This posting is here to collect cyber security news in May 2026.
I post links to security vulnerability news in the comments of this article.
You are also free to post related links in the comments.
91 Comments
Tomi Engdahl says:
Qasim Nauman / New York Times:
Instructure reaches a deal with the hackers who breached its Canvas edtech platform to return stolen data and destroy copies, without saying what it exchanged — Instructure, which provides Canvas software to thousands of schools and universities around the world, did not say what it had given …
https://www.nytimes.com/2026/05/12/us/canvas-instructure-hackers-deal.html
Tomi Engdahl says:
Alexey Shabanov / TestingCatalog AI News:
OpenAI launches Daybreak, a cybersecurity initiative integrating AI models and Codex Security to help organizations patch vulnerabilities — OpenAI launches Daybreak, a cybersecurity initiative integrating AI models and Codex Security to help organizations patch vulnerabilities.
OpenAI announces Daybreak initiative around Codex Security
https://www.testingcatalog.com/openai-announces-daybreak-initiative-around-codex-security/
Tomi Engdahl says:
The FBI may have reset your wireless router remotely; if so, you should replace it
https://9to5mac.com/2026/05/12/the-fbi-may-have-reset-your-wireless-router-remotely-if-so-you-should-replace-it/?fbclid=IwdGRjcARwSAJjbGNrBHBH6GV4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHur4xCXM9akGF56SRSOwMrJgRcI0ekMsKI-L28r7QklO9A5LeVHL8TxVY9ZW_aem_n25dEkJyTLqHlF9kqGgIbw
The FBI and NSA jointly announced that Russia has been systematically compromising the security of home and small office routers since at least 2024.
They obtained a court order to allow them to remotely reset thousands of affected devices in the US, but if yours is one of them, it needs to be urgently replaced …
Tomi Engdahl says:
Adamya Sharma / Android Authority:
Google unveils Android security features, including protection from spoofed banking calls, default theft protection, and biometric protection for Mark as lost — Here’s a look at the sweeping set of Android security and privacy upgrades Google has in store for you this year.
12 new security features coming to Android phones in 2026
Here’s a look at the sweeping set of Android security and privacy upgrades Google has in store for you this year.
https://www.androidauthority.com/android-security-features-2026-3665372/
Tomi Engdahl says:
Lily Hay Newman / Wired:
Foxconn says some of its North American factories suffered a cyberattack in recent days; ransomware group Nitrogen claims it stole 8TB of data — Famous for helping build Apple’s iPhones, Foxconn just suffered another cyberattack, highlighting the perils of warehousing some of the world’s most valuable data.
Foxconn Ransomware Attack Shows Nothing Is Safe Forever
Famous for helping build Apple’s iPhones, Foxconn just suffered another cyberattack, highlighting the perils of warehousing some of the world’s most valuable data.
https://www.wired.com/story/foxconn-ransomware-attack-shows-nothing-is-safe-forever/
Tomi Engdahl says:
Shiona McCallum / BBC:
The Lucy Faithfull Foundation’s Project Intercept, a partnership with Google, TikTok, and Meta, sent 70M+ warning messages to users seeking CSAM in two years — More than 70 million warning messages have been sent to people attempting to access child sexual abuse material (CSAM) …
More than 70 million warnings sent to people seeking child abuse material
https://www.bbc.com/news/articles/cze2y02jw1ko
Tomi Engdahl says:
Tim Starks / CyberScoop:
Google launches Intrusion Logging, an Android feature developed in partnership with Amnesty International and others, on Android 16 Pixel devices for now
Google and Amnesty International teamed up to make it harder for spyware vendors to hide
Intrusion Logging marks the first feature from a major device vendor to aid with forensic detection of sophisticated threats, Amnesty International said.
https://cyberscoop.com/google-android-intrusion-logging-amnesty-spyware-detection/
Tomi Engdahl says:
Two new Windows zero-days expose a BitLocker bypass in WinRE and a CTFMON privilege escalation issue.
YellowKey affects Windows 11 and Server 2022/2025; GreenPlasma could enable abuse of SYSTEM-writable paths.
