zero-day

The Patch Wave: Eleven Breaches, One Week, and the Myth of the AI Collapse

A single week saw Linux, Windows, macOS, Next.js, and the global software supply chain battered by critical exploits and mass advisories. Is this the long-feared AI-driven collapse of digital infrastructure, or just the new normal? A technical, evidence-driven investigation.

The Week the Patch Wave Broke

There are weeks in cybersecurity that feel like a slow-motion car crash. Then there are weeks like this one, where the car is on fire, the brakes are gone, and the road is made of banana skins. Eleven major incidents, spanning every operating system, the world’s most popular web frameworks, the backbone of the software supply chain, and the digital classroom. Each would have been a headline in any other month. Here, they are just bullet points in a single, breathless news cycle.

The temptation, as always, is to reach for the grand narrative: is this the long-predicted AI-empowered collapse of digital infrastructure? Are we witnessing the moment when the machines, or at least the machine-augmented criminals, finally outpace the defenders? Or is this simply the inevitable result of decades of technical debt, brittle trust boundaries, and the relentless expansion of attack surface?

This article is not a eulogy for the internet, nor a victory lap for the AI doomers. It is a technical, evidence-driven investigation into what actually happened, how it happened, and what, if anything, links these incidents beyond the accident of timing. The answer is both more mundane and more alarming than the headlines suggest.

Dirty Frag: The Linux Root Machine
Next.js: Thirteen Advisories and a Critical RCE
Apple’s Patch Tsunami
YellowKey and GreenPlasma: Windows Gets Two Holes
APT28’s Windows Shopping Spree
Mini-Shai Hulud: When the Build Pipeline Bites Back
The Google AI Zero-Day
Canvas LMS: A School System’s Data in Criminal Hands
PAN-OS CVE-2026-0300: The Firewall That Became the Door
The AI-Collapse Question: Verdict
What You Should Actually Do

Dirty Frag: The Linux Root Machine

Dirty Frag, also known as "CopyFail 2: Electric Boogalo" (yes, really), is the latest in a lineage of Linux kernel vulnerabilities that turn local access into instant root. This follows our earlier coverage of the initial CopyFail vulnerability. Disclosed on 7 May 2026 by Hyunwoo Kim after an embargo was broken, as Ubuntu documented in their advisory, Dirty Frag is not a single bug but a deterministic exploit chain: CVE-2026-43284 (CVSS 8.8, xfrm-ESP page-cache write) and CVE-2026-43500 (CVSS 7.8, RxRPC page-cache write).

The technical heart of Dirty Frag is the page-cache write primitive. In the xfrm-ESP path, the attacker uses the splice() syscall to plant a reference to a read-only page-cache page (think /usr/bin/su or /etc/passwd) into a socket buffer. The kernel’s IPsec ESP decryption path (esp_input()) then performs in-place AEAD decryption on this page, with the attacker controlling both the offset and the value of a four-byte overwrite via crafted netlink attributes. The kernel returns an authentication failure, but the page cache in RAM is already corrupted. The file on disk remains untouched, so file-integrity monitoring tools see nothing amiss.

If user namespaces are restricted (as they are in some hardened environments), the exploit falls back to the RxRPC path: in-place decryption of the first eight bytes of the RxRPC payload, with the attacker brute-forcing the session key via add_key('rxrpc') until the desired plaintext is written, such as clearing the root password in /etc/passwd. The exploit chain tries the ESP path first, then the RxRPC fallback, achieving universal root on all major distributions tested.

A fully working public proof-of-concept is available on GitHub. Patches are rolling out across all major distributions, but the detection challenge remains: the attack corrupts only the in-memory page cache, not the file on disk. If you are relying on file hashes to detect tampering, you are already lost.

flowchart TD
    Start[Local Unprivileged Access] --> Check{User Namespaces Restricted?}
    Check -->|No| ESP[xfrm-ESP Path: Use splice to plant read-only page-cache reference]
    ESP --> Overwrite[esp_input performs in-place AEAD decrypt with 4-byte attacker-controlled overwrite]
    Overwrite --> Corrupt[Page cache corrupted in RAM: e.g. /etc/passwd or /usr/bin/su]
    Corrupt --> Root[Root privileges obtained]
    
    Check -->|Yes| RxRPC[RxRPC Fallback: add_key brute-force session key]
    RxRPC --> EightByte[In-place 8-byte overwrite of first bytes of RxRPC payload]
    EightByte --> Corrupt

Next.js: Thirteen Advisories and a Critical RCE

Next.js, the most widely deployed React framework, was battered by no less than thirteen advisories in a single disclosure cycle. The headline is CVE-2025-55182 (GHSA-9qr9-h5gf-34mp, CVSS 9.8): a pre-authentication remote code execution via unsafe deserialisation of the React flight protocol at Server Function endpoints, detailed in the GitHub Security Advisories. This flaw, actively exploited and now in CISA’s Known Exploited Vulnerabilities catalogue, allowed attackers to send a crafted HTTP request to a Server Function endpoint, triggering unsafe deserialisation and arbitrary server-side code execution. The fix landed in React 19.0.1+ and Next.js 15.0.5+.

