npm - @blamejs/exceptd-skills - Versions diffs - 0.15.16 → 0.15.18 - Mend

@blamejs/exceptd-skills 0.15.16 → 0.15.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +8 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +12 -10
package/data/cve-catalog.json +193 -71
package/data/zeroday-lessons.json +434 -158
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -11942,35 +11942,58 @@
   },
   "CVE-2026-21385": {
     "name": "Qualcomm Multiple Chipsets Memory Corruption Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an integer-overflow memory-corruption flaw (CWE-190) in Qualcomm chipset firmware/driver code, exploited by a local foothold to escalate privileges on the device. CISA KEV-listed 2026-03-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2022-20775": {
     "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -12462,35 +12485,58 @@
   },
   "CVE-2026-2441": {
     "name": "Google Chromium CSS Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Google Chromium CSS contains a use-after-free vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in Chromium's CSS handling, exploitable by an attacker-controlled web page for code execution in the renderer. CISA KEV-listed 2026-02-17 with confirmed in-the-wild exploitation; browser zero-days of this class are typically used in targeted-spyware or watering-hole chains.",
+      "privileges_required": "none (the victim's browser renders attacker-controlled web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Allow Chrome's component updater to apply the patched build immediately; enforce forced auto-update via enterprise browser policy and do not gate browser updates behind a managed change window.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Auto-update is definitive and fast; the gap is managed fleets that defer browser updates and high-risk users who should also run hardened/locked-down browsing."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/browser telemetry for renderer/GPU crashes on content render, sandbox-escape behavior, and unexpected child processes spawned by the browser.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet updated; browser exploit chains are stealthy and often zero-click via a malicious page."
+      },
+      "response": {
+        "what_would_have_worked": "Force the browser update across the fleet, isolate exploited endpoints, hunt for follow-on payloads (browser RCE chains drop loaders), and review for credential theft from the browser profile.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser RCE typically leads to profile/credential theft and further-stage payloads that a bare update does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited browser zero-day delivered by a web page; these are weaponized within days and often used in targeted-spyware or watering-hole chains."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited browser RCE, where the safe SLA is same-day Chrome component-updater rollout."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a browser RCE, but the load-bearing controls are forced auto-update via enterprise browser policy and not gating Chrome updates behind a managed change window — neither of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Chrome/Chromium is near-universal on endpoints; audited organizations that disable or defer the component updater behind a managed change window remain exposed for this KEV-listed, actively-exploited flaw despite the fix being available same-day.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2026-1731": {
     "name": "BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability",
@@ -13293,35 +13339,58 @@
   },
   "CVE-2018-14634": {
     "name": "Linux Kernel Integer Overflow Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an integer-overflow flaw (CWE-190) in the Linux kernel create_elf_tables() path ('Mutagen Astronomy'), exploited by a local user via a crafted SUID binary to gain root. CISA KEV-listed 2026-01-26 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-52691": {
     "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -14595,35 +14664,58 @@
   },
   "CVE-2025-13223": {
     "name": "Google Chromium V8 Type Confusion Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a type confusion (CWE-843) in the V8 JavaScript engine, exploitable by an attacker-controlled web page for code execution in the renderer. CISA KEV-listed 2025-11-19 with confirmed in-the-wild exploitation; browser zero-days of this class are typically used in targeted-spyware or watering-hole chains.",
+      "privileges_required": "none (the victim's browser renders attacker-controlled web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Allow Chrome's component updater to apply the patched build immediately; enforce forced auto-update via enterprise browser policy and do not gate browser updates behind a managed change window.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Auto-update is definitive and fast; the gap is managed fleets that defer browser updates and high-risk users who should also run hardened/locked-down browsing."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/browser telemetry for renderer/GPU crashes on content render, sandbox-escape behavior, and unexpected child processes spawned by the browser.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet updated; browser exploit chains are stealthy and often zero-click via a malicious page."
