What you need to know today.
WolfSSL patches 13 flaws including a pre-auth DTLS heap overflow, while KubeVirt and Cacti ship critical fixes.

WolfSSL ships emergency patch bundle fixing 13 vulnerabilities, including a PQC hybrid key-share use-after-free and a DTLS 1.3 heap overflow exploitable pre-authentication. The wolfSSL 5.9.1 release addresses a cluster of high-severity flaws spanning TLS 1.3, DTLS 1.3, PKCS#7, and certificate validation. CVE-2026-7531 is an incomplete-fix follow-up to CVE-2026-5460: a malicious TLS 1.3 server can still trigger a use-after-free in the PQC hybrid key-share cleanup path by sending a truncated KeyShare. CVE-2026-6679 is a heap buffer overflow in the DTLS 1.3 ACK serialization path reachable before the connecting peer authenticates, caused by integer truncation when computing the ACK record-number list length. CVE-2026-6681 allows PKCS#7 decoded content to be written past the bounds of the caller-supplied output buffer because the decode path ignores the outputSz parameter. Additional fixes cover an ML-KEM ARM64 NEON ciphertext comparison that only checks half the input (CVE-2026-6330), weakening IND-CCA2 security; a CRL critical extension bypass (CVE-2026-6450); a TLS 1.3 post-handshake authentication issue where a server could accept a Finished message without a client Certificate (CVE-2026-55962); an un-negotiated Raw Public Key accepted in place of X.509 chain validation (CVE-2026-55960); an out-of-bounds write in SetSuitesHashSigAlgo (CVE-2026-6325); an X.509 name constraint bypass via Subject Common Name (CVE-2026-6731); an iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined (CVE-2026-7532); an intermediate CA in the chain that lacks the keyCertSign key usage being accepted as a signing CA (CVE-2026-55964); and continued acceptance of SHA-1/MD5 in certificate processing (CVE-2026-6412). Organizations using wolfSSL in embedded, IoT, or TLS-termination products should prioritize upgrading to 5.9.1, particularly for the pre-authentication DTLS overflow and the PQC use-after-free, which could enable remote compromise without valid credentials.
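The DTLS 1.3 ACK length truncation above is a narrowing bug: a byte count is computed in a type too small to hold it, and the small wrapped value then drives a bounds check or allocation while the serializer writes the full list. The following C model is an added example written for this digest, not wolfSSL's code; the 16-byte RecordNumber layout (epoch || sequence_number) follows RFC 9147, while the function names, the 2-byte vector length prefix, and the caller-supplied buffer are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the bug class described for CVE-2026-6679 (not
 * wolfSSL's code): the byte length of a DTLS 1.3 ACK record-number list is
 * computed in a 16-bit type, so a large count wraps to a small length. Any
 * bounds check or allocation driven by the wrapped value then undersizes
 * the buffer that the full list is written into. RecordNumber layout
 * (uint64 epoch || uint64 sequence_number) is from RFC 9147; names and the
 * 2-byte length prefix are assumptions for the illustration. */

#define RECORD_NUMBER_LEN 16u   /* epoch (8 bytes) || sequence_number (8 bytes) */
#define ACK_LEN_PREFIX     2u   /* 16-bit length of the record_numbers vector */

/* Vulnerable-style length computation: the product is narrowed to 16 bits,
 * so count == 4096 yields 0 and count == 4097 yields 16. */
uint16_t ack_list_len_truncated(uint32_t count)
{
    return (uint16_t)(count * RECORD_NUMBER_LEN);
}

/* Hardened computation: widen first, then reject anything that the 16-bit
 * vector length or the caller's output buffer cannot hold.
 * Returns 0 and sets *list_len on success, -1 on error. */
int ack_list_len_checked(uint32_t count, size_t out_cap, size_t *list_len)
{
    size_t len = (size_t)count * RECORD_NUMBER_LEN;
    if (count != 0 && len / RECORD_NUMBER_LEN != count) return -1; /* size_t wrap */
    if (len > 0xFFFFu) return -1;                    /* exceeds 16-bit prefix */
    if (len > out_cap || out_cap - len < ACK_LEN_PREFIX) return -1; /* no room */
    *list_len = len;
    return 0;
}

/* Serialize an ACK body: length prefix followed by big-endian record numbers.
 * Every write below is covered by the check above. */
int serialize_ack(const uint64_t *epochs, const uint64_t *seqs, uint32_t count,
                  uint8_t *out, size_t out_cap, size_t *written)
{
    size_t len;
    if (ack_list_len_checked(count, out_cap, &len) != 0) return -1;
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xFFu);
    uint8_t *p = out + ACK_LEN_PREFIX;
    for (uint32_t i = 0; i < count; i++) {
        for (int b = 7; b >= 0; b--) *p++ = (uint8_t)(epochs[i] >> (8 * b));
        for (int b = 7; b >= 0; b--) *p++ = (uint8_t)(seqs[i] >> (8 * b));
    }
    *written = ACK_LEN_PREFIX + len;
    return 0;
}

int main(void)
{
    uint8_t buf[64];
    uint64_t ep[2] = {2, 2}, sq[2] = {17, 19};
    size_t n = 0;
    printf("truncated(4096) = %u\n", ack_list_len_truncated(4096));
    printf("checked(4096)   = %d\n", ack_list_len_checked(4096, sizeof buf, &n));
    printf("serialize 2     = %d, %zu bytes\n",
           serialize_ack(ep, sq, 2, buf, sizeof buf, &n), n);
    return 0;
}
```

The point of the checked version is ordering: the width of the arithmetic is fixed first, the protocol limit (the 16-bit prefix) is applied second, and the destination capacity is checked last, so no write can depend on a value that has already wrapped.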
KubeVirt exposes unauthenticated virtqemud proxy on all interfaces when DisableTLS migration setting is enabled, rated high-risk with an 8.5 CVSS. CVE-2026-13325 affects the virt-handler-rhel9 component of KubeVirt, the Kubernetes virtualization add-on. When the DisableTLS migration setting is toggled on, the migration authentication mechanism is removed entirely, causing the virtqemud proxy to listen on all network interfaces without any authentication. An attacker who can reach the proxy can interact with the QEMU management interface, potentially migrating or manipulating running virtual machines. The vulnerability carries a risk score of 0.55 (high) and a CVSS of 8.5, reflecting the low complexity and network-based attack vector. KubeVirt is widely deployed in enterprise Kubernetes clusters for running VM workloads alongside containers, making this a critical configuration-dependent flaw. Operators should audit their KubeVirt migration settings, ensure DisableTLS is not enabled, and apply any available patches from the KubeVirt project.
Cacti open-source monitoring framework ships version 1.2.31 fixing five vulnerabilities, including SQL injection, path traversal, and session fixation. CVE-2026-40083 is a SQL injection through unsanitized unserialize and implode calls in managers.php, where $selected_items is passed directly into a SQL query without parameterization. CVE-2026-40084 is a path traversal through the Report format_file parameter, enabling arbitrary file read in two stages. CVE-2026-40082 is a session fixation flaw: session_regenerate_id() is never called after successful login, allowing an attacker to fixate a session ID and hijack an authenticated session. CVE-2026-40080 is an open redirect that uses a substring check (str_contains($referer, CACTI_PATH_URL)) rather than a proper host comparison, enabling phishing redirection. CVE-2026-40941 is a package import signature validation bypass that allows self-signed packages to be imported. All five vulnerabilities affect Cacti versions 1.2.30 and prior. Cacti is widely used for network graphing and performance monitoring in enterprise environments. The SQL injection and path traversal in particular could lead to credential theft or lateral movement within monitored networks. Administrators should upgrade to Cacti 1.2.31 immediately.
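The open-redirect check above fails because a substring test asks "does the trusted URL appear anywhere in the referer?" rather than "is the referer's origin the trusted origin?". The C code below is an added example for this digest, not Cacti's code (Cacti is PHP); it reproduces the substring pattern beside an origin comparison. The base URL and referer strings are constructed, and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed illustration of the check described for CVE-2026-40080 (not
 * Cacti's code). A substring test is compared with an origin comparison.
 * URLs and names below are assumptions for the example. */

/* Copy the origin ("scheme://authority", lower-cased) of url into buf.
 * The authority ends at the first '/', '?' or '#'. Returns 0 on success,
 * -1 if there is no "://" or the origin does not fit. */
int url_origin(const char *url, char *buf, size_t cap)
{
    const char *p = strstr(url, "://");
    if (!p) return -1;
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    size_t len = (size_t)(end - url);
    if (len + 1 > cap) return -1;
    memcpy(buf, url, len);
    buf[len] = '\0';
    for (size_t i = 0; i < len; i++)
        buf[i] = (char)tolower((unsigned char)buf[i]);
    return 0;
}

/* Vulnerable-style check: the trusted base URL only has to occur somewhere
 * in the referer, so "https://evil.example/?next=<base>" passes. */
int referer_allowed_substring(const char *referer, const char *base_url)
{
    return strstr(referer, base_url) != NULL;
}

/* Hardened check: the whole authority of the referer must equal that of
 * the base URL. Extra material such as "trusted.host@evil.example" or a
 * longer host name makes the comparison fail, and unparsable input is
 * rejected rather than trusted. */
int referer_allowed_origin(const char *referer, const char *base_url)
{
    char a[256], b[256];
    if (url_origin(referer, a, sizeof a) != 0) return 0;
    if (url_origin(base_url, b, sizeof b) != 0) return 0;
    return strcmp(a, b) == 0;
}

int main(void)
{
    const char *base = "https://cacti.example.com/cacti/";   /* constructed */
    const char *bad  = "https://evil.example/login?next=https://cacti.example.com/cacti/";
    printf("substring check accepts attacker referer: %d\n",
           referer_allowed_substring(bad, base));
    printf("origin check accepts attacker referer:    %d\n",
           referer_allowed_origin(bad, base));
    return 0;
}
```

Comparing the full authority string (not just the host name) is deliberate: it also defeats userinfo tricks and look-alike hosts, because anything beyond an exact match is rejected.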
Renesas TSIP TLS 1.3 driver contains an out-of-bounds write in the transcript buffer that fails to abort on capacity overflow. CVE-2026-55958 affects the Renesas TSIP (Trusted Secure IP) hardware TLS 1.3 implementation. In tsip_StoreMessage(), the capacity check guarding the fixed-size message bag (MSGBAG_SIZE) correctly detects an overflow and sets an error code, but the function does not return after setting the error — execution falls through to an XMEMCPY that writes past the buffer boundary. This out-of-bounds write could corrupt adjacent memory in the secure enclave or cause a denial of service. The vulnerability is particularly concerning for Renesas TSIP users in automotive, industrial control, and IoT deployments where hardware-accelerated TLS is relied upon for secure boot and firmware update channels. No public exploit is reported, but the nature of the bug — a missing return after error detection — makes it trivially triggerable by an oversized TLS 1.3 message. Affected firmware should be updated as soon as vendor patches are available.
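The defect described above is purely one of control flow: the capacity check is correct, the error code is set, and then the copy runs anyway. The C model below is an added example for this digest, not Renesas or wolfSSL code; the MSGBAG_SIZE value, the struct, and the function names are assumptions. The fall-through variant is included only to show the missing early return and must not be called with oversized input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the bug class described for CVE-2026-55958 (not
 * Renesas or wolfSSL code): a fixed-size transcript "message bag" whose
 * capacity check detects the overflow and records an error but does not
 * return, so execution falls through to the copy. MSGBAG_SIZE, the struct
 * and the function names are assumptions for the illustration. */

#define MSGBAG_SIZE     256u
#define ERR_MSGBAG_FULL (-100)

typedef struct {
    uint8_t buf[MSGBAG_SIZE];
    size_t  used;
} msgbag_t;

/* Vulnerable pattern: the error is set, but the function keeps going and the
 * copy writes past buf whenever used + len > MSGBAG_SIZE. Shown only to make
 * the missing return visible; never call it with oversized input. */
int store_message_fallthrough(msgbag_t *bag, const uint8_t *msg, size_t len)
{
    int ret = 0;
    if (bag->used + len > MSGBAG_SIZE) {
        ret = ERR_MSGBAG_FULL;
        /* missing: return ret; */
    }
    memcpy(bag->buf + bag->used, msg, len);   /* out-of-bounds on overflow */
    bag->used += len;
    return ret;
}

/* Fixed pattern: reject before touching the buffer. The comparison is
 * written as "len > remaining" so a huge len cannot wrap the addition
 * used + len and slip past the check. */
int store_message_checked(msgbag_t *bag, const uint8_t *msg, size_t len)
{
    if (bag->used > MSGBAG_SIZE || len > MSGBAG_SIZE - bag->used)
        return ERR_MSGBAG_FULL;
    memcpy(bag->buf + bag->used, msg, len);
    bag->used += len;
    return 0;
}

int main(void)
{
    msgbag_t bag = {{0}, 0};
    uint8_t msg[300] = {0};                   /* constructed oversized message */
    printf("checked, 300 bytes into 256: rc=%d used=%zu\n",
           store_message_checked(&bag, msg, sizeof msg), bag.used);
    printf("checked, 200 bytes:          rc=%d used=%zu\n",
           store_message_checked(&bag, msg, 200), bag.used);
    return 0;
}
```

A useful review habit for this bug class is to read every error assignment and ask what the next statement does if the error is set; an assignment to a status variable that is not immediately followed by a return, goto or break is a candidate for exactly this fall-through.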
jq JSON processor vulnerable to denial of service via integer overflow on 32-bit systems. CVE-2026-54679 affects jq, the widely used command-line JSON processor. On 32-bit architectures, an integer overflow in memory allocation can lead to a buffer overrun, causing a crash or denial of service when processing crafted JSON input. The vulnerability carries a CVSS of 5.5 and a medium risk score of 0.36. While jq is not typically exposed as a network service, it is commonly used in CI/CD pipelines, log processing scripts, and infrastructure automation where untrusted JSON may be ingested. The impact is limited to 32-bit systems, which are increasingly rare in server environments but still prevalent in embedded Linux and legacy systems. Users on 32-bit platforms should update jq to the latest version; 64-bit users are unaffected.
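The 32-bit-only impact above is characteristic of an allocation size computed as count times element size in the platform's native size type: on a 64-bit build the product fits, on a 32-bit build it wraps and malloc hands back a block far smaller than the code then fills. The C below is an added example for this digest, not jq's code; it models the 32-bit arithmetic in uint32_t so the wrap is visible on any host, and the growth-step function and its names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the bug class described for CVE-2026-54679
 * (not jq's code): an allocation size computed as count * elem_size wraps
 * in a 32-bit size type, so the allocated block is much smaller than the
 * data written into it. uint32_t stands in for size_t on a 32-bit build. */

typedef uint32_t size32_t;   /* stand-in for size_t on a 32-bit target */

/* Unchecked: what a 32-bit build computes for count * elem_size.
 * 0x20000000 * 8 == 2^32, which wraps to 0. */
size32_t alloc_size_unchecked32(size32_t count, size32_t elem_size)
{
    return count * elem_size;
}

/* Checked: returns 0 and stores the size, or -1 if the product would wrap. */
int alloc_size_checked32(size32_t count, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size) return -1;
    *out = count * elem_size;
    return 0;
}

/* Growth step of the kind an array builder runs while parsing nested input:
 * doubles the capacity, but refuses when either the element count or the
 * byte size would no longer fit the 32-bit size type. On success *cap is
 * updated and *bytes holds the size to pass to the allocator. */
int grow_array32(size32_t *cap, size32_t elem_size, size32_t *bytes)
{
    size32_t new_cap = (*cap == 0) ? 16 : *cap * 2;
    if (new_cap < *cap) return -1;                         /* count wrapped */
    if (alloc_size_checked32(new_cap, elem_size, bytes) != 0) return -1;
    *cap = new_cap;
    return 0;
}

int main(void)
{
    size32_t n = 0;
    printf("unchecked: 0x20000000 * 8 = %u\n", alloc_size_unchecked32(0x20000000u, 8));
    printf("checked:   rc=%d\n", alloc_size_checked32(0x20000000u, 8, &n));
    return 0;
}
```

In production C the same guard is usually obtained from calloc (which must fail rather than wrap) or from a reallocarray/checked-multiply helper; the explicit division here keeps the condition readable and portable.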