@blamejs/exceptd-skills 0.15.17 → 0.15.18

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.15.18 — 2026-05-29
+
+Draft-curation pass 16 — non-Windows kernel/driver LPE. Seven CISA KEV-listed local-privilege-escalation CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: Qualcomm Adreno GPU / chipset flaws (CVE-2026-21385 integer overflow, CVE-2025-21479 and CVE-2025-21480 incorrect-authorization GPU flaws used in Android targeted chains, CVE-2025-27038 use-after-free) and Linux kernel flaws (CVE-2018-14634 "Mutagen Astronomy" integer overflow, CVE-2021-22555 netfilter heap out-of-bounds write, CVE-2023-0386 OverlayFS ownership). All map T1068 (Exploitation for Privilege Escalation). The lessons give platform-correct remediation — Android Security Bulletin OTA updates and MDM-enforced SLAs for the chipset entries, distribution kernel updates or live-patching plus kernel hardening for the Linux entries — and frame these as the escalation half of the attack chain.
+
 ## 0.15.17 — 2026-05-29
 
 Draft-curation pass 15 — Chromium browser zero-days. Five CISA KEV-listed Google Chromium client-side CVEs are promoted from auto-imported drafts to fully-curated entries with behavioral IOCs, ATT&CK enrichment, and matching zero-day lessons: V8 JavaScript engine flaws (CVE-2025-13223 and CVE-2025-6554 type confusion, CVE-2025-5419 out-of-bounds read/write), a CSS use-after-free (CVE-2026-2441), and an ANGLE/GPU sandbox escape (CVE-2025-6558). All map T1203 (Exploitation for Client Execution); the sandbox-escape entry also maps T1068. The lessons stress same-day Chrome component-updater rollout — not gating browser updates behind a managed change window — as the load-bearing control, since these are weaponized within days in targeted-spyware and watering-hole chains.

package/data/_indexes/_meta.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.1.0",
-  "generated_at": "2026-05-29T21:56:30.516Z",
+  "generated_at": "2026-05-29T22:14:58.611Z",
   "generator": "scripts/build-indexes.js",
   "source_count": 54,
   "source_hashes": {
-    "manifest.json": "ba250dd43d47c33983c364d62fb14e3e02b7ab9f693bac3fee7999aa532ff0cb",
+    "manifest.json": "175f0a5e81ebf3bbbd46fb769f22bc7fd30488fd7d6711f042277a3506f12b93",
     "data/atlas-ttps.json": "878b4a08bb73c8d20396d85cf433a88f2bc5e7a8cbf7f6ab773ce7ede0a11251",
-    "data/attack-techniques.json": "f3827a7bef7ec2241a50822490c1cfc68228be63e526389219d14416a6be3c0c",
-    "data/cve-catalog.json": "093c774e39e93dc597350df97c556a9204dec1cedce0c22f28fd1bf4506b6fc2",
+    "data/attack-techniques.json": "55986b1d7789325a6c98f80bf7eb376809048a3c4b50614788586560ff8fe26c",
+    "data/cve-catalog.json": "45ecfb7958ef642c8e7b5398463212677ee1ab6791db91320ccf8a27cb384c0c",
     "data/cwe-catalog.json": "0fd275c2a61754958d68cea03a92794a67cf1c1d4d609f81a5728334df013ee3",
     "data/d3fend-catalog.json": "9a54bccb9f24f84b32024216cc3f53819a053721ac8ab43c326859e68fc0ffaf",
     "data/dlp-controls.json": "d2406c482dddd30e49203879999dc4b3a7fd4d0494d6a61d86b91ee76415df19",
@@ -15,7 +15,7 @@
     "data/framework-control-gaps.json": "29e7b6aa841ddf2530ca5971bdb60d7a715684b2f6264141ad49f0de9a039d78",
     "data/global-frameworks.json": "9ba563a85f7f8d6c3c957de64945e20925a89d0ed6ea6fc561cf093811acf558",
     "data/rfc-references.json": "b21d03b948c41bc8a854e2f057948ecf844bd8c105848aeb141d1eadf8192c31",
-    "data/zeroday-lessons.json": "da860282700942b7766778ec499a56011c822206758bc42cd4c20ae12e285d74",
+    "data/zeroday-lessons.json": "55f480045752946919250fef2e090fa556031ee427864e2706725383ec7dc969",
     "skills/kernel-lpe-triage/skill.md": "0f79c641cef6e5f4a942eb94f43c460562bf83dfb67ae112d146c39c6b320fb0",
     "skills/ai-attack-surface/skill.md": "2880499993e0e69e3897a9d02b5e83aa0462c86a4dd2c1988b9968e375704a1f",
     "skills/mcp-agent-trust/skill.md": "0752834acde0303d6d1e36be4b320eac3d34fde715bb8d71f3ad9e801d701482",

