Daily Threat Intelligence Brief - May 14, 2026

Executive Summary

CVE-2026-31431 ("Copy Fail") Linux kernel local privilege escalation hits its CISA KEV federal remediation deadline today, May 15. A 732-byte Python script reliably elevates an unprivileged user to root on unpatched systems.
Microsoft May 2026 Patch Tuesday addressed 120 to 137 flaws with zero in-the-wild zero-days, the first such month since June 2024. Three vulnerabilities deserve priority attention: CVE-2026-42826 (Azure DevOps, CVSS 10.0), CVE-2026-42898 (Dynamics 365, CVSS 9.9), and CVE-2026-41096 (Windows DNS Client heap overflow, no auth, no interaction).
Canvas/Instructure breach by ShinyHunters reached 3.65 TB and roughly 275 million users across 8,809 institutions. Instructure says it reached a payment agreement and the data was destroyed. Treat that claim as unverifiable.
Prompt injection in agentic AI went from theory to wallet drain: a Morse-encoded post on X tricked an AI-integrated crypto wallet into authorizing a $150,000 token transfer. Google reports a 32% relative increase in malicious prompt injection detections between Nov 2025 and Feb 2026.
MCP server flaws disclosed across nginx-ui (CVE-2026-33032, CVSS 9.8), Apache Doris, Alibaba RDS, and Apache Pinot. Anthropic's recent MCP design flaw and the new "Comment and Control" attack chain on Claude Code, Gemini CLI, and Copilot show that the agent ecosystem still lacks foundational identity and access controls.
Salt Typhoon (PRC-aligned) breached 50+ telecoms across 42 countries and targeted U.S. House Committee staff working on China policy oversight. New implants: TernDoor, PeerTime, BruteEntry.
Fortinet and Ivanti shipped patches for 18 vulnerabilities including three critical: CVE-2026-44277 (FortiAuthenticator, 9.1), CVE-2026-26083 (FortiSandbox, 9.1), CVE-2026-8043 (Ivanti Xtraction, 9.6).
Defensive bottom line: patch the Linux KEV bug today, treat every MCP integration as a privileged data path, and assume prompt injection will be tried against any agent that touches the internet.

Critical Vulnerabilities

CVE-2026-31431: Linux Kernel "Copy Fail" Local Privilege Escalation

CVSS: 7.8
Status: Actively exploited. KEV deadline May 15, 2026 (today).
Affected: Linux kernel, incorrect resource transfer between protection spheres.
Impact: A 732-byte Python script lets any unprivileged local user obtain root. Exploitation is reliable and requires no special tooling.
Action: Apply distro kernel updates immediately. If patching has to wait, restrict local account creation and lock down execution from world-writable paths.
Source: CISA KEV catalog addition, The Hacker News writeup, NVD entry

CVE-2026-39987: Marimo Pre-Auth RCE

Status: Actively exploited. KEV deadline May 13, 2026 (passed).
Affected: All Marimo versions prior to 1.12.1.
Impact: Pre-authentication remote code execution. Marimo notebooks are commonly internet-exposed for collaboration.
Action: Upgrade to 1.12.1 or higher. Pull internet-exposed Marimo instances offline pending verification.
Source: CISA KEV update

CVE-2026-42826: Azure DevOps Information Disclosure

CVSS: 10.0
Affected: Azure DevOps cloud-hosted instances.
Impact: A 10.0 score on an information disclosure issue indicates cross-tenant or auth-bypass impact. Treat the affected pipelines as potentially compromised until reviewed.
Action: Microsoft has rolled the fix server-side. Audit pipeline tokens, service connections, and personal access tokens issued before the patch window. Rotate anything sensitive.
Source: BleepingComputer Patch Tuesday roundup, ZDI May review

CVE-2026-42898: Microsoft Dynamics 365 On-Premises Code Injection

CVSS: 9.9
Affected: Dynamics 365 on-premises deployments.
Impact: Remote code injection. Enterprise CRM data and the surrounding Active Directory trust are in scope.
Action: Apply the May 2026 cumulative update. Restrict the management portal to admin networks only.
Source: SOCRadar Patch Tuesday analysis

CVE-2026-41096: Windows DNS Client Heap Overflow

Affected: All current Windows desktop and server SKUs.
Impact: Heap-based buffer overflow triggered by a malicious DNS response. No authentication, no user interaction. The DNS Client service runs on virtually every Windows machine.
Action: Deploy the May cumulative update with priority on internet-facing recursive resolvers, jump hosts, and VDI golden images.
Source: Malwarebytes Patch Tuesday writeup

CVE-2026-44277: FortiAuthenticator Improper Access Control

CVSS: 9.1
Impact: Remote unauthenticated request can bypass access controls and reach administrative functions.
Action: Apply Fortinet's May 2026 PSIRT advisory updates. FortiAuthenticator commonly fronts SAML and 2FA for the rest of the Fortinet stack, so treat patching as auth-chain protection.
Source: SecurityWeek Fortinet/Ivanti coverage, FortiGuard PSIRT

