vulnerability
CVE-2026-46333, disclosed by Qualys on May 21, exploits a race condition in the Linux kernel's ptrace access check to steal SSH host private keys, shadow password hashes, and in two variants, execute arbitrary commands as root. The bug has been in the kernel since November 2016.
May 30, 2026 · 5 min read
vulnerability
A researcher publishing as Chaotic Eclipse has released six Windows zero-days since April 2026 — escalation flaws, a BitLocker bypass, and a post-exploitation tool — each one following a failed or incomplete vendor response. The latest, MiniPlasma, escalates to SYSTEM on fully patched Windows 11 using a bug Microsoft believed it fixed in 2020.
May 29, 2026 · 4 min read
vulnerability
A pre-authentication SQL injection in LiteLLM's API key verification path gave attackers read/write access to every credential the proxy manages — and the 401 it returned made each successful query look like a failed login.
May 24, 2026 · 5 min read
vulnerability
A pre-authentication buffer overflow in Windows Netlogon puts every unpatched domain controller one crafted packet away from full domain compromise.
May 22, 2026 · 9 min read
vulnerability
CVE-2026-0300 gives an unauthenticated attacker root-level code execution on PAN-OS firewalls — no credentials, no interaction required. Here's how the Captive Portal became the entry point, what the attackers did next, and why owning the perimeter is a different category of problem.
May 11, 2026 · 6 min read
vulnerability
A logic bug buried in the Linux kernel's cryptographic subsystem since 2017 now lets any unprivileged user become root — reliably, silently, and in 732 bytes of Python. Here is exactly how it works, why containers make it worse, and what to do about it.
May 7, 2026 · 13 min read
MECHANICS
A missing verification branch in the vdaemon control-plane service lets any unauthenticated attacker become a trusted SD-WAN peer — and from there, rewrite routing policy across every edge site.
May 16, 2026 · 7 min read