package/data/attack-techniques.json

@@ -482,19 +482,25 @@
     "version": "v19",
     "cve_refs": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
+      "CVE-2018-14634",
       "CVE-2020-17103-REREGRESSION-2026",
+      "CVE-2021-22555",
       "CVE-2021-30952",
       "CVE-2021-43226",
+      "CVE-2023-0386",
       "CVE-2023-36424",
       "CVE-2023-41974",
       "CVE-2023-43000",
       "CVE-2024-0769",
       "CVE-2024-8068",
       "CVE-2025-10725",
+      "CVE-2025-21479",
+      "CVE-2025-21480",
       "CVE-2025-22224",
       "CVE-2025-22225",
       "CVE-2025-24201",
       "CVE-2025-24990",
+      "CVE-2025-27038",
       "CVE-2025-31277",
       "CVE-2025-32701",
       "CVE-2025-38352",
@@ -509,6 +515,7 @@
       "CVE-2026-0300",
       "CVE-2026-20122",
       "CVE-2026-20805",
+      "CVE-2026-21385",
       "CVE-2026-31431",
       "CVE-2026-31635",
       "CVE-2026-33825",
@@ -928,7 +935,6 @@
       "CVE-2022-36551",
       "CVE-2022-37055",
       "CVE-2022-40799",
-      "CVE-2023-0386",
       "CVE-2023-21529",
       "CVE-2023-2533",
       "CVE-2023-33538",
@@ -1314,9 +1320,7 @@
       "CVE-2011-3402",
       "CVE-2013-3918",
       "CVE-2014-3931",
-      "CVE-2018-14634",
       "CVE-2020-9715",
-      "CVE-2021-22555",
       "CVE-2021-30952",
       "CVE-2022-48503",
       "CVE-2023-41974",
@@ -1324,10 +1328,7 @@
       "CVE-2025-10585",
       "CVE-2025-13223",
       "CVE-2025-14174",
-      "CVE-2025-21479",
-      "CVE-2025-21480",
       "CVE-2025-24201",
-      "CVE-2025-27038",
       "CVE-2025-31277",
       "CVE-2025-32709",
       "CVE-2025-43200",
@@ -1340,7 +1341,6 @@
       "CVE-2025-6554",
       "CVE-2025-6558",
       "CVE-2026-20700",
-      "CVE-2026-21385",
       "CVE-2026-2441",
       "CVE-2026-25592",
       "CVE-2026-34621",

