Articles in Sysadmin Craft
BRIEF: CVE-2026-23111 is a Linux nf_tables privilege escalation, CVSS 7.8. A full working exploit dropped June 8. Patches available since February — if you haven't applied them yet, now is the deadline.
BRIEF: CVE-2026-46243 (CIFSwitch) is a Linux kernel LPE in the CIFS client, CVSS 7.8. Public PoC available since 27 May 2026. Patches are out — patch and reboot.
BRIEF: Kubernetes 1.33 reaches end-of-life on 28 June 2026. No more security patches. If you run on-prem or K3s without extended support, this is a hard deadline: three upgrade hops await.
BRIEF: Traefik v3.7.4 (5 June 2026) fixes six bugs: axios security bump, Redis write-timeout, BackendTLSPolicy for Kubernetes Gateway API, and a TLS SNI keepalive bug.
BRIEF: CVE-2026-28318: unauthenticated POST crashes SolarWinds Serv-U. CVSS 7.5, CISA KEV listed June 5, deadline June 19. Apply Serv-U 15.5.4 Hotfix 1.
BRIEF: Vault 2.0.2 removes cap_ipc_lock from the binary at build time, reversing a change made in 2.0.1. Without action, vault mlock container workloads can no longer pin secrets in memory -- check your securityContext and Helm values before upgrading.
BRIEF: CVE-2026-45247 Mirasvit Magento RCE via PHP deserialization in the Cache Warmer extension. CVSS 9.8. Active exploitation confirmed. Patch to 1.11.12.
BRIEF: CVE-2026-20230 affects Cisco Unified CM WebDialer. SSRF leads to arbitrary file write and root privilege escalation. Advisory published June 3, PoC confirmed.
BRIEF: CVE-2022-0492 is a logic bug in Linux cgroups v1 that lets a local attacker escape a container and get root on the host. CISA added it to KEV on June 2, 2026. Active exploitation is confirmed.
BRIEF: Docker Engine 29.5.3 patches CVE-2026-46680 via containerd 2.2.4 -- a flaw where containers with oversized USER IDs silently run as root despite runAsNonRoot: true.
BRIEF: CVE-2026-9256 (Poolslip) is a heap buffer overflow in NGINX's rewrite module affecting versions 0.1.17 through 1.31.0. Patching for Rift in May left you exposed. You need 1.30.2 or 1.31.1.
BRIEF: Google's June 2026 Android Security Bulletin includes CVE-2025-48595, an integer overflow in Framework that enables local privilege escalation. Google confirms active targeted exploitation. CISA added it to KEV on June 2 with a federal remediation deadline of June 5.
BRIEF: Seven kernel branches shipped June 1. Three security fixes land in 7.0.11 — TCP ISN leak, tap stack leak, and a keyring race. Dirty Frag is now half-patched: CVE-2026-43500 fixed, CVE-2026-43284 still open upstream.
BRIEF: OpenTofu 1.12.1 patches multiple SSH vulnerabilities in the underlying golang.org/x/crypto library, including hangs, panics, and a cert revocation bypass. All v1.12.0 users should upgrade.
BRIEF: Prometheus 3.12.0 (released May 28) patches two security issues: STACKIT service discovery exposed credentials in plaintext via the config endpoint, and remote write receivers had no limit on snappy decompression size.
DEEP DIVE: Wazuh 5.0 is not a standard upgrade. The manager cannot be upgraded in-place from any 4.x version -- you are doing a clean install. This checklist covers the full migration: agent inventory, manager rebuild, config migration, and post-migration verification.
BRIEF: The 23 May batch release patched a UDP/IPsec corruption bug, a ptrace vulnerability, and the Copy Fail LPE across all active LTS branches.
HOT TAKE: Proxmox VE 9.2 ships a cluster-wide load balancer, native WireGuard SDN, and BGP/EVPN route maps on Debian 13.5 and kernel 7.0.
BRIEF: OpenSSH 10.3 patches five CVEs including a privilege escalation via legacy scp. Juniper confirmed Junos OS and Junos Evolved are affected.
GUIDE: Connect your homelab router to a free live BGP full-table feed and learn RPKI, path selection, communities, and filtering with BIRD2 or FRRouting — using the actual Default-Free Zone table that real ISP routers carry.
DEEP DIVE: SQLite is enough for durable workflows when you run a single node and stay under ~5,000 state transitions per second. This deep dive compares SQLite, Postgres-backed DBOS, and Temporal so you can pick the right tool for your self-hosted setup.
DEEP DIVE: Azure Linux 4.0 is Microsoft's first Fedora-based general-purpose server distro, released into public preview on Azure VMs. Here's what it means for teams running Linux in production — and why Microsoft now wants to own the OS layer, not just host it.
