ClickFix initial access has been pasting PowerShell into RunMRU for two years and most detection content still treats it like a primer. Here is what the telemetry actually looks like, what tunes out, and where teams keep getting it wrong.
A defender-oriented analysis of indirect prompt injection in tool-calling agents: where the signal actually lives in the trace pipeline, what the first week of tuning has to fix, and which 800-53 controls the implementation maps to.
CVE-2026-7482 turns Ollama’s /api/create into a heap-read primitive that exfiltrates prompts, system messages, and process environment variables through a crafted GGUF tensor shape. Patch to 0.17.1; everything else is a stopgap.
A defender-oriented analysis of firmware- and bootloader-resident implants on perimeter network appliances, what they look like in practice, how to detect them, and how to map the response to NIST 800-53.
Hyunwoo Kim’s Dirty Frag chain extends the Dirty Pipe / Copy Fail class to skb paged fragments. The xfrm ESP receive path provides a deterministic 4-byte page-cache store (CVE-2026-43284); the rxrpc receive path provides a namespace-free trigger (CVE-2026-43500). One PoC, no race, root on Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, and openSUSE — including hosts that already blocklisted algif_aead for Copy Fail.
Immutable base images plus systemd sysext/confext overlays have quietly become the standard for fleet-managed Linux in 2026. They also created a persistence surface most SOCs are not yet watching.
A double-free in Apache httpd 2.4.66’s mod_http2 lets unauthenticated clients crash workers reliably and, on certain builds, opens a path to remote code execution. Here’s the defender-oriented breakdown: mechanism, detection, remediation, and 800-53 mapping.
Trellix has confirmed unauthorized access to part of its source code repository. The disclosure is thin on detail and heavy on implications for every shop running Trellix EDR or XDR.
Theori’s Copy Fail flaw turns a nine-year-old in-place optimization in the kernel’s AEAD socket layer into a deterministic 4-byte page-cache write. No race, no offset hunting, no per-distro tuning. A 732-byte Python script edits a setuid binary’s cached pages and hands you root on Ubuntu, RHEL, SUSE, and Amazon Linux without modification.
Prompt injection isn’t a content-filtering problem. It’s a control-flow problem, and 2026’s serious agent deployments are starting to treat it that way.
