CVE-2026-46690

Summary: CVE-2026-46690 affects the unbounded-spsc crate (0.2.0 and earlier). The vulnerability originates from an unsafe TRANSMUTE in Sender::send (DISCONNECTED branch) that reinterprets a raw pointer to a Producer as a Consumer, creating a fake Arc and enabling out-of-bounds access. This race w...

May 12, 2026—Hotpatch KB5087423 (OS Build 26100.32772)

May 12, 2026—Hotpatch KB5087423 OS Build 26100.32772 This update applies to Windows Server 2025 Datacenter & Standard machines connected to Azure Arc. To learn more about differences between security updates, optional non-security preview updates, out-of-band OOB updates, and continuous innovatio...

June 9, 2026—KB5094041 (Monthly Rollup)

June 9, 2026—KB5094041 Monthly Rollup Important The installation of this Extended Security Update ESU might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012 R2. For a successful installation, please make sure all Subset of endpoints for ESU only a...

June 9, 2026—KB5094042 (Monthly Rollup)

June 9, 2026—KB5094042 Monthly Rollup Important The installation of this Extended Security Update ESU might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU only are...

GHSA-P2J4-C4G6-RPF5 Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks

Summary Arc's user-SQL validator internal/api/query.go:ValidateSQLRequest blocked only readparquet and arcpartitionagg via regex denylist. The broader DuckDB I/O function family — readcsvauto, readcsv, readjson, readjsonauto, readtext, readblob, glob, parquetmetadata, parquetschema, readxlsx, etc...

unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race

Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...

GHSA-6M57-8R3P-PQX6 unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race

Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...

PT-2026-45016

Content removed...

MAL-2026-4481 Malicious code in arc-diag-util (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95f08d97107d726a6ae90afbf8e354b84a7e13d4a236bc8766180a362cc8344c On npm install, the package's postinstall hook runs id to capture the installer's uid/gid/group identity and opens a raw TCP socket to...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: ARC: mm: fix leakage of memory allocated for PTE Since the commit d9820ff “ARC: mm: switch pgtablet back to struct page ”, a memory leakage problem occurred. Memory allocated for page table entries wasn’t released during process...

May 12, 2026—KB5087471 (Monthly Rollup)

May 12, 2026—KB5087471 Monthly Rollup Important The installation of this Extended Security Update ESU might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012 R2. For a successful installation, please make sure all Subset of endpoints for ESU only a...

May 12, 2026-Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012 R2 (KB5087049)

May 12, 2026-Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012 R2 KB5087049 Applies to: Microsoft .NET Framework 3.5 Important The installation of this Extended Security Update ESU might fail when you try to install it on an Azure Arc-enabled device that is running Window...

May 12, 2026—KB5087470 (Monthly Rollup)

May 12, 2026—KB5087470 Monthly Rollup Important The installation of this Extended Security Update ESU might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU only are...

Astra Linux - уязвимость в rustc

In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::getmut method. This synchronization issue can be lead to memory safety issues through race conditions...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.114.0 <=0.120.0), ai.ancf.lmos:arc-memory-mongo-spring-boot-starter (>=0.114.0 <=0.120.0) +4727 more potentially affected by CVE-2026-40973 via org.springframework.boot:spring-boot (>=3.4.0 <=3.4.13)

org.springframework.boot:spring-boot MAVEN version =3.4.0, =0.114.0, =0.114.0, =0.114.0, =0.114.0, =0.5.0, =0.8.0, =1.17.0, =1.17.0, =1.17.0, =0.0.1, =0.0.1, =0.25.7-rc.64, =0.25.7-rc.68 and more Source cves: CVE-2026-40973 Source advisory: OSV:GHSA-WWPQ-F5C3-7HVX...

ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +20513 more potentially affected by CVE-2026-40974 via org.springframework.boot:spring-boot-autoconfigure (>=3.0.0 <=3.5.13)

org.springframework.boot:spring-boot-autoconfigure MAVEN version =3.0.0, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.6.0 - ai.ancf.lmos:lmos-router-hybrid-spring-boot-starter =0.1.0 - ai.ancf.lmos:lmos-router-llm-in-spring-cloud-gateway-demo =0.1.0 -...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013785)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013785 advisory. In the Linux kernel, the following vulnerability has been resolved: serial: arcuart: fix ofiomap leak in arcserialprobe Smatch reports:...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010788)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010788 advisory. In the Linux kernel, the following vulnerability has been resolved: serial: arcuart: fix ofiomap leak in arcserialprobe Smatch reports:...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007452)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007452 advisory. In the Linux kernel, the following vulnerability has been resolved: serial: arcuart: fix ofiomap leak in arcserialprobe Smatch reports:...

April 14, 2026—KB5082127 (Monthly Rollup)

April 14, 2026—KB5082127 Monthly Rollup Important The installation of this Extended Security Update ESU might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU only ar...