This Week in Security: Docker Auth, Windows Tools, and a Very Full Patch Tuesday

CVE-2026-34040 allows attackers to bypass some Docker authorization plugins by sending an empty request body. The bug stems from an earlier fix to the auth workflow, made in 2024. In the 2024 bug, the authorization system could be tricked into passing a zero-length request to the authorization plugin; in the current vulnerability, it can be tricked into dropping a very large authorization request and again passing a zero-length request to the plugin.
In both cases, the plugin may mishandle the malicious request and allow the creation of Docker images with access to databases and secrets.
Bugs like this matter more now because AI agents that drive Docker, such as OpenClaw, can be tricked by prompt injection into triggering the vulnerability.
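An added illustration, not code from Docker or from this article, of the fail-closed check an authorization plugin needs so that a stripped or truncated body is never treated as harmless: the request field names are my assumption about the plugin request shape, and the mount policy and sample requests are constructed.

```python
import json

# Request fields (RequestMethod, RequestUri, RequestBody) are modelled on the Docker
# authorization-plugin API as I understand it; treat the names as an assumption.
MAX_BODY = 1 << 20     # constructed cap on a forwarded body; tune to the daemon's limit
SENSITIVE = ("/run/secrets", "/var/run/docker.sock")   # constructed sample policy

def _binds(spec: dict) -> list:
    return (spec.get("HostConfig") or {}).get("Binds") or []

def lenient_allow(req: dict) -> bool:
    """Vulnerable pattern: an empty body means 'nothing to inspect', so the request passes."""
    body = req.get("RequestBody") or b""
    if not body:
        return True              # the bypass: a zero-length body is waved through unexamined
    spec = json.loads(body)
    return not any(b.startswith(SENSITIVE) for b in _binds(spec))

def fail_closed_allow(req: dict) -> bool:
    """Hardened: for a create request, an empty, oversized or unparseable body is denied."""
    if not (req.get("RequestMethod") == "POST" and "/containers/create" in req.get("RequestUri", "")):
        return True              # constructed: other endpoints are out of scope for this check
    body = req.get("RequestBody") or b""
    if not body or len(body) > MAX_BODY:
        return False             # a body that was stripped or truncated cannot be judged safe
    try:
        spec = json.loads(body)
    except ValueError:
        return False
    return not any(b.startswith(SENSITIVE) for b in _binds(spec))

# Constructed requests: a normal create, one that mounts secrets, and the stripped-body case.
CREATE = {"RequestMethod": "POST", "RequestUri": "/v1.45/containers/create"}
BENIGN = dict(CREATE, RequestBody=json.dumps({"Image": "alpine"}).encode())
MOUNTS_SECRETS = dict(CREATE, RequestBody=json.dumps(
    {"Image": "alpine", "HostConfig": {"Binds": ["/run/secrets:/s"]}}).encode())
EMPTY = dict(CREATE, RequestBody=b"")
```

Run the two decision functions over EMPTY to see the difference: the lenient version approves it, the fail-closed version denies it.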
videocardz.com notes that the popular Windows monitoring tools CPU-Z and HWMonitor appear to have been compromised. Reports indicate that the download site, not the packages themselves, was compromised, and that it was redirecting update requests to packages that included malware. The site has since been fixed, but unfortunately there appears to have been no warning to users that downloads were compromised for some time.
Relatedly, there has been a rash of Discord account takeovers in the past week, in which long-standing accounts on multiple servers have been compromised and turned into spambots. While there is no evidence that these events are connected, there is apparently new or updated info-stealing malware at play, including malware that steals Discord session information.
X.Org and XWayland Updated
The X.Org and XWayland servers saw security updates this week, fixing several vulnerabilities including use of uninitialized memory, use-after-free, and out-of-bounds reads past the end of a buffer.
The risk is usually classified as “moderate”, but of course, don’t leave a known vulnerability unpatched if you can avoid it! A fixed release should find its way to distributions soon.
OpenSSL 4.0 Released
OpenSSL released version 4.0 this week, adding support for Encrypted Client Hello (ECH, RFC 9849) and deprecating some old SSL 2.0 behavior.
Encrypted Client Hello is a new enhancement to the TLS client handshake. When a client connects to a TLS server such as a website, one of the first messages sent is the Client Hello, which contains the TLS version, the supported algorithms, and, importantly, the name of the server the client is connecting to (the Server Name Indication, or SNI). Including the server name in the hello allows modern multi-hosted and cloud-based websites to work, because it tells the server which site and which certificate should handle the request, but it also reveals the host name the user is connecting to.
With ECH, the Client Hello is split into an outer and an inner part, with the real host name encrypted inside the inner message. The outer message carries only a public name, enough to route the request to a front-end server that is responsible for decrypting the inner message and forwarding the request to the appropriate backend. An ISP, for example, can see that a user has connected to a website on Cloudflare’s infrastructure, but not which of the websites hosted on Cloudflare.
For individually hosted sites, the value of ECH is debatable: without a shared front-end fronting many hosts, the outer host name still identifies the site. For sites behind shared load balancers, though, it gives users real protection against having their browsing habits identified. ECH brings more complexity, but adding new standards like it at least moves the needle towards better user privacy and protection by default.
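An added illustration, not code from the article or from OpenSSL, of what a passive on-path observer can read from the two handshakes described above: a minimal Python builder for a Client Hello with SNI and ECH extensions, and the extension walk an observer would perform. The host names are constructed, and zeroed placeholder bytes stand in for the HPKE ciphertext that a real ECH extension carries.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint used by the ECH drafts

def sni_extension(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type = host_name(0)
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT, len(lst)) + lst

def ech_extension(payload: bytes) -> bytes:
    # Real ECH carries the HPKE-encrypted inner ClientHello here; it is opaque to observers.
    return struct.pack("!HH", ECH_EXT, len(payload)) + payload

def client_hello(extensions: bytes) -> bytes:
    body = b"\x03\x03" + bytes(32)    # legacy_version 1.2, 32-byte random (constructed zeros)
    body += b"\x00"                   # empty legacy_session_id
    body += b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"               # one compression method: null
    return body + struct.pack("!H", len(extensions)) + extensions

def parse_extensions(hello: bytes) -> dict:
    # Walk the ClientHello body the way a passive observer would, collecting extensions.
    pos = 2 + 32
    pos += 1 + hello[pos]                                      # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]      # cipher suites
    pos += 1 + hello[pos]                                      # compression methods
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end, exts = pos + ext_len, {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        exts[etype] = hello[pos:pos + elen]; pos += elen
    return exts

def observed_sni(hello: bytes):
    data = parse_extensions(hello).get(SNI_EXT)
    if data is None:
        return None
    name_len = struct.unpack("!H", data[3:5])[0]   # skip list length (2) and name_type (1)
    return data[5:5 + name_len].decode()

def uses_ech(hello: bytes) -> bool:
    return ECH_EXT in parse_extensions(hello)

# Constructed: without ECH the real name is in the clear for anyone on the path.
PLAIN = client_hello(sni_extension("private-site.example"))
# With ECH the real name sits only in the inner hello; the outer hello shows the public name.
INNER = client_hello(sni_extension("private-site.example"))
OUTER = client_hello(sni_extension("shared-frontend.example") + ech_extension(bytes(len(INNER))))
```

Feeding PLAIN to observed_sni yields the private host name, while OUTER yields only the shared front-end's public name even though uses_ech reports the ECH extension is present.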
Rockstar Games has been hacked (again)
Rockstar Games (of Grand Theft Auto and Red Dead Redemption fame) was breached by a ransomware/extortion group. If this sounds familiar, the company was also breached in 2022, when unreleased GTA 6 game content was stolen.
This time around, the breach was actually of data held at the cloud data platform Snowflake, reached through another service, Anodot, which is used for cloud monitoring and analytics. Bleeping Computer reports that the Anodot breach was used to access the Snowflake data, which is now being used to extort Rockstar.
Rockstar says the stolen data doesn’t affect players or the company’s operations, and that it won’t pay a ransom.
Linux Kernel OOB in Certificate Handling
Linux Kernel 7.0 is being released this week, and includes a fix for an out-of-bounds memory access in certificate handling. The fix is also backported to the stable and LTS kernels (Linux 6.4, 6.6 LTS, 6.12 LTS, 6.18 LTS, and 6.19), so watch out for updates!
The out-of-bounds bug lies in the kernel keyring API: any user on the system can submit an invalid certificate to the kernel keyring. In this particular case the impact seems to be limited to kernel crashes rather than privilege escalation.
NIST No Longer Enriches CVEs
NIST is no longer enriching CVE entries in the National Vulnerability Database, except for those in the Known Exploited Vulnerabilities catalog used by the federal government and those in selected critical software. Previously, the NIST NVD provided additional information and severity scores for reported vulnerabilities. Citing a lack of funds and the very large number of reported vulnerabilities, NIST will no longer provide updated severity scores or information for the rest.
It’s understandable, but it’s a genuine loss to the security community, and to the Internet in general, when we lose independent analysis and commentary on vulnerabilities. Details of CVEs and vulnerabilities are often provided by the vendor itself, which can lead in some cases to a culture of “malicious compliance”, where the disclosed information is technically correct and complete but contains little or no detail and understates the impact. Third-party analysis and scoring by organizations such as NIST adds the context that makes such reports truly valuable.
Patch Tuesday, Everybody Panic!
OK – don’t actually panic, but if you’re a Microsoft user, you already know. This month’s Patch Tuesday – Microsoft’s scheduled update day, for anyone lucky enough not to have noticed – includes more than 160 security updates. This makes it the second-largest Patch Tuesday. It includes fixes for the publicly available Bluehammer exploit that bypasses Windows Defender, and patches for more than 60 browser vulnerabilities.
Additionally, Chrome published fixes for 20 vulnerabilities, and Adobe published fixes for Reader, with both vendors reporting that the bugs are already being exploited in the wild.
This is your monthly reminder to install security updates as soon as they become available, on whatever platform you use. Unknown zero-day exploits may get the attention, but outdated software with known, patched bugs is a huge vector for exploitation and malware. Once a bug is public and patched, attackers have no reason to hold back exploits for targeted use; the days and weeks after a public fix often bring a wave of automated exploitation, and many of the biggest attacks exploit vulnerabilities that were fixed weeks or months earlier.
Botconf Talks Stream
Finally, as a quick aside for anyone interested in more related content, the Botconf EU conference on combating botnets and malware is streaming its talks; by the time this post goes live the conference will likely be over, but the talk stream is still available!