OpenSSL CMS forgery bug scores 9.1, plus a buffer overflow in Apache mod_proxy_html
CVE-2026-34182 lets attackers forge S/MIME and CMS-signed messages that pass validation. Apache's mod_proxy_html has a remotely exploitable buffer overflow (CVSS 7.5), and there's a Linux kernel privesc in the Topcliff SPI driver. Nothing exploited in the wild yet, but that OpenSSL one needs patching fast.
Heads up: OpenSSL dropped a CVSS 9.1 CMS forgery bug (CVE-2026-34182) that lets attackers forge signed or enveloped messages that pass validation. If you process S/MIME email or run code-signing workflows, that's a real problem. Nobody's exploiting it yet, but the impact ceiling is high, so don't wait on this one.
Today's CVEs
Sorted by urgencyCVE-2026-34182
MSRCOpenSSL's CMS AuthEnvelopedData handling has a bug that lets an attacker forge signed or enveloped messages that look valid. If your systems process CMS-signed content (think S/MIME email or code-signing workflows), a forged message could bypass authenticity checks entirely. CVSS 9.1, so the impact is high, but no exploitation in the wild yet and EPSS is very low.
- Included because
- CVSS 9.1; affects a core crypto library; wide dependency chain across multiple packages
- Affected estate
- Azure Linux 3.0 systems running openssl 3.3.5-5, nodejs 24.14.1-3, edk2 20240524git3e722403cd16-17, qemu 9.1.0-7, or cloud-hypervisor 51.1.56-1.
- How to check
- Run `tdnf list installed openssl nodejs edk2 qemu cloud-hypervisor` and compare versions against the affected list.
- Action
- Run `tdnf update openssl nodejs edk2 qemu cloud-hypervisor` to pull the patched packages.
- Urgency
- Patch within 24 hours
- Why it matters
- Forged CMS messages bypassing verification could let an attacker inject trusted-looking content into your pipeline.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-46301
MSRCA use-after-free bug in the Linux kernel's Topcliff PCH SPI driver can be triggered during device unbind. A local attacker with access to trigger driver unbind operations could escalate privileges or crash the system. This only affects you if you're running hardware that uses the Topcliff PCH SPI controller, which is uncommon outside certain embedded Intel platforms.
- Included because
- CVSS 7.8; local privilege escalation; requires specific hardware driver to be loaded
- Affected estate
- Azure Linux 3.0 systems running kernel 6.6.139.1-1.
- How to check
- Run `uname -r` and check if it matches 6.6.139.1-1. Also check `lsmod | grep spi_topcliff_pch` to see if the affected driver is loaded.
- Action
- Run `tdnf update kernel` and schedule a reboot.
- Urgency
- Patch this week
- Why it matters
- A local privilege escalation via a use-after-free could give an attacker full kernel control.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-53689
MSRCA vulnerability in libnfs 5.0.2 on Azure Linux 3.0. Details are sparse (no description provided), but the CVSS 7.1 score suggests a significant impact, likely involving NFS client-side operations. If you mount NFS shares using libnfs, treat this as a real risk until more details surface.
- Included because
- CVSS 7.1; limited detail increases uncertainty; common NFS client library
- Affected estate
- Azure Linux 3.0 systems with libnfs 5.0.2-1 installed.
- How to check
- Run `tdnf list installed libnfs` and confirm the version.
- Action
- Run `tdnf update libnfs` to install the patched version.
- Urgency
- Patch this week
- Why it matters
- libnfs bugs can affect any workload mounting NFS shares, and the lack of a public description makes risk assessment harder.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-12143
MSRCThe form-data library fails to escape carriage returns, line feeds, and quotes in multipart field names and filenames. An attacker who controls input to a form-data request can inject arbitrary HTTP headers (CRLF injection), potentially smuggling requests or poisoning responses. This surfaces in the python-tensorboard package on Azure Linux 3.0, which bundles or depends on the vulnerable library.
- Included because
- CVSS 7.5; network-exploitable; CRLF injection in a common library pattern
- Affected estate
- Azure Linux 3.0 systems with python-tensorboard 2.16.2-6 installed.
- How to check
- Run `tdnf list installed python-tensorboard` and confirm the version. Also check `pip show tensorboard` if installed via pip.
- Action
- Run `tdnf update python-tensorboard` to install the fixed version.
- Urgency
- Patch this week
- Why it matters
- CRLF injection can be chained into request smuggling or session hijacking if the service handles untrusted input in multipart form fields.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-34355
MSRCA buffer overflow in Apache HTTP Server's mod_proxy_html module lets a remote attacker send crafted content through the reverse proxy that overflows a buffer. If you use mod_proxy_html to rewrite HTML in proxied responses, this is exploitable over the network without authentication. No exploitation in the wild yet, but buffer overflows in internet-facing web servers deserve fast attention.
- Included because
- CVSS 7.5; unauthenticated; internet-facing; buffer overflow in widely deployed web server
- Affected estate
- Azure Linux 3.0 systems running httpd 2.4.67-1 with mod_proxy_html loaded.
- How to check
- Run `httpd -v` to confirm the version and `httpd -M | grep proxy_html` to check if the module is loaded.
- Action
- Run `tdnf update httpd` and restart the service with `systemctl restart httpd`.
- Urgency
- Patch within 24 hours
- Why it matters
- A buffer overflow in an internet-facing reverse proxy module can lead to remote code execution with no authentication required.
- Source
- NVD
Evidence trail
- NVD: View source
One email, every Wednesday morning.
SubscribeFrom the field notes
From this beat
Read the rest of the field notes โ