Chromium: CVE-2026-13021 Inappropriate implementation in DeviceBoundSessionCredentials

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVE-2026-13021

Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: High...

CVE-2026-13021

Inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: High...

Google Chrome < 149.0.7827.196 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 149.0.7827.196. It is, therefore, affected by multiple vulnerabilities as referenced in the 202606stable-channel-update-for-desktop0482630350 advisory. - Use after free in Autofill. CVE-2026-13038 - Use after free in WebG...

Google Chrome < 149.0.7827.196 Multiple Vulnerabilities

The version of Google Chrome installed on the remote Windows host is prior to 149.0.7827.196. It is, therefore, affected by multiple vulnerabilities as referenced in the 202606stable-channel-update-for-desktop0482630350 advisory. - Use after free in Autofill. CVE-2026-13038 - Use after free in...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: net: xdp: Device-bound programs are not allowed to be attached in the generic mode. Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadat...

CVE-2026-43007

A flaw was found in the accel/qaic component of the Linux kernel. When a user process terminates before the device's deactivation transaction for a Device-Bound Context DBC is fully processed, the host system can become out of sync with available DBCs. This can lead to a denial of service, where ...

Google Chrome Update Disrupts Infostealer Cookie Theft

Google adds Device Bound Session Credentials DBSC to Chrome 146, using hardware keys to block infostealer use of stolen session cookies on Windows...

Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows

Google has made Device Bound Session Credentials DBSC generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta. The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in a...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004130)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004130 advisory. A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver,...

Abacre Restaurant Point of Sale Insecure Storage

All versions of Abacre Restaurant Point of Sale POS up to 15.0.0.1656 leave device-bound license keys in process memory insecurely...

CVE-2025-60791

Easywork Enterprise 2.1.3.354 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory after a failed activation attempt. The keys can be obtained by attaching a debugger or analyzing the process/memory dump an...

EUVD-2025-5977

Malicious code in bioql PyPI...

Google Launches DBSC Open Beta in Chrome and Enhances Patch Transparency via Project Zero

Google has announced that it's making a security feature called Device Bound Session Credentials DBSC in open beta to ensure that users are safeguarded against session cookie theft attacks. DBSC, first introduced as a prototype in April 2024, is designed to bind authentication sessions to a devic...

iommu/arm-smmu: Defer probe of clients after smmu device bound

...

SUSE CVE-2025-21808

In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means the...

DEBIAN-CVE-2025-21808

In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means the...

CVE-2025-21808

In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means the...

UBUNTU-CVE-2025-21808

In the Linux kernel, the following vulnerability has been resolved: net: xdp: Disallow attaching device-bound programs in generic mode Device-bound programs are used to support RX metadata kfuncs. These kfuncs are driver-specific and rely on the driver context to read the metadata. This means the...

CVE-2025-21808

CVE-2025-21808: Linux kernel vulnerability in net: xdp where device-bound programs could be attached in generic mode, causing metadata kfuncs to run in an invalid context and crash. The fix adds a guard to disallow attaching device-bound programs in generic XDP mode, preventing invalid-context ex...