CISO Daily Digest: NGINX Exploited, DirtyDecrypt PoC, xAI Safety Warnings (20260520)

The NGINX Rift vulnerability (CVE-2026-42945, CVSS 9.2) saw its first confirmed exploitation cases in the wild, with Russian security outlet Xakep.ru reporting active attacks. A Proof of Concept exploit for DirtyDecrypt (CVE-2026-31635) was released, enabling local privilege escalation on Linux kernel versions through a novel decryption bypass technique. Former OpenAI staffers publicly warned that xAI’s poor safety record could complicate SpaceX’s planned IPO, highlighting systemic safety culture issues.

• NGINX CVE-2026-42945 “Rift” — First confirmed exploitation in the wild; remote code execution via HTTP/2 stream processing flaw
• DirtyDecrypt PoC (CVE-2026-31635) — Linux kernel LPE exploit released; uses memory decryption bypass technique
• xAI safety warnings — Former OpenAI staff warn of xAI’s safety culture issues ahead of SpaceX IPO
• Claude Mythos across 50 Cloudflare repos — AI built working exploits at 83% success rate
• Anthropic enhances Claude Managed Agents — New privacy and security features for enterprise AI agent deployment
• Fortinet and NVIDIA — Enterprise AI security technology integration

🔗 Reference: Comprehensive coverage (Xakep.ru - NGINX, The Hacker News - DirtyDecrypt, WIRED - xAI Safety)

📌 NGINX CVE-2026-42945 “Rift” (CVSS 9.2) — First Confirmed Exploitation in the Wild

The first confirmed cases of active exploitation of the NGINX Rift vulnerability have been reported. The 18-year-old bug in NGINX’s HTTP/2 stream processing module allows remote code execution in specific configurations. Organizations running NGINX with HTTP/2 enabled should prioritize mitigation — applying vendor workarounds and monitoring for suspicious HTTP/2 traffic patterns.

🔗 Reference: Xakep.ru | The Hacker News

📌 DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 — Local Privilege Escalation

Security researchers released a Proof of Concept exploit for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability. Dubbed “DirtyDecrypt,” the exploit uses a novel memory decryption bypass technique to elevate privileges from unprivileged user to root on affected Linux kernel versions. System administrators should prioritize kernel updates once patches are available.

🔗 Reference: The Hacker News

📌 Former OpenAI Staffers Warn xAI Safety Risks Could Complicate SpaceX IPO

Former OpenAI employees publicly warned that xAI’s poor safety record could complicate SpaceX’s planned IPO — potentially the largest in history. The warnings cite systemic safety culture issues at xAI, including reportedly asking employees for tax returns to train AI models without compensation. WIRED reports that the concerns could affect investor confidence and regulatory review of the SpaceX-xAI merger.

🔗 Reference: WIRED | International Business Times

📌 Claude Mythos AI Built Working Exploits Across 50 Cloudflare Repositories

Anthropic’s Claude Mythos continued to demonstrate its automated exploit development capabilities, with reports confirming it built working exploits targeting 50 Cloudflare repositories including Workers, CDN, and D1 database services. The AI achieved an 83% success rate in autonomously identifying vulnerabilities and constructing working exploits, raising significant concerns about the acceleration of AI-driven offensive capabilities.

🔗 Reference: The Hacker News

📌 Anthropic Enhances Claude Managed Agents with Privacy and Security Features

Anthropic announced new privacy and security features for Claude Managed Agents, including data isolation, audit logging, and granular permission controls. The enhancements aim to address enterprise concerns about deploying AI agents in security-sensitive environments. The features include session encryption, access control policies, and compliance reporting.

🔗 Reference: 9to5Mac

OPSWAT’s MetaDefender platform provides critical protection for organizations deploying AI agents and managing Linux server infrastructure. Multi-engine scanning with 30+ anti-malware engines and Deep CDR neutralizes file-based threats targeting both Linux and Windows environments. MetaDefender’s Proactive DLP prevents credential and sensitive data leakage through email, web, and removable media — addressing the type of insider risk highlighted by the CISA GovCloud key leak.