Monday 25 May 2026

A Decade-Old Linux Kernel Flaw Just Got a Very Unwanted Comeback

A decade-old Linux privilege escalation bug resurfaces, Ghost CMS is under active mass exploitation, Amazon's always-on AI wearable raises hard privacy questions, and CBA's AI is doing the 2am on-call shift so engineers don't have to.

Lead story

Qualys researchers have disclosed a serious local privilege escalation vulnerability in the Linux kernel — one that's been sitting quietly in the codebase since 2016. That's not a typo. The bug was introduced ten years ago and has been present in essentially every mainstream Linux distribution shipped since then.

The flaw allows a low-privileged local user to escalate their access to root. In practice, that means anyone who has already obtained a foothold on a Linux system — through a phishing attack, a stolen credential, a web shell, anything — can use this bug to own the whole machine. Local privesc bugs are the second act of almost every serious intrusion, and a reliable, unpatched one is exactly what attackers look for after the initial breach.

What Qualys found. The vulnerability is a kernel-level bug that Qualys describes as "serious." The team has a strong track record here — they've previously disclosed high-impact Linux flaws including PwnKit and Looney Tunables, both of which saw rapid exploitation in the wild. The team's credibility on Linux kernel research is about as good as it gets.

Why a local bug still matters. There's a tendency to dismiss local privilege escalation as "not that bad" because an attacker already needs to be on the box. That's the wrong frame. Modern attack chains don't start with root — they start with a low-privileged shell from a phishing email, a misconfigured service, or a container escape. The privesc is the step that turns "attacker has a foothold" into "attacker has the keys." A ten-year-old reliable privesc gadget is a significant find.

The patch situation. Patches are in progress across major distributions, but rollout will be uneven. Organisations running customised or long-term-support kernels — common in enterprise environments, telcos, and government — may lag behind. The 2016 introduction date also means any historical forensic timeline analysis of past breaches may need revisiting.

Australian context is direct here. Linux underpins a significant share of Australian federal and state government infrastructure, critical infrastructure operators under the SOCI Act, and cloud-hosted workloads across the economy. The ACSC's patching guidance generally recommends critical kernel patches be applied within 48 hours for internet-exposed systems — that clock is now running. Organisations with large Linux fleets should be checking vendor advisories from Red Hat, Ubuntu, Debian, and SUSE today.

What to watch. Qualys typically publishes full technical details and proof-of-concept code alongside or shortly after disclosure. Once that lands, exploitation attempts in the wild tend to follow within days. The question isn't really if this gets weaponised — it's how quickly defenders can close the window. Patch. Don't wait for the PoC to drop first.

Also today

Ghost CMS SQL Injection Flaw Fuelling Mass ClickFix Campaign

Attackers are actively exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript into affected sites. Once injected, the script triggers a ClickFix social engineering flow — the kind that tricks users into pasting attacker-controlled commands into their own terminals or run dialogs, typically delivering infostealers or remote access tools. Ghost is widely used by independent publishers and small media organisations. Australian operators running self-hosted Ghost instances should treat this as urgent: check your version, apply the available patch, and audit your site's JavaScript for unexpected injections.

Bleeping Computer

Hackers Are Getting Better at Exploiting AI Chatbot Personalities

The early days of jailbreaking AI chatbots involved crude tricks — tell the model it's a different AI, or that it has no restrictions. Those techniques still work sometimes, but a more sophisticated generation of attacks is emerging. Researchers and adversaries are now mapping the specific "personality" configurations of commercial AI systems and crafting prompts that exploit the tension between helpfulness and safety guardrails. The attack surface is growing as enterprises deploy customised AI agents with bespoke personas and access to sensitive tools — each one a slightly different target with slightly different weak points.

The Verge

Amazon's Bee Wearable: Always Listening, Occasionally Useful

Amazon's new Bee wearable is a small clip-on device that uses an AI model to passively listen to your day — conversations, reminders, context — and build a running memory of your life. A TechCrunch reviewer found it genuinely useful for capturing things you'd otherwise forget, but was also consistently unsettled by the implications of an Amazon microphone recording ambient audio around the clock. The privacy calculus is particularly pointed given Amazon's history with Alexa data retention. For Australian users, the device would sit in a legal grey zone under the Privacy Act's consent and collection notice requirements — worth watching as it approaches wider release.