Other advisories include CVE-2025-29927, an authentication bypass where middleware checks could be sidestepped by crafting requests with the x-middleware-subrequest header, affecting versions 12.x through 15.2.3.

There is also a server-side request forgery (GHSA-c4j6-fc7j-m34r): crafted WebSocket upgrade requests could proxy traffic to internal services or cloud metadata endpoints on self-hosted deployments.

The rest of the cluster includes five denial-of-service variants, two cross-site scripting issues in the App Router, cache poisoning via cache-busting collisions, request smuggling via chunked-encoding DELETE/OPTIONS requests, and source code exposure via crafted HTTP requests. Vercel auto-mitigated all cloud-hosted deployments, but self-hosters are left to patch and audit their own stacks.

sequenceDiagram
    participant Attacker
    participant Server as Next.js Server Function Endpoint
    Attacker->>Server: Crafted HTTP request with malicious React Flight payload
    Server->>Server: Unsafe deserialisation of flight protocol
    Server->>Server: Arbitrary server-side code execution
    Note over Server: Attacker gains full control

Apple’s Patch Tsunami: macOS 26.5 and iOS 26.5

On 11 May 2026, Apple released macOS Tahoe 26.5 (patching nearly seventy CVEs) and iOS 26.5/iPadOS 26.5 (fifty-plus CVEs), per Apple’s official security content. This is one of the largest patch cycles in Apple’s history, and while none of the bugs in this batch are confirmed zero-days, the technical content is sobering.

Among the most alarming: CVE-2026-28819 (an app may execute arbitrary code with kernel privileges via Wi-Fi), CVE-2026-28951 (app gains root), CVE-2026-28972 (out-of-bounds write directly into kernel memory), CVE-2026-28995 (App Intents sandbox escape, CVSS 8.8), and CVE-2026-43668 (mDNSResponder use-after-free, remote attacker can corrupt kernel memory). CVE-2026-28943 (kernel memory layout disclosure via IOHIDFamily) was credited to Google Threat Analysis Group, a sign it was found in the context of real-world threat hunting.

The exploit chain concept is now routine: a WebKit RCE (delivered via a malicious web page, sometimes requiring no user interaction), chained with a kernel privilege escalation and a sandbox escape, yields full device compromise.

None of the individual bugs in this batch are confirmed exploited, but the combination is exactly the recipe used by commercial spyware vendors in recent years.

Apple's cadence is accelerating: six weeks since the previous update (iOS 26.4, thirty-seven fixes). The volume reflects both improved disclosure and the reality that AI-assisted bug hunting is now a fact of life on both sides of the fence.

YellowKey and GreenPlasma: Windows Gets Ripped Two New Holes

YellowKey (CVE-2025-48003 / CVE-2025-48818 / CVE-2025-26637, CVSS 6.8) is a BitLocker bypass that abuses the Windows Recovery Environment (WinRE) and Pre-Boot Recovery (PBR) configuration. The attacker, with physical access, boots into WinRE, modifies or replaces the WINRE.WIM image or its PBR configuration, and causes the OS volume to auto-decrypt on the next boot. BitLocker’s promise collapses for any device that can be touched. The fix, released in July 2025, requires updating both the OS and the WinRE partition image, a step many administrators miss.

GreenPlasma, as yet unassigned a CVE, is a privilege escalation chain exploiting the CTFMON service. A standard user creates a section object in a directory writable only by SYSTEM; privileged services trust those paths and act on the poisoned object. Confirmed on Windows 11, Server 2022, and Server 2026, with proof-of-concept code on GitHub. No patch is available.

