PATCHGRID · Vendor Releases · Patch Priority

Vendor patches, prioritized for humans.

Weekly digest of material security releases from the vendors most enterprise stacks actually run — Microsoft, Apple, Google, Mozilla, VMware, Cisco, Fortinet, Palo Alto, Okta, Cloudflare, Ubuntu. Each release is tagged IMMEDIATE, THIS WEEK, or ROUTINE based on KEV overlap, exploitation evidence, and attack-surface exposure.

How I Prioritize

Three priority tiers.

Not every vendor patch deserves your attention this week. These are the heuristics I apply when triaging a release — consistent with the patching priority framework I've published separately.

Priority tiers — what the tags mean

Immediate: Active exploitation confirmed. CVE appears in CISA KEV within 7 days of release. Patch or mitigate within 24-48 hours.
This Week: Critical CVSS (9.0+) in an internet-facing or widely-deployed component. No KEV listing yet, but the exploit path is obvious from the advisory. Patch within the current maintenance window.
Routine: Standard monthly update. No active exploitation, no novel attack class. Goes through your normal test → stage → prod cycle.
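As an added example (not PatchGrid's own tooling), the three tiers above applied to one release against a KEV snapshot. The snapshot mirrors the field names of CISA's catalog (cveID, dateAdded); the CVE-EXAMPLE ids and the CVSS score for CVE-2026-29087 are constructed for illustration.

```python
"""Triage a vendor release into Immediate / This Week / Routine using a
CISA KEV snapshot as the 'exploitation confirmed' signal.

Added example, not PatchGrid's code. Assumptions: KEV field names follow the
real catalog (cveID, dateAdded); CVE-EXAMPLE-* ids and the CVSS value for
CVE-2026-29087 are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Constructed snapshot shaped like known_exploited_vulnerabilities.json,
# reduced to the two fields the triage needs. Dates follow the April 2026 entry.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-29104", "dateAdded": "2026-04-15"},
    {"cveID": "CVE-2026-29087", "dateAdded": "2026-04-15"},
]})


@dataclass(frozen=True)
class ReleasedCve:
    cve_id: str
    cvss: float
    internet_facing: bool   # component reachable from untrusted networks
    widely_deployed: bool   # component present on most hosts in a typical estate


def load_kev(snapshot_json: str) -> dict[str, date]:
    """Map CVE id -> date CISA added it to KEV."""
    data = json.loads(snapshot_json)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"])
            for v in data["vulnerabilities"]}


def tier(cve: ReleasedCve, released: date, kev: dict[str, date],
         kev_window_days: int = 7) -> str:
    """Return the tag for one CVE, per the tier definitions above."""
    added = kev.get(cve.cve_id)
    # Immediate: listed in KEV no later than 7 days after the vendor release.
    # A listing that predates the release (an exploited 0-day) also qualifies.
    if added is not None and added <= released + timedelta(days=kev_window_days):
        return "Immediate"
    # This Week: critical CVSS in an exposed or widely deployed component.
    if cve.cvss >= 9.0 and (cve.internet_facing or cve.widely_deployed):
        return "This Week"
    return "Routine"


def triage_release(released: date, cves: list[ReleasedCve],
                   kev: dict[str, date]) -> dict[str, list[str]]:
    """Bucket a release's CVEs by tier, most urgent bucket first."""
    buckets: dict[str, list[str]] = {"Immediate": [], "This Week": [], "Routine": []}
    for cve in cves:
        buckets[tier(cve, released, kev)].append(cve.cve_id)
    return buckets


# Constructed sample release modelled on the April 2026 Patch Tuesday entry.
APRIL_2026 = date(2026, 4, 14)
APRIL_2026_CVES = [
    # Exchange Transport, CVSS from the advisory, internet-facing in practice
    ReleasedCve("CVE-2026-29104", 9.1, internet_facing=True, widely_deployed=False),
    # Windows Kernel EoP; CVSS constructed, present on every Windows host
    ReleasedCve("CVE-2026-29087", 7.8, internet_facing=False, widely_deployed=True),
    # Placeholder id: a critical in a component every host carries, not in KEV
    ReleasedCve("CVE-EXAMPLE-0001", 9.8, internet_facing=False, widely_deployed=True),
    # Placeholder id: an ordinary non-critical fix
    ReleasedCve("CVE-EXAMPLE-0002", 7.5, internet_facing=False, widely_deployed=False),
]

if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    for name, ids in triage_release(APRIL_2026, APRIL_2026_CVES, kev).items():
        print(f"{name:10s} {', '.join(ids) or '-'}")
```

Re-running triage_release against a fresh KEV snapshot each morning is the KEV-as-backlog loop: a CVE tagged This Week at release moves to Immediate the day CISA lists it.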
Vendors on the Radar

The 38-vendor watch list.

Every vendor below publishes at a cadence I actively monitor. Each card describes their release rhythm, the components I prioritize, and the heuristic I use to decide if a given CVE gets IMMEDIATE treatment versus the normal patch window. Organized by category — tap any vendor to expand.

Endpoint Security · AV · EDR · XDR

🦅 CrowdStrike — Falcon sensor & cloud (rolling · channel files daily)
Cadence: Sensor point releases every 2-4 weeks; cloud-side channel file updates multiple times daily.
Watch for: Sensor self-protection bypass, kernel-driver CVEs, cloud API auth advisories. Post-July-2024 I also watch channel-file rollout behavior closely.
Priority stance: Sensor driver CVE = Immediate. Channel file changes = Routine but validated in a staged ring.
🛡️ SentinelOne — Singularity agent (monthly releases · GA ring)
Cadence: Monthly agent releases with GA / EA / early-access rings. Out-of-band for kernel advisories.
Watch for: Ranger network-discovery CVEs, Singularity Identity module (post-Attivo acquisition), and macOS system-extension advisories.
Priority stance: Anything touching the kernel or LSASS-interaction paths ships on the GA ring within a week.
🟦 Microsoft Defender — for Endpoint / XDR (monthly + MDAV daily)
Cadence: MDE platform updates monthly via Windows Update; MDAV engine + signatures multiple times daily.
Watch for: MpSigStub / NIS engine CVEs (they're weirdly frequent), and Attack Surface Reduction rule regressions.
Priority stance: Engine CVEs are often silently deployed by Microsoft; track the KB article's fixed engine version against the engine version observed on endpoints.
🟧 Broadcom / Symantec — Endpoint Protection (quarterly platform · signatures daily)
Cadence: Quarterly platform versions (14.x RU-series); signature content continuous.
Watch for: SEPM management-console advisories (on-prem + cloud), LiveUpdate server CVEs, and any IPS-engine bypass.
Priority stance: Management console on-prem RCE = Immediate. Favored attack surface for ransomware affiliates.
🔵 Sophos — Intercept X · Firewall · Central (monthly + firewall hotfixes)
Cadence: Central / Intercept X monthly; XG/XGS firewall hotfixes as needed (often out-of-band for webadmin CVEs).
Watch for: Sophos Firewall webadmin auth bypasses — repeat offender in KEV. UTM end-of-life transitions.
Priority stance: Any firewall webadmin or userportal-exposed CVE = Immediate.
🟢 ESET — PROTECT · Endpoint · Server (monthly module updates)
Cadence: ESET PROTECT console + endpoint modules updated monthly; engine updates via LiveGrid continuous.
Watch for: Mail Security / Mail Plugin CVEs, and the occasional ecosystem advisory on smaller-footprint OS (NetWare, OS/2 — yes, still shipped).
Priority stance: Mail-security gateway CVEs jump to This Week regardless of CVSS.
🟥 Trend Micro — Vision One · Deep Security · Apex One (monthly + critical PAs)
Cadence: Monthly maintenance; critical patch advisories (PAs) out-of-band. Deep Security Manager advisories are the ones to watch.
Watch for: Apex One console RCEs (historic KEV regulars), Deep Security Manager auth bypasses, and IM-EDR agent tamper advisories.
Priority stance: Apex One / Deep Security management console = Immediate. Endpoint agent = This Week.
🐻 Bitdefender — GravityZone (monthly)
Cadence: GravityZone console + endpoint monthly; engine continuous.
Watch for: Admin-console CVEs on on-prem deployments; historically strong quality, but when issues land they land in the management plane.
Priority stance: Cloud console = managed for you. On-prem = treat console CVEs as This Week.

AI Platforms · LLM APIs · ML Infrastructure

🤖 OpenAI — API · ChatGPT Enterprise · Azure OpenAI (advisory-driven · trust portal)
Cadence: No scheduled release calendar; status-page + trust portal advisories. Azure OpenAI follows Microsoft's cadence for platform CVEs.
Watch for: API key leakage patterns, Assistants API / tool-use prompt-injection advisories, ChatGPT Enterprise SSO + data-residency changes.
Priority stance: Any advisory affecting API-key handling or tool-use sandboxing = Immediate from a data-leakage perspective, not a CVE perspective.
🧠 Anthropic — Claude API · Claude for Enterprise (advisory-driven · trust.anthropic.com)
Cadence: Trust portal advisories; model-card security updates as capabilities change. Computer-use and tool-use add new attack surfaces.
Watch for: Tool-use sandboxing, computer-use permission model, data-handling policy deltas between tiers.
Priority stance: Treat tool-use and agentic capabilities like browser JS runtimes — assume new privileges require a fresh threat model. See Prompt injection: the OWASP of AI.
💎 Google — Gemini · Vertex AI · Workspace AI (monthly platform · advisories as needed)
Cadence: Vertex AI follows Google Cloud release notes; Workspace AI advisories via Admin console + status page.
Watch for: Gemini-for-Workspace data-access scope changes, Vertex private endpoint CVEs, IAM scope creep on new AI features.
Priority stance: Any change to default data-access scope = audit DLP + admin logs same week.
🦙 Meta — Llama · Llama Guard · PyTorch (model drops + PyTorch CVEs)
Cadence: Model releases on their own schedule; PyTorch ecosystem CVEs flow through standard CVE channels.
Watch for: PyTorch pickle-deserialization CVEs (repeat offender), Llama Guard classifier bypasses, and model-weight provenance issues on HuggingFace mirrors.
Priority stance: PyTorch CVEs that affect model loading = This Week because pickle is a code-execution primitive.
⚡ NVIDIA — AI Enterprise · NeMo · Triton · GPU drivers (quarterly security bulletins)
Cadence: Quarterly security bulletins (GPU display driver, CUDA, AI Enterprise stack); out-of-band for Triton Inference Server.
Watch for: Triton model-loading CVEs, GPU display driver EoP chains, and the CUDA toolkit installer advisories.
Priority stance: Triton exposed to untrusted model uploads = Immediate. Display driver LPE = This Week.
🤗 Hugging Face — Hub · Transformers · Inference Endpoints (rolling · advisories as needed)
Cadence: Transformers library pushes weekly-ish; Hub advisories for malicious model discoveries.
Watch for: Malicious model uploads (pickle-based RCE in from_pretrained), Spaces sandbox escapes, and ecosystem typosquats.
Priority stance: If your CI loads models directly from the Hub, pin hashes and treat new Transformers CVEs as This Week.

Database Platforms · Data Warehouses

🏛️ Oracle — Database · WebLogic · Fusion Middleware (quarterly CPU · Jan / Apr / Jul / Oct)
Cadence: Critical Patch Update (CPU) on the Tuesday nearest the 17th of Jan / Apr / Jul / Oct. 300-500 CVEs per drop across the full Oracle stack.
Watch for: WebLogic pre-auth RCEs (KEV regulars), Fusion Middleware auth bypasses, E-Business Suite auth issues, Database listener CVEs.
Priority stance: WebLogic internet-facing = Immediate. Core Database listener CVEs = This Week. MySQL (Oracle-owned) tracked separately.
📘 Microsoft SQL Server — all supported versions (via Patch Tuesday · monthly)
Cadence: CU (Cumulative Update) model — rolled into Patch Tuesday for GDR; SQL-specific CUs out-of-band. Reporting Services has its own cadence.
Watch for: SSRS RCE CVEs (multiple per year), XML-parser issues, and the occasional xp_cmdshell-adjacent advisory. Don't forget Azure SQL Managed Instance.
Priority stance: Anything exposed on TCP 1433 to untrusted networks = Immediate regardless of CVSS.
🐘 PostgreSQL — community core + major forks (quarterly + out-of-band)
Cadence: Quarterly minor releases (second Thursday of Feb/May/Aug/Nov); out-of-band for security-only.
Watch for: CREATE FUNCTION security-context CVEs, libpq client-side bugs, and any EXPLAIN / row-security bypass. Also watch managed forks (AWS RDS, Azure Database for PostgreSQL, Supabase).
Priority stance: Server-side auth-context CVEs = This Week. Client-only = Routine.
🍃 MongoDB — Community · Enterprise · Atlas (advisory-driven + major releases)
Cadence: Advisories at alerts.mongodb.com; Atlas handled by MongoDB with customer-visible status notes.
Watch for: Wire-protocol auth CVEs, driver-side BSON deserialization issues, and Ops Manager / Cloud Manager console bugs.
Priority stance: Self-hosted with any internet exposure = Immediate — the MongoDB-exposed-to-internet problem still hasn't gone away.
🐬 MySQL / MariaDB — CE + Percona (Oracle CPU + community out-of-band)
Cadence: MySQL follows Oracle CPU quarterly; MariaDB + Percona push more frequently. Managed (RDS MySQL, Aurora, Azure DB for MySQL) handled by provider.
Watch for: InnoDB storage-engine bugs, replication-auth advisories, and the connector libraries shipped with ORMs.
Priority stance: Server-side authenticated CVEs = This Week. Unauth (rare) = Immediate.
❄️ Snowflake — Data Cloud · Native Apps (continuous · trust.snowflake.com)
Cadence: Continuous deployment by Snowflake; customer-facing advisories via trust portal.
Watch for: Network-policy default changes, OAuth integration advisories, and key-based auth rollout windows. The 2024 credential-stuffing campaign is the reference case.
Priority stance: Any advisory affecting authentication flow = validate MFA + network policies same day.
🔴 Redis — OSS · Stack · Enterprise (advisories + major releases)
Cadence: Advisories on redis.io; managed (ElastiCache, Azure Cache, Redis Cloud) handled by provider.
Watch for: Lua-sandbox escape CVEs (recurring), module loading vulnerabilities, and unauth-exposed instances (still happening).
Priority stance: Any module-loading or Lua CVE in a self-hosted deployment = Immediate.
🔍 Elastic — Elasticsearch · Kibana · Logstash (irregular · via discuss.elastic.co)
Cadence: Security announcements via discuss.elastic.co; version bumps monthly-ish.
Watch for: Kibana RCE chains (multiple in recent years), script-engine sandbox escapes, and Logstash input-plugin bugs.
Priority stance: Kibana internet-facing = Immediate. Elasticsearch with disabled security = same.

Enterprise SaaS · Platforms · Collaboration

⚙️ SAP — HANA · S/4HANA · NetWeaver · BTP (monthly · Security Patch Day · 2nd Tuesday)
Cadence: SAP Security Patch Day on the second Tuesday of every month. 10-40 notes typically.
Watch for: NetWeaver Application Server auth bypasses (KEV regulars), SAP GUI privilege-escalation, and BTP / Fiori exposed admin endpoints.
Priority stance: NetWeaver with Internet Communication Manager exposed = Immediate. Internal-only = This Week.
☁️ Salesforce — Core · Commerce · Marketing Cloud (3 major releases/year + weekly patches)
Cadence: Three major releases (Spring/Summer/Winter); trust.salesforce.com advisories continuously; Apex / Lightning security updates monthly.
Watch for: Connected-app OAuth scope issues, guest-user data-exposure advisories, Apex-class permissions bugs. The 2023 guest-user incidents remain reference cases.
Priority stance: Any advisory on guest-user or connected-app scope = audit within 48 hours.
🔧 ServiceNow — Now Platform · Utah / Vancouver / Washington (2 family releases/year + patches)
Cadence: Two family releases per year; patch releases monthly. HI portal for advisories.
Watch for: ACL / data-access advisories (2023 public-data exposure remains a reference), UI Builder custom widget issues, and script-include injection.
Priority stance: ACL / widget / public-facing record issues = Immediate.
🐙 Atlassian — Jira · Confluence · Bitbucket Server (monthly + out-of-band)
Cadence: Monthly Critical Security Advisories; out-of-band for Confluence Data Center CVEs (frequent).
Watch for: Confluence Data Center auth-bypass + RCE chains (recurring KEV). Jira Service Management SSRFs. Bitbucket Server auth issues.
Priority stance: Any Confluence Data Center CVE with CVSS 9+ = Immediate. Treat it as pre-breach.
🐈 GitHub · GitLab — Enterprise Server + SaaS (GHES monthly · GitLab patch + major)
Cadence: GHES monthly + patch releases; GitLab CE/EE patch releases bi-weekly, major monthly. SaaS handled by provider with trust-portal advisories.
Watch for: CI runner escape CVEs, OAuth / SAML bugs, repository-access scope issues, and webhook-token advisories.
Priority stance: Self-hosted runner or repository-access scope CVE = Immediate. Webhook / OAuth token bugs = This Week.
📞 Zoom — Client · Rooms · Workplace (monthly Tuesdays + OOB)
Cadence: Monthly bulletin on the second Tuesday; client-side pushed via auto-update. Zoom Rooms firmware on its own cadence.
Watch for: Client auth-bypass / privilege-escalation, Rooms device firmware CVEs, and the Zoom app installer vectors (macOS particularly).
Priority stance: Client auto-update is fine in most orgs; Rooms firmware needs tracked deployment.
🔴 Adobe — Acrobat · Reader · ColdFusion · Commerce (monthly · 2nd Tuesday)
Cadence: APSB advisories on Patch Tuesday; out-of-band for ColdFusion and Commerce (Magento).
Watch for: ColdFusion pre-auth RCE (repeat offender in KEV), Acrobat Reader document-parsing chains, Commerce admin auth bypass.
Priority stance: ColdFusion internet-facing = Immediate. Acrobat Reader = This Week.

Open Source · Runtimes · Containers

🌐 Apache — httpd · Tomcat · Struts · ActiveMQ (project-specific cadence)
Cadence: Per-project release cycles; security@apache.org coordinated disclosure.
Watch for: Struts pre-auth RCE (KEV mainstay since Equifax), Tomcat session-management advisories, httpd mod_proxy SSRFs, ActiveMQ OpenWire RCEs.
Priority stance: Struts internet-facing = Immediate. Same for ActiveMQ on 61616 exposed.
🚀 nginx — OSS + Plus (security releases as needed)
Cadence: Security releases published to nginx.org with CVE numbers; Plus via F5 MyF5 portal.
Watch for: HTTP/3 + QUIC module CVEs (growing surface), mod_ssl issues, and third-party module compatibility.
Priority stance: HTTP/3 QUIC CVEs on internet-edge = This Week. Core HTTP CVEs = Immediate.
🔐 OpenSSL — 3.x + FIPS provider (advisories + quarterly releases)
Cadence: Security advisories with severity rating (CRITICAL / HIGH / MODERATE / LOW). Sev-CRITICAL is extremely rare.
Watch for: X.509 parsing CVEs, TLS state-machine issues, and FIPS-provider compliance deltas.
Priority stance: HIGH-severity affecting certificate parsing = Immediate. Most MODERATE ones can batch.
🐳 Docker · containerd · runc (continuous releases)
Cadence: Docker Engine, containerd, runc follow independent release cadences; advisories via GitHub Security Advisories.
Watch for: runc container-escape CVEs (Leaky-Vessels class, CVE-2024-21626 etc.), containerd socket-exposure issues, Docker Desktop macOS/Windows privilege escalation.
Priority stance: Any container-escape primitive = Immediate on any multi-tenant host.
⎈ Kubernetes · kube-apiserver · ingress (quarterly minors + patches)
Cadence: Quarterly minor releases; patch releases monthly. kubernetes.io/security announces CVEs with severity.
Watch for: ingress-nginx admission-controller RCEs, kube-apiserver authz bypasses, service-account token-binding issues, and kubelet read-only port misconfigs.
Priority stance: ingress-nginx admission controller CVE = Immediate. API-server CVEs on hosted (EKS/GKE/AKS) handled by provider.
🦕 Node.js · Python · .NET · Go · Rust (per-runtime cadence)
Cadence: Node.js monthly (even-numbered LTS); Python security-only patches; .NET Patch Tuesday; Go quarterly + OOB; Rust 6-weekly.
Watch for: Node.js crypto + fs.promises CVEs, Python pip install pre-execution issues, .NET deserialization advisories, Go net/http path-traversal, Rust std library memory safety (rare but notable).
Priority stance: Runtime advisories feed through application teams; track via SBOM. Any deserialization = This Week.
Release Log

Specific releases, chronological.

The watch list above is the roster; the log below is what actually dropped. Each entry is a specific release with priority call and KEV overlap.

🪟 Microsoft — Patch Tuesday April 2026 (121 CVEs · 3 critical)
Released: 2026-04-14, Tuesday
Total CVEs: 121
Critical: 3
KEV overlap: 2 CVEs added to CISA KEV within 48 hours
Highlight CVE: CVE-2026-29104 · Exchange Server · post-auth RCE in Transport service, CVSS 9.1, PoC circulating privately within 72h

Patch priority call

Immediate for Exchange Server; This Week for the rest. The Exchange CVE requires authentication but every Exchange install has thousands of low-privilege mailboxes that meet that bar, and the Transport service runs as SYSTEM — this is the same shape as ProxyLogon and ProxyNotShell, and defenders who learned nothing from 2021 will learn again. If you are still running on-prem Exchange in 2026, you have a two-day window: patch, then run the Microsoft Exchange Health Checker script, then check for webshells in \inetpub\wwwroot\aspnet_client and under the OWA virtual directory. The other two critical CVEs are in RRAS and HTTP.sys — both exploitable but only relevant if you are exposing those services, which almost nobody should be. For the 115 non-critical fixes, the only standout is a Windows Kernel EoP (CVE-2026-29087) that is already in KEV by Wednesday; prioritize it on domain controllers and privileged access workstations. See patching-priority framework for how I stage a month like this.

Priority: Immediate (Exchange) · Microsoft
🌐 Google Chrome — 135.0.7049.84 emergency (1 CVE · 1 critical, 0-day)
Released: 2026-04-02, Thursday (out-of-band)
Total CVEs: 1
Critical: 1
KEV overlap: 1 (added same day as Chrome release)
Highlight CVE: CVE-2026-3071 · V8 JavaScript engine · type-confusion leading to sandboxed RCE, exploited in the wild per TAG

Patch priority call

Immediate. When Google ships a single-CVE emergency build and attributes in-the-wild exploitation to TAG, the exploit is typically already in a commercial spyware toolchain and has been for weeks before disclosure — the pattern from the last eight V8 zero-days is consistent. Force Chrome update enterprise-wide tonight via Intune, Jamf, Workspace, or your MDM of choice; do not wait for the user-driven "Relaunch Chrome" prompt to cycle through, because the average user ignores it for 4+ days. The companion action: confirm Edge (same V8 engine) and any Electron-based app in your fleet (Slack, Teams, Notion, 1Password desktop, VS Code) gets its own patch cycle — Electron lags Chromium by 1 to 3 weeks and is the long tail of this CVE. For managed Chromebooks, this is a forced restart. For BYOD, you cannot force anything; update your threat model accordingly.

Priority: Immediate · Google / Chrome
🍎 Apple — iOS 18.5 / macOS 15.5 (24 CVEs · 4 critical, WebKit chain, in-the-wild)
Released: 2026-03-31, Tuesday
Total CVEs: 24
Critical: 4 (3 chained in the wild)
KEV overlap: 3 (the chained WebKit + kernel CVEs)
Highlight CVE: CVE-2026-24441 · WebKit · memory corruption via crafted web content, chained with CVE-2026-24443 (kernel) for full device takeover; Citizen Lab credit, used against journalists

Patch priority call

Immediate for anyone in an elevated-risk role — executives, legal, journalists, activists, M&A deal teams, security staff who carry sensitive data on device. Enforce via MDM (Jamf Pro, Intune, Kandji, Mosyle) as a required minimum OS version with a 48-hour grace period; block access to corporate email and VPN below that version. For everyone else, This Week is fine, but do not let it slip into the following Patch Tuesday cycle because iOS users drift faster than Windows users and the WebKit component is reachable from any rendered HTML in Mail preview, iMessage link unfurls, and in-app browsers. Turn on Lockdown Mode for the named at-risk group if you have not already — it meaningfully reduces the WebKit and JavaScriptCore attack surface and the usability cost is lower than most security leads assume. Remember Apple will not backport to iOS 17; any device on the older major version is now a known-vulnerable asset and should be on a documented replacement plan.

Priority: Immediate (at-risk) · Apple / iOS
🪟 Microsoft — Patch Tuesday March 2026 (82 CVEs · 5 critical)
Released: 2026-03-10, Tuesday
Total CVEs: 82
Critical: 5
KEV overlap: 1 within 10 days
Highlight CVE: CVE-2026-21199 · Microsoft Outlook · NTLM hash leak via crafted meeting invite, no user interaction (preview pane triggers), CVSS 8.1

Patch priority call

This Week, but the Outlook NTLM-leak CVE deserves Immediate treatment in any environment that still has NTLM enabled on domain controllers or on internet-exposed services. The exploitation pattern is straightforward: attacker sends a meeting invite with a UNC path pointing at an attacker-controlled SMB host, Outlook renders the invite, Windows helpfully authenticates with the user's NTLM hash. That hash is crackable offline or usable directly via relay attacks against LDAP, SMB, and AD-CS. Patch Outlook, yes — but also take this month to run Get-ADDefaultDomainPasswordPolicy, confirm your Exchange Online transport rules block external-sender UNC paths, and stand up the Entra ID NTLM decommissioning plan that Microsoft has been asking you to start since 2024. The other four critical CVEs are in the expected places (Windows Hyper-V, SharePoint, Azure Connected Machine Agent); patch on the normal two-week cycle unless you expose those services directly.

Priority: This Week · Microsoft
☁️ VMware — vCenter out-of-band advisory (1 CVE · 1 critical, unauth RCE)
Released: 2026-02-27, Friday (out-of-band)
Total CVEs: 1 (VMSA-2026-0004)
Critical: 1
KEV overlap: 1 (added within 5 days of advisory)
Highlight CVE: CVE-2026-21144 · vCenter Server DCERPC protocol · unauthenticated heap overflow leading to RCE as root on the vCenter appliance, CVSS 9.8

Patch priority call

Immediate — drop everything. vCenter is the most valuable pivot point in almost any virtualized environment: compromising it grants full control of every ESXi host and every VM on the cluster, plus typically domain-admin-equivalent credentials cached in vCenter service accounts. Unauth RCE on vCenter is a once-or-twice-a-year event and every time it has happened (CVE-2021-21972, CVE-2021-21985, the 2023 DCERPC family) mass exploitation followed within 10 to 14 days. Patch tonight if possible. If you cannot patch tonight, the mitigation is strict: confirm vCenter management interfaces are not reachable from the user VLAN or the internet; put an ACL on the management interface that allows only the PAM jump hosts (CyberArk, Delinea, Teleport) on TCP 443/902/2012. Do not accept "it's behind the firewall" as an answer — every vCenter breach of the last five years was "behind the firewall." After patching, check vpxd.log and sps.log for anomalous DCERPC calls in the 30 days prior; the PoC was in private circulation before disclosure.

Priority: Immediate · VMware / Broadcom
🪟 Microsoft — Patch Tuesday February 2026 (56 CVEs · 2 critical)
Released: 2026-02-10, Tuesday
Total CVEs: 56
Critical: 2
KEV overlap: 0 at release; 1 added 21 days later
Highlight CVE: CVE-2026-14011 · Windows LDAP client · heap overflow via crafted referral response, CVSS 8.8, theoretically wormable but no in-the-wild exploitation observed

Patch priority call

Routine. This is the quietest Patch Tuesday of Q1 2026 and you should treat it as a catch-up month: use the cycle to clean up the backlog from January, validate that your Intune/WSUS/Tanium deployment metrics are actually hitting 95%+ within the SLA window you claim in the audit reports, and rehearse the rollback procedure on a canary ring because you will need it during a louder month. The LDAP client CVE is worth noting only because client-side LDAP bugs have a bad history of becoming wormable once a public exploit drops; keep an eye on it for the next 60 days and move to Immediate if a working PoC lands. Do not skip the Azure fixes — the monthly Azure rollup includes a Machine Configuration extension fix (CVE-2026-14039) that affects Arc-enabled servers and tends to get ignored by on-prem teams who do not realize they inherited Arc agents from the hybrid identity project. Check your Arc inventory.

Priority: Routine · Microsoft
🛡️ Fortinet — FortiGate SSL-VPN advisory (1 CVE · 1 critical, pre-auth, exploited)
Released: 2026-02-05, Thursday (FG-IR-26-011)
Total CVEs: 1 (plus 3 lower-severity in same bulletin)
Critical: 1
KEV overlap: 1 (added within 24 hours)
Highlight CVE: CVE-2026-22017 · FortiOS SSL-VPN · pre-auth heap overflow in web portal, CVSS 9.8, exploited in the wild per Fortinet PSIRT and Shadowserver honeypot data

Patch priority call

Immediate. If you have FortiGate SSL-VPN exposed to the internet — and if your FortiGate is edge, you almost certainly do — you should have patched before finishing this paragraph. The CVE is pre-auth, the PoC was in private circulation before disclosure, and Shadowserver is showing thousands of honeypot hits within 48 hours of the advisory. This is the third FortiGate SSL-VPN pre-auth in roughly 18 months; at some point the architectural conclusion has to be that SSL-VPN on edge appliances is a business decision, not a security one, and the decision is getting harder to defend. Tactical response: patch to the fixed firmware listed in FG-IR-26-011, then assume compromise during the exposure window — check /var/log/sslvpnd for unusual POST requests to /remote/ endpoints, check VPN user accounts for additions you did not make, and rotate every local admin credential on the appliance. Strategic: start the migration to ZTNA (Cloudflare, Zscaler ZPA, Netskope Private Access, Tailscale). The SSL-VPN replacement conversation is overdue in most shops.

Priority: Immediate · Fortinet
🐧 Ubuntu — LTS kernel update (USN-7184-1) (6 CVEs · 1 high, local privesc)
Released: 2026-04-05, Sunday
Total CVEs: 6
Critical: 0 (1 high, 5 medium)
KEV overlap: 0 at release
Highlight CVE: CVE-2026-1108 · Linux kernel netfilter (nf_tables) · use-after-free, local unprivileged user to root, affects 22.04 LTS and 24.04 LTS

Patch priority call

This Week for multi-tenant or shared-compute Linux fleets; Routine for single-tenant production workloads that do not run untrusted code. Netfilter local-privesc bugs are the most-exploited Linux kernel class of the last five years — every container-escape scenario involving a shared kernel (Kubernetes nodes shared across teams, Jenkins build runners, GitLab Runners, university HPC clusters, any multi-tenant VPS) treats this as an urgent fix, because a low-privilege pod or user who reaches root on the node effectively reaches root on every workload on that host. Single-tenant production DB servers with no interactive user accounts and no container runtime can wait for the normal maintenance window. Apply via unattended-upgrades if configured, or apt-get install --only-upgrade linux-image-generic with a scheduled reboot — livepatch covers most of these for Ubuntu Pro subscribers, but confirm the exact CVE is in the livepatch feed before relying on it; some netfilter UAFs require a full reboot to fully remediate. Red Hat, Debian, and SUSE will ship equivalents within the week.

Priority: This Week · Linux / Ubuntu

What's not in PatchGrid

I don't cover every vendor bulletin — that's what NVD is for. What lives here is the subset with one of: active exploitation, broad deployment footprint, management-plane exposure, or an exceptionally clean primitive (unauth RCE with a trivial exploit path). If a CVE doesn't fit any of those, it's routine maintenance and I don't clutter the grid with it.