CVE-2026-26083: FortiSandbox Missing Authorization

CVSS: 9.1
Affected: FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS WEB UI.
Impact: Remote unauthenticated HTTP requests reach code or command execution.
Action: Patch immediately. Sandbox systems detonate untrusted samples by design and are high-value pivots.
Source: SecurityWeek Fortinet/Ivanti coverage

CVE-2026-8043: Ivanti Xtraction External Control of File Name

CVSS: 9.6
Impact: Remote read of sensitive files and arbitrary HTML write to a web directory. The HTML write turns into stored XSS or watering-hole material very quickly.
Action: Apply the May 2026 Ivanti advisory updates and audit web roots for unexpected HTML.
Source: Ivanti May 2026 Security Update

Chrome Zero-Day Roll-Up (2026 YTD)

Google has shipped four actively exploited Chrome zero-day patches in 2026 so far. None new in May, but the running total matters for endpoint hygiene:

CVE-2026-2441 (February): font feature memory corruption.
CVE-2026-3909 (March): out-of-bounds write in Skia.
CVE-2026-3910 (March): V8 JavaScript and WebAssembly engine flaw.
CVE-2026-5281 (April): in-the-wild exploit, patched in a 21-CVE update.
Action: Confirm enterprise Chrome and Edge fleet is on the post-April build. Browser auto-update lag remains a top initial-access vector.
Source: Help Net Security CVE-2026-5281 coverage, SocPrime CVE-2026-3910 writeup

AI Security Threats

The agentic AI ecosystem matured into a real attack surface during May 2026. The pattern is consistent: capability is shipping faster than identity, isolation, and provenance controls.

Prompt Injection Goes Operational

Google's web telemetry shows a 32% relative increase in malicious prompt injection detections between November 2025 and February 2026. Real losses followed:

$150,000 crypto wallet drain via Morse code prompt injection. An attacker on X posted a Morse-encoded payload that an AI-integrated wallet ingested as a tool instruction and used to authorize a token transfer. The encoding bypassed the wallet's content filters, which were looking for natural language injection signatures.
"Comment and Control" attack against Claude Code, Gemini CLI, and Copilot. Malicious instructions hidden in pull request titles caused the coding agents to leak API keys during routine review tasks. One vendor's published system card predicted this exact class of failure before the disclosure.
NousResearch Hermes Agent persistent prompt injection. Attackers planted instructions in unscanned DESCRIPTION.md files inside skill directories, surviving across agent sessions until the directory was rebuilt.
Sources: Google Security on web prompt injections, VentureBeat on coding agent leakage, OpenAI on Atlas hardening

When Prompts Become Shells: CVE-2026-25592 (Semantic Kernel)

Microsoft's Security team published research showing how prompt injection in AI agent frameworks reaches remote code execution. Two vulnerabilities in Semantic Kernel allowed attackers to cross from "content the model reads" into "code the host runs":

Affected: Semantic Kernel .NET SDK versions older than 1.71.0.
Impact: Untrusted content reaching a kernel function with code execution primitives results in arbitrary code on the host.
Action: Upgrade to 1.71.0+. Audit every plugin and function imported into Semantic Kernel for whether it can run code, file write, or shell commands.
Source: Microsoft Security Blog

MCP Ecosystem Vulnerabilities

The Model Context Protocol is now where most agent-to-tool integrations live, and it is taking the brunt of the disclosure cycle:

CVE-2026-33032 (nginx-ui MCP endpoint, CVSS 9.8). Unauthenticated full system takeover. More than 2,600 internet-exposed instances at critical risk.
Apache Doris MCP server. Lets attackers execute unintended SQL statements. CVE issued, patch shipped.
Alibaba RDS MCP server. Sensitive metadata exfiltration. Alibaba declined to patch.
Apache Pinot MCP server. Internet-exposed instances at risk of takeover.
Anthropic MCP design vulnerability. A protocol-level flaw enabling RCE was disclosed in April. Microsoft and others described MCP as "designed to maximize capability and interoperability rather than enterprise security." A single compromised MCP server can act as a direct bridge to every system in its scope.
MCP Sampling injection vectors. Palo Alto Unit 42 documented a new class of prompt injection that abuses the sampling primitive itself rather than tool descriptions.
Sources: The Register MCP database flaws, Anthropic MCP RCE on Hacker News, Unit 42 MCP sampling vectors, Adversa MCP roundup

Practical Implications for Defenders

Treat every MCP server as a privileged data path equivalent to a database account. Inventory them. Authenticate them. Log them.
Assume the agent will get prompt-injected. Move privilege checks out of the model and into deterministic gates between the model and the action.
Audit every coding agent integration that reads issue, PR, commit, or comment text. Those fields are now adversary input.
Sources: Adversa Agentic AI resources, Airia on the Lethal Trifecta

