Linux ksmbd RCE at 9.8, Azure Cloud Shell injection at 9.6, and a Thrift TLS bypass
Two critical, no-auth bugs top the list: a use-after-free in Linux's in-kernel SMB server (CVE-2026-31718, CVSS 9.8) and command injection in Azure Cloud Shell (CVE-2026-35428, CVSS 9.6). Also covers a hostname verification skip in Apache Thrift's Java TLS transport and an info leak in Edge Copilot Chat.
Two criticals landed this morning, neither exploited in the wild yet, but both ugly enough to move on now. CVE-2026-31718 is a use-after-free in ksmbd, the in-kernel Linux SMB server, with a CVSS 9.8 and no auth required. Right behind it, CVE-2026-35428 is a command injection bug in Azure Cloud Shell at CVSS 9.6. Three more round out the list, all 7.x, all worth a look before the weekend.
Today's CVEs
Sorted by urgency

CVE-2026-8083
An attacker can remotely inject SQL through the user-save endpoint in SourceCodester Pharmacy Sales and Inventory System 1.0. No authentication appears to be required, and a public exploit already exists. If you're running this app, anyone on the network can read or modify your database.
- Included because: unauthenticated; remotely exploitable; public exploit available; SQL injection
- Affected estate: SourceCodester Pharmacy Sales and Inventory System 1.0, specifically the /ajax.php?action=save_user endpoint.
- How to check: Check for the presence of /ajax.php on your web server. If the app is deployed, you're exposed.
- Action: Block external access to the application or take it offline. Apply a vendor patch if one becomes available.
- Urgency: Patch immediately
- Why it matters: Public exploit code means any attacker can dump or modify your pharmacy database right now.
- Source: NVD
- Evidence trail: NVD
CVE-2026-31718
A use-after-free bug in ksmbd (the in-kernel SMB server on Linux) lets a remote attacker potentially execute code or crash the system by triggering a race condition through durable file handle scavenging. CVSS 9.8 makes this critical. If you expose ksmbd to the network, an attacker may not need credentials to trigger it.
- Included because: unauthenticated; network-facing kernel module; CVSS 9.8; remote code execution risk
- Affected estate: Azure Linux 3.0 systems running kernel 6.6.137.1-2 with ksmbd enabled. Any other Linux kernel build shipping the affected ksmbd code may also be vulnerable.
- How to check: Run `uname -r` to confirm the kernel version and `lsmod | grep ksmbd` to see whether ksmbd is loaded.
- Action: Update the kernel package via your package manager (tdnf or equivalent) and reboot.
- Urgency: Patch within 24 hours
- Why it matters: A CVSS 9.8 use-after-free in a network-facing kernel module can mean remote code execution with kernel privileges.
- Source: Azure Linux advisory
- Evidence trail: NVD
CVE-2026-35428
A command injection bug in Azure Cloud Shell lets an unauthenticated attacker spoof actions over the network. CVSS 9.6 puts this near the top of the severity scale. Microsoft hasn't published deep technical details yet, but the combination of command injection and no auth requirement makes this one to act on fast.
- Included because: unauthenticated; internet-facing; CVSS 9.6; command injection; cloud management surface
- Affected estate: Azure Cloud Shell instances across Azure tenants.
- How to check: Confirm whether your tenant has Azure Cloud Shell enabled in the Azure Portal under Cloud Shell settings.
- Action: Apply any Microsoft-released mitigation. If Cloud Shell is not business-critical, consider disabling it via Azure Policy until a fix is confirmed.
- Urgency: Patch immediately
- Why it matters: Unauthenticated command injection at CVSS 9.6 in a cloud management tool could let an attacker spoof actions in your Azure environment.
- Source: Microsoft Security Response Center
- Evidence trail: NVD
CVE-2026-43869
Apache Thrift's TSSLTransportFactory in Java doesn't properly verify hostnames during TLS connections. An attacker in a network position to intercept traffic (think man-in-the-middle) could impersonate a Thrift service endpoint without triggering a certificate error. This only matters if your Java services use Thrift's built-in TLS transport.
- Included because: common library; TLS bypass; man-in-the-middle risk; CVSS 7.3
- Affected estate: Java applications using Apache Thrift TSSLTransportFactory for TLS. Azure Linux 3.0 with thrift 0.15.0-5.
- How to check: Check your Thrift package version: `tdnf list installed | grep thrift` on Azure Linux, or check your Maven/Gradle dependency for the libthrift version.
- Action: Update the thrift package to the patched version via your package manager or dependency file.
- Urgency: Patch this week
- Why it matters: Without hostname verification, a man-in-the-middle attacker can impersonate your Thrift service endpoints despite TLS being enabled.
- Source: Apache Thrift advisory
- Evidence trail: NVD
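The advisory's fix is to update the package. As an added example (not code from this page or from the Thrift project), the Java client below enforces hostname verification itself on the JDK socket that TSSLTransportFactory hands back, so a certificate issued for a different host fails the handshake regardless of what the library checks. It assumes the TLS handshake has not yet run when getClientSocket returns, and the truststore path, password, host and port are placeholders supplied by the caller.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransportException;

public final class VerifiedThriftClient {
    private VerifiedThriftClient() {}

    // Returns a Thrift client transport whose TLS handshake fails unless the
    // server certificate's SAN/CN matches `host` (RFC 6125 matching done by
    // the JDK). Truststore values are placeholders the caller fills in.
    public static TSocket open(String host, int port, int timeoutMillis,
                               String trustStorePath, String trustStorePassword)
            throws TTransportException {
        TSSLTransportFactory.TSSLTransportParameters params =
                new TSSLTransportFactory.TSSLTransportParameters();
        params.setTrustStore(trustStorePath, trustStorePassword);

        // The factory connects the socket here; assumption: the handshake is
        // still pending, so parameters set below apply to it.
        TSocket transport =
                TSSLTransportFactory.getClientSocket(host, port, timeoutMillis, params);

        if (!(transport.getSocket() instanceof SSLSocket)) {
            transport.close();
            throw new TTransportException("expected an SSLSocket from TSSLTransportFactory");
        }
        SSLSocket ssl = (SSLSocket) transport.getSocket();

        // Without an endpoint identification algorithm the JDK only checks
        // that the chain is trusted, not that the name matches: the gap the
        // advisory describes. "HTTPS" selects RFC 6125 hostname matching.
        SSLParameters sslParams = ssl.getSSLParameters();
        sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(sslParams);
        return transport;
    }
}
```

The first read or write on the returned transport triggers the handshake; a mismatched certificate then surfaces as an SSLHandshakeException wrapped in a TTransportException rather than as a silently accepted connection.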
CVE-2026-33111
A command injection flaw in Copilot Chat within Microsoft Edge lets an unauthenticated attacker leak information over the network. CVSS 7.5 with an information disclosure impact. If your users rely on Edge's Copilot Chat, an attacker could potentially extract sensitive data from chat sessions or the browser context.
- Included because: unauthenticated; network exploitable; common browser; information disclosure; CVSS 7.5
- Affected estate: Microsoft Edge installations with the Copilot Chat feature enabled.
- How to check: Check the Edge version via edge://settings/help or query installed software versions through your endpoint management tool (Intune, SCCM, etc.).
- Action: Push the latest Edge update to all managed endpoints. Optionally disable Copilot Chat via the CopilotChatEnabled group policy until the update is confirmed.
- Urgency: Patch this week
- Why it matters: An unauthenticated attacker could use this to extract information from user browser sessions via Copilot Chat.
- Source: Microsoft Security Response Center
- Evidence trail: NVD