Researcher Hyunwoo Kim disclosed Dirty Frag yesterday after an unrelated third party broke the embargo five days early. The flaw chains two Linux kernel page-cache write bugs (xfrm-ESP and RxRPC) to give any local user root access on every major distribution - Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Like Dirty Pipe and last week's Copy Fail, it's a deterministic logic bug with no race condition required and no kernel panic on failure. PoC is public on GitHub. The ESP variant patch was merged into the netdev tree on May 7 but distribution kernels remain unpatched. No CVE assigned yet because the embargo broke early.
Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.
Researchers disclosed a critical unauthenticated remote code execution flaw in Hugging Face's LeRobot, the open-source framework used to train and deploy ML models on physical robots. CVE-2026-25874 sits in the framework's web interface, which by default listens on all network interfaces with no authentication - quick for demos, but a hard fail when the demo box ends up on a corporate network. There is no patch yet. Hugging Face has been notified but hasn't released a fix. Particularly serious because LeRobot is usually attached to actual robotic hardware, so a compromise can mean unsafe physical actions.
Update on the Windows Defender zero-day situation: Huntress now confirms attackers are chaining the three flaws leaked April 3 by a researcher called 'Chaotic Eclipse' to deploy a custom tunneling agent named 'BeigeBurrow' on victim systems. Microsoft patched one of the three (BlueHammer, CVE-2026-33825) on April 14, but the other two are still unpatched two weeks later: RedSun lets attackers gain SYSTEM privileges even on patched machines, and UnDefend stops Defender from receiving signature updates - effectively turning off the antivirus. CISA gave federal agencies until May 6 to deploy the BlueHammer patch.
Kaspersky disclosed PhantomRPC at Black Hat Asia on April 24, an architectural flaw in how Windows handles a core internal communication system called RPC (Remote Procedure Call). When a privileged Windows process tries to talk to an RPC server that isn't running, the operating system doesn't check whether the thing answering is the real one - so a low-privileged attacker can stand up a fake RPC server, intercept the call, and inherit SYSTEM-level access. All Windows versions are affected. Kaspersky demonstrated five different exploitation paths and published the research tools on GitHub. Microsoft has not released a patch.
A critical sandbox-escape flaw in Cohere AI's open-source Terrarium project lets code running inside the sandbox break out and execute arbitrary commands as root on the host Node.js process. Terrarium is a Python sandbox built on Pyodide (a browser- and Node.js-compatible Python distribution running in WebAssembly) and deployed as a Docker container to safely run untrusted code submitted by users or generated by a large language model. That exact use case makes the blast radius real: any AI product using Terrarium to evaluate LLM-generated Python code is giving its models a direct path to root on the container and, from there, potentially on the host. The flaw (CVE-2026-5752, CVSS 9.3) stems from JavaScript prototype chain traversal in the Pyodide WebAssembly environment: sandboxed code can reach parent and global object prototypes to manipulate objects in the host, a technique SentinelOne describes as prototype pollution bypassing the intended security boundaries. Exploitation needs local access to the sandbox but no special privileges or user interaction. The project has been starred 312 times and forked 56 times. Because Cohere is no longer actively maintaining Terrarium, the flaw is unlikely to ever be patched. Security researcher Jeremy Brown reported the issue.
Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.
An unpatched zero-day in Adobe Acrobat Reader has been actively exploited since at least November 2025 using booby-trapped PDF documents. The exploit, discovered by EXPMON researcher Haifei Li, works on the latest version of Adobe Reader without any user interaction beyond opening the file. It abuses privileged Acrobat JavaScript APIs (util.readFileIntoStream and RSS.addFeed) to silently harvest local files, OS details, language settings, and the Reader version from the victim's machine, then sends everything to an attacker-controlled server. The PDFs use Russian-language lures related to the oil and gas industry. The attack is a two-stage operation: the first pass fingerprints the target, and if the system meets the attacker's criteria, a follow-on RCE or sandbox escape payload is delivered. Only 5 out of 64 antivirus engines on VirusTotal detected the sample. No CVE has been assigned and no patch is available.
A frustrated security researcher published working exploit code for an unpatched Windows local privilege escalation flaw after Microsoft's Security Response Center mishandled the disclosure. The researcher, posting as Chaotic Eclipse, dropped the proof-of-concept on GitHub on April 3 with the message "I was not bluffing Microsoft." Will Dormann of Tharsos confirmed the exploit works - it combines a TOCTOU race condition with path confusion to access the SAM database containing local account password hashes, enabling escalation to SYSTEM privileges. The exploit is confirmed working on Windows desktop but unreliable on Windows Server. The researcher deliberately included bugs in the PoC, but the underlying technique is now public and weaponizable.
TrustStrike Labs