DirtyDecrypt PoC proves local root via Linux RxGK page cache writes on Fedora, Arch, and Tumbleweed with CONFIG_RXGK=y. NVD describes CVE-2026-31635 only as a DoS; Ubuntu LTS and Debian stable stock kernels are not affected. Check commands and container mitigation included.
Chaotic Eclipse's MiniPlasma takes SYSTEM on fully patched Windows 11 May 2026 by re-triggering CVE-2020-17103 in cldflt.sys, the same bug James Forshaw reported in 2020 and Microsoft supposedly fixed that December. Will Dormann confirmed the PoC works; the latest Insider Canary blocks it. No new CVE assigned yet, and the regression sits next to the actively exploited CVE-2025-62221 in the same driver.
Chaotic Eclipse released YellowKey and GreenPlasma PoCs one day after May 2026 Patch Tuesday. A USB-borne FsTx folder plus a Ctrl-key reboot drops cmd.exe inside WinRE on a BitLocker-protected machine. Covers WinRE-only behavior, the CTFMON SYSTEM elevation path, the RedSun silent-patch dispute, and what defenders can actually do while unpatched.
What to patch, rotate, and grep after OpenClaw 2026.4.22. Walks through CVE-2026-44112/44113/44115/44118 as one chain on the agent runtime, with detection log fields and 24h/1w response steps.
Composer 2.9.8/2.2.28 fix CVE-2026-45793: GitHub's new GITHUB_TOKEN includes hyphens that Composer's old regex rejects, leaking the token into CI logs as plaintext.
Fragnesia (CVE-2026-46300) overwrites the Linux page cache via XFRM ESP-in-TCP. The Dirty Frag workaround still applies, but IPsec hosts need to check side effects first.
137 CVEs, no zero-days. Netlogon and DNS Client RCEs (both CVSS 9.8) lead — compared against ZeroLogon/SIGRed, with patch priority tiers and detection notes for SOC teams.
CVE-2026-42945 hits the rewrite module of nginx 0.6.27–1.30.0 with a heap overflow. CVSS 9.2, but it only fires on specific rewrite+capture+set patterns. How to check with nginx -T and what to patch.
NVD API queries: kernel CVEs return Analyzed but SuperAGI CVE-2026-6584 stays Deferred with no CPE. Maps Snyk, Trivy, Grype, Dependabot, OSV-Scanner reliance on NVD vs GHSA/OSV.
Out-of-bounds read in Ollama's GGUF loader before 0.17.1. If your Ollama API is network-accessible, a crafted model file can exfiltrate env vars, API keys, system prompts, and conversation fragments from process memory.
PA-Series and VM-Series with User-ID Authentication Portal exposed to untrusted traffic. CL-STA-1132 achieved root RCE, wiped crash logs, enumerated AD, and deployed EarthWorm and ReverseSocks5. Patches start May 13; interim mitigations and forensic indicators for exposed portals.