: https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html

6. New Gogs zero-day flaw lets hackers get remote code execution

Overview

• An unpatched zero-day vulnerability has been discovered in the Gogs self-hosted Git service.
• The flaw allows remote attackers to gain remote code execution (RCE) on publicly exposed Gogs instances.

Impact

• Successful exploitation enables attackers to execute arbitrary code remotely, potentially leading to full system compromise.

Recommendations

• Immediately restrict Internet-facing access to Gogs instances until a patch is released.
• Monitor affected systems for suspicious activity.
• Apply vendor-provided patches or mitigations as soon as they become available.

Reference: https://www.bleepingcomputer.com/news/security/new-gogs-zero-day-flaw-lets-hackers-get-remote-code-execution/

7. Zapier fixes bug chain that researchers say risked widespread account takeover

Overview

• Researchers at Token Security identified a chain of five vulnerabilities in Zapier’s automation platform that could have allowed attackers to take over millions of user accounts.
• The attack chain started from a flaw in user-written automation code and escalated to access sensitive internal resources, including private software images and a publishing key used in users’ browsers.
• Exploiting this chain would enable attackers to execute actions within Zapier as legitimate users, affecting connected third-party services without exposing their passwords or tokens externally.

Impact

• Potential widespread account takeover on a platform with millions of users and over 8,000 third-party integrations.
• Attackers could create or modify automations to send emails, move files, pull customer data, or post messages appearing as the user.
• Risks include amplified supply-chain attacks by abusing trusted connections.

Affected / Fixed Versions

• Vulnerabilities were reported in February 2026 and fully remediated by Zapier within three weeks.
• No evidence found of exploitation prior to the patch.

Recommendations

• Review automation logs for unauthorized activities.
• Reauthorize Zapier connections to sensitive systems as a precaution.
• Monitor similar automation platforms for analogous vulnerability chains.

Reference: https://cyberscoop.com/zapier-bug-chain-account-takeover-patched/