16-year-old KVM bug lets guest take over host
CVE‑2026‑53359, nicknamed Januscape, is a use‑after‑free bug in Linux KVM’s shadow MMU that has lingered for 16 years. It lets a malicious guest corrupt the host’s memory, enabling denial‑of‑service or full host compromise on both Intel and AMD x86 systems. Patch is available; update kernels now.
Attackers began leveraging the CVE‑2026‑48282 path‑traversal flaw in ColdFusion 2025.9, 2023.20 and earlier just two hours after Adobe released patches, achieving remote code execution on unpatched servers. Administrators must apply the emergency update immediately to stop active exploitation.
A hidden iframe can force Opera GX to auto‑install a GX Mod that injects universal CSS. The CSS leaks a signed‑in user's full Gmail address via attribute‑selector tricks, proving a zero‑click data exfiltration. Opera patched the issue in version 130.0.5847.89; no CVE was assigned.
Gitea patched a critical auth bypass (CVE‑2026‑20896) that let any IP spoof the X‑WEBAUTH‑USER header and assume any account, including admin. Within two weeks of disclosure, Sysdig observed threat actors probing roughly 6,200 internet‑facing instances, though no successful exploitation was seen yet. Operators must upgrade to 1.26.4 immediately.
Attackers are hijacking Microsoft’s OAuth 2.0 Device Authorization Grant, meant for TVs and IoT, to run phishing on the legit Microsoft Identity platform. Victims are lured to enter a one‑time code on a genuine Microsoft login page, letting criminals steal credentials without a fake URL. This flips the classic “check the domain” rule on its head.
Anthropic alleges Alibaba’s Qwen lab used nearly 25,000 fake accounts to run 28.8 million Claude queries between April 22 and June 5, a distillation campaign that copies model behavior without training costs. The attack skirts U.S. export controls and could fast‑track China’s AI capabilities, raising national‑security alarms.
Check Point uncovered a new modular C2 framework, Cavern (Cav3rn), used by an Iranian MOIS‑backed group to infiltrate Israeli IT providers. The .NET‑based tool employs multi‑format compilation and DLL side‑loading via SysAid updates, delivering bespoke modules for data theft, network scouting, and lateral movement.
QuimaRAT is a Java‑based RAT sold as Malware‑as‑a‑Service, capable of running on Windows, Linux and macOS. The seller offers a modular builder, loader and dropper that let criminals package the payload in dozens of formats and bypass native security controls.
ShinyHunters accessed Medtronic's corporate IT systems from April 13‑19, 2026, compromising personal and health data of about 3.8 million individuals. Medtronic says the breach did not affect medical devices or patient safety and is offering two years of credit‑monitoring services.
France’s ANSSI will stop certifying any security product lacking quantum‑resistant encryption starting in 2027, forcing government and critical infrastructure to adopt post‑quantum crypto. The deadline pushes vendors to have quantum‑safe solutions ready by 2030, turning certification into a de‑facto ban on legacy algorithms.
Citizen Lab confirmed that former Greek MEP Stelios Kouloglou, who served on the EU’s PEGA committee investigating spyware abuse, had his iPhone infected with Pegasus in Oct 2022 and again in Mar 2023. The breach has prompted civil‑society groups and lawmakers to demand an independent EU investigation and fast‑track implementation of the committee’s recommendations.
Researchers at HKUST show that the SkillCloak framework repackages malicious LLM agent skills with self‑extracting packing, achieving >90% bypass rates across eight scanners, exposing the weakness of appearance‑based defenses. Their follow‑up system, SkillDetonate, restores detection by sandboxing and data‑flow analysis, catching 97% of attacks.
Researchers at Shandong University introduced TrojPix, a covert channel that modulates imperceptible pixel values to turn ordinary video cables into radio antennas, achieving 8.1 Mbps over distances up to 208 m. The method requires only user‑level code, no hardware changes, highlighting a new high‑speed breach vector for isolated systems.
Subscribe free