Kyungdong Kim(kancho)

Linux mainline quietly shipped a fix for a remote kernel heap overflow in the iSCSI target. It fires during login, before the CHAP password is ever checked. No CVE. The commit just says "validate CHAP_R length before base64 decode." Only watch CVE feeds? You missed it. 🧵

Related Link 👇 https://t.co/hQsJHxRVnK

The slickest catch: one feature flag rerouted Kerberos PAC decoding to a new path across THREE binaries - LSASS, Credential Guard (LsaIso), the Kerberos client lib. Kerberos & LSASS did get CVEs this month. The advisories just don't show this cross-binary shape.

Microsoft's June 2026 Patch Tuesday set a record: ~200 CVEs, the biggest list ever. We diffed ~130 of the patched binaries. Even at 200 CVEs, the advisories don't describe everything that changed. Here's what the diffs show that the CVE text doesn't 🧵

7-Zip 26.01's changelog lists exactly ONE security fix. We diffed the source, 26.00 -> 26.01. It silently shipped 14 MORE. "Some bugs were fixed" was doing a lot of heavy lifting. 🧵

🦅 Silent Patch Watch Vendors often ship real security fixes as "minor bug fixes" — no CVE, no advisory. Every Thursday we diff a release and show the one that actually mattered, so you can update before attackers notice. Follow + 🔖 for the first issue this week.

Does anyone remember the 'CVE-2026-21509' in January 2026? To learn more about the patching mechanism for CVE-2026-21509, please follow the link below. https://t.co/6QNwLbtggt Thank you.

Windows Remote Desktop Licensing Service Pre-auth RCE (CVE-2024-38077) Analysis https://t.co/bObMB5TIUR