LodeHQSubscribe →

16-year-old KVM bug lets guest take over host

Infosec · 2026-07-06

Vulnerabilities & Exploits
16‑Year‑Old KVM Use‑After‑Free Lets Guest VM Take Over Host3 MIN

CVE‑2026‑53359, nicknamed Januscape, is a use‑after‑free bug in Linux KVM’s shadow MMU that has lingered for 16 years. It lets a malicious guest corrupt the host’s memory, enabling denial‑of‑service or full host compromise on both Intel and AMD x86 systems. Patch is available; update kernels now.

Adobe ColdFusion CVE‑2026‑48282 Exploited Within Hours of Disclosure2 MIN

Attackers began leveraging the CVE‑2026‑48282 path‑traversal flaw in ColdFusion 2025.9, 2023.20 and earlier just two hours after Adobe released patches, achieving remote code execution on unpatched servers. Administrators must apply the emergency update immediately to stop active exploitation.

Opera GX auto‑installs malicious mods, exposing Gmail addresses4 MIN

A hidden iframe can force Opera GX to auto‑install a GX Mod that injects universal CSS. The CSS leaks a signed‑in user's full Gmail address via attribute‑selector tricks, proving a zero‑click data exfiltration. Opera patched the issue in version 130.0.5847.89; no CVE was assigned.

Gitea Docker Auth Bypass Patched, Yet Threat Actors Already Scanning 6,200 Deployments5 MIN

Gitea patched a critical auth bypass (CVE‑2026‑20896) that let any IP spoof the X‑WEBAUTH‑USER header and assume any account, including admin. Within two weeks of disclosure, Sysdig observed threat actors probing roughly 6,200 internet‑facing instances, though no successful exploitation was seen yet. Operators must upgrade to 1.26.4 immediately.

Threats & Malware
Device Code Phishing Hijacks Microsoft’s Legit Login Flow7 MIN

Attackers are hijacking Microsoft’s OAuth 2.0 Device Authorization Grant, meant for TVs and IoT, to run phishing on the legit Microsoft Identity platform. Victims are lured to enter a one‑time code on a genuine Microsoft login page, letting criminals steal credentials without a fake URL. This flips the classic “check the domain” rule on its head.

Alibaba allegedly harvested Claude AI with 28.8 M‑query distillation attack3 MIN

Anthropic alleges Alibaba’s Qwen lab used nearly 25,000 fake accounts to run 28.8 million Claude queries between April 22 and June 5, a distillation campaign that copies model behavior without training costs. The attack skirts U.S. export controls and could fast‑track China’s AI capabilities, raising national‑security alarms.

Iranian MOIS Group Deploys Modular Cavern Framework Against Israeli IT Firms3 MIN

Check Point uncovered a new modular C2 framework, Cavern (Cav3rn), used by an Iranian MOIS‑backed group to infiltrate Israeli IT providers. The .NET‑based tool employs multi‑format compilation and DLL side‑loading via SysAid updates, delivering bespoke modules for data theft, network scouting, and lateral movement.

Cross‑Platform Java RAT QuimaRAT Offered as Low‑Cost MaaS4 MIN

QuimaRAT is a Java‑based RAT sold as Malware‑as‑a‑Service, capable of running on Windows, Linux and macOS. The seller offers a modular builder, loader and dropper that let criminals package the payload in dozens of formats and bypass native security controls.

Breaches & Industry News
Medtronic breach exposes 3.8 M records, no device impact5 MIN

ShinyHunters accessed Medtronic's corporate IT systems from April 13‑19, 2026, compromising personal and health data of about 3.8 million individuals. Medtronic says the breach did not affect medical devices or patient safety and is offering two years of credit‑monitoring services.

Privacy, Policy & Governance
ANSSI bans non‑quantum‑safe products, thrusting France into post‑quantum crypto3 MIN

France’s ANSSI will stop certifying any security product lacking quantum‑resistant encryption starting in 2027, forcing government and critical infrastructure to adopt post‑quantum crypto. The deadline pushes vendors to have quantum‑safe solutions ready by 2030, turning certification into a de‑facto ban on legacy algorithms.

EU MEP on spyware probe found infected with Pegasus, sparking urgent call for action2 MIN

Citizen Lab confirmed that former Greek MEP Stelios Kouloglou, who served on the EU’s PEGA committee investigating spyware abuse, had his iPhone infected with Pegasus in Oct 2022 and again in Mar 2023. The breach has prompted civil‑society groups and lawmakers to demand an independent EU investigation and fast‑track implementation of the committee’s recommendations.

Research & Tools
SkillCloak lets malicious AI coding skills dodge every static scanner2 MIN

Researchers at HKUST show that the SkillCloak framework repackages malicious LLM agent skills with self‑extracting packing, achieving >90% bypass rates across eight scanners, exposing the weakness of appearance‑based defenses. Their follow‑up system, SkillDetonate, restores detection by sandboxing and data‑flow analysis, catching 97% of attacks.

TrojPix lets malware exfiltrate gigabytes from air‑gapped PCs via HDMI cable emissions59 MIN

Researchers at Shandong University introduced TrojPix, a covert channel that modulates imperceptible pixel values to turn ordinary video cables into radio antennas, achieving 8.1 Mbps over distances up to 208 m. The method requires only user‑level code, no hardware changes, highlighting a new high‑speed breach vector for isolated systems.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