TechCrunch

CBA's AI Agent Is Doing the 2am On-Call Shift

Commonwealth Bank of Australia has deployed a DevOps AI agent that helps on-call engineers diagnose production incidents in the middle of the night. Rather than an engineer waking up groggy and manually trawling through logs, the agent surfaces likely root causes, correlates signals across systems, and presents a structured starting point before the human even picks up their laptop. CBA says the tool is already reducing mean time to resolution on overnight incidents. It's a practical, unglamorous AI deployment — exactly the kind that tends to quietly spread across enterprise IT once it proves its value at one large organisation.

iTnews

London's Facial Recognition Rollout Is Forcing a Hard Legal Reckoning

The UK government is expanding live facial recognition on London streets while simultaneously scrambling to build a legal framework that justifies it. Police forces are deploying the technology faster than legislation can catch up, raising questions about oversight, accuracy, and the rights of people incorrectly flagged. Civil liberties groups argue the cart is firmly ahead of the horse. The dynamic mirrors debates in Australia, where there's no standalone facial recognition law — the Privacy Act's biometric provisions are the primary constraint, and the OAIC has flagged the gap. Australia's Attorney-General's Department is watching the UK process closely as it considers its own framework.

iTnews

Nuro Thinks Being a Robotaxi Follower Is Actually a Feature

Nuro — the delivery robot company spun out of Google's self-driving car project — has pivoted to robotaxis and is making a counterintuitive pitch: being second is better. The argument is that Waymo has absorbed the regulatory friction, public scepticism, and early technical failures, clearing a path for followers to move faster with less resistance. Nuro is partnering with Uber and Lucid to build its fleet and says it can apply lessons from Waymo's playbook without repeating its expensive mistakes. Whether that logic holds up when Waymo already has brand recognition and thousands of vehicles on the road is another matter.

The Verge

Xreal and Google Are Betting Smart Glasses Have Finally Turned the Corner

Xreal, the Chinese smart glasses maker that is partnering with Google on its next-generation eyewear platform, says the industry has reached an inflection point. CEO Chi Xu argues that hardware has finally caught up with the ambition — lighter frames, better displays, and AI models capable of doing useful things in real time. Google's re-entry into the space after the Glass debacle is the most significant endorsement the sector has had in years. The timing is notable: Meta's Ray-Ban glasses have quietly sold millions of units, giving the category something it lacked before — a mainstream proof of concept.

TechCrunch

Dayforce Delays the Inevitable on Its Preceda Migration

Dayforce — formerly Ceridian — has pushed back the switch-off of its legacy Preceda payroll platform in Australia as a tail of customers drags its feet on migrating to the newer system. The company says "most" customers have moved, but the delay suggests the straggler cohort is large enough to make an abrupt cut-off commercially untenable. Legacy payroll migrations are notoriously fraught in Australia — Preceda has deep roots in mid-market and enterprise HR departments, and any disruption to payroll processing carries immediate legal exposure under Fair Work Act obligations. Affected organisations should treat the extended runway as borrowed time, not a stay of execution.

iTnews

Employers Mutual Limited Bets on XDR to Harden Its Cyber Posture

Australian insurer Employers Mutual Limited (EML) has shifted its security operations to an extended detection and response (XDR) architecture, consolidating endpoint, network, and cloud telemetry into a single detection platform augmented by AI. The move is notable given EML's role administering workers' compensation schemes across multiple Australian states — it holds sensitive personal and medical data on a significant portion of the workforce. XDR adoption is accelerating among Australian financial services firms following APRA's CPS 234 enforcement activity, which has pushed boards to demand more visibility across their threat landscape rather than siloed point solutions.

iTnews

Robotaxi Reality Check: The Gap Between Hype and Helmets

TechCrunch's mobility team has published a sober assessment of where the robotaxi industry actually stands versus where it said it would be. Waymo is operational and expanding, but remains a loss-making unit inside Alphabet. Tesla's Cybercab launch has been delayed again. Motional, once a credible contender backed by Hyundai and Aptiv, is in wind-down mode after burning through capital. The broader pattern: the engineering problems proved harder than forecast, the regulatory approval timelines longer, and the unit economics only work at a scale nobody has reached yet. The technology works in controlled conditions; scaling it is an entirely different problem.

TechCrunch

Record Club Wants to Be Letterboxd — But for Your Record Collection

A new app called Record Club is making a serious attempt to fill the gap that music lovers have complained about for years: there's no clean, social equivalent of Letterboxd or Goodreads for albums. The app lets users log what they've listened to, rate albums, write reviews, and follow friends' listening habits — with an interface that is deliberately simpler and more visual than the long-established Rate Your Music. It's a product category with clear demand but a history of failing to reach critical mass. The difference this time may be timing — streaming platforms have stripped social features away, leaving a gap that a standalone app can occupy.

The Verge