Here are today’s top cybersecurity stories for Friday, May 8, 2026.
Dirty Frag: Unpatched Linux Kernel Zero-Day Gives Root on All Major Distributions
Researcher Hyunwoo Kim disclosed two chained Linux kernel local privilege escalation flaws — CVE-2026-43284 and CVE-2026-43500 — dubbed Dirty Frag. The bugs affect IPsec ESP (esp4/esp6) and rxrpc modules and allow any unprivileged local user to gain root in a single command. A working public exploit exists. The disclosure embargo was broken before distributions could issue patches, though patched kernels began rolling out on May 8. Until a patched kernel is installed, the mitigation is to blacklist the esp4, esp6, and rxrpc modules. Help Net Security
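The interim mitigation in the last sentence, as an added shell example that is not from the advisory or the article: it emits the modprobe.d blacklist for esp4, esp6 and rxrpc and checks /proc/modules for those modules. The module names are the ones the story gives; the /etc/modprobe.d/dirty-frag.conf path and the function names are assumptions.

```shell
# Added example: stage the interim Dirty Frag mitigation named above
# (blacklist esp4/esp6/rxrpc) and check whether those modules are loaded.
# Module names come from the advisory; the config path is an assumption.
DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"
DIRTY_FRAG_CONF="/etc/modprobe.d/dirty-frag.conf"   # assumed location

# Print a modprobe.d fragment. "blacklist" alone only stops loading through
# an alias (for example a protocol-family alias requested by the kernel); an
# "install ... /bin/false" line also makes explicit requests by module name
# fail, so both lines are emitted for every module.
dirty_frag_modprobe_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# List which of the modules are loaded, reading a /proc/modules-format file
# ($1, default: the live /proc/modules). Field 1 must match exactly, so a
# module that merely depends on esp4 is not reported. Exit status is non-zero
# when at least one module is loaded and zero when none is.
dirty_frag_loaded_modules() {
    modfile="${1:-/proc/modules}"
    loaded=0
    for m in $DIRTY_FRAG_MODULES; do
        if awk -v mod="$m" '$1 == mod { hit = 1 } END { exit !hit }' "$modfile"; then
            echo "$m"
            loaded=1
        fi
    done
    return $loaded
}

# Write the config and unload the modules now (root required). modprobe -r
# fails for a module that is in use, such as an active IPsec tunnel; the
# config still applies at next boot, and the patched kernel is the real fix.
dirty_frag_apply() {
    dirty_frag_modprobe_conf > "$DIRTY_FRAG_CONF"
    for m in $(dirty_frag_loaded_modules); do
        modprobe -r "$m" || echo "warning: could not unload $m" >&2
    done
    if dirty_frag_loaded_modules > /dev/null; then
        echo "no Dirty Frag modules loaded"
    else
        echo "modules still loaded; reboot into a patched kernel" >&2
    fi
}

# Only acts when explicitly requested, so sourcing this file has no side effects.
[ "${DIRTY_FRAG_APPLY:-0}" = 1 ] && dirty_frag_apply
```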
Quasar Linux (QLNX): New Stealthy RAT Targets Software Developers with Rootkit and Credential Theft
Trend Micro documented a previously undisclosed Linux implant named Quasar Linux (QLNX) targeting developer systems with a two-tier rootkit — a userspace LD_PRELOAD hook for persistence and an eBPF kernel-level rootkit controller. The malware supports 58 commands including shell access, screen capture, keylogging, SSH credential harvesting, and lateral movement. The campaign targets software development and DevOps environments, with no threat actor attributed at this time. BleepingComputer
TCLBANKER: Brazilian Banking Trojan Spreads via Signed Logitech Installer and WhatsApp/Outlook Worms
Elastic Security Labs identified TCLBANKER (tracked as REF3076), a Brazilian banking trojan that abuses a signed Logitech Logi AI Prompt Builder MSI installer via DLL sideloading. Once installed, the malware deploys WPF-based overlay screens targeting 59 banking, fintech, and cryptocurrency platforms, and propagates through hijacked WhatsApp Web sessions and Microsoft Outlook email bots. The campaign appears to still be in early operational stages based on development artifacts observed during analysis. The Hacker News
CISA Orders Feds to Patch Dell RecoverPoint CVE-2026-22769 Within Three Days
CISA added CVE-2026-22769 — a maximum-severity hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines (CVSS 10.0) — to the Known Exploited Vulnerabilities catalog with a three-day federal remediation deadline. Google Mandiant and GTIG attributed active exploitation to UNC6201, a China-nexus threat cluster operating since mid-2024. Attackers upload a SLAYSTYLE web shell via Tomcat Manager, gain root persistence, and deploy the BRICKSTORM or GRIMBOLT backdoors while using temporary Ghost NICs to cover their access paths. BleepingComputer
Palo Alto PAN-OS CVE-2026-0300: Exploit Attempts Traced to April 9
Palo Alto Networks confirmed that threat actors attempted to exploit CVE-2026-0300 — a CVSS 9.3 buffer overflow in the PAN-OS User-ID Authentication Portal — as early as April 9, before the vulnerability was publicly disclosed. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges. Attempts were unsuccessful, but the timeline underscores how rapidly sophisticated actors move against unpatched edge devices. A patch is expected by May 13. SecurityWeek
Ivanti EPMM CVE-2026-6973: Active Exploitation Confirmed in Limited Attacks
Ivanti confirmed limited active exploitation of CVE-2026-6973, a high-severity flaw (CVSS 7.2) in Endpoint Manager Mobile that enables a remotely authenticated administrator to achieve remote code execution. The company stated that exploitation has been limited to a very small number of customers. Organizations running EPMM should apply the available patch immediately as a priority. SecurityWeek
Critical Ollama Vulnerability Could Expose 300,000 Deployments to Data Theft
A critical bug in Ollama, the widely used open-source local AI inference server, puts an estimated 300,000 internet-exposed deployments at risk of information theft. The flaw affects Ollama environments integrated with cloud platforms including AWS, Docker, and Kubernetes. Full technical details are pending coordinated disclosure. Organizations running Ollama in production should restrict network exposure immediately. SecurityWeek
RansomHouse Claims Breach of Cybersecurity Vendor Trellix
The RansomHouse extortion group published screenshots claiming access to internal Trellix services. Trellix — the enterprise security platform formed from the merger of McAfee Enterprise and FireEye — had not issued a public statement at time of reporting. The claim follows a pattern of ransomware actors targeting security vendors to leverage trust relationships and downstream access to enterprise customers. SecurityWeek
Taiwan Student Arrested for Interfering With Railway TETRA Communications
Taiwanese authorities arrested a 23-year-old university student for disrupting the TETRA radio communication system used by Taiwan’s High Speed Railway. TETRA is widely deployed by law enforcement, transit agencies, and critical infrastructure operators across many countries. The incident highlights the public safety risk posed by interference with critical communications infrastructure. BleepingComputer
Stay tuned for today’s in-depth analysis posts.