Cve 2026 25681
The latest Cve 2026 25681 coverage — news, analysis, and updates from the WindowsNews.AI desk.
Windows 11's Long-Awaited Bing Web Results Toggle Is Finally Being Tested
Microsoft is finally testing a native Settings toggle that lets Windows 11 users disable Bing web results in Start menu and taskbar search without registry hacks. The feature, appearing in Insider builds, provides a straightforward off-switch to restore fast, local-only searches, addressing long-standing performance, relevance, and privacy complaints.
Windows 11 June 2026 Update KB5094126 Triggers Widespread Freezes and BitLocker Recovery Prompts
Microsoft’s June 2026 Patch Tuesday update KB5094126 for Windows 11 24H2 and 25H2 is causing widespread system freezes, BitLocker recovery prompts, boot failures, and broken cloud integration in File Explorer. Uninstalling the update resolves the issues, but users are advised to pause updates until Microsoft provides a fix. The problems appear tied to TPM measurement changes and potential driver conflicts.
AMD Firmware Update AGESA 1.2.7.0 Disables TSME on Consumer Ryzen, Eroding Trust
AMD's AGESA 1.2.7.0 firmware update silently disables Transparent Secure Memory Encryption (TSME) on consumer Ryzen 5000 and 7000 processors, leaving systems vulnerable to physical memory attacks while identical Pro and EPYC chips retain the feature. The opaque change has sparked backlash over product segmentation and user trust, with motherboard vendors failing to adequately warn users. Windows 11 users relying on TSME for enhanced security face a downgrade dilemma with no official resolution from AMD.
Microsoft Flags Medium XSS Bug in Go x/net/html After May 2026 Patch
Microsoft assigns CVE-2026-25681 to a medium-severity XSS vulnerability in the Go golang.org/x/net/html package, following the Go project's May 2026 fix. Windows-hosted applications using unpatched versions are at risk, and the advisory guides developers and administrators to update their dependencies immediately.
CVE-2026-25680: Go HTML Parser Flaw Triggers DoS Alert for Windows Server Administrators
A newly disclosed vulnerability in Go’s golang.org/x/net library (CVE-2026-25680) allows attackers to crash Windows servers by sending malicious HTML. The flaw affects all versions before 0.55.0 and requires Windows administrators to immediately update any Go-based applications that process HTML. The bug has a CVSS score of 7.5 and can be exploited without authentication, making it a high-priority patch.
Windows Security to Add Secure Boot Readiness Indicator for Certificate Migration in April 2026
Microsoft plans to integrate a Secure Boot readiness indicator into the Windows Security app beginning April 2026, as part of the ongoing 2023 certificate migration. The feature will display clear status messages—Ready, Update needed, or Not available—directly in the Device security pane, helping both consumers and IT admins verify that their systems have applied the required UEFI revocation updates. This move simplifies what has long been a complex validation process and aligns with Microsoft's strategy to make advanced security features more transparent and accessible.
RSA Key Exchange Flaw in GnuTLS Prompts Emergency Patch for Azure Linux 3.0
Microsoft released an out-of-band patch for CVE-2026-5260, a high-severity GnuTLS RSA key exchange vulnerability in Azure Linux 3.0 that could allow attackers to decrypt TLS traffic. Immediate updating, cipher configuration review, and certificate rotation are urged to prevent potential man-in-the-middle attacks.
Microsoft Exposes ‘Mastra’ Supply Chain Attack: Over 140 npm Packages Poisoned in Account Hijack
In June 2026, Microsoft Threat Intelligence revealed a major npm supply chain attack dubbed Mastra. A compromised maintainer account led to over 140 packages being laced with malware, threatening developers worldwide. The incident highlights the critical need for stringent account security and dependency verification in modern software development.
GnuTLS PKCS#12 Parsing Flaw (CVE-2026-42015) Exposes Windows Hybrid Systems to Remote Attacks
Microsoft has disclosed CVE-2026-42015, a critical off-by-one memory corruption vulnerability in the GnuTLS library's PKCS#12 parsing that affects Windows hybrid environments including WSL and containers. Patches are available via Windows Update and updated Linux packages, but administrators must update both Windows and all WSL/container instances to fully mitigate the risk of remote code execution.
Microsoft patches CVE-2026-42013 GnuTLS bug allowing TLS certificate validation bypass via oversized SAN fields
Microsoft has disclosed CVE-2026-42013, a vulnerability in the GnuTLS library that affects several Microsoft products. An oversized Subject Alternative Name in a TLS certificate can cause GnuTLS to fall back to less secure Common Name validation, enabling man-in-the-middle attacks. Microsoft has released patches for affected components, and administrators should apply updates immediately to prevent certificate spoofing.
Microsoft Sounds Alarm Over GnuTLS CVE-2026-42012: A TLS Bypass Hitting Windows Where It Hurts
Microsoft warns that CVE-2026-42012, a GnuTLS certificate validation bypass, affects Windows through hidden dependencies in WSL, developer tools, and cloud components. The flaw lets attackers spoof server identities, demanding urgent patching across multiple products. The incident underscores the critical need for robust dependency management in modern operating systems.
Go SSH Agent Flaw Bypasses Key Confirmation, Exposing Systems to Silent Key Abuse
CVE-2026-39833 exposes a critical flaw in Go’s SSH agent that silently ignored the confirm constraint, allowing attackers to use SSH keys without user approval. The bug affects golang.org/x/crypto/ssh/agent before version 0.52.0 and could lead to stealthy lateral movement in affected systems. Immediate update to v0.52.0 and key rotation are strongly advised.
Microsoft Alerts Developers: Rust Cargo Cache Poisoning Vulnerability (CVE-2026-5223) Exposes Build Pipelines
A medium-severity vulnerability in Rust's Cargo allows local attackers to poison the package cache via symlinks, potentially injecting malicious code into builds. Microsoft issued an advisory in June 2026, urging developers to update Cargo and secure build pipelines. The flaw highlights supply chain risks in shared and ephemeral development environments.