patch management
11 posts
CVSS 5.5 is lying to you
A nine-year-old Linux kernel flaw enables root command execution. CVSS 5.5 understates the outcome. Patch scope and operator action.
Nginx patched. Assume breach.
NGINX issued the nginx-poolslip patch. Operator analysis of what is confirmed, what is not, and what must change at the proxy boundary.
The patch shipped. The install didn't.
Microsoft confirmed Windows 11 security updates are failing to install. Patch state is now a claim, not a measurement. Verify out-of-band.
Mandiant clocked 5 days in 2023
Mean time-to-exploit for critical CVEs has collapsed to days. The mechanism is patch diffing, n-day industrialisation, and telemetry gaps on appliances.
Microsoft's patch cadence is not the problem
The Exchange zero-day is the fifth in the same pattern since 2021. Why patching faster is not the fix, and what actually reduces blast radius.
Fragnesia is already loose
Fragnesia Linux privilege escalation has a public PoC. The kernel trust boundary is conditional on patch state. What must now be true.
The patch is the payload
Three critical Linux kernel LPE findings in two weeks, one introduced by a fix. The defect is the patch pathway, not the bug.
The kernel commit lands. Your fleet is exposed.
Linux kernel CVEs publish without distro pre-notice. The exposure window opens at upstream commit, not at advisory. Measure the right number.
Chrome's fourth 2026 zero-day ships mid-cycle
Google's fourth exploited Chrome zero-day of 2026 patches a V8 type confusion bug. The real risk is the patch-to-deployment window.
CISA flagged a 17-year-old Excel flaw
A 17 year old Excel flaw is being actively exploited and flagged by US cyber defence. Operator analysis of what failed, why, and what must change.
April 16 Cisco patches changed your threat model
Cisco's April 2026 patch wave includes seven Critical CVEs including a CVSS 10.0 RCE in FMC. Triage, detection, and architectural fixes for enterprise CISOs.