RoguePlanet CVE-2026-50656 patched today after weeks as a live Defender zero-day: update to engine 1.1.26060.3008      GhostLock CVE-2026-43499: 15-year Linux kernel flaw reaches root in 5 seconds and escapes containers, public exploit      Friendly Fire and GhostApproval: AI code auditing agents tricked into running the malicious code they find      RoguePlanet CVE-2026-50656 patched today after weeks as a live Defender zero-day: update to engine 1.1.26060.3008      GhostLock CVE-2026-43499: 15-year Linux kernel flaw reaches root in 5 seconds and escapes containers, public exploit      Friendly Fire and GhostApproval: AI code auditing agents tricked into running the malicious code they find     
CyberSipTM
Intelligence without the noise
Issue No. 82
July 9, 2026
3 items · past 24h
<5 min read
Today's picture

Microsoft shipped Malware Protection Engine 1.1.26060.3008 today, closing RoguePlanet, a local privilege escalation zero-day in Microsoft Defender that has been publicly exploitable since June 16 with no fix available. A second Linux kernel root escalation with a public exploit landed this week: GhostLock has lived in the futex priority-inheritance code since 2011, reaches root in roughly five seconds with 97 percent reliability, and breaks out of Docker and Kubernetes containers. And two independent research teams published findings today showing that AI coding agents built specifically to audit open-source code for security flaws can be turned against the developer running them, executing the malicious code they were built to find.

Today's intelligence
3 items
01 High Patched Today Microsoft Defender
RoguePlanet CVE-2026-50656 patched after 23 days as a live Defender zero-day with public exploit code
The fix is in the Malware Protection Engine update, delivered automatically. Verify engine version 1.1.26060.3008 or later is installed across your fleet. This is the eighth Nightmare Eclipse zero-day Microsoft has patched since March.
CVECVE-2026-50656
CVSS7.8
PatchedJuly 8, 2026
Engine 1.1.26060.3008
Zero-day sinceJune 16, 2026

Microsoft shipped an out-of-band update to the Microsoft Malware Protection Engine on July 8, raising the version to 1.1.26060.3008 and closing CVE-2026-50656. The vulnerability, publicly known as RoguePlanet, was disclosed by the researcher going by Nightmare Eclipse on June 16 alongside a working proof-of-concept exploit. The flaw exploits a race condition and an improper link resolution before file access in the Microsoft Defender Malware Protection Engine, allowing any low-privileged local user to spawn a command shell with SYSTEM-level privileges on fully patched Windows 10 and Windows 11 machines. The proof of concept works regardless of whether Defender's real-time protection is enabled or disabled, making it viable even on machines where security teams attempted to detect or block it by toggling the agent.

Nightmare Eclipse noted that small changes to the proof of concept could bypass signature-based mitigations that vendors attempted to build, and stated that the only effective defensive action was to wait for the patch. Microsoft did not acknowledge Nightmare Eclipse as the discoverer in its advisory, continuing a public dispute over the company's vulnerability disclosure process and bug bounty program that has driven the researcher to release eight zero-days since March 2026. Three earlier Nightmare Eclipse flaws, including BlueHammer, RedSun, and UnDefend, were exploited in the wild before patches shipped. Microsoft has not confirmed exploitation of RoguePlanet specifically, though the 23-day window with public exploit code is among the longest unpatched zero-day windows this researcher's disclosures have produced.

