PatchaPalooza — Microsoft Patch Tuesday CVEs
https://patchapalooza.com/
2026-03-19T13:36:28.000Z
Latest Microsoft Patch Tuesday vulnerabilities tracked by PatchaPalooza.

CVE-2026-4224: Stack overflow parsing XML with deeply nested DTD content models | https://patchapalooza.com/cve/CVE-2026-4224 | 2026-03-19T13:36:28.000Z
CVE-2026-4111: Libarchive: infinite loop denial of service in rar5 decompression via archive_read_data() in libarchive | https://patchapalooza.com/cve/CVE-2026-4111 | 2026-03-18T13:36:47.000Z
CVE-2026-4105: Systemd: systemd: privilege escalation via improper access control in registermachine d-bus method | https://patchapalooza.com/cve/CVE-2026-4105 | 2026-03-17T00:02:38.000Z
CVE-2026-3942: Chromium: CVE-2026-3942 Incorrect security UI in PictureInPicture | https://patchapalooza.com/cve/CVE-2026-3942 | 2026-03-13T17:20:30.000Z
CVE-2026-3941: Chromium: CVE-2026-3941 Insufficient policy enforcement in DevTools | https://patchapalooza.com/cve/CVE-2026-3941 | 2026-03-13T17:20:29.000Z
CVE-2026-3940: Chromium: CVE-2026-3940 Insufficient policy enforcement in DevTools | https://patchapalooza.com/cve/CVE-2026-3940 | 2026-03-13T17:20:28.000Z
CVE-2026-3939: Chromium: CVE-2026-3939 Use after free in WebView | https://patchapalooza.com/cve/CVE-2026-3939 | 2026-03-13T17:20:27.000Z
CVE-2026-3938: Chromium: CVE-2026-3938 Insufficient policy enforcement in Clipboard | https://patchapalooza.com/cve/CVE-2026-3938 | 2026-03-13T17:20:26.000Z
CVE-2026-3937: Chromium: CVE-2026-3937 Incorrect security UI in Downloads | https://patchapalooza.com/cve/CVE-2026-3937 | 2026-03-13T17:20:25.000Z
CVE-2026-3936: Chromium: CVE-2026-3936 Use after free in WebView | https://patchapalooza.com/cve/CVE-2026-3936 | 2026-03-13T17:20:24.000Z
CVE-2026-3935: Chromium: CVE-2026-3935 Incorrect security UI in WebAppInstalls | https://patchapalooza.com/cve/CVE-2026-3935 | 2026-03-13T17:20:23.000Z
CVE-2026-3934: Chromium: CVE-2026-3934 Insufficient policy enforcement in ChromeDriver | https://patchapalooza.com/cve/CVE-2026-3934 | 2026-03-13T17:20:22.000Z
CVE-2026-3932: Chromium: CVE-2026-3932 Insufficient policy enforcement in PDF | https://patchapalooza.com/cve/CVE-2026-3932 | 2026-03-13T17:20:21.000Z
CVE-2026-3931: Chromium: CVE-2026-3931 Heap buffer overflow in Skia | https://patchapalooza.com/cve/CVE-2026-3931 | 2026-03-13T17:20:20.000Z
CVE-2026-3930: Chromium: CVE-2026-3930 Unsafe navigation in Navigation | https://patchapalooza.com/cve/CVE-2026-3930 | 2026-03-13T17:20:19.000Z
CVE-2026-3929: Chromium: CVE-2026-3929 Side-channel information leakage in ResourceTiming | https://patchapalooza.com/cve/CVE-2026-3929 | 2026-03-13T17:20:18.000Z
CVE-2026-3928: Chromium: CVE-2026-3928 Insufficient policy enforcement in Extensions | https://patchapalooza.com/cve/CVE-2026-3928 | 2026-03-13T17:20:17.000Z
CVE-2026-3927: Chromium: CVE-2026-3927 Incorrect security UI in PictureInPicture | https://patchapalooza.com/cve/CVE-2026-3927 | 2026-03-13T17:20:16.000Z
CVE-2026-3926: Chromium: CVE-2026-3926 Out of bounds read in V8 | https://patchapalooza.com/cve/CVE-2026-3926 | 2026-03-13T17:20:15.000Z
CVE-2026-3925: Chromium: CVE-2026-3925 Incorrect security UI in LookalikeChecks | https://patchapalooza.com/cve/CVE-2026-3925 | 2026-03-13T17:20:14.000Z
CVE-2026-3924: Chromium: CVE-2026-3924 Use after free in WindowDialog | https://patchapalooza.com/cve/CVE-2026-3924 | 2026-03-13T17:20:13.000Z
CVE-2026-3923: Chromium: CVE-2026-3923 Use after free in WebMIDI | https://patchapalooza.com/cve/CVE-2026-3923 | 2026-03-13T17:20:12.000Z
