may 8, 2026
7 links from the engineering internet.
dirty frag linux zero-day exploits two kernel flaws for root on all major distros
security researcher hyunwoo kim disclosed dirty frag (cve-2026-43284, cve-2026-43500), chaining ipsec esp and rxrpc page-cache flaws to get instant root on every major linux distro. a patch exists for the esp half; the rxrpc flaw has no upstream fix as of disclosure.
cloudflare cuts 1,100 jobs as ai use grows 600%, ceo calls it a restructuring
cloudflare is cutting roughly 20% of its workforce after internal ai usage grew 600% in three months, arguing that agent-driven automation has rendered many support and ops roles unnecessary. severance includes full base pay through the end of 2026.
linux 7.0.5, 6.18.28, 6.12.87, and 6.6.138 release partial dirty frag fixes
greg kroah-hartman released four stable kernels patching the ipsec esp component of dirty frag (cve-2026-43284) and a related copy fail 2 flaw. the rxrpc half of dirty frag (cve-2026-43500) has no upstream patch; these releases cover only part of the current attack surface.
shinyhunters defaces canvas login pages at thousands of schools, demands ransom
shinyhunters replaced canvas lms login pages at thousands of schools with a ransom demand, claiming a second breach of 275 million student and staff records. harvard, penn, and others lost access during finals; a may 12 data-leak deadline is now active.
ivanti epmm zero-day cve-2026-6973 exploited, cisa gives feds 4 days to patch
ivanti disclosed cve-2026-6973, a high-severity authenticated rce in endpoint manager mobile being actively exploited in targeted attacks. cisa added it to the known exploited vulnerabilities catalog and mandated federal agencies patch or isolate affected systems by may 10.
claudebleed: chrome extension flaw lets any plugin hijack claude agent
layerx security found claude's chrome extension accepts commands from any installed extension without verifying the caller, allowing exfiltration of gmail and google drive data. anthropic's may 6 partial fix was bypassed by researchers within hours of release.
study: every tested android mental health app contains undisclosed trackers
researchers tested 25 popular android mental health apps and found every single one contained undisclosed trackers not mentioned in its privacy policy, with 68% failing to disclose over half of their trackers. collectively these apps have millions of installs.