Go SSH host key bypass scores 9.1, NGINX rewrite bug close behind at 8.1
A Go knownhosts library flaw lets revoked SSH keys pass verification unchecked. Also: NGINX rewrite module exploit (8.1), Linux kernel privesc via skbuff corruption (7.8), dnsmasq DNS poisoning risk (7.5), and curl cookie leaks hitting Azure Linux packages.
Nothing's on fire yet, but don't sleep on this one. A CVSS 9.1 bug in Go's knownhosts library completely ignores revoked SSH host keys, which means your Go-based SSH clients will trust hosts they shouldn't. Pair that with an NGINX rewrite module bug at 8.1 and a kernel privesc, and you've got a five-patch day that deserves your attention before any of these start getting exploited.
Today's CVEs
Sorted by urgencyCVE-2026-42508
MSRCAn attacker can bypass SSH host key verification by presenting a key that should be revoked. The Go knownhosts library doesn't enforce the @revoked status, so your SSH clients built on this library will happily connect to a host whose key you explicitly revoked. CVSS 9.1, not yet exploited in the wild, but the auth bypass is straightforward if you rely on this library for host key checking.
- Included because
- CVSS 9.1; authentication bypass; affects common automation tooling
- Affected estate
- Azure Linux 3.0 systems running libcontainers-common 20240213-3, packer 1.9.5-13, or telegraf 1.31.0-19.
- How to check
- Run `tdnf list installed | grep -E 'libcontainers-common|packer|telegraf'` and compare the version to the patched release.
- Action
- Run `tdnf update libcontainers-common packer telegraf` to pull the fixed packages.
- Urgency
- Patch within 24 hours
- Why it matters
- Revoked SSH host keys are silently trusted, which lets an attacker impersonate a server you previously blacklisted.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-4890
MSRCA vulnerability in dnsmasq with a CVSS of 7.5. The upstream description is sparse, but dnsmasq handles DNS and DHCP for a lot of local networks. A network-level bug here could let an attacker disrupt or poison DNS resolution without authentication. No exploitation in the wild yet.
- Included because
- CVSS 7.5; network-facing service; common infrastructure component
- Affected estate
- Azure Linux 3.0 systems running dnsmasq 2.90-1.
- How to check
- Run `tdnf list installed dnsmasq` and verify the installed version.
- Action
- Run `tdnf update dnsmasq` and restart the service.
- Urgency
- Patch this week
- Why it matters
- Dnsmasq is a core DNS/DHCP service on many internal networks; a bug here can affect name resolution for your entire segment.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-6276
MSRCA stale custom cookie host in curl causes cookies to leak to the wrong server. If your tools or services use curl with custom cookie handling, an attacker who controls or redirects traffic could steal session cookies. CVSS 7.5, no wild exploitation reported. This affects several Azure Linux 3.0 packages that bundle or depend on curl, including cmake, mysql, and rust toolchains.
- Included because
- CVSS 7.5; cookie leak; curl is ubiquitous in build and runtime tooling
- Affected estate
- Azure Linux 3.0 systems running curl 8.11.1-6, cmake 3.30.3-13, mysql 8.0.46-1, rust 1.75.0-28, or rust 1.90.0-7.
- How to check
- Run `tdnf list installed | grep -E 'curl|cmake|mysql|rust'` and compare versions to patched releases.
- Action
- Run `tdnf update curl cmake mysql rust` to pull fixed packages.
- Urgency
- Patch this week
- Why it matters
- Cookie leakage can hand session tokens to an attacker, especially when curl is used for authenticated API calls or package downloads.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-9256
MSRCA vulnerability in NGINX's ngx_http_rewrite_module lets an attacker exploit rewrite rules to cause unintended behavior. CVSS 8.1, no known exploitation in the wild. If you use rewrite directives in your NGINX configs (and most of you do), this one deserves prompt attention, especially on internet-facing instances.
- Included because
- CVSS 8.1; internet-facing; extremely common web server/reverse proxy
- Affected estate
- Azure Linux 3.0 systems running nginx 1.28.3-1.
- How to check
- Run `nginx -v` or `tdnf list installed nginx` to confirm the installed version.
- Action
- Run `tdnf update nginx`, then `systemctl restart nginx`.
- Urgency
- Patch within 24 hours
- Why it matters
- NGINX is typically your front door. A bug in the rewrite module on an internet-facing proxy gives attackers a direct target.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-46300
MSRCA Linux kernel bug in skbuff coalescing drops the shared-frag marker, which can lead to local privilege escalation or a crash. CVSS 7.8. An attacker with local access could trigger this to escalate privileges on the host. Not exploited in the wild yet, but kernel memory corruption bugs tend to attract exploit development quickly.
- Included because
- CVSS 7.8; local privilege escalation; kernel-level bug in networking stack
- Affected estate
- Azure Linux 3.0 systems running kernel 6.6.139.1-1.
- How to check
- Run `uname -r` and confirm the running kernel version.
- Action
- Run `tdnf update kernel`, then reboot to activate the new kernel.
- Urgency
- Patch this week
- Why it matters
- Local privilege escalation in the kernel lets any user with shell access become root. On multi-tenant or container hosts, that's a full compromise.
- Source
- NVD
Evidence trail
- NVD: View source
One email, every weekday morning.
SubscribeFrom the field notes
From this beat
Read the rest of the field notes โ