May Linux Patch Wednesday. A total of 1,638 vulnerabilities (474 in the Linux kernel). For comparison, in April there were 1,035 vulnerabilities (a record!). And this time it turns out to be a record again, more than one and a half times higher! The acceleration is both impressive and alarming. But we will see what happens next. At some point it should stabilize. Although the number of critical vulnerabilities is already so high that reviewing all of them becomes quite problematic. For 7 vulnerabilities there are signs of exploitation in the wild. And for another 264 there are public exploits. Let’s start, as usual, with vulnerabilities being actively exploited according to CISA KEV and VulnCheck KEV data. Here, at the top, as expected, are two high-profile ways to get a root shell:
🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431)
🔻 EoP - Linux Kernel "Dirty Frag" (CVE-2026-43500)
Other vulnerabilities being exploited in the wild:
🔻 RCE - Apache ActiveMQ (CVE-2026-40466). Based on the description, this appears to be a bypass of the fix for CVE-2026-34197, which I already wrote about earlier.
🔻 AuthBypass - Rclone (CVE-2026-41176). Rclone ("rsync for cloud storage") is a command-line utility for synchronizing files and directories between various cloud storage services and local systems. Exploitation of the vulnerability can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods.
🔻 RCE - NGINX (CVE-2026-42945). The bug enables unauthenticated remote code execution against servers using rewrite and set directives.
🔻 DoS - PgBouncer (CVE-2026-6664). PgBouncer is a lightweight, open-source connection pooler for PostgreSQL databases. It reduces connection overhead by managing a pool of connections to one or more PostgreSQL servers, improving performance and resource efficiency for applications with frequent short-lived database connections. An integer overflow in the network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash.
🔻 XSS - Postorius (CVE-2026-44742). The Postorius Django app provides a web user interface to access GNU Mailman. Mailman is free software for managing electronic mail discussion and e-newsletter lists. The vulnerability is being exploited according to VulnCheck KEV; however, no public exploits has been observed yet.
From the remaining vulnerabilities with public exploits, but without any signs of exploitation in the wild so far, the following can be highlighted:
🔸 RCE - Apache HTTP Server (CVE-2026-23918). Double-free error in Apache httpd mod_http2 stream cleanup, leading to pre-auth RCE.
🔸 RCE - Apache Tomcat (CVE-2026-34486). Apache Tomcat Tribes cluster communication module fails to discard messages when EncryptInterceptor decryption fails, allowing unauthenticated attackers to trigger Remote Code Execution via Java deserialization on port 4000.
🔸 RCE - ProFTPD (CVE-2026-42167). The flaw exists in how mod_sql handles certain logging variables (like %U), allowing an unauthenticated attacker to inject SQL commands via the USER command.
🔸 EoP - Linux Kernel "DirtyDecrypt" (CVE-2026-31635). Linux local privilege escalation in the RxRPC/GSSAPI decryption path. A missing skb_cow_data() check in rxgk_decrypt_skb() allows an unprivileged local attacker to corrupt cache pages and overwrite in-memory contents of read-only files.
🔸 EoP - Linux Kernel "Fragnesia" (CVE-2026-46300). I also analyzed this vulnerability earlier. A bug in skb_try_coalesce() allowing page-cache write via fragmented ESP packets.
🔸 EoP - Linux Kernel (CVE-2026-46333). Local root privilege escalation and credential disclosure in the Linux kernel ptrace path, discovered by researchers at Qualys.
🔸 EoP - PackageKit "Pack2TheRoot" (CVE-2026-41651). PackageKit is a free and open-source suite of software applications designed to provide a consistent and high-level abstraction layer for a number of different package management systems. The vulnerability allows an attacker to escalate privileges, potentially gaining root access or compromising the system.
🔸 ComInj - Composer (CVE-2026-40261, CVE-2026-40176). Composer is a dependency manager for PHP. The vulnerability exists in the Perforce::generateP4Command() method. Due to insufficient sanitization of repository configuration parameters (such as url, p4user, or client) when constructing shell commands, an attacker who controls a composer.json file can execute arbitrary commands on the victim's system when composer install or composer update is executed.
