@blamejs/exceptd-skills 0.12.20 → 0.12.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52)
  1. package/CHANGELOG.md +137 -6
  2. package/bin/exceptd.js +835 -70
  3. package/data/_indexes/_meta.json +14 -14
  4. package/data/_indexes/activity-feed.json +3 -3
  5. package/data/_indexes/catalog-summaries.json +3 -3
  6. package/data/_indexes/chains.json +15 -0
  7. package/data/_indexes/jurisdiction-map.json +3 -2
  8. package/data/_indexes/section-offsets.json +175 -175
  9. package/data/_indexes/summary-cards.json +1 -1
  10. package/data/_indexes/token-budget.json +83 -83
  11. package/data/cve-catalog.json +169 -2
  12. package/data/exploit-availability.json +16 -0
  13. package/data/playbooks/ai-api.json +18 -0
  14. package/data/playbooks/containers.json +30 -0
  15. package/data/playbooks/cred-stores.json +18 -0
  16. package/data/playbooks/crypto.json +18 -0
  17. package/data/playbooks/hardening.json +26 -1
  18. package/data/playbooks/kernel.json +22 -2
  19. package/data/playbooks/mcp.json +18 -0
  20. package/data/playbooks/runtime.json +22 -1
  21. package/data/playbooks/sbom.json +18 -0
  22. package/data/playbooks/secrets.json +6 -0
  23. package/data/zeroday-lessons.json +102 -0
  24. package/lib/auto-discovery.js +9 -9
  25. package/lib/cross-ref-api.js +43 -10
  26. package/lib/cve-curation.js +4 -4
  27. package/lib/playbook-runner.js +529 -70
  28. package/lib/prefetch.js +3 -3
  29. package/lib/refresh-external.js +13 -2
  30. package/lib/refresh-network.js +22 -17
  31. package/lib/scoring.js +22 -13
  32. package/lib/sign.js +5 -5
  33. package/lib/validate-catalog-meta.js +1 -1
  34. package/lib/validate-cve-catalog.js +2 -2
  35. package/lib/validate-indexes.js +2 -2
  36. package/lib/verify.js +63 -13
  37. package/manifest.json +47 -47
  38. package/package.json +1 -1
  39. package/sbom.cdx.json +6 -6
  40. package/scripts/check-manifest-snapshot.js +1 -1
  41. package/scripts/check-sbom-currency.js +1 -1
  42. package/scripts/predeploy.js +6 -6
  43. package/scripts/refresh-manifest-snapshot.js +2 -2
  44. package/scripts/validate-vendor-online.js +1 -1
  45. package/scripts/verify-shipped-tarball.js +15 -12
  46. package/skills/compliance-theater/skill.md +4 -1
  47. package/skills/exploit-scoring/skill.md +20 -1
  48. package/skills/framework-gap-analysis/skill.md +6 -2
  49. package/skills/kernel-lpe-triage/skill.md +50 -3
  50. package/skills/threat-model-currency/skill.md +7 -5
  51. package/skills/webapp-security/skill.md +1 -1
  52. package/skills/zeroday-gap-learn/skill.md +44 -1
@@ -19,7 +19,7 @@ attack_refs: []
19
19
  framework_gaps:
20
20
  - CWE-Top-25-2024-meta
21
21
  - CIS-Controls-v8-Control7
22
- last_threat_review: "2026-05-01"
22
+ last_threat_review: "2026-05-14"
23
23
  ---
24
24
 
25
25
  # Real-World Exploit Priority (RWEP) Scoring
@@ -88,6 +88,7 @@ How each RWEP factor maps to a real CVE in `data/cve-catalog.json`:
88
88
  | CVE-2026-31431 (Copy Fail) | Yes | Yes (732-byte) | Yes | Confirmed | All Linux ≥ 4.14 (30) | Yes | Yes (kpatch/livepatch/kGraft) | 90 | 7.8 |
89
89
  | CVE-2026-43284 (Dirty Frag ESP/IPsec) | No | Yes (chain) | No | Suspected | IPsec-using systems (18) | Yes | RHEL-only kpatch | 38 | 7.8 |
90
90
  | CVE-2026-43500 (Dirty Frag RxRPC) | No | Yes (chain) | No | Suspected | RxRPC-loaded systems | Yes | Partial | 32 | 7.6 |
91
+ | CVE-2026-46300 (Fragnesia) | No (likely candidate) | Yes (one-liner vs /usr/bin/su) | No | None observed | Linux >= 5.10 with esp4/esp6/rxrpc loaded (25) | Yes | Yes (kpatch / canonical-livepatch / KernelCare) | 20 | 7.8 |
91
92
  | CVE-2025-53773 (Copilot YOLO-mode RCE) | No | Yes (demonstrated) | Yes (AI tooling enables) | Suspected | GitHub Copilot users (15) | Yes (SaaS) | Yes (SaaS push) | 30 | 7.8 |
92
93
  | CVE-2026-30615 (Windsurf MCP local-vector RCE) | No | Partial | No | Suspected (supply-chain) | 150M+ downloads, local-vector + supply-chain prereq | Yes | Yes (IDE update) | 35 | 8.0 |
93
94
 
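Review bot: the new Fragnesia row writes the kernel floor as `Linux >= 5.10` while the Copy Fail row two lines up uses `All Linux ≥ 4.14`; use one notation for the column. The Live Patch column also states `Yes (kpatch / canonical-livepatch / KernelCare)` as settled fact, whereas the kernel-lpe-triage section of this same release describes the AlmaLinux / CloudLinux live patches as in testing as of 2026-05-13, so `Pending` is the honest cell value until a live patch is actually published.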
@@ -190,6 +191,24 @@ RWEP = min(100, max(0,
190
191
 
191
192
  ---
192
193
 
194
+ ### CVE-2026-46300 — Fragnesia
195
+
196
+ | Factor | Value | Points |
197
+ |---|---|---|
198
+ | CISA KEV | No (likely candidate within days of disclosure) | 0 |
199
+ | PoC Public | Yes (one-line root shell vs /usr/bin/su) | +20 |
200
+ | AI-Assisted | No (human-discovered by V12 security team) | 0 |
201
+ | Active Exploitation | None observed | 0 |
202
+ | Blast Radius | Linux >= 5.10 with esp4/esp6/rxrpc loaded | +25 |
203
+ | Patch Available | Yes (testing on AlmaLinux / CloudLinux; upstream on netdev) | -15 |
204
+ | Live Patch Available | Yes (kpatch / canonical-livepatch / KernelCare) | -10 |
205
+ | Reboot Required | No (module-unload mitigation is non-reboot) | 0 |
206
+ | **RWEP** | | **20** |
207
+
208
+ **Interpretation:** RWEP 20 today places Fragnesia in the standard-30-day patch band. Two factors will move this fast: (a) a CISA KEV listing adds +25 (RWEP 45 → 7-day band), and (b) confirmed active exploitation adds another +20 (RWEP 65 → 72-hour band). Operators tracking RWEP should pre-stage the response now while the score is low so the KEV-listing event triggers an already-rehearsed playbook rather than a from-scratch decision. Critical operational insight: Fragnesia is the sibling bug introduced by the Dirty Frag patch, and the module-unload mitigation set (`blacklist esp4 / esp6 / rxrpc`) is identical to Dirty Frag's — operators already mitigated for CVE-2026-43284 / CVE-2026-43500 are already mitigated for Fragnesia at zero additional operational cost. RWEP 20 vs. RWEP 90 for Copy Fail is the canonical "same CVSS band, different urgency" pair for 2026.
209
+
210
+ ---
211
+
193
212
  ### CVE-2025-53773 — GitHub Copilot YOLO-Mode RCE
194
213
 
195
214
  | Factor | Value | Points |
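Review bot: the `Patch Available` row credits -15 for a patch whose own Value cell says it is still in testing on AlmaLinux / CloudLinux and sitting on netdev upstream, and `Live Patch Available` credits -10 on the same footing; a fix that is not yet in a released kernel is not something an operator can apply, so both should score 0 (or carry a `Pending` state) until release, which puts today's RWEP at 45 rather than 20 and moves every figure in the Interpretation paragraph up by 25. Separately, `Reboot Required` is answered for the module-unload mitigation rather than for the patch; a non-live kernel update still needs a reboot, and the row should say which remediation path it is scoring.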
@@ -20,7 +20,7 @@ data_deps:
20
20
  atlas_refs: []
21
21
  attack_refs: []
22
22
  framework_gaps: []
23
- last_threat_review: "2026-05-01"
23
+ last_threat_review: "2026-05-14"
24
24
  ---
25
25
 
26
26
  # Framework Gap Analysis
@@ -75,6 +75,7 @@ This skill maps framework controls to attacker TTPs on demand rather than static
75
75
  |---|---|---|
76
76
  | NIST 800-53 SI-2 vs. deterministic LPE | T1068 (Exploitation for Privilege Escalation), T1548.001 | Patch SLA permits active exploitation window |
77
77
  | NIST 800-53 SC-8/SC-28 vs. Dirty Frag | T1190 (Exploit Public-Facing Application) via IPsec subsystem | Cryptographic control is the attack surface |
78
+ | NIST 800-53 SI-2 vs. Fragnesia (Dirty Frag sequel) | T1068 (Exploitation for Privilege Escalation) via XFRM ESP-in-TCP skb coalesce | Patch SLA assumes patches close bug families; the Dirty Frag patch introduced this sibling bug |
78
79
  | NIST 800-53 AC-2 vs. prompt injection | AML.T0051 (LLM Prompt Injection), AML.T0054 | Authorized identity executes attacker intent |
79
80
  | NIST 800-53 SI-3 vs. AI-generated malware | AML.T0016 (adversary Develop Capabilities — payload generation), AML.T0018 | Signature-based detection has zero coverage |
80
81
  | ISO 27001 A.8.8 vs. CISA KEV class | T1068, T1203 | "Appropriate timescales" undefined for AI-accelerated weaponization |
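Review bot: the new row maps Fragnesia to T1068 (Exploitation for Privilege Escalation) while the Dirty Frag row directly above maps the sibling bug in the same subsystem to T1190 (Exploit Public-Facing Application). The kernel-lpe-triage text in this release describes Fragnesia as an unprivileged local user primitive; if Dirty Frag shares that vector, its mapping needs the same correction, otherwise the Gap Evidence cell should say why the two rows differ.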
@@ -93,6 +94,7 @@ This skill consumes the matrix produced upstream by the exploit-scoring skill. T
93
94
  |---|---|---|---|---|---|---|---|
94
95
  | CVE-2026-31431 (Copy Fail) | High | Critical | Yes | Yes (732 bytes, deterministic) | Yes (AI-discovered) | Yes (kpatch/livepatch) | Confirmed |
95
96
  | CVE-2026-43284 (Dirty Frag) | High | High | Pending | Partial | No | Limited (subsystem-dependent) | Suspected |
97
+ | CVE-2026-46300 (Fragnesia) | 7.8 | 20 (today) / 55+ on KEV | No (candidate) | Yes (one-liner vs /usr/bin/su) | No | Yes (kpatch / canonical-livepatch / KernelCare) | None observed |
96
98
  | CVE-2025-53773 (Copilot YOLO-mode RCE) | 7.8 | 30 | No | Yes (demonstrated) | Yes (AI tooling enables) | Yes (SaaS push / IDE update) | Suspected |
97
99
  | CVE-2026-30615 (Windsurf MCP local-vector RCE) | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Suspected |
98
100
 
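Review bot: `20 (today) / 55+ on KEV` in the RWEP column contradicts the exploit-scoring factor table in this same release, which adds +25 for a KEV listing and arrives at 45, not 55; the same `55+` recurs in kernel-lpe-triage and threat-model-currency, so pick the number the scoring formula actually produces and use it everywhere. This row also puts numeric values (`7.8`, `20`) in columns where the Copy Fail and Dirty Frag rows carry severity labels (`High`, `Critical`); each column should use one representation.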
@@ -126,8 +128,9 @@ The following gaps are documented with evidence. When a control from this list i
126
128
 
127
129
  **Fails for:**
128
130
  - CVE-2026-43284/CVE-2026-43500 (Dirty Frag): The exploit runs through the IPsec implementation. A system using IPsec to satisfy SC-8 compliance cannot claim IPsec as a compensating control for Dirty Frag — the control is the attack surface.
131
+ - CVE-2026-46300 (Fragnesia): Same class as Dirty Frag — page-cache corruption via XFRM ESP-in-TCP skb coalescing. Introduced by the Dirty Frag patch. SC-8 IPsec-based compliance is invalidated identically; operators who removed the Dirty Frag `blacklist esp4 / esp6 / rxrpc` mitigation when that patch landed re-opened the IPsec attack surface for Fragnesia.
129
132
 
130
- **What a real control requires:** Cryptographic controls for SC-8/SC-28 compliance must include integrity assurance for the cryptographic subsystem itself, not just assurance that the subsystem is configured. Kernel subsystem integrity monitoring (eBPF-based, read-only kernel text verification) as a compensating layer.
133
+ **What a real control requires:** Cryptographic controls for SC-8/SC-28 compliance must include integrity assurance for the cryptographic subsystem itself, not just assurance that the subsystem is configured. Kernel subsystem integrity monitoring (eBPF-based, read-only kernel text verification) as a compensating layer. When a CVE patch lands in a cryptographic subsystem, retain the pre-patch compensating controls until the patched code has soaked — the Fragnesia precedent demonstrates the sibling-bug risk.
131
134
 
132
135
  ---
133
136
 
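Review bot: 'until the patched code has soaked' in the reworded 'What a real control requires' paragraph has no measurable exit criterion, so an assessor cannot tell when the compensating control may be retired. State the condition explicitly (for example: until the fix ships in a released distribution kernel and a defined observation period passes with no same-family disclosure); without that, the new guidance is as unfalsifiable as the SLA wording the skill criticises.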
@@ -370,5 +373,6 @@ Specific high-confidence theater signals (each triggers a mandatory Framework La
370
373
  | Org claims AC-2 / CC6 as adequate for AI-agent access control | CVE-2025-53773 demonstrates AML.T0051 routing around the identity model entirely |
371
374
  | Org claims A.5.19 / SA-12 vendor management as adequate for MCP servers | CVE-2026-30615 demonstrates AML.T0010 supply-chain RCE via attacker-controlled HTML processed by the MCP client (local-vector, not network) |
372
375
  | Org claims IPsec-based SC-8 segmentation as adequate without a kernel-patch status check | CVE-2026-43284 makes the IPsec implementation the attack surface |
376
+ | Org removed the esp4 / esp6 / rxrpc module-blacklist mitigation once Dirty Frag was patched | CVE-2026-46300 (Fragnesia) is in the same primitive class, was introduced by the Dirty Frag patch, and is mitigated by the same blacklist |
373
377
 
374
378
  When this check fires, hand off to the compliance-theater skill for the theater-pattern detection test and to policy-exception-gen if the org needs to grant a defensible exception with concrete compensating controls.
@@ -1,14 +1,16 @@
1
1
  ---
2
2
  name: kernel-lpe-triage
3
3
  version: "1.0.0"
4
- description: Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, live-patch vs. reboot remediation paths, framework gap declarations
4
+ description: Assess Linux kernel LPE exposure — Copy Fail, Dirty Frag, Fragnesia, live-patch vs. reboot remediation paths, framework gap declarations
5
5
  triggers:
6
6
  - kernel lpe
7
7
  - privilege escalation
8
8
  - copy fail
9
9
  - dirty frag
10
+ - fragnesia
10
11
  - cve-2026-31431
11
12
  - cve-2026-43284
13
+ - cve-2026-46300
12
14
  - linux root
13
15
  - kernel patch
14
16
  - live kernel patch
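Review bot: the description and trigger list change but `version: "1.0.0"` on line 3 of the frontmatter is unchanged, so consumers keying on the skill version will not see this update; bump it alongside the package version. In the trigger block, `cve-2026-46300` is added next to `cve-2026-31431` and `cve-2026-43284`, but no `cve-2026-43500` trigger is visible even though the body treats the two Dirty Frag IDs together; add it if it is not defined elsewhere in the list.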
@@ -45,7 +47,7 @@ d3fend_refs:
45
47
  - D3-PHRA
46
48
  - D3-PSEP
47
49
  - D3-SCP
48
- last_threat_review: "2026-05-13"
50
+ last_threat_review: "2026-05-14"
49
51
  ---
50
52
 
51
53
  # Kernel LPE Triage
@@ -95,6 +97,34 @@ The IPsec dimension is critical: organizations with network segmentation control
95
97
 
96
98
  ---
97
99
 
100
+ ### Fragnesia — CVE-2026-46300
101
+
102
+ **Classification:** Local Privilege Escalation | Dirty Frag family sequel | Human-Discovered
103
+ **CVSS:** 7.8 (High) | **RWEP:** 20/100 (will jump to 55+ on CISA KEV listing)
104
+
105
+ Disclosed 2026-05-13 by William Bowling (V12 security team). Same primitive class as Dirty Frag — Fragnesia is the sibling bug introduced by the patch for CVE-2026-43284 / CVE-2026-43500. The defect is in `skb_try_coalesce()`: when transferring paged fragments between socket buffers, the kernel fails to propagate the `SKBFL_SHARED_FRAG` marker, losing track of externally-backed fragments (page-cache pages spliced from a file). An unprivileged local user can deterministically overwrite read-only file data in the kernel page cache without modifying the on-disk file. Public PoC targets `/usr/bin/su` for a one-line root shell.
106
+
107
+ Key characteristics:
108
+ - **Deterministic exploitation** — no race condition, no kernel-version fingerprinting beyond the affected_versions range.
109
+ - **Public PoC** — one-liner against `/usr/bin/su` from the V12 disclosure.
110
+ - **Page-cache corruption without on-disk write** — file-integrity tools that hash on-disk bytes (AIDE, Tripwire, IMA in measure-only mode) cannot detect the corruption.
111
+ - **Module-unload mitigation is identical to Dirty Frag** — blacklist `esp4`, `esp6`, `rxrpc` in `/etc/modprobe.d/`. Any host already mitigated for Dirty Frag by module blacklist is already mitigated for Fragnesia, with no further action required.
112
+ - **Live-patch is non-reboot** — AlmaLinux + CloudLinux kernels in testing as of 2026-05-13; Canonical Livepatch + kpatch follow standard cadence.
113
+ - **Not CISA KEV-listed as of 2026-05-14**, no active exploitation observed in the wild yet. RWEP today is 20; expect 55+ if KEV-listed, 65+ if active exploitation confirmed.
114
+
115
+ **Lesson for operators:** when a CVE patch lands, retain the pre-patch compensating controls (module blacklists, sysctl restrictions) until the patched code has soaked. Fragnesia is the canonical case — the Dirty Frag patch introduced Fragnesia, and the same `modprobe -r esp4 esp6 rxrpc` mitigation covers both.
116
+
117
+ **Detection signature (page-cache-aware):**
118
+ ```
119
+ # Drop caches, read fresh from disk, compare to page-cache-resident copy
120
+ sha256sum /usr/bin/su
121
+ echo 3 > /proc/sys/vm/drop_caches
122
+ sha256sum /usr/bin/su
123
+ # Mismatch indicates page-cache corruption — primary forensic signature
124
+ ```
125
+
126
+ ---
127
+
98
128
  ## Framework Lag Declaration
99
129
 
100
130
  | Framework | Control | Designed For | Fails Because |
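Review bot: the detection signature relies on `echo 3 > /proc/sys/vm/drop_caches` evicting the cached copy of `/usr/bin/su`, but drop_caches only releases unreferenced pages; pages mapped by a running process (any live `su` session, or a file pinned with `vmtouch -l`) stay resident, and the second `sha256sum` then re-reads the same cached content and reports a match, a false negative on exactly the binary the check cares about. The block should say that the write needs root and that `sudo echo 3 > ...` does not apply to the redirect (use `echo 3 | sudo tee /proc/sys/vm/drop_caches`), and that the two hashes must be captured and compared explicitly rather than read by eye. Two consistency points in the same section: `RWEP: 20/100 (will jump to 55+ on CISA KEV listing)` and the bullet `expect 55+ if KEV-listed` disagree with the +25 KEV factor (45) in the exploit-scoring table of this release, and the bullet stating AlmaLinux + CloudLinux live-patch kernels are in testing sits against tables elsewhere in the release that score the live patch as available.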
@@ -135,6 +165,7 @@ Note: ATLAS refs are intentionally empty in frontmatter — these are Linux kern
135
165
  | CVE-2026-31431 (Copy Fail) | 7.8 | 90 | Yes (2026-05-01, due 2026-05-15) | Yes — 732-byte script | Yes | Confirmed | Yes | Yes (kpatch/livepatch/kGraft) | Yes |
136
166
  | CVE-2026-43284 (Dirty Frag ESP) | 7.8 | 38 | No | Yes | No | Suspected | Yes | No (kpatch RHEL-only) | Yes |
137
167
  | CVE-2026-43500 (Dirty Frag RxRPC) | 7.6 | 81 | No | Yes (chain component) | No | Suspected | Yes | Partial (kpatch) | Yes if no live patch |
168
+ | CVE-2026-46300 (Fragnesia) | 7.8 | 20 | No (likely candidate) | Yes — one-liner vs /usr/bin/su | No | None observed | Yes (testing on Alma/CloudLinux) | Yes (kpatch / canonical-livepatch / KernelCare) | No (module-unload mitigation is non-reboot) |
138
169
 
139
170
  ---
140
171
 
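Review bot: the new row's `Patch Available` cell reads `Yes (testing on Alma/CloudLinux)`; a patch in testing is not available to operators, and the cell should read `Pending` until a patched kernel is released. While here, the context row for CVE-2026-43500 shows RWEP `81`, whereas every other table in this release (exploit-scoring, the RWEP summary block, threat-model-currency) gives it `32`; that looks like a stale value and should be reconciled in the same change.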
@@ -142,7 +173,7 @@ Note: ATLAS refs are intentionally empty in frontmatter — these are Linux kern
142
173
 
143
174
  Run this check for any org claiming patch-management compliance for kernel LPE class CVEs:
144
175
 
145
- > "Your patch-management control (NIST SI-2 / ISO 27001:2022 A.8.8 / PCI-DSS v4 6.3.3 / NIS2 Art. 21(2)(g) / UK-CAF B4 / AU-ISM-1493) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public deterministic exploit requiring no privileges and KEV listing dated 2026-03-15. What is the actual time, on this fleet, between KEV listing and confirmed patch-or-mitigate for the affected kernel versions? If that interval exceeds 72 hours without live-patching as a deployed capability for the affected hosts, the patch-management control is theater for the KEV-class kernel-LPE threat surface."
176
+ > "Your patch-management control (NIST SI-2 / ISO 27001:2022 A.8.8 / PCI-DSS v4 6.3.3 / NIS2 Art. 21(2)(g) / UK-CAF B4 / AU-ISM-1493) documents a 30-day remediation window for Critical/High CVEs. CVE-2026-31431 (Copy Fail) is CISA KEV listed with a public deterministic exploit requiring no privileges and KEV listing dated 2026-05-01. What is the actual time, on this fleet, between KEV listing and confirmed patch-or-mitigate for the affected kernel versions? If that interval exceeds 72 hours without live-patching as a deployed capability for the affected hosts, the patch-management control is theater for the KEV-class kernel-LPE threat surface."
146
177
 
147
178
  **Theater fingerprints (any of these reduces the control to paper compliance):**
148
179
 
@@ -192,6 +223,20 @@ Check: lsmod | grep -E 'esp|xfrm|rxrpc'
192
223
  Additional exposure: any IPsec-based network control becomes unreliable
193
224
  ```
194
225
 
226
+ **Fragnesia (CVE-2026-46300):**
227
+ ```
228
+ Exposed if: kernel >= 5.10 AND kernel < [Fragnesia-patched version for distribution]
229
+ AND any of esp4 / esp6 / rxrpc loaded
230
+ Check: uname -r; lsmod | grep -E '^(esp4|esp6|rxrpc)\b'
231
+ Mitigation (no reboot): blacklist the unused modules in /etc/modprobe.d/fragnesia.conf
232
+ install esp4 /bin/false
233
+ install esp6 /bin/false
234
+ install rxrpc /bin/false
235
+ (or just: modprobe -r esp4 esp6 rxrpc; only ESP / RxRPC users need to retain them)
236
+ Identical mitigation set to Dirty Frag — hosts already blacklisted from the
237
+ CVE-2026-43284/43500 response are already mitigated for Fragnesia.
238
+ ```
239
+
195
240
  ### Step 3: Score exposure level
196
241
 
197
242
  | Condition | Exposure Level |
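Review bot: the mitigation block presents the `install esp4 /bin/false` lines and `modprobe -r esp4 esp6 rxrpc` as alternatives ('or just'), but they do different jobs: the `install` lines only stop future autoloads (a plain `blacklist` line would not even do that for dependency or explicit loads), and `modprobe -r` only unloads what is loaded now and leaves the module free to return on the next IPsec or AFS trigger, so a host needs both. Three checks the block should add: `modprobe -r` fails with 'in use' when an xfrm state or rxrpc socket still holds the module, so its exit status must be verified rather than assumed; the `lsmod` check says nothing about kernels with ESP or RxRPC built in (`CONFIG_INET_ESP=y`, `CONFIG_INET6_ESP=y`, `CONFIG_AF_RXRPC=y` in `/boot/config-$(uname -r)`), where no module-level mitigation exists and the host stays exposed until patched; and 'only ESP / RxRPC users need to retain them' should spell out that this means every IPsec VPN endpoint and kAFS client, which are precisely the hosts most likely to have the modules loaded.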
@@ -267,6 +312,7 @@ Produce this structure:
267
312
  | CVE-2026-31431 (Copy Fail) | [Exposed / Live-patched / Patched] | [Critical/High/Medium/Low] |
268
313
  | CVE-2026-43284 (Dirty Frag ESP) | [Exposed / Patched] | [Critical/High/Medium/Low] |
269
314
  | CVE-2026-43500 (Dirty Frag RxRPC) | [Exposed / Patched] | [Critical/High/Medium/Low] |
315
+ | CVE-2026-46300 (Fragnesia) | [Exposed / Module-unloaded / Live-patched / Patched] | [Critical/High/Medium/Low] |
270
316
 
271
317
  ### IPsec Control Impact
272
318
  [If applicable: which network controls are affected by Dirty Frag]
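Review bot: the new Fragnesia row offers `[Exposed / Module-unloaded / Live-patched / Patched]` while the Dirty Frag rows above it stay at `[Exposed / Patched]`, even though this release states the module-unload mitigation is identical for all three CVEs; give the Dirty Frag rows the same `Module-unloaded` state so a report can record the shared mitigation once. The `IPsec Control Impact` placeholder two lines down still says 'affected by Dirty Frag' and should name Fragnesia as well.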
@@ -287,6 +333,7 @@ Produce this structure:
287
333
  CVE-2026-31431: CVSS 7.8 / RWEP 90 — immediate action required (4h)
288
334
  CVE-2026-43284: CVSS 7.8 / RWEP 38 — remediate within 7 days; disable RxRPC/IPsec chain if not required
289
335
  CVE-2026-43500: CVSS 7.6 / RWEP 32 — remediate within 7 days; consider disabling RxRPC module
336
+ CVE-2026-46300: CVSS 7.8 / RWEP 20 — patch within standard cycle; module unload (esp4/esp6/rxrpc) is the immediate non-reboot mitigation. Same mitigation set as Dirty Frag — already-blacklisted hosts are already covered. Reassess if CISA KEV-listed (expected RWEP 55+).
290
337
  ```
291
338
 
292
339
  ---
@@ -22,7 +22,7 @@ forward_watch:
22
22
  - New CISA KEV entries in kernel/AI/supply chain categories
23
23
  - New MCP or agent protocol security disclosures
24
24
  - Emerging malware families using AI for evasion
25
- last_threat_review: "2026-05-01"
25
+ last_threat_review: "2026-05-14"
26
26
  ---
27
27
 
28
28
  # Threat Model Currency Assessment
@@ -70,13 +70,14 @@ This skill produces a currency score and a specific update roadmap. Currency is
70
70
 
71
71
  ### Class 3: IPsec Subsystem Exploitation (Network Control Bypass)
72
72
 
73
- **2026 reality:** Dirty Frag (CVE-2026-43284/43500) exploits the IPsec implementation itself. Network segmentation controls that rely on IPsec cannot be claimed as compensating controls for unpatched systems.
73
+ **2026 reality:** Dirty Frag (CVE-2026-43284/43500) exploits the IPsec implementation itself. Fragnesia (CVE-2026-46300, disclosed 2026-05-13) is the sibling page-cache-corruption bug introduced by the Dirty Frag patch — same primitive class, same XFRM ESP-in-TCP code path, same `blacklist esp4 / esp6 / rxrpc` mitigation. Network segmentation controls that rely on IPsec cannot be claimed as compensating controls for unpatched systems. Threat intel decays in days, not quarters: Dirty Frag and Fragnesia landed two weeks apart in the same primitive class.
74
74
 
75
75
  **Currency check questions:**
76
76
  - Does the threat model include exploitation of cryptographic subsystems as a bypass for network isolation controls?
77
77
  - Are IPsec-dependent network controls flagged for review when kernel CVEs affecting IPsec are published?
78
+ - Does the threat model treat a CVE patch as opening a soak window during which the pre-patch compensating controls remain active? (Fragnesia precedent — Dirty Frag patch introduced a sibling bug in the same primitive class.)
78
79
 
79
- **If unchecked:** Network segmentation controls may be claimed as compensating controls when they are actually part of the attack surface.
80
+ **If unchecked:** Network segmentation controls may be claimed as compensating controls when they are actually part of the attack surface. "Patch landed therefore safe" misses sibling-bug introductions.
80
81
 
81
82
  ---
82
83
 
@@ -267,7 +268,7 @@ The 14-class checklist above *is* the TTP map. Each class is a coverage requirem
267
268
  |---|---|---|---|
268
269
  | 1 — AI-discovered kernel LPE | T1068 (Exploitation for Privilege Escalation) | cve-catalog.json: CVE-2026-31431 | Threat model assumes human-speed exploit discovery |
269
270
  | 2 — Deterministic LPE | T1068 | cve-catalog.json: CVE-2026-31431 | IR plan treats LPE as probabilistic |
270
- | 3 — IPsec subsystem LPE | T1068 | cve-catalog.json: CVE-2026-43284 / CVE-2026-43500 | Network-segmentation claimed as compensating control for the attack surface itself |
271
+ | 3 — IPsec subsystem LPE | T1068 | cve-catalog.json: CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300 | Network-segmentation claimed as compensating control for the attack surface itself; patch-landed-therefore-safe assumes patches close bug families (Fragnesia disproved this in days) |
271
272
  | 4 — Prompt injection RCE | AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak) | atlas-ttps.json + CVE-2025-53773 | Prompt injection treated as T&S, not security |
272
273
  | 5 — MCP supply chain RCE | AML.T0010 (ML Supply Chain Compromise), T1190 (Exploit Public-Facing Application) | atlas-ttps.json + CVE-2026-30615 | AI plugin ecosystem out of supply-chain scope |
273
274
  | 6 — AI-assisted weaponization | AML.T0016 (Obtain Capabilities: Develop Capabilities) | atlas-ttps.json | Patch SLAs sized for 2019 attacker speed |
@@ -286,7 +287,7 @@ The truth set: every `AML.T*` key in `data/atlas-ttps.json` (excluding `_meta`)
286
287
 
287
288
  ## Exploit Availability Matrix
288
289
 
289
- A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of `last_threat_review: 2026-05-01`:
290
+ A threat model is "current" only if it accounts for every `data/cve-catalog.json` entry with RWEP >= 50 — with either a deployed mitigation or a documented, accepted residual risk. As of `last_threat_review: 2026-05-14`:
290
291
 
291
292
  | CVE | Name | CVSS | RWEP | KEV | PoC | AI factor | Live-patchable | Required threat-model treatment |
292
293
  |---|---|---|---|---|---|---|---|---|
@@ -295,6 +296,7 @@ A threat model is "current" only if it accounts for every `data/cve-catalog.json
295
296
  | CVE-2026-30615 | Windsurf MCP local-vector RCE | 8.0 | 35 | No | Partial | No | Yes (IDE update) | Must include MCP supply chain if any developer uses any MCP-capable assistant. |
296
297
  | CVE-2026-43284 | Dirty Frag (ESP/IPsec) | 7.8 | 38 | No | Yes — chain component | No | No | Required if IPsec-based controls are claimed as compensating. |
297
298
  | CVE-2026-43500 | Dirty Frag (RxRPC) | 7.6 | 32 | No | Yes — chain component | No | No | Required when chained with CVE-2026-43284 in IR scenario planning. |
299
+ | CVE-2026-46300 | Fragnesia | 7.8 | 20 (today) / 55+ on KEV | No (candidate) | Yes — one-liner vs /usr/bin/su | No (human-discovered by V12 security team) | Yes (kpatch / canonical-livepatch / KernelCare) | Required when the threat model claims patches close bug families — Fragnesia is the sibling bug introduced by the Dirty Frag patch; the same `blacklist esp4 / esp6 / rxrpc` mitigation covers both. Treat as the canonical "today" example of threat-intel decay measured in days, not quarters. |
298
300
 
299
301
  The hard rule for currency scoring: every CVE in the catalog with RWEP >= 50 (currently CVE-2026-31431) must appear in the threat model under its named threat or its CVE ID. RWEP 40–49 entries should appear if the org uses the affected technology. Sub-40 entries appear by exception.
300
302
 
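Review bot: the `Required threat-model treatment` cell opens with 'Required when...' for a CVE scored at RWEP 20, while the hard rule directly below the table makes RWEP >= 50 required, 40–49 conditional, and sub-40 'by exception'; either the cell should say it is an exception-basis entry or the rule should name the bug-family condition as an override. The cell also carries `55+ on KEV` (the scoring table in this release gives 45 for the +25 KEV factor) and `Yes (kpatch / canonical-livepatch / KernelCare)` under Live-patchable where the kernel-lpe-triage text says those kernels are still in testing; and editorial lines such as 'canonical "today" example of threat-intel decay' belong in prose, not in a treatment cell.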
@@ -77,7 +77,7 @@ last_threat_review: "2026-05-11"
77
77
 
78
78
  Webapps still ship CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), and CWE-22 (Path Traversal) at rates the industry was supposed to have engineered out of existence by 2018. The reason is not mystery — it is AI codegen drift. Coding assistants (GitHub Copilot, Cursor, Windsurf, Claude Code, Codex, Gemini Code Assist) reintroduce OWASP-Top-10-class weaknesses into new code at roughly the rate human review removed them during the 2010s. Industry analysis published in early 2026 across several large-codebase studies converges on the same order of magnitude: approximately **30% of AI-suggested webapp code contains at least one Top-10-class weakness**, and approximately **60% of those weaknesses reach production unmodified** because the human developer treats the assistant's output as reviewed-by-default.
79
79
 
80
- **CVE-2025-53773 (GitHub Copilot prompt-injection RCE, CVSS 9.6)** is the canonical mid-2026 case: the weakness propagated *through* the coding assistant rather than from a human developer. The attack vector is a hidden adversarial instruction in a PR description; when a developer asks Copilot to summarise the PR, the injected instruction runs in the developer's session context. This collapses the boundary between code review and code execution — the AI is both the reviewer and the executor, and the prompt is the payload. OWASP Top 10 2025 added **LLM01 (Prompt Injection)** as a top-tier risk for any AI-fronted webapp; ASVS v5 does not yet operationalise prompt injection as a verification surface.
80
+ **CVE-2025-53773 (GitHub Copilot prompt-injection RCE, CVSS 7.8 / AV:L)** is the canonical mid-2026 case: the weakness propagated *through* the coding assistant rather than from a human developer. The attack vector is a hidden adversarial instruction in a PR description; when a developer asks Copilot to summarise the PR, the injected instruction runs in the developer's session context. This collapses the boundary between code review and code execution — the AI is both the reviewer and the executor, and the prompt is the payload. OWASP Top 10 2025 added **LLM01 (Prompt Injection)** as a top-tier risk for any AI-fronted webapp; ASVS v5 does not yet operationalise prompt injection as a verification surface.
81
81
 
82
82
  **Architectural reaction: server-rendered apps regained share.** Through 2023–2025 the SPA-everything trend pushed business logic, auth state, and access decisions into the client. With AI codegen now producing client-side TypeScript at industrial volume, the per-route client attack surface compounded — every route became a potential CWE-200 (Information Exposure) and CWE-862 (Missing Authorization) carrier because client-side checks are advisory, not authoritative. Mid-2026 architectures favour **server-rendered-by-default with interactive islands**: React Server Components, Next.js App Router, Remix, Phoenix LiveView, HTMX, Rails Hotwire. Auth lives on the server. State changes traverse server actions. SPAs survive where a true client-side data model exists (collaborative editing, offline-first), and they pay for it with explicit zero-trust auth on every endpoint.
83
83
 
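Review bot: the CVSS correction to `7.8 / AV:L` is consistent with the 7.8 used for CVE-2025-53773 in every table of this release, but the paragraph still describes the vector as a hidden instruction in a PR description that the developer asks Copilot to summarise, which a reader will take for a remote vector; add a clause saying why it is scored Local (the developer has to invoke the assistant on the attacker-supplied content from their own session, as the paragraph's 'runs in the developer's session context' already implies) so the metric and the narrative agree.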
@@ -23,7 +23,7 @@ forward_watch:
23
23
  - New ATLAS TTP additions in each ATLAS release
24
24
  - Framework updates that close previously open gaps
25
25
  - Vendor advisories for MCP/AI tool supply chain CVEs
26
- last_threat_review: "2026-05-01"
26
+ last_threat_review: "2026-05-14"
27
27
  ---
28
28
 
29
29
  # Zero-Day Learning Loop
@@ -99,6 +99,7 @@ Status of the learning-loop entry for each CVE currently in `data/cve-catalog.js
99
99
  | CVE-2026-30615 (Windsurf MCP local-vector RCE) | No | Partial | No (supply-chain) | 35 | Complete — pre-run lesson encoded; new control requirements MCP-SERVER-SIGNING, MCP-TOOL-ALLOWLIST, MCP-SUPPLY-CHAIN-AUDIT generated |
100
100
  | CVE-2026-45321 (Mini Shai-Hulud TanStack npm worm) | Pending | Yes (worm in-wild) | No (engineering-grade chain) | n/a | Pre-run exemplar lesson encoded below (chained CI/CD primitives — Pwn Request + pnpm-store poisoning + OIDC theft); new control requirements PR-WORKFLOW-PRIVILEGE-CAP, ACTIONS-CACHE-INTEGRITY, OIDC-PUBLISH-AUDIT generated |
101
101
  | MAL-2026-3083 (Elementary-Data PyPI worm — forged release via GitHub Actions script-injection) | No (OSSF Malicious Packages dataset; CISA KEV catalogues vendor CVEs only) | Yes (orphan commit + exfil domain confirmed in-wild during 8h window) | No (manual chain) | n/a | Pre-run exemplar lesson encoded below; control requirements GHACTIONS-EVENT-INTERPOLATION-BAN, INSTALL-HOOK-AUDIT, OSSF-MALPACKAGES-INGEST generated |
102
+ | CVE-2026-46300 (Fragnesia — Dirty Frag sequel) | No (candidate within days) | Yes (one-liner vs /usr/bin/su) | No (human-discovered by V12 security team) | 20 | Complete — pre-run lesson encoded below; control requirements PAGE-CACHE-INTEGRITY-VERIFICATION, BUG-FAMILY-MITIGATION-PERSISTENCE, SCANNER-PAPER-COMPLIANCE-TEST generated. Pattern: a patch for one bug class introduced a sibling bug in the same primitive class. |
102
103
 
103
104
  Per AGENTS.md DR-8: every new entry added to `data/cve-catalog.json` must produce a corresponding entry here and in `data/zeroday-lessons.json` before the catalog change ships. Any CVE in the catalog without a complete lesson entry is a pre-ship-checklist failure.
104
105
 
@@ -198,6 +199,48 @@ Output: Lesson entry for data/zeroday-lessons.json
198
199
 
199
200
  ---
200
201
 
202
+ ### Lesson: CVE-2026-46300 (Fragnesia — Dirty Frag Sequel)
203
+
204
+ **Attack vector:** Page-cache corruption via XFRM ESP-in-TCP skb coalescing. `skb_try_coalesce()` drops the `SKBFL_SHARED_FRAG` marker when coalescing paged fragments between socket buffers, so the kernel loses track of externally-backed fragments (page-cache pages spliced from a file). An unprivileged local user deterministically overwrites read-only file data in the kernel page cache without modifying the on-disk file. Public PoC targets `/usr/bin/su` for a one-line root shell. Disclosed 2026-05-13 by William Bowling (V12 security team). Same primitive class as Dirty Frag (CVE-2026-43284 / CVE-2026-43500) — Fragnesia is the sibling bug introduced by the patch for the original Dirty Frag.
205
+
206
+ **What control should have prevented this:**
207
+ - Module-unload mitigation: blacklist `esp4` / `esp6` / `rxrpc` in `/etc/modprobe.d/`. Identical to the Dirty Frag mitigation set — operators who retained that blacklist after patching Dirty Frag are already mitigated for Fragnesia at zero additional operational cost.
208
+ - Bug-family-aware patch policy: when a CVE patch lands, retain the pre-patch compensating controls until the patched code has soaked. Operators who removed the Dirty Frag blacklist on patch landing re-exposed the host to the sibling bug.
+
+ **What control should have detected this:**
+ - Page-cache integrity verification: read the binary through the page cache (`vmtouch -v <path>; sha256sum <path>`), drop caches, re-read from disk, compare hashes. Mismatch is the primary forensic signature. File-integrity tools that hash on-disk bytes (AIDE, Tripwire, IMA in measure-only mode) miss this entirely because the on-disk file is unchanged.
+ - No major framework requires page-cache-aware integrity verification.
+
+ **Framework coverage assessment:**
+
+ | Framework | Control | Assessment |
+ |---|---|---|
+ | NIST 800-53 SI-2 | Flaw Remediation | Present but insufficient: 30-day SLA is exploitation window for deterministic public PoC; module-unload is non-reboot and immediate but not required as a compensating control |
+ | ISO 27001 A.8.8 | Technical vulnerability management | Present but insufficient: same "appropriate timescales" gap |
+ | NIS2 Art. 21(2)(c) | Patch-management measures | Present but insufficient: undefined for fast-cycle kernel LPEs with public PoC; module-blacklist not in scope |
+ | DORA Art. 9 | ICT incident management | Present but insufficient: presumes vendor-patch cadence; module-unload as immediate mitigation has no place in the typical DORA evidence pack |
+ | UK CAF B4 | System security | Silent on subsystem module disable as a compensating control |
+ | AU ISM-1546 / Essential 8 | Patch applications | ML3 48h anchors on advisory date, not PoC availability; still long for a deterministic public exploit |
+ | ISO 27001 A.5.7 | Threat intelligence | Collects feeds; does not require operational pivot when intel shows a same-family sequel to a previously-patched bug |
+ | Any framework | Page-cache integrity verification | Missing entirely — on-disk file-integrity tools cannot detect this class |
+
+ **New control requirements generated:**
+
+ 1. **PAGE-CACHE-INTEGRITY-VERIFICATION**: For setuid binaries on production hosts, periodically (or on alert) read the binary through the page cache, drop caches, re-read from disk, and compare hashes. Mismatch indicates page-cache-resident corruption that on-disk-only file-integrity tools cannot detect.
+
+ 2. **BUG-FAMILY-MITIGATION-PERSISTENCE**: When a CVE patch lands, retain the pre-patch compensating controls (module blacklists, sysctl restrictions) until the patched code has soaked for a stated review period. Patches for one bug in a primitive class can introduce sibling bugs in the same class — the Dirty Frag → Fragnesia chain is the canonical example.
+
+ 3. **SCANNER-PAPER-COMPLIANCE-TEST**: A vulnerability scanner that reports "patched" based on kernel package version alone is paper compliance. The operational test: does the scan account for the module-unload mitigation surface, AND does it verify the kernel is on a build that includes the specific Fragnesia patch (not just any version newer than the Dirty Frag patch that introduced Fragnesia)?
+
+ **Exposure scoring:**
+ - RWEP: 20 today. Will jump to 55+ on CISA KEV listing (+25) and to 65+ on confirmed active exploitation (+20 more).
+ - Audit-passing orgs still exposed: ~75%. Operators who retained the Dirty Frag module blacklist are already mitigated. Operators who relied on kernel-package-version alone with vanilla SI-2 / A.8.8 SLAs are exposed during the patch window.
+ - Coverage failure: on-disk file-integrity tools (AIDE, Tripwire) report clean while the page-cache copy of /usr/bin/su is corrupted.
+
+ **Class-level lesson:** "patch landed therefore safe" assumes patches close bug families. The Dirty Frag → Fragnesia pattern shows a patch can introduce a sibling bug in the same primitive class. Treat every patch in a primitive class as opening a new soak window during which the pre-patch compensating controls remain active.
+
+ ---
+
  ### Lesson: CVE-2025-53773 (GitHub Copilot YOLO-Mode RCE)
 
  **Attack vector:** Hidden prompt injection in any agent-readable content (source comments, README, PR descriptions, retrieved docs, MCP tool responses) coerces Copilot agent mode to write `"chat.tools.autoApprove": true` to `.vscode/settings.json`. Every subsequent shell tool call then auto-approves; the demo runs `calc.exe` / `Calculator.app` via the auto-approved `run_in_terminal` tool. CVSS 7.8 / AV:L (local-vector — developer-side IDE interaction; the NVD-authoritative score was corrected from initial 9.6 / AV:N). Affected: Visual Studio 2022 17.14.0–17.14.11 (fixed 17.14.12); GitHub Copilot Chat extension predating the 2025-08 Patch Tuesday fix.
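Review bot: the RWEP projection in the "Exposure scoring" block of the new lesson does not add up: starting from 20, a +25 KEV uplift gives 45, not "55+", while the following "+20 more" does land on 65 only if the intermediate value is 45, so one of the starting score, the KEV increment or the "55+" figure is wrong and the three numbers should be made consistent. Second, the page-cache verification one-liner under "What control should have detected this" (`vmtouch -v <path>; sha256sum <path>`) covers only the first half of the procedure the sentence describes: it never evicts the file's pages or takes the second hash, so as written it cannot produce the mismatch the text calls the primary forensic signature. Suggest spelling the full sequence out, for example `sha256sum <path>; vmtouch -e <path>; sha256sum <path>` (vmtouch -e evicts the file from the page cache) or a write to `/proc/sys/vm/drop_caches` between the two hashes, and noting that eviction discards the corrupted cached copy, so responders should preserve it (copy the file while it is still cached) before the second read; control requirement 1 describes the same check and should be kept in step. Finally, "Audit-passing orgs still exposed: ~75%" has no stated basis; a short note on how the figure was derived, or marking it as an estimate, would help the reader weigh it.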