Joined June 2026
Microsoft's June 2026 Patch Tuesday set a record: ~200 CVEs, the biggest list ever. We diffed ~130 of the patched binaries. Even at 200 CVEs, the advisories don't describe everything that changed. Here's what the diffs show that the CVE text doesn't 🧵
The slickest catch: one feature flag rerouted Kerberos PAC decoding to a new path across THREE binaries - LSASS, Credential Guard (LsaIso), the Kerberos client lib. Kerberos & LSASS did get CVEs this month. The advisories just don't show this cross-binary shape.
The lesson: a record ~200 CVEs still isn't the whole picture. The binary diffs carry hardening the advisories never spell out. We read them so you don't have to. 🦅 PatchHawk #PatchTuesday #infosec
7-Zip 26.01's changelog lists exactly ONE security fix. We diffed the source, 26.00 -> 26.01. It silently shipped 14 MORE. "Some bugs were fixed" was doing a lot of heavy lifting. 🧵
Takeaway: treat 26.01 as a security release, not a point fix. Upgrade from 26.00 even if you think the NTFS CVE doesn't touch you, because 14 more code paths got safer and the changelog won't say so. 🦅 PatchHawk #7zip #infosec
Linux mainline quietly shipped a fix for a remote kernel heap overflow in the iSCSI target. It fires during login, before the CHAP password is ever checked. No CVE. The commit just says "validate CHAP_R length before base64 decode." Only watch CVE feeds? You missed it. 🧵
These are mainline -rc fixes: Cc: stable, no CVE yet by design. CVEs land later, on backport. We read the merge graph so you see them now, not after the feed catches up. 🦅 PatchHawk #LinuxKernel #infosec
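The class of fix named in the quoted commit subject ("validate CHAP_R length before base64 decode"), as an added illustration that is not the kernel's code and not from the thread: the decoded size is computed from the input length and rejected before a single byte is written to the fixed buffer. `DIGEST_LEN`, `decode_response` and `check_response` are hypothetical names, and the 16-byte digest size is an assumption.

```c
#include <stddef.h>
#include <string.h>

#define DIGEST_LEN 16 /* assumed digest size, for illustration only */

/* Map one base64 character to its 6-bit value, or -1 if it is not valid. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out[out_cap]; returns byte count or -1 on reject. */
int decode_response(const char *in, unsigned char *out, size_t out_cap)
{
    size_t len = strlen(in), pad, need, i, o = 0;

    if (len == 0 || len % 4) return -1;
    pad = (size_t)(in[len - 1] == '=') + (size_t)(in[len - 2] == '=');
    need = len / 4 * 3 - pad;
    if (need > out_cap) return -1; /* reject before any byte is written */

    for (i = 0; i < len; i += 4) {
        unsigned int acc = 0;
        int k, v, last = (i + 4 == len);
        for (k = 0; k < 4; k++) {
            /* '=' is accepted only as trailing padding of the final group */
            if (last && k >= 4 - (int)pad && in[i + k] == '=') v = 0;
            else v = b64_val((unsigned char)in[i + k]);
            if (v < 0) return -1;
            acc = (acc << 6) | (unsigned int)v;
        }
        out[o++] = (acc >> 16) & 0xff;
        if (o < need) out[o++] = (acc >> 8) & 0xff;
        if (o < need) out[o++] = acc & 0xff;
    }
    return (int)o;
}

/* Hypothetical caller: attacker-supplied text into a fixed-size digest buffer. */
int check_response(const char *resp)
{
    unsigned char digest[DIGEST_LEN];
    return decode_response(resp, digest, sizeof(digest));
}

int main(void) { return check_response("AAAA" "AAAA" "AAAA" "AAAA" "AAAA" "AA==") == DIGEST_LEN ? 0 : 1; }
```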