Tailwind's analysis of high-impact CVEs and disclosure events we're tracking for our customers.
The May 13 PAN-OS hotfix builds also fix CVE-2026-0300, the actively-exploited May 5 RCE. One install per device closes four CVEs. Why CAS bypass is the one to escalate first, and how to retire the May 5 mitigations in the same change.
Bill Church 
F5's May 2026 QSN ships nineteen High-severity CVEs across BIG-IP, BIG-IQ, BIG-IP Next, and the NGINX portfolio — where the Mythos cadence fits.
Bill Church 
Operational guidance on Dirty Frag — CVE-2026-43284 (IPsec ESP) and CVE-2026-43500 (RxRPC), the second LPE chain in nine days in the same bug class as Copy Fail. Why your Copy Fail mitigation does not cover it, and the three-module modprobe deny to deploy now.
Bill Church 
Operational guidance on CVE-2026-0300, the unauthenticated PAN-OS Authentication Portal RCE under active exploitation. What to check today, what the hotfix calendar actually looks like, and the legacy-naming gotcha keeping ops teams from realizing they're exposed.
Bill Church 
732 bytes of Python is enough to root every major Linux distro shipped since 2017. That is the short version of CVE-2026-31431 ("Copy Fail"), disclosed this week by Theori. Ubuntu, RHEL, Amazon Linux, SUSE, kernels 6.12 through 6.18.
Bill Church 