Indirect prompt injection is hard to catch in the prompt and easy to miss in the model output. The reliable detection surface is the outbound fetch the rendered answer triggers — here is how to instrument it and where the false positives come from.
Nation-state operators now rent disposable relay meshes that cycle IPs faster than your threat feed updates. Indicator-based blocking was already brittle; against ORB networks it’s mostly theater. Here’s what actually moves the needle.
CVE-2026-49975 chains the 2016 HPACK Bomb with an HTTP/2 flow-control stall into a remote, unauthenticated memory-exhaustion DoS that takes down default nginx, Apache, IIS, Envoy, and Pingora configs from a single home connection. An OpenAI Codex agent found it by reading the code.
A CVSS 9.8 stack-based buffer overflow in Windows Netlogon gives an unauthenticated attacker code execution on a domain controller. Microsoft called exploitation ‘less likely.’ Belgium’s CCB says it’s happening now.
CVE-2026-42897 is an actively exploited OWA cross-site-scripting flaw in Microsoft Exchange Server 2016, 2019, and Subscription Edition. CVSS 8.1, KEV-listed, federal remediation deadline May 29. A specially crafted email runs JavaScript in the victim’s OWA session — session token theft, mailbox read, send-as, mailbox rules — and the catch buried in Microsoft’s guidance is that a permanent patch is gated behind Period 2 ESU enrollment for everyone still on 2016 or 2019. The EEMS mitigation works, with caveats. Here’s what’s real about it.
A defender-oriented look at where HTTP/2-to-HTTP/1.1 request smuggling sits in 2026 — the parser-differential class that keeps finding new homes, what the detection actually looks like in Splunk, and what most teams miss on the first tuning pass.
Chaotic Eclipse dropped two unpatched Windows zero-days on May 13, 2026. YellowKey turns an NTFS transaction log on a USB stick into a BitLocker bypass through WinRE — physical access, no recovery key, no PIN required on TPM-only boxes. GreenPlasma is the companion privilege escalation through CTFMON. No CVEs, no patches, and a researcher who has promised more for June’s Patch Tuesday.
Hyunwoo Kim’s Dirty Frag chain extends the Dirty Pipe / Copy Fail class to skb paged fragments. The xfrm ESP receive path provides a deterministic 4-byte page-cache store (CVE-2026-43284); the rxrpc receive path provides a namespace-free trigger (CVE-2026-43500). One PoC, no race, root on Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, and openSUSE — including hosts that already blocklisted algif_aead for Copy Fail.
A double-free in Apache httpd 2.4.66’s mod_http2 lets unauthenticated clients crash workers reliably and, on certain builds, opens a path to remote code execution. Here’s the defender-oriented breakdown: mechanism, detection, remediation, and 800-53 mapping.
Model Context Protocol gives agents a clean way to call tools, but it also gives every piece of retrieved content a direct line to those tools. The classic confused deputy problem is back, and most deployments are not handling it.