YellowKey threatens data at rest; GreenPlasma threatens running systems. Together, they cover the full attack surface of a Windows laptop: steal the encrypted drive with YellowKey, escalate to SYSTEM on the running OS with GreenPlasma.

sequenceDiagram
    participant Attacker
    participant WinRE as Windows Recovery Environment
    participant OS as Running OS
    participant CTFMON as Privileged Service (CTFMON)

    %% Phase 1: YellowKey
    Note over Attacker, CTFMON: Phase 1: YellowKey (Data At Rest)
    Attacker->>WinRE: Physical boot into WinRE
    Attacker->>WinRE: Modify or replace WINRE.WIM / PBR config
    WinRE->>OS: Next boot triggers auto-decryption of OS volume
    Note over OS: BitLocker protection bypassed

    %% Phase 2: GreenPlasma
    Note over Attacker, CTFMON: Phase 2: GreenPlasma (Running OS)
    Attacker->>OS: Local access as standard user
    Attacker->>OS: Create section object in SYSTEM-writable directory
    OS->>CTFMON: Trusts path, acts on poisoned object
    Note over CTFMON: Arbitrary code execution as SYSTEM
    CTFMON-->>Attacker: Escalated privileges
    Note over Attacker, CTFMON: Full system compromise achieved

APT28’s Windows Shopping Spree: Three CVEs, One Campaign

CVE-2026-21510 (Windows Shell, CVSS 8.8) is a security feature bypass: a malicious LNK file triggers Windows Shell processing of a UNC path, causing the system to load a remote DLL or CPL file while bypassing SmartScreen. Delivery is classic: phishing or compromised websites.

CVE-2026-21513 (MSHTML, CVSS 8.8) is a security feature bypass in the MSHTML engine. Weaponised LNK files embed an HTML payload; ieframe.dll’s ShellExecuteExW executes arbitrary files outside the browser sandbox, bypassing Mark-of-the-Web and Internet Explorer Enhanced Security Configuration via nested iframes and DOM manipulation.

CVE-2026-32202 (Windows Shell spoofing, CVSS 4.3, misleadingly low) is an incomplete fix for CVE-2026-21510. It leaves a gap between path resolution and trust verification, enabling zero-click NTLM coercion: the victim executes a malicious LNK file, Windows automatically initiates an SMB connection to the attacker’s server, leaking the victim’s Net-NTLMv2 hash, which can then be relayed or cracked.

All three are attributed to APT28 (Fancy Bear / Forest Blizzard / Pawn Storm) by Microsoft, CISA, Akamai, and Recorded Future. The targets: Ukrainian and EU government, defence, energy, and diplomatic entities. All three are in CISA’s KEV. Microsoft initially failed to flag CVE-2026-32202 as exploited-in-the-wild, delaying urgent remediation.

sequenceDiagram
    participant Attacker
    participant Victim as Target User
    participant Windows as Windows Shell / MSHTML
    Attacker->>Victim: Phishing or compromised site delivers malicious LNK
    Victim->>Windows: Executes LNK (zero-click or minimal interaction)
    Windows->>Attacker: Initiates SMB connection, leaks Net-NTLMv2 hash
    Attacker->>ActiveDirectory: Relays or cracks hash for domain compromise

Mini-Shai Hulud: When the Build Pipeline Bites Back

Mini-Shai Hulud, named after the sandworms of Dune, is a self-propagating supply-chain worm attributed to TeamPCP. The attack chain is a masterclass in abusing the machinery of trust:

The attacker forks TanStack/router and submits a pull request triggering a pull_request_target workflow, which runs with the base repository’s permissions even when the code comes from an untrusted fork.
The forked code poisons the pnpm build cache during CI execution.
When a legitimate maintainer later triggers a release workflow, it restores the poisoned cache.
The malicious artifact (router_init.js, a 2.3 MB, single-line, triple-obfuscated JavaScript file) scrapes the runner’s /proc/<pid>/mem to extract the ephemeral OIDC token used for npm’s trusted publishing.
With that token, the worm mints a valid npm publish token and publishes malicious versions, signed with valid SLSA Build Level 3 provenance.
It self-propagates: harvest all credentials, enumerate every package the maintainer can publish, inject, increment version, publish.

The scale is breathtaking: eighty-four malicious versions across forty-two @tanstack/* packages in under six minutes on 11 May 2026, as StepSecurity’s analysis showed. Within forty-eight hours: 373+ package versions, 169+ npm packages, multiple PyPI packages (mistralai, guardrails-ai), and a blast radius of over 518 million downloads.

Persistence and destruction are built-in: the worm installs hooks in .claude/ and .vscode/, and creates a dead-man’s switch npm token named “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner” that triggers rm -rf ~/ if revoked before the daemon is removed.

