Cybersecurity Radar — 2026-05-10
The "Dirty Frag" Linux kernel zero-day (CVE-2026-43284/CVE-2026-43500) remains unpatched and publicly exploited, giving attackers root on virtually all major Linux distributions — demanding immediate attention from administrators worldwide. Meanwhile, the Canvas/Instructure breach fallout continues to deepen, with Krebs on Security revealing that threat group ShinyHunters had been embedded in Instructure's environment for at least eight months before the May 2026 escalation. Ivanti's EPMM platform also faces active zero-day exploitation, adding to an already intense week of critical vulnerability disclosures.
🔴 Critical Alerts
"Dirty Frag" Linux Kernel Zero-Day (CVE-2026-43284 / CVE-2026-43500) — No Patch Available
A critical Linux kernel local privilege escalation exploit chain dubbed "Dirty Frag" has gone fully public after an embargo was reportedly broken. The vulnerability allows a local attacker to gain root privileges on virtually all major Linux distributions with a single command. A public proof-of-concept (PoC) exploit is now circulating. As of press time, no official kernel patch has been released. Cloudflare confirmed it detected, investigated, and mitigated the threat across its global fleet with zero customer impact, but organizations running exposed Linux systems must apply interim workarounds immediately. Administrators should restrict local user access, monitor for anomalous privilege escalation activity, and apply vendor-specific mitigations as they become available.

Ivanti EPMM Zero-Day (CVE-2026-6973) — Actively Exploited in the Wild
Ivanti has released fixes for high-severity vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, including CVE-2026-6973, a remote code execution flaw that is being actively exploited as a zero-day. Organizations using Ivanti EPMM should apply the available patches immediately, audit for signs of compromise, and review Ivanti's published indicators of compromise. Given Ivanti's repeated appearance in zero-day exploit disclosures this year, defenders should treat all unpatched Ivanti products as high-priority targets.

Threat Landscape
ShinyHunters / Instructure (Canvas) — Eight-Month Dwell Time Revealed
Krebs on Security has published a significantly deeper investigation into the ShinyHunters breach of Instructure, the parent company of Canvas LMS, which disrupted colleges across North America during finals week. The new reporting makes clear that what was initially framed as a set of isolated incidents — including an earlier breach affecting the University of Pennsylvania — was in fact part of a coordinated, long-running attack. ShinyHunters had reportedly maintained access to Instructure's environment for at least eight months prior to the May 2026 escalation, during which attackers claimed to have exfiltrated data on 275 million users. The NPR report confirms that many schools were still warning users not to log back in following the initial disruption, underscoring the scale of the incident.
"The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events." — Krebs on Security

RansomHouse Claims Trellix Source Code Repository Breach
BleepingComputer reported (May 8, 2026) that the RansomHouse threat group has claimed responsibility for a previously disclosed attack on Trellix's source code repository, leaking a small set of images as proof of the intrusion. Trellix is a major cybersecurity vendor (formed from the merger of McAfee Enterprise and FireEye), making a successful source-code breach particularly sensitive. The full scope of what was exfiltrated remains unclear. Organizations using Trellix products should monitor for vendor advisories about potential supply chain implications.
Nation-State Groups Deploying Ransomware as Disruption, Not Just Profit
Analysis from SecurityMaisters (published within the past week) highlights a maturing tactic: state-affiliated threat actors are deploying ransomware not primarily for financial gain, but to paralyze critical operations, create geopolitical leverage, or mask intelligence collection activities. This mirrors findings from the Waterfall Threat Report 2026 (March 2026), which documented a deeper shift toward nation-state attacks on critical infrastructure behind the apparent "ransomware slowdown." Defense contractors, legal firms, and higher-education institutions remain disproportionately targeted.
Vulnerabilities & Patches
CVE-2026-43284 / CVE-2026-43500 — "Dirty Frag" Linux Kernel Privilege Escalation (Critical, No Patch)
A two-CVE exploit chain in the Linux kernel allows local privilege escalation to root on all major distributions. A working public PoC is already circulating. No kernel patch is available at time of publication. Workarounds include restricting local user access and monitoring for escalation. Tenable has published a detailed FAQ. Cloudflare mitigated exposure across its fleet and confirmed no exploitation of customer environments.
CVE-2026-6973 — Ivanti EPMM Remote Code Execution (High, Patch Available)
Ivanti has patched a high-severity RCE vulnerability in Endpoint Manager Mobile that is confirmed under active zero-day exploitation. Apply the vendor patch immediately. This is the latest in a continuing series of high-profile Ivanti vulnerabilities being weaponized before public disclosure.
Windows Zero-Click Flaw — CISA / Microsoft Warning (Previously Flagged, Still Active)
Microsoft and CISA have warned that attackers continue to exploit a zero-click Windows flaw capable of exposing sensitive information on vulnerable systems. The Register reported (April 29, 2026) that an initial Microsoft patch fell short of full remediation. Organizations should verify that the latest cumulative Windows updates are fully applied and monitor CISA's Known Exploited Vulnerabilities catalog for further guidance.
Breaches & Incidents
Instructure / Canvas — 275 Million Records, Colleges Disrupted During Finals
The ShinyHunters breach of Instructure (Canvas LMS parent) remains the week's most consequential incident. Half of North American higher-education institutions use Canvas. The group claimed 275 million records exfiltrated. Schools were advising users not to log back in, exams were disrupted, and Krebs on Security's investigation revealed the attackers had been present for at least eight months — pointing to a premeditated, long-term operation rather than an opportunistic strike.
Trellix — Source Code Repository Breach Claimed by RansomHouse
RansomHouse claimed and partially evidenced access to Trellix's source code repository. As of May 8, 2026, Trellix had not issued a public statement detailing the full scope. Given Trellix's role as a security platform vendor, downstream customers face potential exposure from any weaponized knowledge of internal tooling or detection logic.
Industry & Policy
CISA Continues to Track Actively Exploited Vulnerabilities
CISA's cybersecurity advisory page continues to be updated in real time. The Ivanti EPMM zero-day (CVE-2026-6973) and the ongoing Windows zero-click exploitation have both been flagged through official channels. Organizations should ensure they have CISA's Known Exploited Vulnerabilities (KEV) catalog integrated into their patch prioritization workflows — federal agencies face binding remediation deadlines.
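One way to wire the KEV catalog into patch prioritization, as an added example that is not from the newsletter or from CISA: the field names match the public KEV JSON feed, but the catalog excerpt, the host inventory and the due dates are constructed sample data.

```python
# Added example (not from the newsletter): rank scanner findings by whether
# the CVE is in CISA's KEV catalog and how close (or past) its due date is.
# Field names follow the public KEV JSON feed; the catalog excerpt and
# inventory below are constructed sample data, not real catalog contents.
import json
from datetime import date

KEV_JSON = json.dumps({"catalogVersion": "sample", "vulnerabilities": [
    {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti",
     "product": "Endpoint Manager Mobile", "dateAdded": "2026-05-07",
     "dueDate": "2026-05-28", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-0001", "vendorProject": "ExampleCorp",
     "product": "Widget", "dateAdded": "2026-04-01",
     "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: host -> CVEs reported by a vulnerability scanner.
INVENTORY = {"mdm-01": ["CVE-2026-6973", "CVE-2025-9999"],
             "web-02": ["CVE-2026-0001"], "db-03": ["CVE-2025-9999"]}

def load_kev(raw):
    """Index a KEV catalog export by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(inventory, kev, today_iso):
    """Findings present in KEV, most urgent first: overdue (most days past due)
    first, then ransomware-linked, then earliest due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:          # not in KEV: normal patch cadence
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host, "cve": cve, "due": entry["dueDate"],
                "days_left": (due - today).days,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (f["days_left"], not f["ransomware"]))
    return findings

if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_JSON), "2026-05-10"):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['host']:8} {f['cve']:15} due {f['due']} ({f['days_left']:+d} d){flag}")
```

Swap `KEV_JSON` for the downloaded `known_exploited_vulnerabilities.json` and `INVENTORY` for your scanner export; findings with a negative `days_left` are already past CISA's remediation deadline.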
Cloudflare's Public Response to Dirty Frag Sets Transparency Standard
Cloudflare published a detailed post-incident report on its response to the "Copy Fail" (Dirty Frag) Linux vulnerability, confirming zero customer impact and laying out the full detection-to-mitigation timeline across its global infrastructure. The disclosure serves as a model for how large platform operators can communicate kernel-level vulnerability response — and underscores the importance of having pre-built detection playbooks for zero-day kernel exploits.
Nation-State / Criminal Convergence Accelerating
Analysis from Kiteworks VP Dario Perfettibile, surfaced in SecurityWeek's Cyber Insights 2026 report, puts a policy lens on the week's events: "The distinction between nation-state attacks and criminal activity collapses in practice. Ransomware gangs operating with state approval can simultaneously pursue profit and geopolitical objectives." This framing is relevant to legislative and regulatory discussions ongoing in the US, EU, and UK around attribution standards and liability frameworks for cyber incidents affecting critical infrastructure.
What to Watch
- Dirty Frag patch timeline: The Linux kernel security team is under pressure to release an official patch for CVE-2026-43284/CVE-2026-43500. Watch for emergency kernel releases and distribution-specific backports from Red Hat, Debian, Ubuntu, and others — exploit complexity is low and public PoC availability means the window before mass exploitation is extremely narrow.
- Instructure/Canvas breach scope expansion: As Krebs on Security and others continue investigating, expect additional affected institutions and third-party vendors connected to Instructure's infrastructure to surface. The eight-month dwell time suggests lateral movement may have reached partners beyond Canvas itself.
- Ivanti exploitation cascade: CVE-2026-6973 follows a well-established pattern of Ivanti EPMM and Connect Secure vulnerabilities being chained by sophisticated actors. Monitor for CISA emergency directives and watch for reports linking exploitation to specific threat clusters — particularly nation-state-aligned groups that previously targeted Ivanti appliances.
Reader Action Items
- Patch or mitigate Dirty Frag immediately: If you run Linux systems with local user access (virtually any server or workstation), apply all available vendor-specific mitigations now. Restrict local shell access for non-administrative users, audit sudoers configurations, and enable kernel exploit detection in your EDR tooling. Subscribe to your distro's security mailing list for the official kernel patch.
- Apply Ivanti EPMM patches and audit for compromise: If your organization uses Ivanti Endpoint Manager Mobile, apply CVE-2026-6973 patches without delay, then perform a thorough IOC sweep using Ivanti's published indicators. Given the history of Ivanti zero-days being used for initial access by APT groups, treat any unpatched Ivanti device as potentially already compromised.
- Review Canvas/Instructure exposure and notify affected users: If your institution or organization uses Canvas LMS, audit what user data is stored within Instructure's environment, review your data processing agreements for breach notification obligations, and proactively communicate with affected students and staff — particularly around credential reuse, given the scale of the alleged exfiltration.
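A starting point for the "restrict local shell access and audit sudoers" item above, as an added example that is not from the newsletter: it reports human accounts that have a login shell but no admin group membership, and sudoers rules that grant ALL or NOPASSWD. The passwd, group and sudoers text are constructed samples; on a real host you would read the actual files (sudoers typically requires root).

```python
# Added example (not from the newsletter): audit passwd/group/sudoers-formatted
# text for interactive non-admin accounts and over-broad sudo rules.
# The three inputs are constructed samples; on a host, read the real files.
import re

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc-backup:x:1002:1002::/var/backup:/bin/sh
"""
GROUP = "sudo:x:27:alice\nwheel:x:10:\n"
SUDOERS = """\
# constructed sample sudoers
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
RULE = re.compile(r"^(\S+)\s+\S+=\(.*?\)\s*(NOPASSWD:\s*)?(.+)$")

def admin_members(group_text, admin_groups=("sudo", "wheel")):
    """Users listed directly in the admin groups."""
    members = set()
    for line in group_text.splitlines():
        name, _, _, users = line.split(":")
        if name in admin_groups and users:
            members.update(users.split(","))
    return members

def interactive_non_admins(passwd_text, admins, min_uid=1000):
    """Human accounts (uid >= min_uid) with a login shell but no admin role."""
    out = []
    for line in passwd_text.splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        if int(uid) >= min_uid and shell not in NOLOGIN and user not in admins:
            out.append(user)
    return out

def risky_sudo_rules(sudoers_text):
    """(principal, nopasswd, commands) for rules that grant ALL or NOPASSWD."""
    out = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = RULE.match(line) if line and not line.startswith("#") else None
        if m and (m.group(2) or m.group(3).strip() == "ALL"):
            out.append((m.group(1), bool(m.group(2)), m.group(3).strip()))
    return out

if __name__ == "__main__":
    print(interactive_non_admins(PASSWD, admin_members(GROUP)), risky_sudo_rules(SUDOERS))
```

Accounts in the first list are candidates for a nologin shell until the kernel patch lands; rules in the second list (root's own aside) are the ones to justify or remove.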
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.