+      },
+      "response": {
+        "what_would_have_worked": "Force the browser update across the fleet, isolate exploited endpoints, hunt for follow-on payloads (browser RCE chains drop loaders), and review for credential theft from the browser profile.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser RCE typically leads to profile/credential theft and further-stage payloads that a bare update does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited browser zero-day delivered by a web page; these are weaponized within days and often used in targeted-spyware or watering-hole chains."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited browser RCE, where the safe SLA is same-day Chrome component-updater rollout."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a browser RCE, but the load-bearing controls are forced auto-update via enterprise browser policy and not gating Chrome updates behind a managed change window — neither of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Chrome/Chromium is near-universal on endpoints; audited organizations that disable or defer the component updater behind a managed change window remain exposed for this KEV-listed, actively-exploited flaw despite the fix being available same-day.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-58034": {
     "name": "Fortinet FortiWeb OS Command Injection Vulnerability",
@@ -15728,35 +15820,58 @@
   },
   "CVE-2021-22555": {
     "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a heap out-of-bounds write (CWE-787) in the Linux kernel netfilter x_tables, exploited by a local user (with user-namespace access) to gain root. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2010-3962": {
     "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -17591,35 +17706,58 @@
   },
   "CVE-2025-6558": {
     "name": "Google Chromium ANGLE and GPU Improper Input Validation Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-input-validation flaw (CWE-20) in ANGLE and the GPU process, exploitable by an attacker-controlled web page to escape the browser sandbox. CISA KEV-listed 2025-07-22 with confirmed in-the-wild exploitation; browser zero-days of this class are typically used in targeted-spyware or watering-hole chains.",
+      "privileges_required": "none for initial code execution; the GPU/ANGLE flaw then escapes the renderer sandbox as a privilege step",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Allow Chrome's component updater to apply the patched build immediately; enforce forced auto-update via enterprise browser policy and do not gate browser updates behind a managed change window.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Auto-update is definitive and fast; the gap is managed fleets that defer browser updates and high-risk users who should also run hardened/locked-down browsing."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/browser telemetry for renderer/GPU crashes on content render, sandbox-escape behavior, and unexpected child processes spawned by the browser.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet updated; browser exploit chains are stealthy and often zero-click via a malicious page."
+      },
+      "response": {
+        "what_would_have_worked": "Force the browser update across the fleet, isolate exploited endpoints, hunt for follow-on payloads (browser RCE chains drop loaders), and review for credential theft from the browser profile.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser RCE typically leads to profile/credential theft and further-stage payloads that a bare update does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited browser zero-day delivered by a web page; these are weaponized within days and often used in targeted-spyware or watering-hole chains."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited browser RCE, where the safe SLA is same-day Chrome component-updater rollout."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a browser RCE, but the load-bearing controls are forced auto-update via enterprise browser policy and not gating Chrome updates behind a managed change window — neither of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Chrome/Chromium is near-universal on endpoints; audited organizations that disable or defer the component updater behind a managed change window remain exposed for this KEV-listed, actively-exploited flaw despite the fix being available same-day.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-54309": {
     "name": " CrushFTP Unprotected Alternate Channel Vulnerability",
@@ -18142,36 +18280,59 @@
     "_intake_method": "v0.13.17-bulk-cisa-kev-import"
   },
   "CVE-2025-6554": {
-    "name": "Google Chromium V8 Type Confusion Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Google Chromium V8 Type Confusion Vulnerability (variant: CVE-2025-6554)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary read/write via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a type confusion (CWE-843) in the V8 JavaScript engine (a variant of the recurring V8 type-confusion class), exploitable by an attacker-controlled web page for code execution in the renderer. CISA KEV-listed 2025-07-02 with confirmed in-the-wild exploitation; browser zero-days of this class are typically used in targeted-spyware or watering-hole chains.",
+      "privileges_required": "none (the victim's browser renders attacker-controlled web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Allow Chrome's component updater to apply the patched build immediately; enforce forced auto-update via enterprise browser policy and do not gate browser updates behind a managed change window.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Auto-update is definitive and fast; the gap is managed fleets that defer browser updates and high-risk users who should also run hardened/locked-down browsing."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/browser telemetry for renderer/GPU crashes on content render, sandbox-escape behavior, and unexpected child processes spawned by the browser.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet updated; browser exploit chains are stealthy and often zero-click via a malicious page."