CVE-2026-3922: Chromium: CVE-2026-3922 Use after free in MediaStream | https://patchapalooza.com/cve/CVE-2026-3922 | 2026-03-13T17:20:11.000Z
CVE-2026-3921: Chromium: CVE-2026-3921 Use after free in TextEncoding | https://patchapalooza.com/cve/CVE-2026-3921 | 2026-03-13T17:20:10.000Z
CVE-2026-3920: Chromium: CVE-2026-3920 Out of bounds memory access in WebML | https://patchapalooza.com/cve/CVE-2026-3920 | 2026-03-13T17:20:09.000Z
CVE-2026-3919: Chromium: CVE-2026-3919 Use after free in Extensions | https://patchapalooza.com/cve/CVE-2026-3919 | 2026-03-13T17:20:08.000Z
CVE-2026-3918: Chromium: CVE-2026-3918 Use after free in WebMCP | https://patchapalooza.com/cve/CVE-2026-3918 | 2026-03-13T17:20:07.000Z
CVE-2026-3917: Chromium: CVE-2026-3917 Use after free in Agents | https://patchapalooza.com/cve/CVE-2026-3917 | 2026-03-13T17:20:06.000Z
CVE-2026-3916: Chromium: CVE-2026-3916 Out of bounds read in Web Speech | https://patchapalooza.com/cve/CVE-2026-3916 | 2026-03-13T17:20:05.000Z
CVE-2026-3915: Chromium: CVE-2026-3915 Heap buffer overflow in WebML | https://patchapalooza.com/cve/CVE-2026-3915 | 2026-03-13T17:20:04.000Z
CVE-2026-3914: Chromium: CVE-2026-3914 Integer overflow in WebML | https://patchapalooza.com/cve/CVE-2026-3914 | 2026-03-13T17:20:03.000Z
CVE-2026-3913: Chromium: CVE-2026-3913 Heap buffer overflow in WebML | https://patchapalooza.com/cve/CVE-2026-3913 | 2026-03-13T17:20:00.000Z
CVE-2026-3910: Chromium: CVE-2026-3910 Inappropriate implementation in V8 | https://patchapalooza.com/cve/CVE-2026-3910 | 2026-03-13T21:11:14.000Z
CVE-2026-3909: Chromium: CVE-2026-3909 Out of bounds write in Skia | https://patchapalooza.com/cve/CVE-2026-3909 | 2026-03-16T17:09:34.000Z
CVE-2026-3904: | https://patchapalooza.com/cve/CVE-2026-3904 | 2026-03-13T00:03:00.000Z
CVE-2026-3805: use after free in SMB connection reuse | https://patchapalooza.com/cve/CVE-2026-3805 | 2026-03-13T00:03:13.000Z
CVE-2026-3784: wrong proxy connection reuse with credentials | https://patchapalooza.com/cve/CVE-2026-3784 | 2026-03-13T00:02:44.000Z
CVE-2026-3783: token leak with redirect and netrc | https://patchapalooza.com/cve/CVE-2026-3783 | 2026-03-13T00:02:16.000Z
CVE-2026-3731: libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds | https://patchapalooza.com/cve/CVE-2026-3731 | 2026-03-20T00:38:05.000Z
CVE-2026-3713: pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow | https://patchapalooza.com/cve/CVE-2026-3713 | 2026-03-11T00:03:59.000Z
CVE-2026-3644: Incomplete control character validation in http.cookies | https://patchapalooza.com/cve/CVE-2026-3644 | 2026-03-19T13:36:37.000Z
CVE-2026-3634: Libsoup: libsoup: http header injection and response splitting via crlf injection in content-type header | https://patchapalooza.com/cve/CVE-2026-3634 | 2026-03-21T00:02:26.000Z
CVE-2026-3633: Libsoup: libsoup: header and http request injection via crlf injection | https://patchapalooza.com/cve/CVE-2026-3633 | 2026-03-21T00:02:43.000Z
CVE-2026-3632: Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames | https://patchapalooza.com/cve/CVE-2026-3632 | 2026-03-21T00:02:34.000Z
CVE-2026-3545: Chromium: CVE-2026-3545 Insufficient data validation in Navigation | https://patchapalooza.com/cve/CVE-2026-3545 | 2026-03-06T20:23:08.000Z
CVE-2026-3544: Chromium: CVE-2026-3544 Heap buffer overflow in WebCodecs | https://patchapalooza.com/cve/CVE-2026-3544 | 2026-03-06T20:23:07.000Z
CVE-2026-3543: Chromium: CVE-2026-3543 Inappropriate implementation in V8 | https://patchapalooza.com/cve/CVE-2026-3543 | 2026-03-06T20:23:06.000Z
CVE-2026-3542: Chromium: CVE-2026-3542 Inappropriate implementation in WebAssembly | https://patchapalooza.com/cve/CVE-2026-3542 | 2026-03-06T20:23:05.000Z
