npm - @blamejs/exceptd-skills - Versions diffs - 0.15.17 → 0.15.18 - Mend

@blamejs/exceptd-skills 0.15.17 → 0.15.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +4 -0
package/data/_indexes/_meta.json +5 -5
package/data/attack-techniques.json +7 -7
package/data/cve-catalog.json +112 -42
package/data/zeroday-lessons.json +253 -92
package/manifest.json +44 -44
package/package.json +1 -1
package/sbom.cdx.json +18 -18

package/data/zeroday-lessons.json CHANGED Viewed

@@ -11942,35 +11942,58 @@
   },
   "CVE-2026-21385": {
     "name": "Qualcomm Multiple Chipsets Memory Corruption Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation. ",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an integer-overflow memory-corruption flaw (CWE-190) in Qualcomm chipset firmware/driver code, exploited by a local foothold to escalate privileges on the device. CISA KEV-listed 2026-03-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2022-20775": {
     "name": "Cisco SD-WAN Path Traversal Vulnerability",
@@ -13316,35 +13339,58 @@
   },
   "CVE-2018-14634": {
     "name": "Linux Kernel Integer Overflow Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an integer-overflow flaw (CWE-190) in the Linux kernel create_elf_tables() path ('Mutagen Astronomy'), exploited by a local user via a crafted SUID binary to gain root. CISA KEV-listed 2026-01-26 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-52691": {
     "name": "SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability",
@@ -15774,35 +15820,58 @@
   },
   "CVE-2021-22555": {
     "name": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a heap out-of-bounds write (CWE-787) in the Linux kernel netfilter x_tables, exploited by a local user (with user-namespace access) to gain root. CISA KEV-listed 2025-10-06 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2010-3962": {
     "name": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
@@ -18515,35 +18584,58 @@
   },
   "CVE-2023-0386": {
     "name": "Linux Kernel Improper Ownership Management Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Linux Kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an improper-ownership-management flaw (CWE-282) in the Linux kernel OverlayFS, exploited by a local user to copy a SUID file across mounts and gain root. CISA KEV-listed 2025-06-17 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the distribution kernel update (or live-patch via kpatch/livepatch); enable kernel hardening (lockdown, restricting unprivileged user namespaces where the flaw requires them) to shrink the LPE surface.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "EDR/auditd telemetry for the LPE primitive (kernel crashes, unexpected SUID/namespace activity) and unprivileged-to-root transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the kernel update across the estate; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Linux kernel is ubiquitous; audited organizations gate kernel patches behind change windows or reboot-avoidance, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2023-33538": {
     "name": "TP-Link Multiple Routers Command Injection Vulnerability",
@@ -18817,99 +18909,168 @@
   },
   "CVE-2025-21479": {
     "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver, allowing unauthorized GPU command execution that corrupts memory to escalate privilege (exploited in the wild in Android targeted chains). CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-21480": {
-    "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability",
-    "lesson_date": "2026-05-18",
+    "name": "Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability (variant: CVE-2025-21480)",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain an incorrect authorization vulnerability. This vulnerability allows for memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "an incorrect-authorization flaw (CWE-863) in the Qualcomm Adreno GPU driver (a related variant), allowing unauthorized GPU command execution that corrupts memory to escalate privilege (exploited in the wild in Android targeted chains). CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2025-27038": {
     "name": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
-    "lesson_date": "2026-05-18",
+    "lesson_date": "2026-05-29",
     "attack_vector": {
-      "description": "Multiple Qualcomm chipsets contain a use-after-free vulnerability. This vulnerability allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.",