The key lesson: the packages carried valid SLSA Build Level 3 provenance. Provenance is not tamper-evidence for a compromised pipeline; it is tamper-evidence for a pipeline that was trusted at the moment it ran.

flowchart TD
    Fork[Fork TanStack/router + malicious PR] --> Trigger[Triggers pull_request_target workflow]
    Trigger --> Poison[Poison pnpm build cache in CI]
    Poison --> Release[Maintainer triggers release workflow]
    Release --> Restore[Restores poisoned cache]
    Restore --> Artifact[Malicious router_init.js scrapes OIDC token from /proc/mem]
    Artifact --> Publish[Mints npm publish token, publishes malicious signed packages]
    Publish --> Propagate[Self-propagates: harvest creds, infect all maintainer packages]

The Google AI Zero-Day: First Confirmed Machine-Built Exploit

On 11 May 2026, Google’s Threat Intelligence Group confirmed the first real-world case of a zero-day exploit developed with AI assistance, targeting a popular but unnamed open-source, web-based system administration tool. The flaw was a logic vulnerability, not a memory corruption bug: the software made a hard-coded trust assumption in its authentication flow, allowing an attacker who already had valid credentials to skip the two-factor authentication step entirely.

Why this class of flaw? Large language models are particularly good at reasoning about code semantics and trust boundaries. Traditional fuzzers find crashes; LLMs find trust assumptions that violate the programmer’s intent. This is a qualitative shift.

The evidence of AI involvement: the exploit code was an unusually well-documented Python script, with educational docstrings, a hallucinated CVSS score, and textbook Pythonic structure, all traits common in LLM-generated code and rare in hand-crafted criminal tooling. Google concluded with “high confidence” that an AI model was used both to discover and weaponise the flaw.

The attack plan: the group intended a mass campaign exploiting every instance of the tool, after first obtaining credentials via phishing or credential stuffing. Google’s intervention, coordinating with the vendor for an emergency patch, stopped the campaign before it scaled.

The imperfection of the tool is telling: the hallucinated CVSS score and absence of human refinement suggest the AI was used as a capability accelerator by an actor who would otherwise lack the skill to find this class of bug, not as a fully autonomous hacking agent.

flowchart TD
    Creds[Attacker obtains valid credentials via phishing/stuffing] --> Analysis[AI-assisted code analysis of target tool]
    Analysis --> Flaw[Logic flaw identified: hardcoded trust assumption in 2FA flow]
    Flaw --> Exploit[AI generates exploit script: 2FA bypass]
    Exploit --> Access[Attacker gains admin access without completing 2FA]
    Access --> Campaign[Planned mass exploitation of all instances]

Canvas LMS: A School System’s Data in Criminal Hands

On 1 May 2026, ShinyHunters claimed a full compromise of Instructure’s Canvas LMS, used by roughly nine thousand educational institutions. The group claimed up to 275 million user records (attacker-supplied, unverified). Confirmed exposure: names, email addresses, student IDs, and user-to-user messages. The University of Pennsylvania (306,000 users) and Baylor University are among the confirmed affected institutions.

The attack vector remains officially undisclosed: no CVE assigned, no public IOCs, no formal root cause. Evidence points to credential or API token compromise, possibly via Salesforce misconfiguration, consistent with ShinyHunters’ previous techniques. There is no evidence of remote code execution, SQL injection, or direct code exploit against Canvas itself.

The troubling implication: when a platform aggregates sensitive data from nine thousand educational institutions, the attack surface is not just the application code but every integration, every API key, every OAuth token that touches it. An attacker who can authenticate as a privileged API client is indistinguishable from a legitimate one.

Instructure’s response was robust: public disclosure within twenty-four hours, revocation and rotation of privileged tokens, forced re-authorisation of integrations, engagement with forensic investigators and law enforcement, and a negotiated data return and digital confirmation of destruction. No ransom was paid to customers.

FERPA notification postures were activated at many institutions; students and staff should assume names, emails, and messages are in criminal hands and be alert to targeted phishing.

PAN-OS CVE-2026-0300: The Firewall That Became the Door

CVE-2026-0300 (CVSS 9.3, Critical) is a buffer overflow (CWE-787, out-of-bounds write) in PAN-OS’s User-ID Authentication Portal, also known as the Captive Portal service, as detailed in Palo Alto Networks’ advisory. It affects PA-Series, VM-Series, and CN-Series devices running PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x with the portal enabled.

The exploit is brutally simple: a single, specially crafted HTTP(S) packet to the portal interface triggers the overflow, giving an unauthenticated remote attacker root-level code execution. Attack vector: network. Attack complexity: low. Privileges required: none. User interaction: none.