Full story: https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html
Tomi Engdahl says:
The next text message change is coming
The authority continues to improve the security of text messages. Starting in November, text messages whose sender has not been verified will be marked as spam.
https://www.iltalehti.fi/digiuutiset/a/f9b230ba-1f24-4148-83bc-6a28eb094765
Tomi Engdahl says:
Digital news
Director General of the Emergency Response Centre Agency: the 112 Suomi app had a malfunction
The 112 Suomi app had a technical fault on Friday, which slowed down the cancellation of a drone warning. According to the Emergency Response Centre Agency, there was no problem with sending the emergency warning.
https://www.iltalehti.fi/digiuutiset/a/80d08402-65b4-4651-81f1-d4b6cb256df9
Tomi Engdahl says:
Email Security
Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises
CVE-2026-40361 is similar to a vulnerability found a decade ago, BadWinmail, which at the time was dubbed an “enterprise killer”.
https://www.securityweek.com/microsoft-patches-critical-zero-click-outlook-vulnerability-threatening-enterprises/
Tomi Engdahl says:
Artificial Intelligence
Microsoft, Palo Alto Networks Find Many Vulnerabilities by Using AI on Their Own Code
Microsoft’s MDASH discovered 16 of the Patch Tuesday vulnerabilities, and Palo Alto used Mythos to find dozens of flaws.
https://www.securityweek.com/microsoft-palo-alto-networks-find-many-vulnerabilities-by-using-ai-on-their-own-code/
Microsoft and Palo Alto Networks have separately reported this week that they have seen significant results after turning AI on their own code to find vulnerabilities.
Advanced AI models such as Claude Mythos have sparked debate in the cybersecurity industry about what the vulnerability discovery landscape will look like going forward. While some organizations have confirmed that these AI models are a game-changer, others are skeptical of their actual performance.
Microsoft said on Tuesday that more than a dozen of the 137 vulnerabilities fixed with its latest Patch Tuesday updates were found by a new AI system called MDASH (multi-model agentic scanning harness) built by its Autonomous Code Security team.
Palo Alto Networks revealed on Wednesday that it has used Claude Mythos and other frontier AI models to conduct a deep scan of its product portfolio, which resulted in the discovery of dozens of vulnerabilities.
Tomi Engdahl says:
https://www.securityweek.com/foxconn-confirms-north-american-factories-hit-by-cyberattack/
Tomi Engdahl says:
Security Architecture
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game.
https://www.securityweek.com/enhancing-data-center-security-without-sacrificing-performance/
Every data center cybersecurity team faces the same impossible equation: host-based agents consume CPU cycles that high-performance computing requires. For years, the industry has tried to balance this trade-off. The more security you implement, the more performance suffers; yet, the more you preserve performance, the greater the risk of blind spots.
For an example of such a blind spot, look no further than the gap between a virtual machine (VM) and its physical host. In March 2025, Broadcom patched a series of VMware ESXi zero-day vulnerabilities that could escape the VM sandbox entirely. In 2023, the ESXiArgs campaign affected an estimated 3,800 servers globally.
In both instances, a single compromise disabled or encrypted dozens of VMs simultaneously. Host-based agents were ineffective because the attack occurred in the hypervisor.
The solution is not optimization; it requires reimagining the architecture by removing it from the host entirely. Data processing units (DPUs), installed on each server, provide this capability.
Tomi Engdahl says:
Endpoint Security
New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation
The vulnerability, tracked as CVE-2026-46300, is similar to the recently disclosed exploits named Dirty Frag and Copy Fail.
https://www.securityweek.com/new-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation/
Tomi Engdahl says:
Robert McMillan / Wall Street Journal:
Security research firm Calif says it used Mythos to help build a macOS kernel memory corruption exploit circumventing Apple’s Memory Integrity Enforcement tech — During tests in April, researchers found software issues in MacOS, one of the world’s toughest targets for hackers
Apple’s Security Has Been Tough to Crack. Mythos Helped Find a Way In.
