Canadian Cyber Security Journal

Cybersecurity Daily Brief — Friday, May 15, 2026

Here are today’s top cybersecurity stories for Friday, May 15, 2026.

New Linux Kernel Flaw Fragnesia (CVE-2026-46300) Grants Root via Page Cache Corruption
Researcher William Bowling of the V12 security team disclosed a new Linux kernel local privilege escalation flaw tracked as CVE-2026-46300, dubbed Fragnesia, which was inadvertently introduced by the Dirty Frag patch. The vulnerability resides in the XFRM ESP-in-TCP subsystem and allows an unprivileged attacker to write arbitrary bytes into the page cache of read-only files and gain root. A public proof-of-concept targeting /usr/bin/su has been published. Patched kernels are rolling out across major distributions.
SecurityWeek | The Hacker News

Microsoft Exchange Server CVE-2026-42897 Zero-Day Actively Exploited in the Wild
Microsoft warned of active exploitation of CVE-2026-42897, a cross-site scripting flaw in Outlook Web Access on on-premises Exchange Server 2016, 2019, and Subscription Edition. An attacker sends a crafted email; if the target opens it in OWA, arbitrary JavaScript executes in the browser context. Exchange Online is not affected. A mitigation is available but disables OWA calendar printing and inline image rendering.
The Hacker News | BleepingComputer

TanStack npm Supply Chain Attack Compromises OpenAI Employee Devices — macOS Certificate Rotation Required
The Mini Shai-Hulud worm, attributed to TeamPCP, published 84 malicious versions across 42 TanStack npm packages in a six-minute window on May 11, expanding within 48 hours to 172 packages and 403 malicious versions across npm and PyPI. OpenAI confirmed two employee devices were compromised, leading to internal credential theft and forced rotation of macOS desktop application signing certificates. No user data or production systems were accessed. All OpenAI macOS app users must update immediately.
The Hacker News | BleepingComputer | CyberScoop

Intel and AMD Address 70 Vulnerabilities on Chipmaker Patch Tuesday
Intel published 13 advisories covering 24 flaws, including a critical CVSS 9.3 buffer overflow in the Data Center Graphics Driver for VMware ESXi (CVE-2026-20794) enabling privilege escalation. AMD published 15 advisories covering 45 vulnerabilities, including a critical CVSS 9.2 flaw in the AMD Device Metrics Exporter (CVE-2026-0481) that exposes an unauthenticated gRPC server on all network interfaces by default. Both vendors also patched high-severity microcode and firmware issues.
SecurityWeek
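
The AMD Device Metrics Exporter item above describes a service that listens on every network interface without authentication. The script below is an added example for this brief (it is not AMD's tooling and does not come from the advisory): it parses `ss -ltnp` output and reports every TCP listener bound to a wildcard address, which is the exposure pattern an administrator would want to review after reading that advisory. The exporter's port is not given in the brief, so the check is generic and flags all wildcard binds; the embedded sample output and its process names are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this brief, not AMD's tooling or a script from the
# advisory: report TCP listeners bound to every interface, the exposure
# pattern described for the AMD Device Metrics Exporter. The port that
# service uses is not given in the brief, so any wildcard bind is reported.

# Read `ss -ltnp` output on stdin and print "port<TAB>process" for each
# listener whose local address is a wildcard (0.0.0.0, [::] or *).
wildcard_listeners() {
    awk '
        $1 == "State" { next }                    # header line
        {
            laddr = $4
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            proc = "-"                            # ss omits the process without privileges
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            printf "%s\t%s\n", port, proc
        }'
}

# Number of wildcard listeners in the input, for use as a pass/fail gate.
wildcard_listener_count() {
    wildcard_listeners | awk 'END { print NR }'
}

# Constructed sample of ss output (not captured from a real host); the
# process names and ports are placeholders.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      4096   *:9100              *:*               users:(("node_exporter",pid=1203,fd=3))
LISTEN 0      4096   [::]:5000           [::]:*            users:(("example-exporter",pid=1340,fd=8))
LISTEN 0      128    [::1]:53            [::]:*            users:(("resolver",pid=400,fd=5))'

# Audit the local host when ss is available; otherwise run on the sample.
if command -v ss >/dev/null 2>&1; then
    ss -ltnp 2>/dev/null | wildcard_listeners
else
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
fi
```

On the sample, the loopback-only sockets (127.0.0.1:631 and [::1]:53) are left out and the three wildcard binds are listed. Some of those are expected (sshd, for instance), so the output is a review list rather than a verdict; the point is to make a metrics or management service that defaults to all interfaces visible so it can be bound to loopback or a management address, or put behind authentication, as the vendor's fix intends.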

Apple Releases Tahoe 26.5 and iOS 26.5 With 70+ Security Fixes
Apple released macOS Tahoe 26.5, iOS 26.5, watchOS, and tvOS updates addressing more than 70 security vulnerabilities. Fixes cover WebKit flaws, kernel privilege escalation, Gatekeeper bypass, sandbox escape, and arbitrary code execution. Apple has not flagged any of the patched vulnerabilities as exploited in the wild. Users on older devices should apply iOS 18.7.9 and iPadOS 18.7.9.
SecurityWeek

Google Patches Critical Android Zero-Click RCE CVE-2026-0073 in ADB Daemon
Google’s May 2026 Android Security Bulletin addresses CVE-2026-0073, a critical zero-click remote code execution flaw in the Android Debug Bridge daemon affecting Android versions 10 through 14. An attacker on the same local network gains remote shell access with no user interaction required. The fix is included in the May 1, 2026 security patch level. Users should verify their device patch level in system settings.
SecurityWeek
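
The Android item above tells users to verify their device's patch level. The script below is an added example for this brief, not Google's code or anything from the bulletin: it reads the two standard system properties that carry the release (`ro.build.version.release`) and the security patch level (`ro.build.version.security_patch`) over `adb`, and reports whether the device falls in the affected Android 10 through 14 range and whether it already carries the May 1, 2026 patch level that includes the CVE-2026-0073 fix. When no `adb` is on the path it runs the same checks on constructed sample values.

```shell
#!/bin/sh
# Added example for this brief, not Google's code: decide from the two
# standard Android build properties whether a device still needs the
# May 1, 2026 security patch level that carries the CVE-2026-0073 fix.

REQUIRED_PATCH_LEVEL="2026-05-01"

# Return 0 if the reported patch level ($1, YYYY-MM-DD) is at or after the
# required level ($2, defaults to REQUIRED_PATCH_LEVEL). An empty or
# malformed property is treated as not patched.
patch_level_ok() {
    level=$1
    required=${2:-$REQUIRED_PATCH_LEVEL}
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Fixed-width ISO dates compare correctly as integers once the dashes go.
    lnum=$(printf '%s' "$level" | sed 's/-//g')
    rnum=$(printf '%s' "$required" | sed 's/-//g')
    [ "$lnum" -ge "$rnum" ]
}

# Return 0 if the Android release ($1, e.g. "13" or "14.0") is in the
# 10-14 range the bulletin names as affected. An unparsable release is
# conservatively treated as affected.
release_affected() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ "$major" -ge 10 ] && [ "$major" -le 14 ]
}

# Print a verdict for a release/patch-level pair; return 0 when the device
# is not at risk (outside the affected releases, or already patched).
assess_device() {
    release=$1
    level=$2
    if release_affected "$release"; then
        if patch_level_ok "$level"; then
            echo "Android $release, patch level $level: fix included"
            return 0
        fi
        echo "Android $release, patch level $level: UPDATE REQUIRED (needs $REQUIRED_PATCH_LEVEL)"
        return 1
    fi
    echo "Android $release: outside the affected 10-14 range"
    return 0
}

# Query a connected device when adb is available; otherwise exercise the
# checks on constructed sample values so the script runs offline.
if command -v adb >/dev/null 2>&1; then
    assess_device "$(adb shell getprop ro.build.version.release | tr -d '\r')" \
                  "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" || :
else
    assess_device "14" "2026-04-05" || :   # constructed: unpatched
    assess_device "13" "2026-05-01" || :   # constructed: patched
    assess_device "15" "2026-03-01" || :   # constructed: outside range
fi
```

The two checks fail closed: an empty or unexpected property value counts as "affected" or "not patched" rather than silently passing, which is the right default for a fleet check where a device that cannot be classified should be looked at by hand. The `tr -d '\r'` strips the carriage return that `adb shell` appends to property output.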

Belarus-Aligned FrostyNeighbor APT Targets Government Organizations in Poland and Ukraine
ESET Research documented renewed activity from FrostyNeighbor (UAC-0057 / Ghostwriter), a Belarus-aligned threat group, targeting government, military, and industrial organizations in Ukraine and Poland since March 2026. The campaign uses geofenced spear-phishing PDFs impersonating Ukrainian telecommunications providers to deliver a JavaScript PicassoLoader variant that deploys Cobalt Strike. Victims outside Ukraine receive a benign decoy PDF to evade analysis.
Dark Reading

Turla Evolves Kazuar Backdoor into Modular Peer-to-Peer Botnet for Nation-State Espionage
Microsoft Threat Intelligence revealed that Secret Blizzard (Turla), a Russian FSB-linked APT, transformed its Kazuar backdoor into a modular peer-to-peer botnet where a single leader node handles external C2 communication via HTTP, WebSockets, or Exchange Web Services, while infected hosts relay commands internally. This architecture reduces network noise and complicates detection. Targets include government, diplomatic, and defence organizations across Europe, Central Asia, and Ukraine.
GBHackers

CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV — May 17 Federal Deadline
CISA added CVE-2026-20182, the CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller under active exploitation by UAT-8616, to the Known Exploited Vulnerabilities catalog one day after its public disclosure. Federal Civilian Executive Branch agencies must remediate by May 17, 2026. Organizations running Cisco SD-WAN infrastructure that have not yet patched should treat this as an emergency.
The Hacker News

Cloudflare Cuts 1,100 Jobs as AI Drives Workforce Restructuring
Cloudflare announced the elimination of approximately 1,100 positions — around 20% of its global workforce — citing a 600% surge in internal AI tool usage over three months. The company posted record Q1 2026 revenue of $639.8 million, a 34% year-over-year increase, but expects $140–150 million in restructuring charges. The move adds to a growing pattern of AI-driven workforce reductions across the technology and security sectors.
SecurityWeek

Stay tuned for today’s in-depth analysis posts.