-      "privileges_required": "network attacker (no authentication required)",
-      "complexity": "moderate (bulk-import default)",
-      "ai_factor": "Bulk-imported — AI-discovery provenance not surfaced in KEV. Detection method that surfaces this class: ADVISORIES_SOURCE (12 primary-source feeds) + CISA-KEV poller. Refine when researcher writeup publishes."
+      "description": "a use-after-free (CWE-416) in the Qualcomm Adreno GPU driver, exploited by a local foothold to escalate privilege on the device. CISA KEV-listed 2025-06-03 with confirmed in-the-wild exploitation; LPEs of this class are routinely paired with an initial-access primitive.",
+      "privileges_required": "low (any local foothold — an unprivileged app or process on the device/host)",
+      "complexity": "low — KEV-listed, actively exploited; treat as weaponized",
+      "ai_factor": "No AI involvement documented in discovery or weaponization."
+    },
+    "defense_chain": {
+      "prevention": {
+        "what_would_have_worked": "Apply the Qualcomm chipset fix via the device's Android Security Bulletin OTA update; on managed mobile fleets enforce update SLAs via MDM. SELinux/seccomp confinement limits but does not remove the GPU-driver LPE.",
+        "was_this_required": true,
+        "framework_requiring_it": "CISA BOD 22-01 (KEV remediation)",
+        "adequacy": "Patch is definitive; the gap is the chain (initial access → unpatched LPE → root) which a patched device shuts down. Hardening/confinement backstops unpatched estates."
+      },
+      "detection": {
+        "what_would_have_worked": "Mobile-threat-defense telemetry for the LPE primitive (GPU-driver crashes, anomalous GPU command submission) and unprivileged-to-elevated transitions without a legitimate trigger.",
+        "was_this_required": false,
+        "framework_requiring_it": null,
+        "adequacy": "Backstops unpatched devices; LPE is typically silent without endpoint coverage."
+      },
+      "response": {
+        "what_would_have_worked": "Force the OTA update across the mobile fleet; for confirmed exploitation treat the device/host as compromised, isolate, preserve forensic state, and review for credential theft and follow-on payloads.",
+        "was_this_required": true,
+        "framework_requiring_it": "NIST 800-53 IR-4",
+        "adequacy": "Mandatory; root/kernel-level exploitation makes the host an unreliable platform and warrants rebuild."
+      }
     },
     "framework_coverage": {
       "NIST-800-53-SI-2": {
         "covered": true,
         "adequate": false,
-        "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
+        "gap": "The 30-day flaw-remediation SLA is far longer than the observed exploitation window for a KEV-listed kernel/driver LPE; these are paired with an initial-access primitive and elevate to root within hours of a foothold."
       },
       "ISO-27001-2022-A.8.8": {
         "covered": true,
         "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
+        "gap": "'Appropriate timescales' is undefined; the standard reading is unsafe for an actively-exploited kernel/driver LPE, and the long tail of unpatched mobile/server estates keeps these exploitable for years."
+      },
+      "AU-ISM-1546": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Essential 8 patch-applications (operating systems, 48h at ML3) is the right tier, but the load-bearing controls are kernel/driver hardening and a timely vendor patch cadence — Android Security Bulletin OTA updates for the mobile-chipset entries, distribution kernel updates or live-patching for the Linux entries — none of which the framework names explicitly."
       }
     },
     "compliance_exposure_score": {
-      "percent_audit_passing_orgs_still_exposed": 55,
-      "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
+      "percent_audit_passing_orgs_still_exposed": 66,
+      "basis": "Qualcomm chipsets is ubiquitous; audited organizations gate mobile OTA updates behind carrier/OEM cadence and MDM windows, leaving the LPE chain open well past the in-the-wild exploitation window.",
       "theater_pattern": "patch_management"
     },
     "ai_discovered_zeroday": false,
-    "ai_discovery_source": "unknown",
-    "ai_assist_factor": "none",
-    "_auto_imported": true,
-    "_intake_method": "v0.13.17-bulk-cisa-kev-import"
+    "ai_discovery_source": "vendor_research",
+    "ai_assist_factor": "none"
   },
   "CVE-2021-32030": {
     "name": "ASUS Routers Improper Authentication Vulnerability",