VYPR
AI Brief · 2026-06-15 · generated Jun 15, 2026

What you need to know today.

PoC exploit drops for a critical KVM/arm64 guest escape, as 25 Linux kernel bugs and an actively exploited LiteSpeed cPanel flaw demand urgent patching.

A proof-of-concept exploit has been released for CVE-2026-46316, a critical use-after-free in the KVM/arm64 VGIC-ITS translation cache that enables guest-to-host escape on ARM64 hosts. As Cyber Security News reported, the host-side code that walks the per-ITS translation cache with xa_for_each() dropped references on entries that had already been erased, leaving a dangling reference that a malicious guest with a virtual ITS can turn into host memory corruption. With a CVSS of 9.3 and a public PoC now circulating, this is an immediate threat to any cloud or virtualized environment running ARM64 Linux hosts: a hostile tenant breaking out of its VM into the hypervisor is precisely the failure multi-tenant infrastructure is built to prevent. Because the ITS is what delivers MSIs to guests, most production ARM64 VMs have one, so do not assume a host is exempt; patch the host kernel or live-migrate guests to patched hosts first.

A wave of 25 Linux kernel vulnerabilities was disclosed in a single batch on June 8–9, 2026, as Vypr Intelligence detailed. Among them, CVE-2026-46325 (CVSS 9.8) is a bug in the RDMA rxe (Soft-RoCE) driver's IOVA-to-VA conversion for memory regions whose page size differs from PAGE_SIZE, which can corrupt memory in high-performance computing and storage workloads that use it. CVE-2026-46289 (CVSS 9.8) covers bugs in the scatterlist helper extract_kvec_to_sg() that can corrupt kernel memory. Further high-severity issues include CVE-2026-46317 (KVM arm64 nested MMU array reassignment race, CVSS 8.8), CVE-2026-46330 (SMC TCP ULP support, reverted because of fundamental design flaws), CVE-2026-46332 (greybus gb-beagleplay bootloader receive buffer overflow, CVSS 8.0), and CVE-2026-52907 (rockchip rkcif media driver off-by-one, CVSS 7.8).

Another 10 kernel flaws were disclosed alongside the Google Android SDK, as Vypr Intelligence noted, including CVE-2026-46307 (ath5k WiFi driver out-of-bounds array access, CVSS 8.3), CVE-2026-46303 (isofs Rock Ridge CE continuation extent validation, CVSS 8.2), and CVE-2026-46288 (OF unittest use-after-free, CVSS 8.4). Most of these are reachable only when a particular driver is loaded or a particular subsystem is in use (RDMA, nested virtualization, a mounted ISO image), so triage by which subsystems a fleet actually enables rather than by CVSS score alone.

CVE-2026-54420 is a symlink mishandling vulnerability in the LiteSpeed cPanel plugin (before version 2.4.8) that is already being exploited in the wild on shared hosting servers running CloudLinux/CageFS. An attacker who already has FTP or web shell access to one account can plant a symlink that the plugin follows, escalating privileges or reading other customers' data on the same host and defeating the per-tenant isolation CageFS is there to provide. With a CVSS of 8.5 and confirmed active exploitation, shared hosting providers using LiteSpeed should treat this as an emergency patching priority: the attack is trivial for a low-privileged account holder, and the prerequisite (a malicious or compromised customer account) is routine on shared hosts. Update the plugin to 2.4.8 or later and review recently created symlinks in customer home directories for signs of exploitation.
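The general pattern behind this class of bug is a privileged process that opens a tenant-supplied path and silently follows a symlink out of the tenant's directory. The following is an added example, not code from the LiteSpeed plugin, cPanel or CloudLinux, showing the naive open beside a hardened one that refuses symlinks and verifies ownership on the opened descriptor. The function names, the "file must be owned by the tenant uid" rule and the constructed docroot layout are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive open, as a server or plugin might do when serving a path from a
 * customer's docroot: the symlink is followed silently, so a link planted
 * by tenant A that points at tenant B's file (or /etc/shadow) is opened
 * with whatever privileges the opening process has. */
int naive_open(int dirfd, const char *name)
{
    return openat(dirfd, name, O_RDONLY | O_CLOEXEC);
}

/* Hardened open (added example). O_NOFOLLOW makes openat() fail with ELOOP
 * when the final component is a symlink. Ownership is then checked with
 * fstat() on the open fd rather than stat() on the path, so a tenant cannot
 * swap the name between check and use. Returns an fd, or -1 with errno set.
 * Expects a single path component under dirfd: O_NOFOLLOW does not cover
 * symlinks in intermediate directories. */
int tenant_safe_open(int dirfd, const char *name, uid_t tenant_uid)
{
    int fd = openat(dirfd, name, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {   /* reject devices, FIFOs, directories */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (st.st_uid != tenant_uid) { /* file belongs to another customer */
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Outcomes of the constructed scenario, as a bitmask. */
enum {
    NAIVE_FOLLOWED_LINK = 1, /* naive_open() opened through the symlink */
    SAFE_REFUSED_LINK   = 2, /* tenant_safe_open() rejected it with ELOOP */
    SAFE_OPENED_OWN     = 4, /* tenant_safe_open() served the tenant's file */
    SAFE_REFUSED_UID    = 8, /* tenant_safe_open() rejected a foreign uid */
};

/* Builds a constructed docroot in a temp dir (index.html owned by us, and
 * "link" -> index.html standing in for a link to another customer's data),
 * exercises both open variants, cleans up and returns the bitmask (15 when
 * everything behaves as described). */
int demo(void)
{
    const char *base = getenv("TMPDIR");
    char dir[4096];
    snprintf(dir, sizeof dir, "%s/tenantXXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, "index.html", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
    if (fd < 0 || write(fd, "hello\n", 6) != 6)
        return -1;
    close(fd);
    if (symlinkat("index.html", dfd, "link") < 0)
        return -1;

    int result = 0;
    uid_t me = getuid();

    fd = naive_open(dfd, "link");
    if (fd >= 0) { result |= NAIVE_FOLLOWED_LINK; close(fd); }

    fd = tenant_safe_open(dfd, "link", me);
    if (fd < 0 && errno == ELOOP) result |= SAFE_REFUSED_LINK;
    else if (fd >= 0) close(fd);

    fd = tenant_safe_open(dfd, "index.html", me);
    if (fd >= 0) { result |= SAFE_OPENED_OWN; close(fd); }

    /* We cannot chown to another user unprivileged, so simulate a foreign
     * file by asking for a uid that is not ours. */
    fd = tenant_safe_open(dfd, "index.html", me + 1);
    if (fd < 0 && errno == EACCES) result |= SAFE_REFUSED_UID;
    else if (fd >= 0) close(fd);

    unlinkat(dfd, "link", 0);
    unlinkat(dfd, "index.html", 0);
    close(dfd);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("outcome bitmask: %d (expected 15)\n", r);
    return r == 15 ? 0 : 1;
}
```

On Linux 5.6 and later, openat2(2) with RESOLVE_NO_SYMLINKS or RESOLVE_BENEATH closes the remaining gap (symlinks in intermediate directories) that O_NOFOLLOW alone leaves open. The ownership check is the part CageFS cannot do for you: a chroot confines the tenant's own processes, but a privileged server process that follows the tenant's link on its behalf is outside that boundary.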

CVE-2026-12183 is a critical authentication bypass in the Nefteprodukttekhnika BUK TS-G Gas Station Automation System (versions 2.9.1 through 2.10.2 on Linux). The /php/ajax-login.php endpoint returns userid=1 (admin) without proper authentication, giving any unauthenticated remote attacker full administrative control over gas station infrastructure. With a CVSS of 9.8, this flaw affects operational technology in the fuel distribution sector and is a reminder that industrial control system vulnerabilities continue to expose critical infrastructure to remote takeover with no credentials required. Operators who cannot patch immediately should ensure the web interface is not reachable from the internet and is restricted to a management network.

CVE-2026-6428 is an authenticated SQL injection vulnerability in Koha, the open-source integrated library system used by thousands of libraries worldwide. The flaw resides in reports/catalogue_out.pl and affects versions through 22.11.37, plus all 23.x, 24.x before 24.11.16, 25.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00. An authenticated attacker can execute arbitrary SQL queries against the library database, potentially exfiltrating patron records, circulation data, and authentication credentials. With a CVSS of 7.6 and a large install base across many library deployments, this warrants immediate patching; until then, treat every account that can reach the staff reports interface as privileged.

CVE-2026-54421 in OpenStack Ironic (through 35.0.1) leaks unredacted sensitive information, including iSCSI credentials, in the response to a PATCH request that updates volume properties fields the user is authorized to modify. While the attacker must be authenticated and authorized to modify volume properties, the exposure of storage credentials (CVSS 6.8) could enable lateral movement into backend storage infrastructure. Cloud operators running Ironic should apply the fix, check API access logs for volume PATCH activity by users who should not hold storage credentials, and rotate any iSCSI credentials that may have been exposed in API responses or logs.

Synthesized by Vypr AI
KVM Guest Escape PoC Drops Amid Linux Kernel Flaw Wave · VYPR