FileInfo can escape from a Root in os — CVE-2026-27139

Summary

Advisory CVE-2026-27139. FileInfo can escape from a Root in os Vendor: Microsoft. Source: MSRC. Threat: low. CVSS 2.5. See the official advisory for details.

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds CVE-2026-3731
• pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow CVE-2026-3713
• Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679
• An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability… CVE-2025-69644
• Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information.… CVE-2025-69645
• Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data.… CVE-2025-69646
• GNU Binutils thru 2.46 readelf contains a double free vulnerability… CVE-2025-69650
• GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability… CVE-2025-69649
• GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT)… CVE-2025-69652
• GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free… CVE-2025-69651
• Incorrect enforcement of email constraints in crypto/x509 CVE-2026-27137
• Panic in name constraint checking for malformed certificates in crypto/x509 CVE-2026-27138