Post-exploitation, the attacker can disable logging, rewrite NAT and routing rules, harvest VPN credentials, capture authentication requests, and pivot directly into the internal network, including Active Directory.

The scale of exposure is sobering: Shodan identified approximately 225,000 internet-facing PAN-OS instances; surveys suggest 22 percent of businesses had the portal reachable from a public IP. This is the third critical, actively exploited PAN-OS perimeter vulnerability in fourteen months.

The timeline is tight: disclosed 5 May 2026; CISA added to the KEV catalogue 6 May 2026 with a federal remediation deadline of 9 May 2026; first patches available 13 May 2026. Limited but confirmed active exploitation is targeting portals exposed to untrusted IPs or the public internet.

The AI-Collapse Question: An Attempt at a Verdict

The big question for today: do these incidents, taken together, constitute an AI-empowered collapse of digital infrastructure? The evidence is clear, but the answer is not what the panic merchants would have you believe.

What the evidence supports

AI is now a demonstrable capability accelerator for attackers. Google’s confirmed AI zero-day proves the barrier to discovering logic-class vulnerabilities has dropped. ENISA’s 2025 Threat Landscape documents AI’s role in automated reconnaissance, LLM-assisted exploit generation, malware obfuscation, and supply-chain attack automation. The NCSC’s 2025 AI cyber threat assessment warns of a forthcoming “patch wave” as AI surfaces decades of technical debt faster than defenders can process it. Academic benchmarks show LLM-based agents outperforming many human testers on web application and logic-flaw classes.

What the evidence does not support

There is no credible evidence of a coordinated, AI-orchestrated campaign designed to collapse infrastructure at scale. Most incidents in this roundup are opportunistic, targeting the low-hanging fruit of misconfigured trust boundaries (Mini-Shai Hulud’s pull_request_target abuse), legacy components (MSHTML, WinRE), and unpatched perimeter devices (PAN-OS). The incidents are broadly coincident in time but not operationally linked. APT28’s three CVEs show state-actor tradecraft that has not materially changed (LNK-based phishing, NTLM coercion), with AI used for decoy code generation rather than novel exploit discovery.

A more accurate framing

This is not a collapse. It is, in fact, an acceleration.

AI is compressing the time between vulnerability discovery and weaponisation, shrinking the window defenders have to patch, and lowering the skill floor for sophisticated attacks. The digital infrastructure is being stress-tested at a rate it was never designed to sustain.

The structural vulnerability

The common thread across these incidents is not AI, but the assumption that trusted automation (CI/CD pipelines, recovery environments, build caches, authentication portals) is also safe automation. YellowKey abuses WinRE. Mini-Shai Hulud abuses the CI cache. PAN-OS abuses the management portal. The attack surface is the machinery of trust itself.

What You Should Actually Do: A Practical Bridge

If you run Linux servers: Patch the kernel or blacklist esp4, esp6, and rxrpc modules immediately if you cannot patch. Do not rely on file-integrity monitoring for Dirty Frag; it only corrupts the in-memory page cache.
If you use Next.js in production (self-hosted): Update to the latest patch releases; audit x-middleware-subrequest header handling; restrict OIDC publishing permissions to specific, protected workflows and branches.
If you manage Apple devices in a corporate environment: Deploy iOS 26.5 and macOS 26.5 via MDM; prioritise devices used by executives, legal, and finance, as these are the highest-value spyware targets.
If you manage Windows: Apply the July 2025 WinRE update correctly (this requires the extra WinRE partition update script, not just the standard cumulative update); monitor for GreenPlasma PoC adoption and treat unpatched object-namespace exploitation as a live risk; patch the APT28 LNK CVEs immediately and enable NTLM audit logging.
If you run JavaScript or Python packages as a maintainer: Audit your CI/CD workflows for pull_request_target misuse; restrict OIDC token scopes; purge and rebuild all caches; do not revoke the ransom npm token before imaging and cleaning an infected system.
If you operate Palo Alto PAN-OS: Restrict or disable the User-ID Authentication Portal immediately if you cannot patch to a fixed version; enable Threat ID 510019; treat any exposed portal as potentially already compromised.
For everyone: The NCSC’s patch-wave warning is not hypothetical. AI is surfacing bugs faster than the industry can process them. If your organisation’s patch cadence is measured in months, it is now measured in weeks. That cadence needs to change before the tools that find the bugs are in every attacker’s hands.

Google's threat team thinks AI is accelerating the timeline. I think it’s just highlighting how brittle our trust boundaries always were. Who is right, and what are you breaking this weekend to fix it?