Dirty Frag is a local privilege escalation that writes to the Linux page cache via ESP-in-UDP and RxRPC receive paths. The algif_aead workaround from Copy Fail doesn't help, and the two attack paths complement each other to bypass Ubuntu's AppArmor restrictions on user namespaces.
Android's May 2026 bulletin patches CVE-2026-0073, a Wireless ADB auth bypass from mishandled EVP_PKEY_cmp return values. Adjacent network attackers bypass mutual TLS and get shell-level RCE on Android 14 through 16-qpr2. AOSP diff and impact breakdown included.
CVE-2026-26268, fixed in Cursor 2.5, allowed AI agents to rewrite insufficiently protected .git config and Git hooks, leading to out-of-sandbox RCE on the next Git operation.
CVE-2026-31431 Copy Fail is a Linux kernel local privilege escalation bug that lets an unprivileged user write 4 controlled bytes into the page cache via AF_ALG + algif_aead. On containers and CI runners it turns into host compromise.
A regression in cryptographic signature validation introduced a CVSS 9.1 flaw into .NET 10.0. The Data Protection API implemented HMAC verification incompletely, opening the door to padding oracle attacks and forged authentication tokens.
The WordPress plugin Vertex Addons for Elementor (<= v1.6.4) has a broken authorization check in activate_required_plugins() that lets Subscriber-level users install and activate arbitrary plugins. CWE-862, CVSS 8.8.
CVE-2026-34197 (CVSS 8.8), an RCE in Apache ActiveMQ Classic that lurked for 13 years, was added to the CISA KEV catalog. Authenticated attackers can achieve remote code execution via the Jolokia API. Affects versions below 5.19.4 and 6.0.0–6.2.2.
NIST has changed NVD's operational policy. Full CVE enrichment is over — only CISA KEV, federal software, and EO 14028 critical software will be prioritized.
Microsoft's second-largest Patch Tuesday ever. SharePoint Server XSS zero-day (CVSS 6.5) confirmed in active exploitation and added to CISA KEV. Windows Defender BlueHammer LPE (CVSS 7.8) has a full public PoC. Also includes a wormable IKE RCE at CVSS 9.8.
CISA added 7 actively exploited vulnerabilities to the KEV catalog including FortiClient EMS SQL injection (CVSS 9.1). Federal deadline is April 16 for Fortinet, April 27 for the remaining six.
A CVSS 9.4 file upload vulnerability in ShowDoc, disclosed in 2020, was first observed being exploited in the wild by VulnCheck Canaries in April 2026. Over 2,000 exposed instances remain, primarily in China.