During tests in April, researchers found software issues in MacOS, one of the world’s toughest targets for hackers
https://www.wsj.com/tech/ai/anthropic-mythos-apple-macos-bug-339da403?st=BwCjXb&reflink=desktopwebshare_permalink
Tomi Engdahl says:
https://www.facebook.com/share/p/1CfXeNizaD/
Security researchers say the peace hand gesture, index and middle fingers pointed at the camera, can give scammers enough fingerprint detail to reconstruct biometric data. And they’re not speaking theoretically.
Financial expert Li Chang demonstrated the whole thing in April, using a celebrity’s selfie. At close range, under 1.5 meters, there’s a very high probability of fully extracting fingerprint information from a single image. At distances up to 3 meters, about half of a person’s fingerprint data can still be recovered.
Tomi Engdahl says:
LOL!!!!!
https://cybernews.com/security/linux-kernel-patch-opens-door-for-another-vulnerability/?utm_source=cn_reddit&utm_medium=social&utm_campaign=cybernews&utm_content=post&source=cn_reddit&medium=social&campaign=cybernews&content=post
Tomi Engdahl says:
Cybercriminals are turning AI malicious, while nation states like China and North Korea are using artificial intelligence for all kinds of digital attacks, Google warns. https://www.forbes.com/sites/thomasbrewster/2026/05/11/cybercriminals-make-powerful-zero-day-hack-with-ai-google-warns/?utm_campaign=ForbesMainFB&utm_source=ForbesMainFacebook&utm_medium=social
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/
Tomi Engdahl says:
https://www.csoonline.com/article/4167137/ai-finds-20-year-old-bugs-in-postgresql-and-mariadb.html
Tomi Engdahl says:
https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
Tomi Engdahl says:
https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/
Tomi Engdahl says:
The peace selfie is a security trap: this is how hackers can steal your fingerprints
Millions of people take peace selfies every day without knowing that they may be handing their fingerprints to scammers at the same time.
https://www.city.fi/viihde/peace-selfie-on-tietoturva-ansa-nain-hakkerit-voivat-varastaa-sormenjalkesi/?fbclid=IwdGRjcAR2yj1jbGNrBHbKF2V4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHkwg0ZgiKxN8l3aCp2z5FBfnJqKBL0FlK9IfjajAlT_U53fK41w9l5CPsf8t_aem_bGuTFDu2wAls6jCJVL6hJw
Security researchers are now warning about something nobody saw coming: a selfie with fingers pointed toward the camera can hide a serious security risk.
A fingerprint can be stolen from a photo
Modern cameras, including those in ordinary smartphones, capture so much detail in photos that the surface pattern of the fingertips, that is, the fingerprint, can be extracted from photos taken at close range.
According to a Vice article, security researchers have shown this to be possible especially from a well-lit, sharp close-up.
Social media photos meet these requirements more often than one might imagine.
Your Peace Sign Selfie Might Be Giving Scammers Your Fingerprints
Experts say high-res cameras and AI tools can help reconstruct fingerprint data from clear photos of your fingers.
https://www.vice.com/en/article/your-peace-sign-selfie-might-be-giving-scammers-your-fingerprints/?fbclid=IwVERDUAR2ymxleHRuA2FlbQIxMABzcnRjBmFwcF9pZAwzNTA2ODU1MzE3MjgAAR6MJ5DprbuPnMr2HT5LJKI_sYIf7ZDqD8vB-MAGVNCzhbnDhVBPDyaYGUYpBA_aem_PJZA_BVI9Bv6QZudgiubRQ
Tomi Engdahl says:
“Linux kernel boss Linus Torvalds has declared the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports.”
Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’
Multiple researchers using the same tools to find the same bugs are creating ‘unnecessary pain and pointless work’
https://www.theregister.com/security/2026/05/18/linus-torvalds-says-ai-powered-bug-hunters-have-made-linux-security-mailing-list-almost-entirely-unmanageable/5241633?fbclid=IwdGRjcAR3oihjbGNrBHeh5mV4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHkn6c1DQAIq8sFU5GFDtMQBObkHCq6UFVT9Xe6oBQ1fEwefHuMqkEMgSaG7l_aem_2jsQF-QiUuY6GXhjJS2rjA
Linux kernel boss Linus Torvalds has declared the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports.
