What you need to know today.
Google Chrome users should update immediately to patch critical sandbox escape flaws, while GL.iNet routers and Comodo Internet Security also face urgent vulnerabilities.

Google Chrome users should update immediately to patch a critical use-after-free vulnerability in its USB handling, tracked as CVE-2026-11009. This flaw, alongside similar use-after-free bugs in Autofill (CVE-2026-11002) and Glic (CVE-2026-10990), could allow remote attackers to escape the browser sandbox via a malicious webpage. While Chromium security teams rated these as Medium, their critical CVSS scores and potential for sandbox escape warrant immediate attention. Further Chrome vulnerabilities include use-after-free bugs in Serial and WebShare on Android, rated High (CVE-2026-11012, CVE-2026-11010), and several Medium-severity flaws impacting Dawn, Payments, ANGLE, and Skia, potentially leading to information disclosure or UI spoofing.
Several vulnerabilities affecting GL.iNet GL-MT3000 routers demand urgent patching, including multiple command injection flaws. CVE-2026-11452, CVE-2026-11451, and CVE-2026-11450 all stem from improper handling of arguments in various components like SET_USER_PWD Handler, FTP Protocol Handler, and Path Normalization Handler, allowing attackers to execute arbitrary commands. Additionally, a SQL injection vulnerability in Chanjet CRM (CVE-2026-11456) and a Server-Side Request Forgery in perfree go-fastdfs-web (CVE-2026-11437) were disclosed, alongside a local privilege escalation in Clash Verge Rev (CVE-2026-26422).
Comodo Internet Security's firewall driver Inspect.sys contains a critical integer underflow vulnerability in its IPv6 packet parser, CVE-2026-49494. This flaw could allow an attacker to manipulate IPv6 packet lengths, potentially leading to system compromise. The vulnerability arises from an unsigned 64-bit payload-length value being decremented without proper bounds checking, which could be exploited to trigger unintended code execution or denial of service. Users of Comodo Internet Security should verify their product is updated to mitigate this risk.
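
The bug class described above (an unsigned 64-bit payload length decremented with no bounds check), shown as an added example next to a hardened form; this is not Comodo's code. The extension-header walk, the function names and the sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Added illustration, not Comodo's code. Assumes the RFC 8200 extension-header
 * layout: byte 0 = next header, byte 1 = length in 8-octet units minus one. */
enum { NH_HOPOPT = 0, NH_TCP = 6, NH_ROUTING = 43, NH_DSTOPTS = 60 };

static int is_ext(uint8_t nh) {
    return nh == NH_HOPOPT || nh == NH_ROUTING || nh == NH_DSTOPTS;
}

/* Constructed sample: one 16-byte Destination Options header, then TCP. */
static const uint8_t sample_pkt[16] = { NH_TCP, 1 };

/* Weak form: subtracts each header length from the declared payload length
 * without comparing them first, so a short declared length wraps around. */
uint64_t remaining_unchecked(const uint8_t *p, size_t buf_len,
                             uint64_t payload_len, uint8_t nh) {
    uint64_t remaining = payload_len;
    size_t off = 0;
    while (is_ext(nh) && off + 2 <= buf_len) {
        uint64_t hlen = ((uint64_t)p[off + 1] + 1) * 8;
        nh = p[off];
        remaining -= hlen;              /* wraps when hlen > remaining */
        off += (size_t)hlen;
    }
    return remaining;
}

/* Hardened form: reject the packet before any subtraction that would wrap. */
int remaining_checked(const uint8_t *p, size_t buf_len, uint64_t payload_len,
                      uint8_t nh, uint64_t *out) {
    uint64_t remaining = payload_len;
    size_t off = 0;
    if (payload_len > buf_len) return -1;   /* declared length exceeds data */
    while (is_ext(nh)) {
        if (remaining < 2) return -1;       /* no room for the fixed fields */
        uint64_t hlen = ((uint64_t)p[off + 1] + 1) * 8;
        if (hlen > remaining) return -1;    /* header overruns the payload */
        nh = p[off];
        remaining -= hlen;
        off += (size_t)hlen;
    }
    *out = remaining;
    return 0;
}
```

With a declared payload length of 8 and a 16-byte header, the unchecked walk returns a value just below 2^64 that later code would treat as the remaining byte count, while the checked walk rejects the packet.
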
Open vSwitch versions prior to v3.6.90 are vulnerable to a denial-of-service attack due to a missing upper-bound check in the udpif_set_threads() function, identified as CVE-2026-36499. An attacker with OVSDB write access can exploit this by requesting an excessive number of handler or revalidation threads, overwhelming the system. This vulnerability highlights the importance of secure configuration and timely patching for network infrastructure components, especially those managing complex traffic flows.