The Malware Protection Engine update is delivered automatically through Windows Update and the Microsoft Update service and does not require a full Windows patch cycle. Confirm the updated engine version is installed across your fleet before treating this as closed. Any endpoint that was not patching regularly during the June 16 to July 8 window was exposed to a local privilege escalation that works on fully patched Windows. An attacker who needed SYSTEM on an endpoint had a working public exploit for 23 days. The more important planning question is not this specific flaw but the Nightmare Eclipse pattern: seven more zero-days remain in various disclosure stages from this researcher.
The Nightmare Eclipse disclosures are being driven by a documented dispute with Microsoft's MSRC over account access revocation, rejected vulnerability reports, and unpaid bounties. Microsoft has referenced potential legal action against people engaging in what it described as malicious activity causing real harm to customers. The security community is reading that as a threat directed at Nightmare Eclipse. The practical consequence for defenders is that this researcher has announced intent to continue disclosing and has a track record of following through. BlueHammer, RedSun, MiniPlasma, YellowKey, GreenPlasma, UnDefend, and now RoguePlanet. Whatever the next one is, the window between public disclosure and Microsoft patch has averaged roughly three weeks.
  • Confirm Microsoft Malware Protection Engine version 1.1.26060.3008 or later is installed on all Windows endpoints. The engine updates automatically but verify deployment through your endpoint management platform, as devices that have not checked in recently may not yet have received the update.
  • For endpoints where Defender is running in passive mode alongside a third-party AV product, confirm that engine updates are still applied. Passive mode does not block Malware Protection Engine updates, but some configurations suppress them.
  • Monitor for the next Nightmare Eclipse disclosure. The researcher has used a self-hosted Git repository since Microsoft removed their GitHub and GitLab repos. Tracking that repository directly provides earlier warning than waiting for vendor advisory publication.
A working public exploit for a privilege escalation in the endpoint protection agent that runs on every Windows machine. For 23 days. The patch is out now. Verify it is deployed, not just released.
02 Critical Linux Kernel Container Escape
GhostLock: a 15-year Linux kernel flaw reaches root in five seconds, escapes Docker and Kubernetes containers
Any logged-in user on any unpatched Linux system since 2011. No special permissions, no capabilities, no network access required. The public exploit is 97 percent reliable and the IonStack chain removes even the local foothold requirement on Android.
CVECVE-2026-43499
CVSS7.8
IntroducedLinux 2.6.39 (2011)
FixedLinux 7.1
Distros: in progress

Nebula Security's VEGA team disclosed GhostLock on July 7, 2026, a use-after-free vulnerability in the Linux kernel's real-time mutex (rtmutex) code that has shipped in every mainstream Linux distribution since kernel 2.6.39 in May 2011. The bug lives in the remove_waiter() function in the futex priority inheritance code. The function assumes the thread cleaning up a lock is the same thread that was waiting on it. The Requeue-PI feature added years later broke that assumption without updating the cleanup logic, leaving a dangling pointer to freed stack memory that an attacker can reclaim and use to hijack kernel control flow. The exploit is 97 percent reliable, takes approximately five seconds, requires no special permissions, no capabilities, and no user namespaces, and also escapes Docker, Podman, LXC, and Kubernetes container isolation. Google awarded Nebula $92,337 through the kernelCTF program.

GhostLock is one half of a chain Nebula calls IonStack. The first half is CVE-2026-10702, a flaw in Firefox's IonMonkey JIT compiler patched in Firefox 151.0.3 on June 2. Chained together, IonStack eliminates the local-foothold requirement: a single tap on a malicious link in Firefox on Android was sufficient to reach full device root in Nebula's demonstration. Nebula has published working exploit code. Distribution patches are in progress but uneven. Ubuntu has patched some releases and cloud kernels, with 24.04, 22.04, and 20.04 LTS still listed as vulnerable or in progress as of early July. Check your distribution's advisory and confirm the fixed package version rather than assuming the update is waiting.