Torvalds used his weekly state of the kernel post to deliver release candidate four for Linux 7.1 and report “fairly normal” progress towards a full release.
He then pointed kernelistas to the project’s documentation, which he wrote “might be worth highlighting” as “the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”
“People spend all their time just forwarding things to the right people or saying ‘that was already fixed a week/month ago’ and pointing to the public discussion,” Torvalds complained.
Tomi Engdahl says:
He says he pushed the button “accidentally.” https://trib.al/YatCzt3
Breaker, Breaker
College Kid Shuts Down High Speed Trains With a Laptop and a Radio
He says he pushed the button “accidentally.”
https://futurism.com/advanced-transport/high-speed-trains-laptop-radio?fbclid=IwdGRjcAR3ss1jbGNrBHeymmV4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHksjKXgdK17jkbwxj8SXVzI3qSDp7cMNuEWBFg59PcRX9Q6zHelHlvrGES4i_aem_a4EjED8Kh6sxNfdAR_0Bcg
Tomi Engdahl says:
Mythos and GPT-5.5 add to cybersecurity worries that OpenAI and Anthropic had already sparked with AI coding’s popularity.
#Claude #ChatGPT #OpenAi #Anthropic
OpenAI and Anthropic kicked off a new arms race for cyber defense : https://mrf.lu/7_fG
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/leaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign/?fbclid=IwdGRjcAR4LbNleHRuA2FlbQIxMQBzcnRjBmFwcF9pZAwzNTA2ODU1MzE3MjgAAR5R37FowqYmpEARsO48JjCip7KWT16un2B8XKlt-ESE1WKqPP_XuZizFEiN5g_aem_fRXCIHFh5QF2dKnjQ9-9kA
Tomi Engdahl says:
NGINX bug (CVE-2026-42945) now under active exploitation.
Critical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).
Patch now if using NGINX ≤1.30.0. Check rewrite/if/set rules.
Full details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.
Successful exploitation of the flaw can permit an unauthenticated attacker to crash worker processes or execute remote code with crafted HTTP requests. However, it bears noting that code execution is possible only on devices where Address Space Layout Randomization (ASLR), a safeguard against memory-based attacks, is turned off.
“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it,” security researcher Kevin Beaumont said. “To reach RCE [remote code execution], also ASLR needs to have been disabled on the box.”
In a similar assessment, AlmaLinux maintainers said: “Turning the heap overflow into reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled (which is the default on every supported AlmaLinux release), we do not expect a generic, reliable exploit to be easy to produce.”
“That said, ‘not easy’ is not ‘impossible,’ and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent,” the maintainers added.
Tomi Engdahl says:
A USB stick breaks Windows' default encryption
https://etn.fi/index.php/13-news/18927-usb-tikku-murtaa-windowsin-oletussalauksen
BitLocker encryption, which Windows 11 uses by default, has been hit by a serious zero-day attack. The exploit, named YellowKey, does not break the encryption itself but bypasses the entire recovery mechanism and gives the attacker full access to the disk contents in seconds. Microsoft says it is investigating the matter, but no fix has been released so far.
The attack works on machines where BitLocker uses Microsoft's default setting, the so-called TPM-only configuration. In it, the encryption key is fetched automatically from the TPM security chip without a user PIN or other additional authentication.
Technically, the most interesting detail relates to Windows' old Transactional NTFS, or TxF/FsTx, mechanism. In the attack, a special FsTx folder is copied to a USB stick, after which the machine is booted into Windows Recovery mode.
Normally the recovery environment asks for the BitLocker recovery key before unlocking the disk. In the YellowKey attack, however, the recovery process is diverted to a command prompt, which gives the attacker full rights to the entire disk contents.
Tomi Engdahl says:
In practice this means that a stolen laptop, or one left unattended even for a moment, can be unlocked without the BitLocker recovery key if Microsoft's default settings are in use.
