#Rust #OpenSource
| Web | canartuc.com |
Microsoft released Coreutils for Windows at Build 2026 on June 2. It is a Rust build of the uutils project plus findutils and grep, shipped as one binary via winget. The goal: the same commands behave the same on Windows, WSL, macOS, and Linux. The GNU originals carry a copyleft license that was never shipping inside Windows. The permissive Rust rewrite is what made native Unix tooling acceptable to Microsoft's lawyers. A license swap, not a breakthrough.
Asim Manizada disclosed CVE-2026-46243 on the oss-security list May 28, after a private report May 16 and a coordinated embargo. The bug sits in the kernel's CIFS file-sharing client. Any local user can forge a request that starts the privileged cifs.upcall helper as root. In their own mount namespace, that helper loads their code as root. Patches landed around June 2. The root flaw lived in the handshake to a userspace helper wired up years ago.
Aikido found 32 Red Hat npm packages backdoored June 1: 96 bad versions pulling about 117,000 downloads a week. The attacker took over an employee's GitHub account and pushed commits that bypassed review. They shipped the packages through GitHub trusted publishing, the mechanism built to take stolen tokens out of the picture. No token was stolen. Across 14 compliant platforms, a control never removes risk for free. It relocates the risk to the layer the security budget skipped.
Linux 7.0 shipped April 12. A PREEMPT_LAZY scheduling change regresses PostgreSQL on AWS Graviton4, the Arm Neoverse-V2 class powering much of AWS RDS. Day nineteen, 7.1-rc2 still does not close it. Fedora 44 (April 28) and Grml 2026.04 (April 30) shipped 6.19. Mageia 10 stayed on 6.18 LTS. Ubuntu 26.04 LTS shipped 7.0, locking the regression into a five-year window.
CISA added cPanel CVE-2026-41940 to the Known Exploited Vulnerabilities catalog April 30. CRLF injection in cpsrvd login paths, CVSS 9.8. Federal deadline May 3. Help Net Security and CyberScoop confirmed exploitation as a zero-day from February 23. WebPros patched April 28, two months later. Fixed builds: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5. Patch the binary and audit session files in the same change window.
Wireshark shipped 4.6.5 on April 30 with up to 38 security fixes across a dozen protocol parsers. Possible code execution sits in TLS, RDP, the profile importer, and the SBC codec. AI-assisted vulnerability reports drove the work. One day earlier Theori used the same approach to dig out a 9-year-old kernel bug. The OpenSSF AI-Slop survey runs through May 31.
Theori reported CVE-2026-31431, CopyFail, on March 23. A 9-year-old logic bug in algif_aead, the kernel's authenticated-encryption socket layer. Mainline patched April 1. The public proof-of-concept, 732 bytes of Python, hands any local user root. No race, no offsets. It dropped April 29. openSUSE Leap 15.6 reached EOL April 30 and will never get the patch. I have run edge-to-cloud since 2008. EOL is a hard security boundary.