package/data/cve-catalog.json

@@ -22837,7 +22837,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -22858,7 +22858,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://source.android.com/docs/security/bulletin/2026/2026-03-01",
@@ -22887,11 +22887,21 @@
         "published_date": "2026-03-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-03-03; due date 2026-03-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://source.android.com/docs/security/bulletin/2026/2026-03-01 ; https://nvd.nist.go",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. "
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with integer-overflow memory-corruption flaw (CWE-190) in Qualcomm chipset firmware/driver code, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2026-21385, CISA KEV (added 2026-03-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2022-20775": {
     "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -25983,7 +25993,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -26004,7 +26014,7 @@
     "cwe_refs": [
       "CWE-190"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/about/",
@@ -26036,11 +26046,21 @@
         "published_date": "2026-01-26"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2026-01-26; due date 2026-02-16. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For mor",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with integer-overflow flaw (CWE-190) in the Linux kernel create_elf_tables() path ('Mutagen Astronomy'), often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2018-14634, CISA KEV (added 2026-01-26), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-52691": {
     "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -32139,7 +32159,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -32160,7 +32180,7 @@
     "cwe_refs": [
       "CWE-787"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21",
@@ -32192,11 +32212,21 @@
         "published_date": "2025-10-06"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-10-06; due date 2025-10-27. Notes reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 ; https://git.kernel.org/pub/scm/linux/kernel/git/torvald",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with heap out-of-bounds write (CWE-787) in the Linux kernel netfilter x_tables, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2021-22555, CISA KEV (added 2025-10-06), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2010-3962": {
     "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -38586,7 +38616,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1190"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -38607,7 +38637,7 @@
     "cwe_refs": [
       "CWE-282"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f11ada10d0a",
@@ -38638,11 +38668,21 @@
         "published_date": "2025-06-17"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-17; due date 2025-07-08. Notes reference: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://git.kernel.org/pub/scm/linux/kernel/",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
+    "iocs": {
+      "behavioral": [
+        "Linux kernel at a patch level below the fixed version named in the distribution kernel advisory on a device with any local foothold.",
+        "Kernel crashes or memory-corruption signatures consistent with improper-ownership-management flaw (CWE-282) in the Linux kernel OverlayFS, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining root privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2023-0386, CISA KEV (added 2025-06-17), and the kernel/distribution advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -39383,7 +39423,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39404,7 +39444,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39433,11 +39473,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21479, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-21480": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
@@ -39478,7 +39528,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39499,7 +39549,7 @@
     "cwe_refs": [
       "CWE-863"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39528,11 +39578,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver (a related variant), often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-21480, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2025-27038": {
     "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
@@ -39573,7 +39633,7 @@
     },
     "atlas_refs": [],
     "attack_refs": [
-      "T1203"
+      "T1068"
     ],
     "rwep_score": 77,
     "rwep_factors": {
@@ -39594,7 +39654,7 @@
     "cwe_refs": [
       "CWE-416"
     ],
-    "source_verified": "2026-05-18",
+    "source_verified": "2026-05-29",
     "verification_sources": [
       "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
       "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html",
@@ -39623,11 +39683,21 @@
         "published_date": "2025-06-03"
       }
     ],
-    "last_updated": "2026-05-18",
+    "last_updated": "2026-05-29",
     "discovery_attribution_note": "Bulk-imported from CISA KEV catalog version 2026.05.15. KEV listing date 2025-06-03; due date 2025-06-24. Notes reference: Please check with specific vendors (OEMs,) for information on patching status. For more information, please see: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.h",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import",
-    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome."
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
+    "iocs": {
+      "behavioral": [
+        "Qualcomm chipsets at a patch level below the fixed version named in the Qualcomm / Android Security Bulletin advisory on a device with any local foothold.",
+        "GPU-driver crashes or memory-corruption signatures consistent with use-after-free (CWE-416) in the Qualcomm Adreno GPU driver, often shortly after an unprivileged process starts.",
+        "An unprivileged process gaining elevated on-device privilege via the affected component with no corresponding legitimate escalation (KEV-confirmed in-the-wild exploitation; the Adreno GPU flaws were used in Android targeted-spyware chains)."
+      ],
+      "_ioc_source_note": "Anchored to NVD CVE-2025-27038, CISA KEV (added 2025-06-03), and the Qualcomm security bulletin advisory recorded in vendor_advisories."
+    },
+    "_draft": false,
+    "curation_note": "Promoted from KEV-import draft on 2026-05-29: ATT&CK enrichment (T1068 privilege escalation) + IOCs derived from the CWE/product, and a matching zero-day lesson added. CVSS/KEV/vendor_advisories retained from the verified import."
   },
   "CVE-2021-32030": {
     "name": "ASUS Routers Improper Authentication Vulnerability",