Originally reported by The Hacker News, Ars Technica Security, SANS ISC, MSRC Security Updates
TL;DR
Google disclosed active exploitation of a Qualcomm Android vulnerability while Microsoft warned of OAuth redirect campaigns targeting government entities. Meanwhile, SloppyLemming APT actors launched dual malware chains against Pakistan and Bangladesh governments.
Google confirmed active exploitation of CVE-2026-21385 in Android devices, combined with government-targeted campaigns using OAuth redirect abuse and APT activity against Pakistan and Bangladesh governments.
Google disclosed that CVE-2026-21385, a high-severity buffer over-read vulnerability in Qualcomm's Graphics component, has been actively exploited in the wild. The vulnerability carries a CVSS score of 7.8 and affects Android devices using the impacted Qualcomm component.
According to Qualcomm's advisory, the flaw stems from "memory corruption when adding user-supplied data without checking available buffer space." Google's confirmation of active exploitation elevates this from a routine patch to an immediate security concern for Android device users.
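The bug class in Qualcomm's description, appending caller-supplied bytes into a fixed buffer without checking the space left, as an added illustration that is not code from Qualcomm's driver or the Android project: the unchecked append beside a bounded one that fails closed when the data would not fit. The buffer name, its capacity and both function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Fixed-capacity staging buffer standing in for a driver-side buffer.
 * The name and capacity are constructed for this example. */
#define STAGING_CAP 64

struct staging {
    uint8_t data[STAGING_CAP];
    size_t  used;   /* bytes already written; must never exceed STAGING_CAP */
};

/* Unchecked append: the pattern the advisory describes. `len` is whatever
 * the caller passed, and nothing compares it to the remaining space, so an
 * oversize `len` copies past the end of `data`. Shown only as the contrast
 * case; it must never be reached with untrusted input. */
void append_unchecked(struct staging *s, const uint8_t *src, size_t len)
{
    memcpy(s->data + s->used, src, len);
    s->used += len;
}

/* Bounded append: check the remaining space before touching memory and
 * reject anything that does not fit, with no partial copy. The guard on
 * `used` keeps the subtraction from underflowing if the struct was
 * corrupted earlier. Returns true only when the whole chunk was stored. */
bool append_bounded(struct staging *s, const uint8_t *src, size_t len)
{
    if (s->used > STAGING_CAP)      /* inconsistent state: fail closed */
        return false;
    size_t remaining = STAGING_CAP - s->used;
    if (len > remaining)            /* would overrun the buffer: reject */
        return false;
    memcpy(s->data + s->used, src, len);
    s->used += len;
    return true;
}
```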
Microsoft's threat intelligence team identified a sophisticated phishing campaign leveraging OAuth URL redirection mechanisms to bypass conventional email and browser security defenses. The attacks specifically target government and public-sector organizations.
Unlike traditional OAuth token theft campaigns, these attacks redirect victims to attacker-controlled infrastructure without directly compromising authentication tokens. This technique allows threat actors to establish initial access while evading detection mechanisms designed to identify OAuth abuse patterns.
Arctic Wolf researchers attributed a year-long campaign to the SloppyLemming threat cluster, targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. The campaign, active from January 2025 through January 2026, employed dual attack chains delivering BurrowShell malware and a Rust-based payload.
The use of dual attack chains suggests sophisticated threat actor capabilities and redundancy planning, indicating sustained interest in compromising South Asian government networks.
Security researchers highlighted emerging risks from AI agents operating through the Model Context Protocol (MCP). As organizations deploy prompt-driven AI agents with access to enterprise applications and APIs, traditional identity management frameworks struggle to provide visibility and control over these autonomous systems.
The research characterizes AI agents as "identity dark matter" - powerful entities with broad access privileges but limited governance oversight. This represents a growing attack surface as MCP adoption accelerates in enterprise environments.
Google's implementation of developer verification requirements for Android app distribution has sparked industry debate about maintaining Android's open ecosystem while enhancing security. The changes mirror Apple's App Store model but raise questions about preserving Android's historical openness to alternative distribution methods.
Security practitioners must evaluate whether these restrictions meaningfully reduce malware distribution or primarily serve to consolidate Google's platform control.
Microsoft's Security Response Center published information on multiple vulnerabilities across various components:
CVE-2026-23217: RISC-V trace snapshot deadlock in SBI ecall
CVE-2026-23220: ksmbd infinite loop vulnerability
CVE-2026-23224: erofs use-after-free issue in file-backed mounts
CVE-2026-28418: Vim heap-based buffer overflow in Emacs tags parsing
CVE-2026-1979: mruby use-after-free in VM execution
CVE-2025-71237: nilfs2 potential block overflow causing system hangs
CVE-2025-61145: libtiff double free vulnerability in tiffcrop.c
CVE-2025-71162: Tegra ADMA use-after-free vulnerability
CVE-2022-4304: OpenSSL RSA decryption timing oracle
CVE-2023-45229: EDK II Network Package out-of-bounds read
These disclosures span kernel components, image processing libraries, and cryptographic implementations, requiring systematic patching across diverse system components.