829 matches found
June 9, 2026—KB5094042 (Monthly Rollup)
None None...
June 9, 2026—KB5094041 (Monthly Rollup)
None None...
May 12, 2026-Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012 R2 (KB5087049)
None None...
CVE-2026-33390
Summary: CVE-2026-33390 affects Arc sensors’ synchronization in Guardian/CMC prior to version 26.2.0. The root cause is an incorrect privilege assignment where Arc sensors receive CLI permissions during sync, allowing an authenticated user with limited privileges to issue administrative CLI comma...
CVE-2026-33390 Incorrect privilege assignment for Arc sensors in Guardian/CMC before 26.2.0
An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration, and/or affectin...
Incorrect privilege assignment for Arc sensors in Guardian/CMC before 26.2.0
Summary An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. Impact An authenticated user with limited privileges can push administrative CLI commands through the sync, altering the device configuration,...
GO-2026-5523 Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks in github.com/basekick-labs/arc
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks in github.com/basekick-labs/arc...
GO-2026-5457 Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS in github.com/basekick-labs/arc
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS in github.com/basekick-labs/arc...
Astra Linux – Vulnerability in RustC
In the standard library of Rust before version 1.29.0, there is weak synchronization in the Arc::getmut method. This synchronization issue can lead to memory safety issues due to race conditions...
CVE-2026-12348
Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing...
CVE-2026-12348
CVE-2026-12348 concerns Arc Search for Android. The entry describes an address bar spoofing flaw caused by a window.open race condition, enabling a remote attacker to render attacker-controlled content while displaying a trusted domain in the address bar (phishing risk). The CVSSv3.1 vector is pr...
PT-2026-49836
Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing...
CVE-2026-46690
unboundedspsc is an "unbounded" extension of boundedspscqueue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches...
CVE-2026-46690
Summary: CVE-2026-46690 affects the unbounded-spsc crate (0.2.0 and earlier). The vulnerability originates from an unsafe TRANSMUTE in Sender::send (DISCONNECTED branch) that reinterprets a raw pointer to a Producer as a Consumer, creating a fake Arc and enabling out-of-bounds access. This race w...
May 12, 2026—Hotpatch KB5087423 (OS Build 26100.32772)
None None...
GHSA-P2J4-C4G6-RPF5 Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
Summary Arc's user-SQL validator internal/api/query.go:ValidateSQLRequest blocked only readparquet and arcpartitionagg via regex denylist. The broader DuckDB I/O function family — readcsvauto, readcsv, readjson, readjsonauto, readtext, readblob, glob, parquetmetadata, parquetschema, readxlsx, etc...
GHSA-6M57-8R3P-PQX6 unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race
Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...
unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race
Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...
PT-2026-45016
Content removed...
MAL-2026-4481 Malicious code in arc-diag-util (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95f08d97107d726a6ae90afbf8e354b84a7e13d4a236bc8766180a362cc8344c On npm install, the package's postinstall hook runs id to capture the installer's uid/gid/group identity and opens a raw TCP socket to...