CISO Daily Briefing
Cloud Security Alliance — AI Safety Initiative Intelligence Report
Executive Summary
The 48-hour window ending May 10, 2026 produced an unusually dense cluster of high-severity disclosures concentrated in AI and cloud infrastructure. Most urgent: Bleeding Llama (CVE-2026-7482, CVSS 9.1) lets a remote, unauthenticated attacker read the process memory of an estimated 300,000+ internet-exposed Ollama servers, exposing model weights, API keys, and conversation history. Concurrently, the Quasar Linux RAT and PCPJack campaigns are harvesting the exact credentials that protect AI developer pipelines: npm tokens, PyPI secrets, and cloud keys. The Dirty Frag Linux kernel privilege escalation (CVE-2026-43284, CVE-2026-43500) succeeds near-deterministically, has a public proof-of-concept, and has no patch available. NIST's April 2026 NVD triage overhaul removes enrichment for most AI framework CVEs, leaving programs that depend on NVD data with a structural blind spot; Wiz's 2026 State of AI in the Cloud report confirms that AI is now a primary offensive weapon.
Overnight Research Output
“Bleeding Llama” — Unauthenticated Memory Leak in Ollama (CVE-2026-7482)
CRITICAL
Summary: CVE-2026-7482 is a heap out-of-bounds read (CVSS 9.1) in Ollama's GGUF model loader that lets a remote, unauthenticated attacker read the server's process memory. Ollama's API carries no authentication by default, so any instance bound to a non-loopback interface is reachable by anyone who can route to it, and the leaked memory can include model weights, API credentials, conversation history, and any secrets passed to the inference process. With an estimated 300,000+ publicly accessible servers, the blast radius is substantial. The flaw lies in how tensor offsets read from the GGUF file are trusted during loading, an AI-infrastructure-specific vulnerability class rather than a generic web flaw.
Action Required: Immediately audit Ollama deployments for exposure beyond localhost: the API listens on TCP 11434 by default, and the OLLAMA_HOST setting controls the bind address. Put any server that must be reachable from other hosts behind an authenticating reverse proxy and network-level restrictions, and pull model files only from registries you trust. Monitor for the vendor patch and apply it immediately upon release. Review process memory isolation for all self-hosted LLM runtimes (dedicated service account, no unrelated secrets in the runtime's environment).
self-hosted LLM runtimes (Ollama, LM Studio, vLLM). This research note fills that gap with threat modeling specific to local model deployment: authentication, network exposure, model file validation, and memory isolation.
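The "model file validation" control named above is one a practitioner can implement independently of the vendor fix. The following validator is an added example for this briefing, not Ollama's loader or code from any cited source: it parses a GGUF v3 header in pure Python and refuses any file whose tensor table points outside the file, which is the class of check an out-of-bounds read in offset handling would bypass. The metadata type ids, the block sizes for F32/F16/Q8_0 and the 32-byte default alignment are taken from the public GGUF specification; other tensor types get only the offset check, and the sample file the script builds is a constructed fixture, not a real model.

```python
import struct

GGUF_MAGIC = b"GGUF"
# metadata value type ids from the GGUF spec -> struct format; 8 = string, 9 = array
_SCALAR_FMT = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
               6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
GGUF_STRING, GGUF_ARRAY = 8, 9
# ggml tensor type -> (bytes per block, elements per block); a subset of the real table
_GGML_BLOCK = {0: (4, 1), 1: (2, 1), 8: (34, 32)}  # F32, F16, Q8_0

class GGUFError(ValueError):
    pass

class _Reader:
    """Bounds-checked little-endian cursor; every read is validated against len(buf)."""
    def __init__(self, buf: bytes, pos: int = 0):
        self.buf, self.pos = buf, pos

    def take(self, fmt: str):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.buf):
            raise GGUFError(f"header truncated at offset {self.pos}")
        (val,) = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += size
        return val

    def string(self) -> str:
        n = self.take("<Q")
        if n > len(self.buf) - self.pos:
            raise GGUFError(f"string length {n} runs past end of file")
        self.pos += n
        return self.buf[self.pos - n:self.pos].decode("utf-8", errors="replace")

    def value(self, vtype: int):
        if vtype in _SCALAR_FMT:
            return self.take(_SCALAR_FMT[vtype])
        if vtype == GGUF_STRING:
            return self.string()
        if vtype == GGUF_ARRAY:
            etype, count = self.take("<I"), self.take("<Q")
            if count > len(self.buf) - self.pos:  # each element occupies at least one byte
                raise GGUFError(f"array count {count} exceeds remaining bytes")
            return [self.value(etype) for _ in range(count)]
        raise GGUFError(f"unknown metadata value type {vtype}")

def validate_gguf(buf: bytes) -> list:
    """Parse the GGUF header and return (name, dims, ggml_type, offset) tuples.

    Raises GGUFError if the header is malformed or any tensor's data range lies
    outside the file, i.e. the condition a loader must reject before touching weights.
    """
    if buf[:4] != GGUF_MAGIC:
        raise GGUFError("bad magic")
    r = _Reader(buf, 4)
    version = r.take("<I")
    if version not in (2, 3):
        raise GGUFError(f"unsupported GGUF version {version}")
    n_tensors, n_kv = r.take("<Q"), r.take("<Q")
    alignment = 32  # spec default unless general.alignment overrides it
    for _ in range(n_kv):
        key = r.string()
        val = r.value(r.take("<I"))
        if key == "general.alignment":
            alignment = val if isinstance(val, int) else 0
    if alignment <= 0 or alignment & (alignment - 1):
        raise GGUFError(f"alignment {alignment} is not a power of two")
    tensors = []
    for _ in range(n_tensors):
        name = r.string()
        n_dims = r.take("<I")
        if n_dims > 4:
            raise GGUFError(f"tensor {name!r} declares {n_dims} dims (max 4)")
        dims = [r.take("<Q") for _ in range(n_dims)]
        tensors.append((name, dims, r.take("<I"), r.take("<Q")))
    # tensor offsets are relative to the data section, which starts at the next aligned byte
    data_size = len(buf) - (r.pos + alignment - 1) // alignment * alignment
    for name, dims, ggml_type, offset in tensors:
        if offset % alignment or offset >= data_size:
            raise GGUFError(f"tensor {name!r} offset {offset} outside {data_size}-byte data section")
        if ggml_type in _GGML_BLOCK:  # unknown types get the offset check only
            blk_bytes, blk_elems = _GGML_BLOCK[ggml_type]
            n_elems = 1
            for d in dims:
                n_elems *= d
            nbytes = -(-n_elems // blk_elems) * blk_bytes  # whole blocks, rounded up
            if offset + nbytes > data_size:
                raise GGUFError(f"tensor {name!r} needs {offset + nbytes - data_size} bytes past EOF")
    return tensors

def is_safe_gguf(buf: bytes) -> bool:
    try:
        validate_gguf(buf)
        return True
    except GGUFError:
        return False

def build_sample_gguf(offset: int = 0, dims=(4,)) -> bytes:
    """Constructed one-tensor GGUF v3 file used as a fixture here; not a real model."""
    def s(text: str) -> bytes:
        raw = text.encode()
        return struct.pack("<Q", len(raw)) + raw
    hdr = GGUF_MAGIC + struct.pack("<IQQ", 3, 1, 1)           # version 3, 1 tensor, 1 kv
    hdr += s("general.alignment") + struct.pack("<II", 4, 32)  # uint32 value 32
    hdr += s("tok.weight") + struct.pack("<I", len(dims))
    hdr += b"".join(struct.pack("<Q", d) for d in dims)
    hdr += struct.pack("<IQ", 0, offset)                       # ggml type 0 (F32), data offset
    hdr += b"\0" * (-len(hdr) % 32)                            # pad header to alignment
    return hdr + b"\0" * 16                                    # data section: 4 float32 values

if __name__ == "__main__":
    print(validate_gguf(build_sample_gguf()))                   # one in-bounds tensor
    print(is_safe_gguf(build_sample_gguf(offset=1 << 40)))      # False: offset past EOF
```

Run it as a pre-load gate on any model pulled into a shared inference host; a rejection means the file is quarantined rather than loaded, whatever registry it came from. Offsets are checked against the real file length, and sizes are computed with Python integers so a dimension chosen to overflow a 64-bit multiply is still caught.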
AI Developer Supply Chain Under Siege — Quasar Linux RAT & PCPJack
HIGH URGENCY
Summary: Two distinct threat campaigns disclosed this week converge on a single objective: compromise the credentials that authorize software to reach production. Quasar Linux RAT (QLNX) is a full-featured Linux implant that harvests npm tokens, PyPI credentials, GitHub CLI tokens, AWS/GCP keys, Kubernetes configs, and Docker secrets, exactly the set needed to push poisoned packages to AI-adjacent registries. PCPJack exploits five CVEs to spread worm-like through cloud infrastructure including Docker, Kubernetes, Redis, MongoDB, and RayML (distributed AI training), evicting a prior threat actor and re-establishing attacker control. The AI-toolchain targeting is explicit: LiteLLM was compromised 36 hours after disclosure and LMDeploy within 12 hours.
Action Required: Audit developer workstations and CI/CD environments for QLNX indicators. Rotate every npm, PyPI, and cloud credential stored in developer home directories; a token that was readable on a compromised host is exposed regardless of its expiry. Harden RayML, Docker, and Redis deployments against the five CVEs PCPJack exploits. Implement secrets scanning on all AI project repositories.
• The Hacker News — Quasar Linux RAT Steals Developer Credentials (May 8, 2026)
• Trend Micro — Quasar Linux (QLNX): A Silent Foothold in the Software Supply Chain
• The Hacker News — PCPJack Credential Stealer Exploits 5 CVEs (May 7, 2026)
• SentinelOne — PCPJack: Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
general software supply chain risk but lacks analysis of AI-specific surfaces: model registries (Hugging Face), ML Python packages (PyTorch, Transformers, vLLM), GGUF/ONNX model format integrity, and the credential blast radius when a developer's .npmrc or .pypirc is compromised.
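To size the credential blast radius from a compromised developer home directory and produce a rotation list, the following inventory script is added here as an example; it is not from Trend Micro, SentinelOne, or any other cited source. It walks the file set named in the summary (npm, PyPI, GitHub CLI, AWS, GCP, kubeconfig, Docker), reports each live secret with a redacted preview and whether the file is world-readable, and groups the results by issuer. The regexes encode each tool's documented file layout and are assumptions of this example; the sample home directory it scans is constructed with placeholder values.

```python
import os
import re
import tempfile
from pathlib import Path

# home-relative path -> (finding label, regex whose group(1) is the secret). The patterns
# follow each tool's documented file format and are assumptions made for this example.
CREDENTIAL_FILES = {
    ".npmrc": ("npm registry token", re.compile(r"_authToken\s*=\s*(\S+)")),
    ".pypirc": ("PyPI credential", re.compile(r"^\s*password\s*=\s*(\S+)", re.M)),
    ".config/gh/hosts.yml": ("GitHub CLI token", re.compile(r"oauth_token:\s*(\S+)")),
    ".aws/credentials": ("AWS secret key", re.compile(r"aws_secret_access_key\s*=\s*(\S+)")),
    ".config/gcloud/application_default_credentials.json":
        ("GCP refresh token", re.compile(r'"refresh_token"\s*:\s*"([^"]+)"')),
    ".kube/config": ("kubeconfig credential", re.compile(r"(?:token|client-key-data):\s*(\S+)")),
    ".docker/config.json": ("Docker registry auth", re.compile(r'"auth"\s*:\s*"([^"]+)"')),
}

def redact(secret: str) -> str:
    """Keep just enough of the value to identify which token to rotate, never the whole thing."""
    return f"{secret[:4]}...{secret[-2:]}" if len(secret) > 8 else "***"

def scan_home(home: Path) -> list:
    """Return one finding per live secret found in the known credential files under home."""
    findings = []
    for rel, (label, pattern) in CREDENTIAL_FILES.items():
        path = home / rel
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        for m in pattern.finditer(text):
            secret = m.group(1).strip("\"'")
            findings.append({
                "file": rel,
                "kind": label,
                "preview": redact(secret),
                # any 'other' read bit means every local account on the host can read the token
                "world_readable": bool(path.stat().st_mode & 0o004),
            })
    return findings

def rotation_plan(findings: list) -> dict:
    """Group findings by credential kind so each issuer (npm, PyPI, ...) gets one rotation ticket."""
    plan = {}
    for f in findings:
        plan.setdefault(f["kind"], []).append(f["file"])
    return plan

def build_sample_home(root: Path) -> Path:
    """Constructed developer home with placeholder secrets (not real tokens)."""
    (root / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_CONSTRUCTEDplaceholder0123\n")
    os.chmod(root / ".npmrc", 0o600)
    (root / ".pypirc").write_text("[pypi]\nusername = __token__\npassword = pypi-CONSTRUCTEDplaceholder\n")
    (root / ".docker").mkdir()
    (root / ".docker" / "config.json").write_text(
        '{"auths": {"registry.example.internal": {"auth": "dXNlcjpjb25zdHJ1Y3RlZA=="}}}\n')
    (root / ".bashrc").write_text("export EDITOR=vim\n")  # unrelated file, must not be flagged
    return root

def demo_scan() -> list:
    """Scan the constructed home in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        return scan_home(build_sample_home(Path(d)))

if __name__ == "__main__":
    found = demo_scan()
    for f in found:
        print(f)
    print(rotation_plan(found))
```

Point it at each developer home (and at CI runner home directories, which QLNX-style implants treat the same way) and feed the rotation plan to the issuing systems; the preview is intentionally too short to be replayed, so the report itself does not become another copy of the secrets.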
“Dirty Frag” — Linux Kernel LPE, No Patch Available (CVE-2026-43284, CVE-2026-43500)
HIGH URGENCY
Summary: Dirty Frag is an unpatched privilege escalation chain in the Linux kernel built on page-cache write primitives in xfrm-ESP and RxRPC. It needs no race condition, so it succeeds near-deterministically on affected systems, and a public proof-of-concept already exists. Any unprivileged local user can escalate to root, which covers container breakout scenarios, shared-tenant AI inference environments, and compromised service accounts. According to Wiz's analysis, urgency is compounded by CISA adding the direct predecessor, Copy Fail (CVE-2026-31431), to its Known Exploited Vulnerabilities catalog this week, signaling active weaponization. Affected kernel versions ship in all major Linux distributions.
Action Required: With no patch available, focus on compensating controls: restrict local and interactive access on AI inference hosts, enforce container security profiles (seccomp, AppArmor/SELinux), audit for privileged containers and shared host namespaces, and deploy runtime detection following Sysdig's guidance. Monitor for vendor kernel patches and prioritize emergency deployment; until then, treat every workload on an affected host as sharing root with its neighbors.
• Wiz — Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC (May 8, 2026)
• Sysdig — Detecting Unpatched LPE via Linux Kernel ESP and RxRPC (May 8, 2026)
• The Hacker News — Linux Kernel Dirty Frag LPE Exploit Enables Root Access (May 8, 2026)
• The Hacker News — CISA Adds CVE-2026-31431 to Known Exploited Vulnerabilities (May 2026)
kernel privilege escalation for AI/cloud environments. The specific risk to multi-tenant AI inference clusters, where root access exposes co-located model weights, training data, and credentials, is not addressed in existing publications.
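The compensating controls above are settings that can be audited today, before a kernel patch exists. The following checker is an added example for this briefing (not Wiz's or Sysdig's tooling): given a Kubernetes pod manifest as a dict, it flags the configurations that let a successful LPE inside a container reach the host or its neighbours: privileged mode, shared host namespaces, no seccomp or AppArmor profile, added capabilities, a root UID, and privilege escalation left enabled. Field names are the standard PodSpec ones, including the appArmorProfile field and the older annotation form; the two manifests are constructed, one as a typical "make the GPU work" inference pod and one as its hardened form.

```python
# capabilities whose addition makes a kernel LPE, or host takeover after one, far easier
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN"}
APPARMOR_ANNOTATION = "container.apparmor.security.beta.kubernetes.io/"

def audit_pod(pod: dict) -> list:
    """Return human-readable findings for settings that weaken container isolation."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name = meta.get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})
    annotations = meta.get("annotations", {})
    findings = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            findings.append(f"{name}: {ns}=true shares a host namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "?")
        sc = c.get("securityContext", {})
        where = f"{name}/{cname}"
        if sc.get("privileged"):
            findings.append(f"{where}: privileged=true (all capabilities, device access)")
        # container-level profile wins over the pod-level one; neither set means Unconfined
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{where}: seccomp unconfined (no syscall filter)")
        apparmor = (annotations.get(APPARMOR_ANNOTATION + cname)
                    or (sc.get("appArmorProfile") or pod_sc.get("appArmorProfile") or {}).get("type"))
        if not apparmor or apparmor.lower() == "unconfined":
            findings.append(f"{where}: no AppArmor profile")
        added = set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append(f"{where}: adds capabilities {sorted(added)}")
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as == 0 or (run_as is None and not non_root):
            findings.append(f"{where}: may run as uid 0")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{where}: allowPrivilegeEscalation not disabled (setuid/file caps usable)")
    return findings

# constructed manifests: a permissive inference pod and the same workload hardened
WEAK_POD = {
    "metadata": {"name": "inference-worker"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "worker", "image": "inference:latest",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "metadata": {"name": "inference-worker",
                 "annotations": {APPARMOR_ANNOTATION + "worker": "runtime/default"}},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "worker", "image": "inference:latest",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(WEAK_POD):
        print("WEAK    ", finding)
    print("HARDENED", audit_pod(HARDENED_POD) or "no findings")
```

None of these settings stop the kernel bug itself: a seccomp filter and a non-root UID narrow which syscalls and files an attacker can reach before escalation, and dropping hostPID and privileged mode means a root shell inside the container is still not a root shell on the node, which is what protects co-located tenants' weights and credentials while the patch is pending.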
NIST NVD Triage Overhaul Creates Structural Blind Spot for AI Tooling
GOVERNANCE
Summary: Effective April 15, 2026, NIST restructured its National Vulnerability Database to enrich only CVEs on the CISA KEV list, present in federal government software, or covered by EO 14028 critical software definitions. CVEs outside these categories are listed but receive no CVSS vector refinement, no CWE mapping, and no CPE data. The consequence for AI security programs is severe: most AI framework vulnerabilities (Ollama, LiteLLM, LMDeploy, vLLM, Ray) are not federal software and rarely appear on KEV until after significant exploitation. As Wiz’s analysis of the change notes, security teams relying on NVD-enriched data will systematically underweight AI tooling risk — precisely where adversaries are moving fastest.
Action Required: Supplement NVD-based vulnerability management with AI-specific intelligence feeds (OSV.dev, vendor security advisories for AI frameworks, GitHub Security Advisories, and researcher disclosure channels). Establish direct monitoring of Ollama, vLLM, Ray, LiteLLM, and Hugging Face security channels. Update internal scoring policy so AI-toolchain CVEs are rated from the CNA's or advisory's own CVSS data when NVD enrichment is absent, rather than defaulting to "unscored" and dropping out of the patch queue.
• NIST — NIST Updates NVD Operations to Address Record CVE Growth (April 2026)
• Wiz — NIST NVD Update: What It Means For Vulnerability Management (April 27, 2026)
policy's implications for AI security programs, nor provides alternative vulnerability intelligence sources and prioritization frameworks suited to AI toolchain risk.
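Supplementing NVD with OSV.dev can be scripted directly against pinned dependencies. The following is an added example for this briefing, not OSV's own client or anything from the cited reports: it parses "==" pins from a requirements file, posts each to the documented OSV v1 query endpoint, and assigns a priority from the advisory's own CVSS vector so a finding without NVD enrichment, or without a CVE id at all, is still ranked. The fetcher is injectable; the offline demo uses placeholder package names and a constructed OSV-shaped response, not real advisories.

```python
import json
import re
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # documented OSV API endpoint
_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)", re.M)

def parse_pins(requirements: str) -> list:
    """Return (name, version) for every exact '==' pin; ranges are skipped on purpose."""
    return _PIN.findall(requirements)

def osv_query(name: str, version: str) -> dict:
    """Request body for POST /v1/query as OSV documents it."""
    return {"package": {"name": name, "ecosystem": "PyPI"}, "version": version}

def http_fetch(body: dict) -> dict:
    """Live fetcher; swapped out in the demo so nothing here needs the network."""
    req = urllib.request.Request(OSV_QUERY_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)

def cvss_flags(vector: str) -> dict:
    """Pull the exposure metrics out of a CVSS v3 vector string without computing the score."""
    metrics = dict(p.split(":", 1) for p in vector.split("/")[1:] if ":" in p)
    return {"network": metrics.get("AV") == "N",
            "unauthenticated": metrics.get("PR") == "N",
            "no_user_interaction": metrics.get("UI") == "N"}

def triage(vuln: dict) -> str:
    """P1 = remote and unauthenticated per the advisory's own vector; P2 otherwise;
    'review' when no CVSS v3 vector is present, so the item stays in the queue."""
    vectors = [s["score"] for s in vuln.get("severity", []) if s.get("type", "").startswith("CVSS_V3")]
    if not vectors:
        return "review"
    flags = cvss_flags(vectors[0])
    return "P1" if flags["network"] and flags["unauthenticated"] else "P2"

def scan_requirements(requirements: str, fetch=http_fetch) -> list:
    findings = []
    for name, version in parse_pins(requirements):
        for v in fetch(osv_query(name, version)).get("vulns", []):
            cves = [a for a in v.get("aliases", []) if a.startswith("CVE-")]
            findings.append({
                "package": f"{name}=={version}",
                "id": v["id"],
                "cves": cves,
                # GHSA-only advisories never reach NVD; CVE ones may now arrive unenriched
                "has_cve_id": bool(cves),
                "priority": triage(v),
                "summary": v.get("summary", ""),
            })
    return findings

# constructed inputs for the offline demo: placeholder package names, not real projects
SAMPLE_REQUIREMENTS = """\
# pinned dependencies of an imaginary inference service
example-inference-lib==1.2.3
example-client==0.9.0 ; python_version >= "3.10"
"""

def demo_fetch(body: dict) -> dict:
    """Stand-in for http_fetch returning an OSV-shaped, entirely constructed advisory."""
    if body["package"]["name"] == "example-inference-lib":
        return {"vulns": [{
            "id": "GHSA-xxxx-xxxx-xxxx",          # placeholder id, not a real advisory
            "aliases": [],                        # no CVE assigned: invisible to NVD entirely
            "summary": "constructed example advisory",
            "severity": [{"type": "CVSS_V3",
                          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
        }]}
    return {"vulns": []}

if __name__ == "__main__":
    for f in scan_requirements(SAMPLE_REQUIREMENTS, fetch=demo_fetch):
        print(f["priority"], f["package"], f["id"], "CVE" if f["cves"] else "no CVE", f["summary"])
```

With the default fetcher the same function runs against the live API; the triage rule deliberately reads the vector the advisory publishes rather than waiting for an NVD-refined one, which is the policy change the action item calls for.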
The 2026 Autonomous Threat Threshold — AI as Offensive Weapon and Systemic Risk
STRATEGIC
Summary: Wiz's 2026 State of AI in the Cloud report documents a qualitative shift: AI is no longer just a target, it is a primary offensive weapon. Malware now uses LLMs to dynamically generate commands and adapt execution logic at runtime, defeating static signature detection. AI-assisted research contributed to the discovery of 13 zero-days in widely deployed cloud software in a single effort. Meanwhile, one in five organizations using AI-assisted "vibe coding" platforms has systemic vulnerabilities rooted in shared AI generation patterns, a monoculture risk that scales with adoption. At least 57% of organizations have deployed self-hosted AI agents, and Model Context Protocol (MCP) servers appear in 80% of cloud environments, largely without governance frameworks. As Schneier has argued, autonomous AI hacking represents a structural shift in the attacker/defender balance.
Action Required: Engage board-level conversations on AI as an offensive multiplier using this evidence base. Audit AI-generated code repositories for shared vulnerability patterns. Inventory all MCP server deployments and apply least-privilege access controls. Establish governance frameworks for self-hosted AI agent deployments before the 57% deployment figure climbs further.
• Wiz Research — State of AI in the Cloud 2026 Report (April 29, 2026)
• Schneier on Security — Autonomous AI Hacking and the Future of Cybersecurity (October 2025)
autonomous AI as an offensive multiplier and tracing systemic implications: supply chain monoculture, agentic over-privilege, AI-generated code propagation, and the collapse of reactive patch-cycle defenses. CISOs need this frame for board-level risk conversations.
Notable News & Signals
AI-Powered Phishing Achieves 54% Click-Through Rate
Research this cycle confirms AI-generated phishing campaigns are achieving substantially higher engagement than traditional lures. While well-covered in CSA’s existing corpus, the 54% click-through figure reinforces that social engineering risk remains the highest-volume AI threat vector for most organizations.
PAN-OS CVE-2026-0300 RCE Under Active Exploitation
A critical buffer overflow in Palo Alto Networks PAN-OS is under active exploitation; the vendor advisory and Wiz provide detailed coverage. Organizations running PAN-OS should apply the vendor patch immediately. This is not AI-specific, but PAN-OS devices sit at the perimeter of many AI workloads.
Ivanti EPMM CVE-2026-6973 Remote Code Execution
Critical RCE in Ivanti’s mobile device management platform is actively targeted. Organizations using EPMM for AI device fleet management should prioritize patching. This is general enterprise MDM risk; no AI-specific angle identified this cycle.
PamDOORa Linux PAM Backdoor Disclosed
A Linux PAM backdoor, PamDOORa, was disclosed this cycle. While outside the AI infrastructure focus, a PAM-level backdoor is a systemic persistence risk on any Linux host running AI workloads, because it sits in the authentication path of every login. Security teams should include PAM configuration audits (the modules referenced under /etc/pam.d and the shared libraries they load) in their Linux hardening checklists.
Topics Screened Out — No New Action Required
- AI-Powered Phishing (54% CTR): Well-covered in CSA corpus under AI-enabled social engineering. No new angle; existing guidance applies.
- PAN-OS CVE-2026-0300 RCE: Critical Palo Alto buffer overflow under active exploitation. Comprehensively covered by vendor advisory and Wiz. Not AI-specific; no new CSA coverage warranted.
- Ivanti EPMM CVE-2026-6973 RCE: MDM platform exploitation. General enterprise security; outside AI Safety Initiative scope.
- TCLBANKER Brazilian Banking Trojan: Financial sector malware campaign. Outside AI Safety Initiative scope.
- PamDOORa Linux PAM Backdoor: Technically interesting but outside AI infrastructure focus this cycle.
- cPanel/WHM Vulnerabilities: Web hosting infrastructure; outside scope of AI Safety Initiative.