Lead story
Patch Tuesday from Hell: 206 Microsoft Fixes, a Chrome Zero-Day, and a Veeam RCE Land on the Same Day
Yesterday was one of the busiest patch days on record. Microsoft dropped fixes for 206 vulnerabilities — the largest Patch Tuesday haul the company has ever shipped — including three zero-days that were publicly known before a patch existed. That last part matters: public disclosure without a patch is an open invitation, and defenders were essentially running blind on at least some of these for a window of time.
The three zero-days span a range of severity. One involves a Windows privilege escalation flaw that was already being discussed in the wild. A separate disclosure that got its own headlines: a researcher known as Nightmare Eclipse had a notably public feud with Microsoft about responsible disclosure timelines, and the patch for at least one of their reported flaws appears to have landed in this batch. The dynamic — researcher going loud, vendor scrambling — is a reminder that the coordination between finders and fixers is still far from smooth.
But Microsoft wasn't the only one shipping urgent fixes. Google issued an emergency update for Chrome addressing CVE-2026-11645, an out-of-bounds memory access bug in V8 — Chrome's JavaScript engine — that's already being exploited in the wild. This is Chrome's fifth exploited zero-day of 2026. Google paid the discovering researcher a $55,000 bounty. The fix is in Chrome 149.0.7827.103; if you haven't restarted your browser recently, you're probably still running a vulnerable version. Chrome is ubiquitous across Australian enterprise desktops and consumer devices alike.
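Because the Chrome fix is tied to one specific build, the practical follow-up is a fleet check. The script below is an added example, not code from the story or from Google: it compares inventory version strings against 149.0.7827.103 component by component as integers (a plain string comparison would wrongly rank "149.0.7827.99" above "149.0.7827.103"), and the host inventory it runs on is constructed.

```python
from __future__ import annotations

# Chrome build that carries the CVE-2026-11645 fix, as stated in the story above.
CHROME_FIXED_VERSION = "149.0.7827.103"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string such as '149.0.7827.103' into a tuple of ints.

    Raises ValueError on anything other than dot-separated non-negative integers,
    so a blank or mangled inventory field is reported instead of silently
    being treated as an old (or new) build.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = CHROME_FIXED_VERSION) -> bool:
    """True if `installed` is at or above the fixed build.

    Components are compared numerically, not lexically, which is the mistake a
    naive string comparison makes. A missing trailing component counts as 0.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into hosts still exposed and hosts patched."""
    exposed, patched = [], []
    for host, version in inventory.items():
        (patched if is_patched(version) else exposed).append(host)
    return {"exposed": sorted(exposed), "patched": sorted(patched)}


if __name__ == "__main__":
    # Constructed sample inventory, as an endpoint-management export might look.
    sample = {
        "desk-01": "149.0.7827.103",
        "desk-02": "149.0.7827.99",
        "desk-03": "148.0.7790.210",
        "desk-04": "149.0.7827.110",
    }
    print(f"still exposed: {triage(sample)['exposed']}")
```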
Veeam also joined the party, patching CVE-2026-44963, a remote code execution flaw in Backup & Replication with a CVSS score of 9.4. Any authenticated domain user could exploit it to run arbitrary code on the backup server. Backup servers are crown-jewel infrastructure — they're what organisations reach for when ransomware hits. A compromised backup server turns a bad day into a catastrophic one. Veeam has been a recurring ransomware target for years; patches here should be treated as drop-everything urgent. Australian organisations using Veeam in domain-joined environments — extremely common across enterprise and government — should prioritise this immediately.
SAP also patched 15 vulnerabilities, four of them critical, affecting NetWeaver and Commerce Cloud. NetWeaver in particular has been a persistent target for nation-state actors this year, and SAP environments tend to sit at the heart of enterprise finance and supply chain operations.
Adobe rounded out patch day with fixes for 123 vulnerabilities across its portfolio, nearly half of them in Experience Manager — Adobe's enterprise web content platform. Arbitrary code execution bugs in a platform that sits on public-facing web infrastructure deserve immediate attention.
The volume here is genuinely worrying in aggregate. CyberScoop noted fears about a "roaring flood of error-riddled software" materialising — and this patch cycle looks like evidence of that. The same AI-assisted vulnerability discovery tools that help defenders find bugs faster are also accelerating the pace at which offensive researchers and threat actors locate them. The patch window — the time between a fix being available and attackers weaponising the vulnerability — is shrinking.
What to do: Prioritise the Chrome update (browser restart, now), Veeam Backup & Replication (patch before the weekend), and the three Microsoft zero-days. SAP NetWeaver follows closely. If your organisation uses Check Point VPN products, CISA has given US federal agencies just 72 hours to patch a separate authentication bypass being actively used by Qilin ransomware affiliates — treat that timeline as a reasonable benchmark regardless of jurisdiction.