DEEP DIVE: CVE-2026-31431 lets any local user escalate to root on Linux 4.14+ via a logic flaw in the AF_ALG crypto socket interface. A 732-byte Python script works every time, on every major distro. Here is how to check your exposure and apply the fix.
HOT TAKE: GitHub banned Nightmare-Eclipse for publishing six unpatched Windows zero-days without coordination. The security community is angry. I think GitHub made the right call — and the debate we should be having is different from the one we are having.
DEEP DIVE: ingress-nginx was archived on March 24, 2026. About half of cloud-native environments still run it. Here is what a real migration looks like: the options, the trade-offs, and the parts nobody tells you about upfront.
DEEP DIVE: IBM and Red Hat launched Project Lightwell backed by $5B and Anthropic's Mythos AI model, which flagged 23,000 potential vulnerabilities across 1,000+ open source projects. Here's what the numbers actually mean and what to do before the disclosures land.
DEEP DIVE: 13 million NXDomains in a year. How to run Technitium DNS in a homelab for ad blocking, split DNS, and LDAP service discovery — with real numbers.
HOT TAKE: OpenBSD 7.9 adds P/E-core-aware scheduling and unlocked socket splicing for multi-core throughput. The 60th release of the most security-focused BSD.
HOT TAKE: Rmux is a Rust-built terminal multiplexer with a typed SDK for scripting and automating CLI and TUI apps — like tmux, but with a Playwright-style async API.
HOT TAKE: Mixed Version Proxy is now beta and on by default in Kubernetes 1.36. It prevents silent 404s that can trigger GC during rolling control plane upgrades.
HOT TAKE: etcd 3.7 beta brings RangeStream for large key-range queries and permanently removes the v2 API. etcd 3.4 is EOL. What to test before the stable release.
DEEP DIVE: Three Linux kernel LPEs in 14 days. This is a triage guide for sysadmins deciding which reboot to schedule first — and what to do until you can.
BRIEF: Day 2 of Pwn2Own Berlin 2026 yielded 15 zero-days and $385,750 in prizes. Exchange fell to a three-bug RCE chain. Cursor AI and OpenAI Codex were exploited too.
DEEP DIVE: Google Project Zero built a zero-click root exploit for Pixel 10 in under a day. Arbitrary kernel read/write in 5 lines. 71 days to patch.
DEEP DIVE: Researchers at Calif published the first public kernel exploit for macOS on M5 hardware that survives Apple's Memory Integrity Enforcement — a data-only LPE chain completed in five days.
BRIEF: CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module, present since 2008. Unauthenticated remote attackers can crash worker processes or achieve RCE. Patch now.
BRIEF: CVE-2026-45585 (YellowKey) gives an attacker shell access to a BitLocker volume using physical access and a USB drive. PoC is public, no patch exists. Enable TPM+PIN to block it.
BRIEF: CloakBrowser patches 49–57 Chromium fingerprinting vectors at the C++ level, not via JS. Bot detectors that assume JS-layer stealth are looking in the wrong place.
BRIEF: 12 CVEs in vm2 disclosed May 7, 2026 — CVSS 9.1-10.0, all sandbox escapes. Patched in 3.11.2. If you run untrusted code under vm2, update today.
BRIEF: CVE-2026-41940 is a critical cPanel/WHM auth bypass via CRLF injection. CVSS 9.8. Shadowserver counted 44,000 compromised IPs by April 30. Patch now.
BRIEF: Microsoft's 2011 Secure Boot certificates expire in June 2026. May 12 Patch Tuesday ships the 2023 replacements. Deferring to June leaves no margin.
HOT TAKE: ingress-nginx went EOL in March 2026. No security patches, no CVE fixes. 50% of Kubernetes clusters still run it. Time to move to Gateway API.
BRIEF: OpenClaw connects your AI model to 50+ messaging channels. The core gateway works. The plugin ecosystem has a 20% malicious skill rate and two active CVEs.
BRIEF: Linux 7.0 is out. SHA-1 module signing removed, NFSv4.0 becomes kconfig-optional, lazy preemption replaces the old default. Audit your config before upgrading.
BRIEF: CVE-2026-31431 (Copy Fail) is a Linux kernel LPE, CVSS 7.8. Working PoC is public. CISA KEV. Patches out for Ubuntu, Debian, AlmaLinux, and RHEL.
BRIEF: Trivy 0.70.0 is the first release after the March supply chain incident. New features landed, but the rotated GPG key for deb/rpm will silently break CI.
HOT TAKE: AI editors are useful. They are not a replacement for knowing what you are doing at the prompt. The terminal is where things work when something breaks.