+      },
+      "response": {
+        "what_would_have_worked": "Force the browser update across the fleet, isolate exploited endpoints, hunt for follow-on payloads (browser RCE chains drop loaders), and review for credential theft from the browser profile.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser RCE typically leads to profile/credential theft and further-stage payloads that a bare update does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited browser zero-day delivered by a web page; these are weaponized within days and often used in targeted-spyware or watering-hole chains."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited browser RCE, where the safe SLA is same-day Chrome component-updater rollout."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a browser RCE, but the load-bearing controls are forced auto-update via enterprise browser policy and not gating Chrome updates behind a managed change window — neither of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Chrome/Chromium is near-universal on endpoints; audited organizations that disable or defer the component updater behind a managed change window remain exposed for this KEV-listed, actively-exploited flaw despite the fix being available same-day.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-48928": {
     "name": "TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability",
@@ -18423,35 +18584,58 @@
   },
   "CVE-2023-0386": {
     "name": "Linux Kernel Improper Ownership Management Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-ownership-management flaw (CWE-282) in the Linux kernel OverlayFS, exploited by a local user to copy a SUID file across mounts and gain root. CISA KEV-listed 2025-06-17 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -18670,131 +18854,223 @@
   },
   "CVE-2025-5419": {
     "name": "Google Chromium V8 Out-of-Bounds Read and Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an out-of-bounds read and write (CWE-125/CWE-787) in the V8 JavaScript engine, exploitable by an attacker-controlled web page for code execution in the renderer. CISA KEV-listed 2025-06-05 with confirmed in-the-wild exploitation; browser zero-days of this class are typically used in targeted-spyware or watering-hole chains.",
+      "privileges_required": "none (the victim's browser renders attacker-controlled web content)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Allow Chrome's component updater to apply the patched build immediately; enforce forced auto-update via enterprise browser policy and do not gate browser updates behind a managed change window.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Auto-update is definitive and fast; the gap is managed fleets that defer browser updates and high-risk users who should also run hardened/locked-down browsing."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/browser telemetry for renderer/GPU crashes on content render, sandbox-escape behavior, and unexpected child processes spawned by the browser.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops endpoints not yet updated; browser exploit chains are stealthy and often zero-click via a malicious page."
+      },
+      "response": {
+        "what_would_have_worked": "Force the browser update across the fleet, isolate exploited endpoints, hunt for follow-on payloads (browser RCE chains drop loaders), and review for credential theft from the browser profile.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; browser RCE typically leads to profile/credential theft and further-stage payloads that a bare update does not remediate."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed, actively-exploited browser zero-day delivered by a web page; these are weaponized within days and often used in targeted-spyware or watering-hole chains."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited browser RCE, where the safe SLA is same-day Chrome component-updater rollout."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (48h at ML3) is the right tier for a browser RCE, but the load-bearing controls are forced auto-update via enterprise browser policy and not gating Chrome updates behind a managed change window — neither of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 60,
+      "basis": "Chrome/Chromium is near-universal on endpoints; audited organizations that disable or defer the component updater behind a managed change window remain exposed for this KEV-listed, actively-exploited flaw despite the fix being available same-day.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-21479": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver, allowing unauthorized GPU command execution that corrupts memory to escalate privilege (exploited in the wild in Android targeted chains). CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-21480": {
-    "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver (a related variant), allowing unauthorized GPU command execution that corrupts memory to escalate privilege (exploited in the wild in Android targeted chains). CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-27038": {
     "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in the Qualcomm Adreno GPU driver, exploited by a local foothold to escalate privilege on the device. CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-32030": {
     "name": "ASUS Routers Improper Authentication Vulnerability",