Threat Actor Activity

Salt Typhoon (PRC-aligned)

Breached 50+ telecoms across 42 countries in early 2026.
Targeted U.S. House Committee staff working on China policy and U.S. foreign affairs.
Expanded into South American telecoms with new implants: TernDoor, PeerTime, BruteEntry.
Action: Treat any telecom carrier upstream as a potential signal-collection vector. Use end-to-end encryption for sensitive communications regardless of carrier assurances.
Source: CybelAngel Chinese APT analysis

APT36 (Transparent Tribe, Pakistan-aligned)

First documented nation-state actor running an AI "malware assembly line" producing polymorphic variants at scale.
Implication: signature-based AV is functionally obsolete against this class. Behavioral detection and EDR baselining are the floor, not the ceiling.
Source: NJCCIC AI APT campaigns brief

Cross-Cutting Trend: Generative AI Across State Actors

China, Russia, Iran, and North Korea are using generative AI for reconnaissance, malware development, and social engineering at production scale.
Nation-state proxies are mixing with financially motivated APTs. Attribution is now a diplomatic tool more than a forensic one.
Source: Trellix on Iranian cyber capability 2026, SecurityWeek Cyber Insights 2026

Ransomware and Data Breaches

Canvas / Instructure (ShinyHunters)

Field	Value
Disclosed	May 1, 2026
Second incident	May 7, 2026 (login page replaced with ransom message)
Volume	3.65 TB
Users affected	~275 million
Institutions	8,809 universities and education ministries
Data	Names, emails, student IDs, private student-teacher DMs
Resolution	Instructure says ransom paid, data destroyed (May 11)

Largest education-sector breach on record by scale. The "data destroyed" claim is unverifiable and should be treated as marketing language.

Sources: Wikipedia 2026 Canvas incident, The Hacker News on the ransom agreement, Krebs on Security, Malwarebytes coverage

Cushman & Wakefield (ShinyHunters)

Field	Value
Attack vector	Salesforce-environment compromise
Records	500,000+ Salesforce records
Data	PII, internal corporate data
Threat actor	ShinyHunters

The ShinyHunters Salesforce campaign continues. Any organization with broad-permission Salesforce service accounts should review external app authorizations and rotate connected-app secrets.

Source: SharkStriker May 2026 breach roundup

Ransomware Landscape Pattern

Securelist's 2026 review confirms what the Canvas and Cushman cases illustrate: ransomware groups are consolidating on data-extortion-first models that lean on legitimate SaaS access (Salesforce, M365, Snowflake) rather than on-prem encryption. The leak-or-pay timeline is now days, not weeks.

Source: Securelist 2026 ransomware state

Recommended Actions

Immediate (within 24 hours)

Confirm Linux fleet patched for CVE-2026-31431 ahead of the May 15 KEV deadline. Verify against package versions, not advisory dates.
Confirm Marimo deployments are on 1.12.1+. Take public Marimo instances offline if patch status is unknown.
Push May 2026 Microsoft cumulative updates to all Windows endpoints and servers. DNS Client (CVE-2026-41096) and Dynamics 365 (CVE-2026-42898) are the highest-impact items.
Audit Azure DevOps pipeline tokens, service connections, and PATs. Rotate sensitive ones (CVE-2026-42826 context).
Pull internet-exposed nginx-ui MCP instances or front them with auth (CVE-2026-33032).

Short-Term (this week)

Apply Fortinet (CVE-2026-44277, CVE-2026-26083) and Ivanti (CVE-2026-8043) patches across the security stack.
Inventory every MCP server connected to internal LLM agents. Document who owns it, what it can reach, and what auth it requires.
For coding agents (Claude Code, Gemini CLI, Copilot, Cursor, similar): treat PR titles, issue bodies, and code comments as untrusted input. Add gating between agent decisions and write actions to repos, secrets stores, and cloud APIs.
Force-rotate any Salesforce connected-app secrets and review external integrations following the ShinyHunters pattern.
Verify Chrome and Edge fleet is current. Browser auto-update lag is consistently the top initial-access vector this year.

Strategic (next 30 days)

Threat-model agentic AI deployments end-to-end. The "Lethal Trifecta" framework (untrusted input + tool access + exfiltration path) is a useful starting point.
Add prompt injection scenarios to red-team scope. Test PR-based, file-based (DESCRIPTION.md, README, manifest), and encoding-based (Morse, base64, homoglyph) variants.
Treat MCP server adoption like vendor onboarding. Require ownership, vulnerability disclosure, auth, and logging before integration.
Reassess education and SaaS vendor risk. The Canvas breach shows that single-vendor concentration in a sector lets one breach hit the whole sector at once.
Build muscle on identity rotation. Both the Canvas and Cushman & Wakefield incidents would have been contained earlier with credential and session-token hygiene.