Many security experts have long considered TPM-only protection insufficient against exactly this kind of attack. The recommended solution is to enable a pre-boot PIN, so that the TPM does not release the encryption key without an identifier entered by the user.
https://etn.fi/index.php/13-news/18927-usb-tikku-murtaa-windowsin-oletussalauksen
Tomi Engdahl says:
Vulnerabilities
Exploitation of Critical NGINX Vulnerability Begins
https://www.securityweek.com/exploitation-of-critical-nginx-vulnerability-begins/
The flaw leads to denial-of-service on default configurations and to remote code execution if ASLR is disabled.
The first in-the-wild attacks exploiting a critical-severity NGINX vulnerability patched last week have occurred over the weekend, VulnCheck warns.
Tracked as CVE-2026-42945 (CVSS score of 9.2) and dubbed Nginx Rift, the flaw is described as a heap buffer overflow in the ngx_http_rewrite_module component. It lurked in the NGINX code for 16 years.
Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. Now, VulnCheck says threat actors are already exploiting the issue in attacks.
“We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,” VulnCheck researcher Patrick Garrity warned.
Tomi Engdahl says:
https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/
Tomi Engdahl says:
https://github.com/mvt-project/mvt?fbclid=IwdGRjcAR6F1BjbGNrBHoXS2V4dG4DYWVtAjExAHNydGMGYXBwX2lkDDM1MDY4NTUzMTcyOAABHvm1zYl4rMbh0F8RMnaPEdu8MGM3zlsgzEqL2nKD0NV7nam18tvPBEejtYUt_aem_JOuTircYg-xqlBc_5fSEAw
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
GitHub confirms breach of ~3,800 internal repositories after one of its employees installed a malicious VS Code extension; TeamPCP claimed responsibility
https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/
Tomi Engdahl says:
https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html?m=1
Tomi Engdahl says:
Microsoft ditches SMS codes for sign-in, says there’s a more secure way to reach your accounts
https://cybernews.com/tech/microsoft-ditch-sms-codes-sign-in/?utm_source=cn_facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post&source=cn_facebook&medium=social&campaign=cybernews&content=post&fbclid=IwVERDUAR7CJZleHRuA2FlbQIxMABzcnRjBmFwcF9pZAwzNTA2ODU1MzE3MjgAAR6BU6hqsX7bZNfjEA6AW7kyrilfvfVi4E7LG58hncpGfa5NO6K8p9Hc2ZfBTw_aem_QEpY3phT0qxDrfszn-qDtQ
Tomi Engdahl says:
https://cybernews.com/security/steam-vetting-free-game-drain-users-data/?utm_source=cn_facebook&utm_medium=social&utm_campaign=cybernews&utm_content=post&source=cn_facebook&medium=social&campaign=cybernews&content=post&fbclid=IwVERDUAR7ZuJleHRuA2FlbQIxMABzcnRjBmFwcF9pZAwzNTA2ODU1MzE3MjgAAR4FQY65s6KNca8fVbDxO7vyYtWP6eURyuURWnjkn5inAVvpuaa0_G1_GeTN6g_aem_nm2LXUOjZDWQu7rutw0QPw
Tomi Engdahl says:
If accuracy isn’t the goal, what is? Vibes? Emotion? Goosebumps?
Full story: https://www.headphonesty.com/2025/07/speaker-designer-hi-fi-accuracy-myth/?utm_source=fb&utm_campaign=comment
Tomi Engdahl says:
They are pitching it as an open, pocket-sized Linux computer. More: https://cnews.link/flipper-zero-linux-ai-network-analysis-security/
Tomi Engdahl says:
If either of these is your PIN code, change it immediately – This is something you haven't thought of
https://www.iltalehti.fi/digiuutiset/a/a584db4a-607b-4b4d-bc01-cb3ed7e4190c
The phone's passcode does not protect the SIM card at all. If a thief removes the SIM card and moves it to another phone, things can go badly.
When a phone subscription changes, the operator delivers the customer a SIM card whose PIN code is by default typically 1234 or 0000. The code is meant to be temporary, but unfortunately many people leave it unchanged.