RANDOM CHAOS

container security

3 posts

Article

Dirty Frag races the refcount

Dirty Frag (CVE-2026-XXXX) is a Linux kernel page migration race yielding root LPE on all major distros. Mechanism, telemetry, and patch boundary.

Article

axios CVE-2025-3891: What the Advisories Don't Say About Immutable Images

CVE-2025-3891 in axios allows prototype pollution leading to RCE. This post reveals why deployed container images remain at risk even after patching, due to missing artifact provenance and immutable verification.

Article

The Advisory Told You to Update. It Didn't Tell You What's Already Running.

Patching the advisory isn't enough. If your CI pipeline ran during the compromise window, the compromised code is baked into your container images and still running. Here's how to find it.