Cyber Threat Brief — June 9 2026
1. Chrome V8 OOB Read/Write Zero-Day — CVE-2026-11645
TL;DR: Google patched the 5th Chrome zero-day of 2026 today — a high-severity V8 OOB read/write (CVSS 8.8) exploited in the wild. Update to Chrome 149.0.7827.102+ immediately.
What’s New:
- OOB read/write in the V8 JavaScript engine enables code execution inside the sandbox via a crafted HTML page
- Heap corruption can bypass ASLR, lowering the bar for chained RCE
- Reported April 27 by researcher ‘303f06e3’; $55,000 bounty awarded
- Fixed in Chrome 149.0.7827.102 (Linux) / .103 (Windows/macOS), rolling out now
- Google withholding exploitation details per standard zero-day policy
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Chrome < 149.0.7827.102 | Vulnerable Version | T1189 | Endpoint inventory / SCCM | Force-update or block |
| Suspicious browser child processes | Behavior | T1189 / T1059 | EDR (Sysmon EID 1, CrowdStrike) | Hunt for chrome.exe spawning cmd/powershell/wscript |
| Crafted HTML pages via email/ads | Delivery | T1566.002 | Proxy logs, email gateway | Monitor for unusual redirects to exploit kit domains |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Chrome-specific exploitation rule; need browser child process hunt |
| Elastic | Suspicious Browser Child Process (macOS) | Windows/Linux coverage gap |
| Sigma | proc_creation_win_browsers_suspicious_child_process.yml | Partial — triggers on known child process patterns only |
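As an added example for the browser child-process hunt in the tables above (written for this brief; not a rule from Splunk, Elastic or the Sigma project), a Python hunt over Sysmon EID 1 events that flags chrome.exe spawning cmd/powershell/wscript while skipping Chrome's own renderer and utility children. The event XML is constructed, and the browser and child-process name sets are assumptions you would tune to your fleet.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BROWSERS = {"chrome.exe"}                                            # assumed parent set
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}  # per the brief


def _event_data(event):
    """Flatten a Sysmon <EventData> element into a {Name: text} dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", SYSMON_NS)}


def hunt_browser_children(xml_text):
    """Return (parent, child, command line) for EID 1 events where a browser
    spawns a shell or script host. Browser-spawning-browser children
    (renderer/utility processes) are expected and are not reported."""
    hits = []
    for event in ET.fromstring(xml_text).findall("e:Event", SYSMON_NS):
        if event.findtext("e:System/e:EventID", namespaces=SYSMON_NS) != "1":
            continue  # only process-creation events carry Image/ParentImage
        data = _event_data(event)
        parent = PureWindowsPath(data.get("ParentImage", "")).name.lower()
        child = PureWindowsPath(data.get("Image", "")).name.lower()
        if parent in BROWSERS and child in SUSPICIOUS_CHILDREN:
            hits.append((parent, child, data.get("CommandLine", "")))
    return hits


# Constructed sample events (not real telemetry): a renderer child, a
# PowerShell child, and a network event that must be ignored.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="Image">C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</Data>
 <Data Name="CommandLine">chrome.exe --type=renderer</Data>
 <Data Name="ParentImage">C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
 <Data Name="CommandLine">powershell.exe -File update.ps1</Data>
 <Data Name="ParentImage">C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="Image">C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</Data>
</EventData></Event>
</Events>"""

if __name__ == "__main__":
    print(hunt_browser_children(SAMPLE_EVENTS))
```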
Sources: Help Net Security, BleepingComputer, SecurityWeek
2. NGINX Heap Buffer Overflow — CVE-2026-42945
TL;DR: An 18-year-old heap buffer overflow in NGINX’s rewrite module (CVSS 9.2) has public RCE PoCs and confirmed active exploitation since May 16. Affects every NGINX build from 0.6.27 to 1.30.0. Patch to 1.30.1+.
What’s New:
- State mismatch in the script engine: the is_args flag from the length-calculation phase leaks into the copy phase, causing ngx_escape_uri to write past the allocated buffer
- PoC delivers 349 safe padding bytes + 2,000 URI-escapable chars ('+') for a deterministic 4,000-byte heap overflow
- With ASLR disabled: full RCE. With ASLR enabled: worker crash (DoS), plus a cross-request heap-shaping technique documented to defeat ASLR
- VulnCheck canary systems flagged exploitation May 16, three days after May 13 disclosure
- GitHub PoCs: cipherspy/CVE-2026-42945-POC, p3Nt3st3r-sTAr/CVE-2026-42945-POC
- Also impacts NGINX Plus R32–R36 and Ingress-NGINX in Kubernetes environments
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| NGINX < 1.30.1 / Plus < R37 | Vulnerable Version | T1190 | Asset inventory | Patch immediately |
| Rewrite rules with unnamed PCRE captures and a ? in the replacement | Config Prerequisite | T1190 | nginx.conf audit | Identify exposed configs |
| HTTP requests with 2,000 or more + characters in the URI | Exploit Payload | T1190 | WAF / access.log | Block or alert on anomalous URI length |
| NGINX worker crash/restart loops | Exploitation Indicator | T1499.004 | error.log, systemd journal | Alert on rapid worker respawns |
| Heap spray via crafted POST bodies | Exploit Technique | T1190 | PCAP / WAF | Inspect large POST followed by rewrite-triggering GET |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No NGINX-specific exploitation rule |
| Elastic | None | No coverage for NGINX heap overflow patterns |
| Sigma | None | No rule for NGINX worker crash patterns or URI anomaly |
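As an added starting point for the NGINX gaps above (example code written for this brief, not from any listed vendor or source): two Python checks, one over combined-format access.log lines for URIs carrying 2,000 or more '+' characters, and one over nginx.conf for rewrite directives that pair an unnamed PCRE capture with a '?' in the replacement. The log lines and config fragment are constructed, and the rewrite parser is a one-line-per-directive heuristic, not a full nginx configuration parser.

```python
import re

# Advisory threshold: the public PoC sends roughly 2,000 '+' characters in the URI.
PLUS_THRESHOLD = 2000
# Combined log format: client - user [time] "METHOD URI PROTO" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# 'rewrite REGEX REPLACEMENT [FLAG];' directives, one per line (heuristic)
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;', re.M)
# An unescaped '(' not followed by '?' opens an unnamed PCRE capture group
UNNAMED_CAPTURE_RE = re.compile(r'(?<!\\)\((?!\?)')


def flag_plus_heavy_requests(log_text, threshold=PLUS_THRESHOLD):
    """Return (client, method, plus_count) for requests whose URI carries
    at least `threshold` literal '+' characters."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip rather than guess
        client, _ts, method, uri, _status, _size = m.groups()
        plus_count = uri.count("+")
        if plus_count >= threshold:
            hits.append((client, method, plus_count))
    return hits


def audit_rewrite_rules(conf_text):
    """Return (regex, replacement, flag) for rewrite directives that combine an
    unnamed PCRE capture with a '?' in the replacement, the shape the brief names."""
    exposed = []
    for regex, replacement, flag in REWRITE_RE.findall(conf_text):
        regex = regex.strip("\"'")
        if UNNAMED_CAPTURE_RE.search(regex) and "?" in replacement:
            exposed.append((regex, replacement, flag))
    return exposed


# Constructed sample data (not real traffic and not a real server config).
SAMPLE_ACCESS_LOG = "\n".join([
    '10.0.0.5 - - [09/Jun/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jun/2026:10:00:02 +0000] "GET /old/' + "+" * 2100 + ' HTTP/1.1" 500 0',
    '10.0.0.9 - - [09/Jun/2026:10:00:03 +0000] "GET /search?q=a+b+c HTTP/1.1" 200 1024',
])
SAMPLE_CONF = """
server {
    rewrite ^/old/(.*)$ /new/$1? permanent;
    rewrite ^/api/(?<ver>v\\d+)/(.*)$ /$ver/$2 last;
    rewrite ^/static/(.*)$ /assets/$1 break;
}
"""
```

Only the second log line and the first rewrite directive should be reported; the named-capture and no-'?' rules are left alone.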
Sources: SecurityWeek (exploitation begins), Help Net Security, Akamai analysis, SecurityOnline PoC disclosure
3. Microsoft Exchange OWA Zero-Day (XSS to Session Hijack) — CVE-2026-42897
TL;DR: Unpatched Exchange OWA XSS (CVSS 8.1) exploited ITW since May 14 via crafted email — JavaScript executes in authenticated OWA session, enabling mailbox takeover. No permanent patch; Patch Tuesday is tomorrow June 10.
What’s New:
- Crafted email opened in OWA triggers XSS — arbitrary JS in victim’s authenticated session
- Enables: session token theft, mailbox impersonation, email rule manipulation, settings modification
- Affects Exchange Server 2016, 2019, and Subscription Edition (on-prem only; Exchange Online not affected)
- Microsoft disclosed May 14, deployed EEMS emergency mitigation same day
- CISA KEV added May 15, federal deadline was May 29
- No permanent patch after 26 days; next Patch Tuesday is tomorrow June 10
- EEMS mitigation reported to cause side-effects for some orgs (OWA rendering issues)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Emails with embedded JS/XSS payloads to OWA | Delivery | T1566.001 | Exchange message tracking, email gateway | Scan inbound HTML email for script injection |
| OWA session token exfiltration | Exploitation | T1539 | IIS W3SVC logs, proxy logs | Hunt for unusual OWA session reuse from different IPs |
| New inbox rules created post-exploitation | Persistence | T1137.005 | Exchange audit log (Set-InboxRule) | Alert on rule creation with external forwarding |
| EEMS mitigation enabled | Mitigation | — | Exchange Health Checker | Verify EEMS active on all OWA servers |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Exchange Audit Log Monitoring (generic) | No specific CVE-2026-42897 XSS payload detection |
| Elastic | None specific | No OWA XSS exploitation rule |
| Sigma | None specific | Gap: need rule for suspicious Set-InboxRule after OWA XSS indicators |
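As an added example for the Set-InboxRule gap above (written for this brief; not a Microsoft, Splunk, Elastic or Sigma rule), a Python check over Exchange admin-audit records that reports New-InboxRule / Set-InboxRule calls whose forwarding or redirect target lies outside the organisation's mail domains. The record shape (CmdletName plus CmdletParameters name/value pairs), the internal domain set and the sample records are all assumptions constructed for the example.

```python
# Assumed organisation mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"corp.example"}
RULE_CMDLETS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule parameters that move mail to another recipient.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def external_forwarding_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Return (caller, cmdlet, target) for inbox-rule cmdlets whose forwarding
    or redirect target is outside `internal_domains`. Targets without an '@'
    (display names) cannot be resolved here and are reported for review."""
    hits = []
    for rec in records:
        cmdlet = rec.get("CmdletName")
        if cmdlet not in RULE_CMDLETS:
            continue  # e.g. Set-Mailbox forwarding is a separate hunt
        params = {p["Name"]: str(p["Value"]) for p in rec.get("CmdletParameters", [])}
        for name in sorted(FORWARDING_PARAMS):
            for target in params.get(name, "").split(";"):
                target = target.strip()
                if not target:
                    continue
                domain = target.rsplit("@", 1)[-1].lower()
                if domain not in internal_domains:
                    hits.append((rec.get("Caller"), cmdlet, target))
    return hits


# Constructed sample audit records (shape approximates admin-audit output).
SAMPLE_AUDIT = [
    {"Caller": "corp.example/Users/alice", "CmdletName": "Set-InboxRule",
     "CmdletParameters": [{"Name": "Identity", "Value": "Archive"},
                          {"Name": "ForwardTo", "Value": "ext-drop@mail.example.net"}]},
    {"Caller": "corp.example/Users/bob", "CmdletName": "New-InboxRule",
     "CmdletParameters": [{"Name": "Name", "Value": "Team"},
                          {"Name": "RedirectTo", "Value": "team@corp.example"}]},
    {"Caller": "corp.example/Users/carol", "CmdletName": "Set-Mailbox",
     "CmdletParameters": [{"Name": "ForwardingSmtpAddress", "Value": "x@mail.example.net"}]},
]

if __name__ == "__main__":
    print(external_forwarding_rules(SAMPLE_AUDIT))
```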
Sources: Dark Reading, SecurityWeek, TechTimes (mitigation gaps), Microsoft Tech Community
Status Updates
- CVE-2026-20245 (Cisco SD-WAN Manager): Still no patch; 7th SD-WAN zero-day of 2026; Mandiant-reported ITW exploitation continues; monitor /var/log/scripts.log for anomalies. Original brief.
- CVE-2026-41089 (Windows Netlogon): Active exploitation ongoing per Belgium CCB; ensure May 2026 Patch Tuesday applied to all domain controllers; hunt for anomalous Netlogon service crashes (EID 7034/1000). Original brief.
- CVE-2026-42897 (Exchange OWA): Patch Tuesday tomorrow June 10 — monitor for permanent fix release. [See threat #3 above].