CVE-2026-3541: Chromium: CVE-2026-3541 Inappropriate implementation in CSS | https://patchapalooza.com/cve/CVE-2026-3541 | 2026-03-06T20:23:04.000Z
CVE-2026-3540: Chromium: CVE-2026-3540 Inappropriate implementation in WebAudio | https://patchapalooza.com/cve/CVE-2026-3540 | 2026-03-06T20:23:03.000Z
CVE-2026-3539: Chromium: CVE-2026-3539 Object lifecycle issue in DevTools | https://patchapalooza.com/cve/CVE-2026-3539 | 2026-03-06T20:23:02.000Z
CVE-2026-3538: Chromium: CVE-2026-3538 Integer overflow in Skia | https://patchapalooza.com/cve/CVE-2026-3538 | 2026-03-06T20:23:01.000Z
CVE-2026-3537: Chromium: CVE-2026-3537 Object lifecycle issue in PowerVR | https://patchapalooza.com/cve/CVE-2026-3537 | 2026-03-11T06:00:00.000Z
CVE-2026-3536: Chromium: CVE-2026-3536 Integer overflow in ANGLE | https://patchapalooza.com/cve/CVE-2026-3536 | 2026-03-06T20:22:56.000Z
CVE-2026-3494: MariaDB Server Audit Plugin Comment Handling Bypass | https://patchapalooza.com/cve/CVE-2026-3494 | 2026-03-14T00:37:11.000Z
CVE-2026-3479: pkgutil.get_data() does not enforce documented restrictions | https://patchapalooza.com/cve/CVE-2026-3479 | 2026-03-21T00:03:01.000Z
CVE-2026-3381: Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib | https://patchapalooza.com/cve/CVE-2026-3381 | 2026-03-17T13:37:36.000Z
CVE-2026-3338: PKCS7_verify Signature Validation Bypass in AWS-LC | https://patchapalooza.com/cve/CVE-2026-3338 | 2026-03-06T00:38:11.000Z
CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC | https://patchapalooza.com/cve/CVE-2026-3336 | 2026-03-06T00:38:19.000Z
CVE-2026-32778: | https://patchapalooza.com/cve/CVE-2026-32778 | 2026-03-19T00:01:59.000Z
CVE-2026-32777: | https://patchapalooza.com/cve/CVE-2026-32777 | 2026-03-19T00:01:43.000Z
CVE-2026-32776: | https://patchapalooza.com/cve/CVE-2026-32776 | 2026-03-19T00:01:27.000Z
CVE-2026-32775: | https://patchapalooza.com/cve/CVE-2026-32775 | 2026-03-21T00:36:45.000Z
CVE-2026-32766: astral-tokio-tar insufficiently validates PAX extensions during extraction | https://patchapalooza.com/cve/CVE-2026-32766 | 2026-03-21T00:02:18.000Z
CVE-2026-32249: NFA regex engine NULL pointer dereference affects Vim < 9.2.0137 | https://patchapalooza.com/cve/CVE-2026-32249 | 2026-03-17T00:39:07.000Z
CVE-2026-32194: Microsoft Bing Images Remote Code Execution Vulnerability | https://patchapalooza.com/cve/CVE-2026-32194 | 2026-03-19T06:00:00.000Z
CVE-2026-32191: Microsoft Bing Images Remote Code Execution Vulnerability | https://patchapalooza.com/cve/CVE-2026-32191 | 2026-03-19T06:00:00.000Z
CVE-2026-32169: Azure Cloud Shell Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-32169 | 2026-03-19T06:00:00.000Z
CVE-2026-31802: node-tar Symlink Path Traversal via Drive-Relative Linkpath | https://patchapalooza.com/cve/CVE-2026-31802 | 2026-03-14T00:01:17.000Z
CVE-2026-30922: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion | https://patchapalooza.com/cve/CVE-2026-30922 | 2026-03-21T00:02:51.000Z
CVE-2026-29786: node-tar: Hardlink Path Traversal via Drive-Relative Linkpath | https://patchapalooza.com/cve/CVE-2026-29786 | 2026-03-11T00:02:00.000Z
CVE-2026-27601: Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack | https://patchapalooza.com/cve/CVE-2026-27601 | 2026-03-17T13:38:08.000Z
CVE-2026-27459: pyOpenSSL DTLS cookie callback buffer overflow | https://patchapalooza.com/cve/CVE-2026-27459 | 2026-03-21T00:37:02.000Z
CVE-2026-27448: pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback | https://patchapalooza.com/cve/CVE-2026-27448 | 2026-03-21T00:36:53.000Z