The container escape component elevates GhostLock above most local privilege escalation flaws. Cloud-native environments that rely on container isolation for tenant separation are in scope. A compromised container workload, from a supply chain attack or from code running inside a CI/CD pipeline, can use GhostLock to break out to the host kernel and reach adjacent containers and the host filesystem. This is not a theoretical risk: Nebula published a working exploit, the reliability is near-certain, and the bug is present in every unpatched kernel shipped since 2011. Prioritize container hosts, Kubernetes nodes, CI/CD runners, and any multi-tenant Linux environment before general-purpose servers.
GhostLock joins Bad Epoll from Issue 79 and Januscape from Issue 81 in a run of three Linux kernel privilege escalation vulnerabilities with public working exploits disclosed within the past two weeks, all found through the kernelCTF program. The pattern across all three is the same: old code in rarely-audited kernel subsystems, present for over a decade, found by researchers who specifically targeted the reward program's focus areas. KernelCTF is working as intended, surfacing real exploitable bugs. The implication for defenders is that this cadence is not coincidence and is unlikely to slow. Organizations that have not yet applied kernel patches for Bad Epoll should treat the accumulation of three simultaneous public exploits as compounding urgency, not three separate moderate-priority items.
  • Apply kernel security updates from your Linux distribution immediately. Check the distribution advisory and verify the patched package version is installed and booted. A kernel patch requires a reboot to take effect. Use live patching where available for critical production systems.
  • Prioritize container hosts, Kubernetes nodes, CI/CD runners, and any multi-tenant environment where a container escape reaches adjacent workloads. GhostLock's container escape component makes these the highest-risk targets.
  • Ensure Firefox on Android and Linux is updated to version 151.0.3 or later to close the IonStack chain's browser entry point. Without the Firefox fix, the GhostLock container escape can be triggered remotely via a malicious link, removing the local-foothold precondition.
Three public Linux kernel exploits in two weeks, all from the same bug bounty program, all in code that has been shipped for over a decade. This is not a slow news cycle. Patch the kernel the same way you would patch a remotely exploitable service.
03 High AI Agents Supply Chain
AI coding agents built to find malicious code can be tricked into running it instead
Two independent research teams published findings today showing that autonomous AI code auditing agents, including Claude Code and OpenAI Codex, can be weaponized by the code they are scanning. The attack works against agents running in the autonomous modes most developers actually use.
ResearchFriendly Fire
AI Now Institute
Research 2GhostApproval
Wiz Research
DisclosedJuly 8, 2026
AffectedClaude Code,
Codex, 6 others

The AI Now Institute published Friendly Fire on July 8, a proof-of-concept demonstrating that autonomous AI coding agents tasked with scanning open-source repositories for security vulnerabilities can be manipulated into executing the malicious code they identify rather than reporting it. The attack embeds natural-language instructions inside malicious code comments or README content that instruct the agent to run specific commands as part of its analysis workflow. Against Claude Code and OpenAI Codex in autonomous modes that allow self-approval of tool calls, the agents ran the embedded commands and confirmed execution. AI Now describes the root vulnerability as a trust boundary failure: agents that are authorized to read code and run analysis tools treat attacker-controlled content as equivalent to user instructions.

Separately, Wiz Research published GhostApproval on July 8, documenting a symlink-based attack against six popular AI coding assistants that allows a malicious repository to take control of a developer's machine. A booby-trapped repository includes a symlink pointing outside the project directory. When an AI agent follows the symlink while auditing or processing the repository, it executes code outside the sandboxed project context, reaching the developer's file system and environment variables. Wiz confirmed the attack works against six tools in their testing. Both Friendly Fire and GhostApproval target developers in the specific workflow mode, autonomous or semi-autonomous code review, where AI agents provide the most productivity value and receive the most trust.

