PatchDay Alert
APR 29, 2026
Daily Digest By Colten Anderson

Chrome sandbox escape chain, a WattBox sticker-to-root bug, and a dead Apache project

Two Chrome use-after-free bugs (CVE-2026-7343 and CVE-2026-7341, both CVSS 9.8) chain renderer compromise to full sandbox escape on Windows. Snap One WattBox 800/820 PDUs authenticate hidden diagnostics endpoints with the MAC address and service tag printed on the device label. Apache Pony Mail (Lua) has a CVSS 9.8 admin account takeover via HTTP request smuggling, with no fix coming because the project is retired.

Patch now: 2 · Within 24h: 2 · This week: 1 · Exploited: 0
Tags: Chrome, Microsoft, Browser, Windows, Apache Pony Mail, Web App, WattBox, Network Appliance, Linux Kernel, Linux

Five CVSS 9.8s dropped today. None is known to be exploited in the wild yet, but don't let that make you comfortable. The headliner is a Chrome sandbox escape (CVE-2026-7343) that chains with the WebRTC renderer bug (CVE-2026-7341) to give attackers a full breakout path: the renderer bug gets code running inside the sandbox, the escape gets it out. Sandbox escapes get weaponized fast, so push Chrome updates to your fleet now.


Today's CVEs

Sorted by urgency
02 · CVE-2026-7341
CVSS 9.8 (Critical, NVD) · Tags: Chrome, Browser

A use-after-free in Chrome's WebRTC stack lets an attacker run arbitrary code inside the browser sandbox by getting a user to visit a malicious page. The sandbox limits the blast radius, but this still gives an attacker a foothold, and it pairs nicely with CVE-2026-7343 above for a full escape. CVSS 9.8, no known exploitation yet.

Affected estate: Endpoints running Google Chrome below 147.0.7727.138, on any OS. Other Chromium-based browsers (Edge, Brave and the like) carry the same WebRTC code but on their own version numbers and release schedules, so check each vendor's advisory rather than this build number.
How to check: Query endpoint or browser management for Chrome builds below 147.0.7727.138; on a single host, chrome://version shows the running build. Compare the four version components numerically, not as strings ("147.0.7727.99" sorts after "147.0.7727.138" as text).
Action: Update Chrome to 147.0.7727.138 or later and make sure users relaunch, since an installed update does nothing until the browser restarts. Prioritize this alongside CVE-2026-7343; the two bugs chain together for a sandbox escape.
Urgency: Patch within 24 hours
Source: NVD
03 · CVE-2026-41873
CVSS 9.8 (Critical, NVD) · Tags: Apache Pony Mail, Web App

The Lua version of Apache Pony Mail has an HTTP request smuggling bug that lets an attacker take over admin accounts. Here's the catch: the project is retired and no fix is coming. The replacement, Pony Mail Foal (written in Python), isn't affected but also isn't officially released yet. CVSS 9.8.

Affected estate: Anyone still running the Lua-based Apache Pony Mail, on any version; there is no fixed release to compare against.
How to check: There is no version number to look for, so inventory the hosts serving a Lua Pony Mail instance (typically behind a reverse proxy) and who can reach them.
Action: Take your Pony Mail instance offline or restrict it to trusted users immediately, with a network ACL or an allow-list at the reverse proxy. Migrate to the Python-based Pony Mail Foal or a different mailing list archive tool. No patch will be released for this.
Urgency: Patch immediately (no patch exists; mitigate or retire now)
Source: NVD
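Since no patch will come, the practical control is whatever sits in front of the instance. The check below is an added example, not Pony Mail code and not derived from the CVE details (the digest does not say which smuggling vector CVE-2026-41873 uses). It is the request-framing validation a reverse proxy in front of an unpatchable app should enforce: reject any request whose body length is ambiguous, because every HTTP request smuggling attack relies on the front end and the back end disagreeing about where one request ends and the next begins. The sample requests are constructed; lists.example is a placeholder host.

```python
"""
Request-framing check for a reverse proxy in front of an unpatchable web app.

Added example, not code from Pony Mail or the digest. Rejects requests whose
body length is ambiguous (the precondition for request smuggling).
The sample requests at the bottom are constructed for this example.
"""
import re

# RFC 9110 token characters. A header name containing a space or tab
# ("Transfer-Encoding : chunked") is a classic smuggling trick: some parsers
# see the header, others do not. Rejecting non-token names closes that gap.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def split_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]) for a raw HTTP/1.x request.
    Raises ValueError on a line that is not 'name: value' or whose name is
    not a token (this also catches obsolete line folding, which starts with
    whitespace and has no valid name)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"header line without colon: {line!r}")
        name = name.decode("latin-1")
        if not _TOKEN.match(name):
            raise ValueError(f"malformed header name {name!r}")
        headers.append((name.lower(), value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers


def framing_problem(raw: bytes):
    """None if the body length of this request is unambiguous, otherwise a
    short reason a proxy should answer 400 and close the connection."""
    try:
        _, headers = split_headers(raw)
    except ValueError as exc:
        return str(exc)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        return "both Content-Length and Transfer-Encoding present (CL.TE / TE.CL)"
    if len(set(cls)) > 1:
        return f"conflicting Content-Length values {cls}"
    if cls and not cls[0].isdigit():
        return f"non-numeric Content-Length {cls[0]!r}"
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if codings[-1] != "chunked":
            return "Transfer-Encoding present but chunked is not the final coding"
        if codings.count("chunked") > 1:
            return "chunked applied more than once"
    return None


def audit(samples: dict) -> dict:
    """Map each sample name to its framing problem (None when clean)."""
    return {name: framing_problem(raw) for name, raw in samples.items()}


# Constructed sample requests; the host and path are placeholders.
SAMPLES = {
    "clean": (b"POST / HTTP/1.1\r\nHost: lists.example\r\n"
              b"Content-Length: 11\r\n\r\nhello=world"),
    "cl_te": (b"POST / HTTP/1.1\r\nHost: lists.example\r\n"
              b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"),
    "dup_cl": (b"POST / HTTP/1.1\r\nHost: lists.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello"),
    "te_space": (b"POST / HTTP/1.1\r\nHost: lists.example\r\n"
                 b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
    "te_obfuscated": (b"POST / HTTP/1.1\r\nHost: lists.example\r\n"
                      b"Transfer-Encoding: chunked, identity\r\n\r\n0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, problem in audit(SAMPLES).items():
        print(f"{name:14s} -> {problem or 'ok'}")
```

Run it directly to see each sample's verdict. In production the equivalent lives in the proxy's configuration rather than in Python; the design point carries over unchanged: reject, rather than silently normalize, any request that combines Content-Length with Transfer-Encoding, repeats Content-Length with different values, or hides the Transfer-Encoding header behind malformed syntax, and close the connection afterwards so that no leftover bytes are parsed as the start of the next request.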
04 · CVE-2026-41446
CVSS 9.8 (Critical, NVD) · Tags: WattBox, Network Appliance

Snap One WattBox 800 and 820 series power distribution units have hidden diagnostic HTTP endpoints that "authenticate" using only the device's MAC address and service tag. Both values are printed on the physical label, so anyone who can read the sticker, a photo of it, or an asset list that recorded those values gets root command execution on the device. CVSS 9.8.

Affected estate: Facilities teams, AV integrators, and MSPs managing Snap One WattBox 800 or 820 series units with firmware below 2.10.0.0
How to check: Compare each unit's firmware version against 2.10.0.0 in your management console or the unit's own web UI. Then list every place MAC addresses and service tags have been recorded (asset spreadsheets, integrator tickets, rack photos): each of those is now a credential store.
Action: Update WattBox firmware to 2.10.0.0 or later. Until then, keep the units off untrusted networks (a management VLAN with no internet exposure) and treat label information as compromised credentials. Note that the MAC address half of the "credential" is visible to every host on the same layer-2 segment anyway, so network isolation matters more than hiding the sticker.
Urgency: Patch immediately
Source: NVD
05 · CVE-2026-31669
CVSS 9.8 (Critical, MSRC) · EPSS 0.07% · Tags: Linux Kernel, Linux

A use-after-free in the Linux kernel's MPTCP connection lookup code can be triggered over the network. The CVSS is 9.8, but the EPSS score is very low (0.00068, 21st percentile); EPSS estimates the probability of exploitation within the next 30 days, so this one reads as "unlikely for now". Still, a remotely triggerable kernel memory corruption bug deserves attention this week, not next quarter.

Affected estate: Teams running Azure Linux 3.0 (kernel 6.6.130.1-3) or CBL Mariner 2.0 (kernel 5.15.202.1-1), and anyone running upstream Linux kernels with MPTCP enabled
How to check: uname -r gives the running kernel; compare it against the build your distro's advisory names as fixed. To see whether MPTCP is in play at all, read /proc/sys/net/mptcp/enabled: 1 means enabled, 0 disabled, and a missing file means the kernel was built without CONFIG_MPTCP and does not carry this code.
Action: Apply the updated kernel package for your distro and reboot; the fixed kernel is not running until you do. If you don't use MPTCP, sysctl -w net.mptcp.enabled=0 removes the exposure immediately, and a drop-in file under /etc/sysctl.d keeps it off across reboots. The setting is per network namespace and defaults to on, so containers or pods with their own network namespace need it applied separately.
Urgency: Patch this week
Source: MSRC
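A version comparison for the "How to check" steps of the Chrome, WattBox and kernel entries above, as an added example (not the digest's or any vendor's code). It compares installed version strings component by component against the fixed builds quoted in this digest, which avoids the string-comparison trap where "147.0.7727.99" sorts after "147.0.7727.138". Assumptions: the host names and installed versions in SAMPLE_INVENTORY are constructed; the kernel builds 6.6.130.1-3 and 5.15.202.1-1 are taken as the fixed package versions (the digest names them without saying whether they are the affected or the fixed builds, so confirm against the MSRC advisory); a distro suffix such as ".azl3" on uname -r output is ignored for ordering.

```python
"""
Version triage for today's advisories.

Added example (not from PatchDay Alert or any vendor). Fixed versions come
from the digest; host names and installed versions below are constructed.
"""
import re

# Fixed versions as quoted in the digest. ASSUMPTION: the kernel builds the
# digest names for Azure Linux 3.0 and CBL Mariner 2.0 are the fixed package
# versions; confirm against the MSRC advisory before relying on this.
FIXED = {
    "chrome": "147.0.7727.138",
    "wattbox": "2.10.0.0",
    "kernel-azl3": "6.6.130.1-3",
    "kernel-mariner2": "5.15.202.1-1",
}


def parse_version(v: str) -> tuple:
    """Turn '147.0.7727.138', '2.10.0.0' or '6.6.130.1-3.azl3' into a tuple
    of ints. Components are split on '.' and '-'; parsing stops at the first
    non-numeric component, so a distro suffix like 'azl3' is ignored
    (assumption: the numeric prefix alone decides ordering)."""
    parts = []
    for piece in re.split(r"[.-]", v.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def is_older(installed: str, fixed: str) -> bool:
    """True when installed < fixed, comparing numerically per component and
    padding the shorter tuple with zeros so '2.10' equals '2.10.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def needs_patch(product: str, installed: str) -> bool:
    return is_older(installed, FIXED[product])


def triage(inventory):
    """inventory: iterable of (host, product, installed_version).
    Returns the entries that still need the fix, in inventory order."""
    return [(host, product, ver) for host, product, ver in inventory
            if needs_patch(product, ver)]


# Constructed sample inventory (hosts and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "147.0.7727.99"),
    ("ws-02", "chrome", "147.0.7727.138"),
    ("ws-03", "chrome", "146.0.7650.240"),
    ("pdu-rack7", "wattbox", "2.9.4.1"),
    ("pdu-rack8", "wattbox", "2.10.0.0"),
    ("vm-azl-1", "kernel-azl3", "6.6.130.1-2.azl3"),
    ("vm-azl-2", "kernel-azl3", "6.6.130.1-3.azl3"),
    ("vm-mariner-1", "kernel-mariner2", "5.15.202.1-1.cm2"),
]

if __name__ == "__main__":
    for host, product, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} < {FIXED[product]} -> needs patch")
    # The trap this block exists to avoid: plain string comparison says the
    # older build is "newer".
    print("string compare says 99 < 138:", "147.0.7727.99" < "147.0.7727.138")
```

Feed it whatever your inventory export produces (browser-management CSV, PDU controller export, uname -r collected by your configuration tool); only the version column matters. The zero-padding in is_older also means a short version such as "2.10" from a UI that truncates trailing zeros compares correctly against "2.10.0.0".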