Apache Thrift 9.4 RCE headlines a quiet five-patch day
A critical unauthenticated bug in Thrift's Node.js server, a Linux kernel USB gadget privesc, curl SMB connection reuse, a Go panic-crash on Windows, and an FRRouting BGP daemon crasher. Nothing exploited in the wild yet.
Nothing's on fire, but one of these deserves your attention fast. CVE-2026-43870 is a CVSS 9.4 in Apache Thrift's Node.js server component: remote, unauthenticated, no interaction required. If you expose that anywhere, bump it to the front of your queue. The rest are solid 7.5-7.8 fixes across the Linux kernel, curl, Go on Windows, and FRRouting. No active exploitation on any of them right now.
Today's CVEs
Sorted by urgency
CVE-2026-31721
MSRC
A race condition in the Linux kernel's USB gadget HID function driver lets a local attacker trigger use-after-free memory corruption. Because the list and spinlock weren't initialized early enough, an attacker with local access could escalate privileges or crash the system. Exploitation requires local access to a system using USB gadget mode, which limits the blast radius.
- Included because: local access required; USB gadget config needed; limited exposure surface
- Affected estate: Azure Linux 3.0 systems running kernel 6.6.134.1-2 with USB gadget (f_hid) functionality enabled.
- How to check: Run `uname -r` and check for 6.6.134.1-2. Confirm USB gadget modules are loaded with `lsmod | grep g_hid`.
- Action: Update the kernel package via `tdnf update kernel` and reboot.
- Urgency: Patch this week
- Why it matters: Local privilege escalation or kernel panic on affected systems running USB gadget mode.
- Source: Azure Linux advisory
Evidence trail
- NVD
CVE-2026-43870
MSRC
Apache Thrift's Node.js web_server.js has multiple vulnerabilities that let a remote, unauthenticated attacker compromise the service. With a CVSS of 9.4, this is near the top of the scale. If you expose Thrift's Node.js server component to the network, treat this as urgent.
- Included because: unauthenticated; network-facing; critical CVSS 9.4; multiple platforms affected
- Affected estate: Azure Linux 3.0 with thrift 0.15.0-5 and CBL Mariner 2.0 with ceph 16.2.10-11 (which bundles Thrift).
- How to check: Run `tdnf list installed thrift` or `tdnf list installed ceph` and compare to the affected versions.
- Action: Run `tdnf update thrift` on azl3 and `tdnf update ceph` on cbl2. Restart any services that depend on Thrift's Node.js server.
- Urgency: Patch within 24 hours
- Why it matters: A CVSS 9.4 unauthenticated remote attack vector against a network service is a fast path to compromise.
- Source: Azure Linux advisory
Evidence trail
- NVD
CVE-2026-5773
MSRC
A bug in curl causes it to incorrectly reuse an existing SMB connection for a different target. An attacker could exploit this to redirect SMB traffic or leak credentials to the wrong server. This matters most if your environment uses curl for SMB operations, which is uncommon but not unheard of in scripted workflows.
- Included because: network-facing; credential exposure risk; common utility
- Affected estate: Azure Linux 3.0 systems with curl 8.11.1-6 installed.
- How to check: Run `curl --version` or `tdnf list installed curl` and confirm version 8.11.1-6.
- Action: Run `tdnf update curl` and verify the new version.
- Urgency: Patch this week
- Why it matters: Credential leakage or misdirected SMB traffic if curl's SMB protocol support is in use.
- Source: Azure Linux advisory
Evidence trail
- NVD
CVE-2026-39836
MSRC
Go's `net` package panics when it encounters a NUL byte in Dial or LookupPort calls on Windows. An attacker who can feed crafted input to a Go application's network dialing code can crash the process. This primarily affects Go applications running on Windows, but the Azure Linux packages include the Go toolchain and Go-built dependencies like TensorFlow/TensorBoard.
- Included because: denial of service; common runtime; multiple packages affected; attacker-controlled input path
- Affected estate: Azure Linux 3.0 with golang 1.25.9-1 or 1.26.2-1, gcc 13.2.0-7, python-tensorboard 2.16.2-6, or tensorflow 2.16.1-11.
- How to check: Run `go version` and `tdnf list installed golang gcc python-tensorboard tensorflow` to confirm affected versions.
- Action: Run `tdnf update golang gcc python-tensorboard tensorflow`. Rebuild any locally compiled Go binaries with the updated toolchain.
- Urgency: Patch this week
- Why it matters: A crash in any Go service that accepts external input for network dialing can cause denial of service.
- Source: Azure Linux advisory
Evidence trail
- NVD
CVE-2026-37459
MSRC
An integer underflow in FRRouting lets a remote attacker crash the BGP daemon by sending a crafted BGP UPDATE message. If your routers peer with untrusted or semi-trusted BGP neighbors, an attacker can take down your routing plane. This affects FRR stable/10.0 through stable/10.6.
- Included because: remotely exploitable; no authentication needed; network infrastructure; denial of service against routing plane
- Affected estate: Azure Linux 3.0 systems running frr 10.5.0-3 with BGP enabled.
- How to check: Run `vtysh -c 'show version'` or `tdnf list installed frr` to confirm version 10.5.0-3.
- Action: Run `tdnf update frr`, then restart the FRR service with `systemctl restart frr`. Validate BGP sessions come back up cleanly.
- Urgency: Patch within 24 hours
- Why it matters: A single crafted BGP UPDATE can crash your routing daemon, causing a network outage for everything behind it.
- Source: Azure Linux advisory
Evidence trail
- NVD
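The "How to check" steps above are five separate `tdnf list installed` lookups. The script below is an added example (not tooling from the Azure Linux advisories or from MSRC) that folds them into one pass: it reads `tdnf list installed` output on stdin, strips the architecture and dist suffixes, and reports any package whose version-release exactly matches an affected version from today's entries, tagged with the CVE. It assumes tdnf prints one package per line as `<name>.<arch>  <version-release>.<dist>  <repo>`; the `SAMPLE_INSTALLED` block is constructed so the script runs offline, and in real use you would pipe the live command into `check_installed` instead.

```shell
#!/bin/sh
# Added example: match installed Azure Linux packages against the affected
# versions named in today's advisories. Assumes tdnf's
# "<name>.<arch>  <version-release>.<dist>  <repo>" line format.

# Affected package / version-release / CVE triples, taken from the entries above.
AFFECTED="
kernel 6.6.134.1-2 CVE-2026-31721
thrift 0.15.0-5 CVE-2026-43870
ceph 16.2.10-11 CVE-2026-43870
curl 8.11.1-6 CVE-2026-5773
golang 1.25.9-1 CVE-2026-39836
golang 1.26.2-1 CVE-2026-39836
gcc 13.2.0-7 CVE-2026-39836
python-tensorboard 2.16.2-6 CVE-2026-39836
tensorflow 2.16.1-11 CVE-2026-39836
frr 10.5.0-3 CVE-2026-37459
"

# Constructed sample of `tdnf list installed` output (not real host data).
# thrift is on a version not listed as affected; openssl is not in scope.
SAMPLE_INSTALLED='curl.x86_64                8.11.1-6.azl3         @System
frr.x86_64                 10.5.0-3.azl3         @System
golang.x86_64              1.25.9-1.azl3         @System
thrift.x86_64              0.16.0-1.azl3         @System
openssl.x86_64             3.3.0-1.azl3          @System'

# check_installed: read tdnf-style lines on stdin, print one line per hit as
# "<CVE> <package> <version-release>", and return non-zero if anything hit.
check_installed() {
    hits=0
    while read -r pkg ver _rest; do
        [ -z "$pkg" ] && continue
        name=${pkg%.*}          # drop the ".x86_64" / ".aarch64" arch suffix
        vr=${ver%.azl*}         # drop the ".azl3" dist tag ...
        vr=${vr%.cm*}           # ... or the ".cm2" tag on CBL Mariner
        while read -r aname aver cve; do
            [ -z "$aname" ] && continue
            if [ "$name" = "$aname" ] && [ "$vr" = "$aver" ]; then
                printf '%s %s %s\n' "$cve" "$name" "$vr"
                hits=$((hits + 1))
            fi
        done <<EOF
$AFFECTED
EOF
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone run against the constructed sample. For a real host replace the
# printf with: tdnf list installed | check_installed
printf '%s\n' "$SAMPLE_INSTALLED" | check_installed
```

The match is deliberately an exact string compare on version-release, which is what the entries' "confirm version X" steps describe; it will not flag older builds, so treat a clean result as "not on the advisory's listed version", not as "fully patched".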