Developers are increasingly deploying AI agents in autonomous mode to review dependencies, audit open-source packages, and scan repositories for vulnerabilities. Both attack classes target that workflow directly. The consequence is that the act of using an AI agent to verify whether a piece of code is safe can be the mechanism through which the unsafe code executes. This brief has tracked the AI agent attack surface since Issue 63 across MCP poisoning, sandbox escape, and autonomous credential theft. Friendly Fire and GhostApproval add code review as a confirmed attack vector in the same ecosystem.
This is the eighth distinct AI agent or AI infrastructure attack class documented in this brief since Issue 63. The pattern that connects them is consistent: agents that are authorized to take action are treated as equivalent to users who have consented to those actions, when in practice the agent is operating on attacker-controlled content. Cursor DuneSlide from Issue 77 exploited sandbox trust boundaries. JadePuffer from Issue 80 exploited LLM agent autonomy to run ransomware. Friendly Fire exploits agent trust in content being audited. The attack surface keeps expanding because the definition of what the agent is allowed to do keeps expanding, without commensurate expansion of what the agent is required to treat as untrusted.
  • Do not run AI coding agents in fully autonomous self-approval mode against unfamiliar or untrusted repositories. Require human approval for any tool calls that execute code or read files outside the project directory, particularly during dependency auditing or open-source code review tasks.
  • For teams using AI agents in CI/CD pipelines to scan incoming pull requests or dependency updates, treat the scan environment as potentially compromised. Run scans in isolated, ephemeral containers with no access to production credentials, cloud provider tokens, or the developer's local file system.
  • Update AI coding tools to the latest versions. Cursor addressed sandbox trust boundary issues in version 3.0 (Issue 77). Check whether other AI IDE tools in your environment have released updates specifically addressing prompt injection or symlink traversal in code review contexts.
You asked the AI agent to check whether the code was safe. The code told the agent what to do instead. The autonomy that makes these tools useful is the same autonomy that makes them exploitable. Require human approval at the boundary between reading untrusted content and taking action on it.
Cross-source standouts
01
Three public Linux kernel exploits in two weeks is a curriculum, not a coincidence
Bad Epoll (Issue 79), Januscape (Issue 81), and GhostLock today. All found through kernelCTF. All in code that shipped for over a decade. All with working public exploits. The practical reality for defenders is that these are not three separate moderate-priority items that can be queued behind scheduled maintenance. Each one is a reliable public exploit available to anyone who searches for it. The accumulation of three simultaneous exploits across the Linux kernel privilege escalation class means any organization that has not applied kernel patches for the first two is now staring at three overlapping exposure windows at once. The kernelCTF program rewards exactly this class of research, and the disclosure cadence suggests there are more findings in the pipeline. Organizations that have treated kernel patching as a low-urgency scheduled task should revisit that posture while three working exploits are in circulation simultaneously.
02
The AI agent attack surface has now expanded to include the act of using an AI agent for security
Friendly Fire and GhostApproval are the eighth distinct AI agent attack class documented in this brief since Issue 63. The through-line across all eight is the same: an agent that is authorized to take action treats attacker-controlled content as equivalent to authorized instructions. What makes Friendly Fire specifically notable is the target workflow. Using an AI agent to check whether code is malicious is now itself a potential attack vector. That puts security teams in an uncomfortable position: the tool being used to reduce supply chain risk can become the mechanism through which supply chain risk is delivered. The mitigation is not to stop using AI agents for code review, but to enforce a hard boundary between the agent reading untrusted content and the agent executing anything in response to what it reads. Human approval at that boundary is the only currently reliable control. Autonomous mode against untrusted code is, as of today, a confirmed attack surface.
Still watching
Days 2–6
Januscape CVE-2026-53359 (Issue 81 · KVM/x86) — guest-to-host escape on Intel and AMD. Public DoS PoC, private full escape. Patch kernels, disable nested virtualization on untrusted-guest hosts if patching is delayed.
Day 2
Adobe ColdFusion CVE-2026-48282 (Issue 81 · CVSS 10.0) — CISA KEV, July 10 federal deadline. Patch to ColdFusion 2025 Update 10 or 2023 Update 21. Disable RDS if not in active use. Hunt for unauthorized files in web root.
Day 2
Bad Epoll CVE-2026-46242 (Issue 79 · Linux ≥6.4) — 99% reliable local root. Patch kernels. Prioritize cloud VMs, Kubernetes nodes, and container hosts. Three simultaneous Linux kernel exploits now in circulation.
Day 4
JadePuffer / Langflow CVE-2025-3248 (Issue 80) — autonomous AI agent ransomware. Patch Langflow, remove secrets from environment variables, restrict Nacos from public internet access.
Day 3
SharePoint CVE-2026-45659 (Issue 78 · CVSS 8.8) — CISA KEV, actively exploited. Apply Microsoft May 2026 updates. Audit Site Member accounts and server-side logs for unexpected process launches.
Day 6
Found this useful? Share it or forward it.
Copied