CVE-2026-27142: URLs in meta content attribute actions are not escaped in html/template | https://patchapalooza.com/cve/CVE-2026-27142 | 2026-03-17T13:38:34.000Z
CVE-2026-27139: FileInfo can escape from a Root in os | https://patchapalooza.com/cve/CVE-2026-27139 | 2026-03-12T13:36:01.000Z
CVE-2026-27138: Panic in name constraint checking for malformed certificates in crypto/x509 | https://patchapalooza.com/cve/CVE-2026-27138 | 2026-03-14T00:37:26.000Z
CVE-2026-27137: Incorrect enforcement of email constraints in crypto/x509 | https://patchapalooza.com/cve/CVE-2026-27137 | 2026-03-14T00:37:36.000Z
CVE-2026-27135: nghttp2 Denial of service: Assertion failure due to the missing state validation | https://patchapalooza.com/cve/CVE-2026-27135 | 2026-03-21T00:37:11.000Z
CVE-2026-2673: OpenSSL TLS 1.3 server may choose unexpected key agreement group | https://patchapalooza.com/cve/CVE-2026-2673 | 2026-03-17T00:02:24.000Z
CVE-2026-26148: Microsoft Azure AD SSH Login extension for Linux Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26148 | 2026-03-11T06:00:00.000Z
CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability | https://patchapalooza.com/cve/CVE-2026-26144 | 2026-03-10T06:00:00.000Z
CVE-2026-26141: Hybrid Worker Extension (Arc‑enabled Windows VMs) Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26141 | 2026-03-10T06:00:00.000Z
CVE-2026-26139: Microsoft Purview Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26139 | 2026-03-19T06:00:00.000Z
CVE-2026-26138: Microsoft Purview Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26138 | 2026-03-19T06:00:00.000Z
CVE-2026-26137: Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26137 | 2026-03-19T06:00:00.000Z
CVE-2026-26136: Microsoft Copilot Information Disclosure Vulnerability | https://patchapalooza.com/cve/CVE-2026-26136 | 2026-03-19T06:00:00.000Z
CVE-2026-26134: Microsoft Office Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26134 | 2026-03-10T06:00:00.000Z
CVE-2026-26133: M365 Copilot Information Disclosure Vulnerability | https://patchapalooza.com/cve/CVE-2026-26133 | 2026-03-12T06:00:00.000Z
CVE-2026-26132: Windows Kernel Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26132 | 2026-03-10T06:00:00.000Z
CVE-2026-26131: .NET Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26131 | 2026-03-10T06:00:00.000Z
CVE-2026-26130: ASP.NET Core Denial of Service Vulnerability | https://patchapalooza.com/cve/CVE-2026-26130 | 2026-03-10T06:00:00.000Z
CVE-2026-26128: Windows SMB Server Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26128 | 2026-03-10T06:00:00.000Z
CVE-2026-26127: .NET Denial of Service Vulnerability | https://patchapalooza.com/cve/CVE-2026-26127 | 2026-03-10T06:00:00.000Z
CVE-2026-26125: Payment Orchestrator Service Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26125 | 2026-03-05T07:00:00.000Z
CVE-2026-26124: Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability | https://patchapalooza.com/cve/CVE-2026-26124 | 2026-03-06T07:00:00.000Z
CVE-2026-26123: Microsoft Authenticator Information Disclosure Vulnerability | https://patchapalooza.com/cve/CVE-2026-26123 | 2026-03-10T06:00:00.000Z
CVE-2026-26122: Microsoft ACI Confidential Containers Information Disclosure Vulnerability | https://patchapalooza.com/cve/CVE-2026-26122 | 2026-03-06T07:00:00.000Z
CVE-2026-26121: Azure IOT Explorer Spoofing Vulnerability | https://patchapalooza.com/cve/CVE-2026-26121 | 2026-03-10T06:00:00.000Z
CVE-2026-26120: Microsoft Bing Tampering Vulnerability | https://patchapalooza.com/cve/CVE-2026-26120 | 2026-03-19T06:00:00.000Z