
CVE-2026-12018

The latest CVE-2026-12018 coverage: news, analysis, and updates from the WindowsNews.AI desk.

Kali365 · Device Code Phishing

FBI Warns of Kali365: New Phishing Service Hijacks Microsoft 365 Accounts via Device Code Scam

The FBI has issued a warning about Kali365, a phishing-as-a-service platform distributed via Telegram that exploits OAuth device code authentication to compromise Microsoft 365 accounts. By tricking users into entering a device code on a legitimate Microsoft login page, attackers can obtain OAuth tokens that bypass multi-factor authentication, giving them persistent access to emails, files, and cloud services. Organizations are urged to implement Conditional Access policies and educate users to mitigate this token-theft threat.

Security

June 15 KEV Update: Two New Actively Exploited Flaws Hit Enterprise SD-WAN and Web Hosting Platforms

CISA added two actively exploited vulnerabilities to its KEV Catalog on June 15, 2026: a path traversal flaw in Cisco Catalyst SD-WAN Manager (CVE-2026-20262) and a symlink risk in the LiteSpeed cPanel Plugin (CVE-2026-54420). Both warrant immediate remediation given confirmed in-the-wild attacks, posing severe risks to enterprise networking and shared hosting environments.

Security Desk·1h ago ·5 min
Security

Critical Chrome WebMIDI Bug Opens Windows PCs to Sandbox Escape Attacks

A critical Chrome use-after-free vulnerability in WebMIDI allowed attackers to escape the browser's sandbox on Windows, potentially leading to full system compromise. Google fixed the flaw in Chrome 149.0.7827.115, and users must update immediately. The incident highlights the risks of powerful browser APIs that interact directly with the operating system.

Security Desk·2h ago ·5 min
Security

Mac Chrome Users Urged to Patch Critical Sandbox Escape (CVE-2026-12009)

Google has released a critical security update for Chrome on macOS, fixing CVE-2026-12009—a sandbox escape vulnerability in the Chromium Accessibility component. The flaw, rated Critical, affects all Chrome for Mac versions before 149.0.7827.115 and could allow an attacker who has compromised the renderer to break out of the sandbox and execute arbitrary code. Users are strongly urged to update immediately.

Security Desk·2h ago ·5 min
Chrome Android · CVE Remediation

Google Patches Critical Chrome Android Bug CVE-2026-12010 That Enables Sandbox Escape via GPU Overflow

Google released Chrome 149.0.7827.115 for Android on June 11, 2026, to fix CVE-2026-12010, a critical heap buffer overflow in the GPU process that enables sandbox escape. The vulnerability allows attackers to break out of Chrome's sandbox on unpatched devices, potentially chaining with renderer bugs for full remote code execution. Android users are urged to update immediately to close this high-severity attack vector.

SE Security Desk·2h ago
Autofill Use After Free · Chrome Security

High-Severity Autofill Flaw in Chrome 149 Fixed: Update to 149.0.7827.115 Now

Google has patched a high-severity use-after-free vulnerability in Chrome's Autofill feature (CVE-2026-12015) that could allow a remote attacker with a compromised renderer to escape the sandbox and take over a victim's PC. The fix, shipped in Chrome 149.0.7827.115 on June 11, 2026, addresses a memory corruption flaw that puts Windows users at heightened risk. Users should update immediately to protect against potential exploitation.

SE Security Desk·2h ago
Chrome Security · CVE Patching

Google Patches High-Severity Use-After-Free Flaw in Chrome’s Media Engine on Windows

Google has fixed a high-severity use-after-free vulnerability (CVE-2026-12013) in Chrome’s Media component that exclusively affects Windows users. The flaw, disclosed on June 11, 2026, is patched in Chrome version 149.0.7827.115 and could allow remote code execution via crafted media content. All Chrome users on Windows are urged to update immediately.

SE Security Desk·2h ago
Browser Security · Chrome CVE

Chrome 149 Emergency Fix Closes CVE-2026-12017 — High‑Severity Site Isolation Bypass via Extensions

CVE-2026-12017 is a high‑severity Chrome Extensions flaw that breaks Chromium’s Site Isolation, allowing a compromised renderer to steal cross‑site data via a crafted HTML page. Fixed in Chrome 149.0.7827.114 for Windows and Mac, the bug saw active exploitation before the patch. Users should update immediately and audit installed extensions to reduce future risk.

SE Security Desk·2h ago
Chrome Cast · CPE Mismatch

Chrome 149 Patches High-Severity Cast Use-After-Free Bug Exploitable Over LAN

Google Chrome version 149.0.7827.115 patches CVE-2026-12014, a high-severity use-after-free bug in the Cast component that allows local network attackers to execute code. The NVD advisory also contained a CPE mismatch that confused enterprise scanners, delaying detection. Users and IT admins are urged to update immediately and consider disabling Media Router on untrusted networks.

SE Security Desk·2h ago
Chrome Windows Security · CVE-2026-12018

Urgent Chrome Update Closes Mojo Vulnerability That Gives Attackers Windows Admin Rights

Google disclosed CVE-2026-12018, a high-severity Mojo IPC flaw in Chrome for Windows that enables local privilege escalation. Patched in version 149.0.7827.115, the vulnerability could let attackers gain OS-level privileges from a low-integrity process. Users and enterprises should update immediately to mitigate the risk.

SE Security Desk·2h ago
Browser RCE · CVE-2026-12007

Critical Chrome RCE Flaw CVE-2026-12007 Patched: Update Windows Browsers to 149.0.7827.115 Now

Google has released an emergency Chrome update (149.0.7827.115) for Windows to fix CVE-2026-12007, a critical use-after-free remote code execution vulnerability already exploited in the wild. The flaw in Chrome's Core component can be triggered by a malicious webpage, allowing attackers full system control. All Windows users are urged to patch immediately.

SE Security Desk·2h ago
DPAPI CREDHIST · Offline Credential Attacks

DPAPISnoop Weaponizes Windows CREDHIST for Offline Password Hash Extraction

DPAPISnoop, a new open-source tool by researcher Cryptika, extracts historical password hashes from Windows' DPAPI CREDHIST file. These hashes can be cracked offline, exposing years of previous credentials and enabling lateral movement. The release highlights the need for stronger DPAPI protections and careful password-history policies.

SE Security Desk·2h ago
Chrome CVE-2026-12016 · CPE Metadata Mismatch

Chrome 149.0.7827.115 Closes DevTools Sandbox Escape That Left Windows Exposed

Google released Chrome 149.0.7827.115 to patch CVE-2026-12016, a high-severity DevTools sandbox escape vulnerability that could allow remote code execution on Windows. The flaw requires DevTools to be open, putting developers and testers at heightened risk. A related CPE metadata mismatch caused confusion for enterprise vulnerability scanners, delaying patch verification.

SE Security Desk·2h ago