Januscape (CVE-2026-53359), a 16-year-old use-after-free vulnerability in KVM's shadow MMU, enables guest-to-host escape on systems with nested virtualization enabled. Discovered by researcher Hyunwoo Kim via Google's kvmCTF bug bounty program, the flaw allows root access on the host machine. The vulnerability affects both Intel and AMD processors and has been present since kernel 2.6.36 (August 2010). Patches are available; organizations should update immediately or disable nested virtualization if patching is delayed.
Google Cloud
Google Cloud Platform — IAM, GKE, BigQuery, Cloud Storage.
Recent threats
CVE-2026-2031 is a critical remote code execution vulnerability in Google Cloud Application Integration that combines multiple flaws: exposed internal APIs returning protobuf descriptors, IDOR weaknesses, and an unauthenticated workflow execution endpoint. An attacker could exploit these to execute arbitrary Stubby RPC calls in Google Cloud production with the privileged service identity of the integration platform. Google has patched the vulnerability; the researcher earned $148,337 through Google's Vulnerability Reward Program.
A critical vulnerability in Google Cloud Vertex AI's Python SDK (google-cloud-aiplatform) dubbed 'Pickle in the Middle' enables attackers to hijack machine learning model uploads and achieve cross-tenant remote code execution. The flaw combines predictable bucket naming, bucket squatting, and unsafe deserialization to allow attackers to poison ML artifacts before deployment. Exploitation leads to service account token theft and access to sensitive cloud resources. Google patched the issue in SDK versions 1.144.0 and 1.148.0; users should upgrade immediately and specify explicit staging buckets.
Threat actors are increasingly exploiting Google Cloud Logging and AWS CloudTrail to evade detection and maintain unauthorized visibility into victim environments. Attack techniques include disabling logging, deleting logs, modifying encryption keys to render logs unreadable, log poisoning through S3/Cloud Storage permissions, and redirecting logs to attacker-controlled destinations. While organizations often assume logs are protected, these logging services lack uniform protection enforcement, enabling attackers to blind security monitoring and enable long-term reconnaissance. Defenders are advised to enforce strict access controls on logging APIs, enable log integrity validation and bucket locking, and implement continuous monitoring of logging configuration changes.
Google Chrome versions prior to 149.0.7827.53 on Windows contain CVE-2026-11005, an out-of-bounds read vulnerability in the ANGLE graphics library. The flaw requires prior renderer process compromise but allows attackers to leak sensitive data such as cryptographic keys, authentication tokens, and credentials from adjacent memory regions. Exploitation occurs via crafted HTML pages and affects all vulnerable Windows Chrome installations.
Google released emergency patches on June 9, 2026 for CVE-2026-11645, an out-of-bounds memory access vulnerability in Chrome's V8 JavaScript engine that is actively being exploited in the wild. The flaw enables remote attackers to execute arbitrary code via crafted HTML pages, exposing sensitive data or triggering crashes. This is the fifth exploited Chrome zero-day of 2026.
- Google patches new Chrome zero-day flaw exploited in the wild(opens in a new tab)
- Google fixes fifth actively exploited Chrome zero-day of 2026(opens in a new tab)
- Check Point VPN and Google Chrome Vulnerabilities Under Active E(opens in a new tab)
- Google Patches 5th Chrome Zero-Day Exploited in 2026 - SecurityW(opens in a new tab)
- Google patches Chrome zero-day exploited in the wild (CVE-2026-1(opens in a new tab)
- Google Chrome 0-Day Vulnerability Exploited in Active Attacks(opens in a new tab)
CISA added CVE-2025-48595, an actively exploited Android Framework integer overflow vulnerability, to its Known Exploited Vulnerabilities catalog on June 4, 2026. The flaw enables local privilege escalation through memory corruption, allowing attackers to execute arbitrary code with elevated system access. Federal agencies are required to remediate by June 5, 2026.
- CISA Warns of Android Framework Integer Overflow Vulnerability E(opens in a new tab)
- CISA adds Android and Linux kernel flaws to exploited vulnerabil(opens in a new tab)
- CISA Alerts Users to Actively Exploited Android Framework Securi(opens in a new tab)
- CISA Warns of Active Attacks Exploiting Android and Linux Kernel(opens in a new tab)
- Google Android, Integer Overflow Privilege Escalation, CVE-2025-(opens in a new tab)
Google released June 2026 Android security patches addressing 124 vulnerabilities, including one zero-day flaw actively exploited in targeted attacks.
- Google fixes one actively exploited Android zero-day, 124 flaws(opens in a new tab)
- Android Zero-Day Vulnerability Actively Exploited in Device Take(opens in a new tab)
- CVE-2025-48595 Fixed In Android June 2026 Security Update(opens in a new tab)
- Android Under Siege: Google’s 124-Vulnerability Patch Exposes a (opens in a new tab)
- Google Patches Actively Exploited Android Flaw Affecting Million(opens in a new tab)
- CVE-2025-48595: June 2026 Android Security Update Fixes Framewor(opens in a new tab)
Google Cloud Threat Intelligence (GTIG) published a report describing how attackers are using AI to accelerate vulnerability exploitation and gain initial access to cloud environments, including Google Cloud. GTIG identified the first known zero-day exploit believed to be AI-developed, targeting an open-source web administration tool and intended for a mass exploitation event before being disrupted. The report also documents abuse of exposed Google Cloud API keys to reach Gemini AI endpoints, and tracks a threat cluster designated TeamPCP (UNC6780) targeting AI software dependencies as an initial-access vector with follow-on ransomware activity. Google notes attackers are exploiting newly disclosed vulnerabilities within hours of publication and increasingly focus on APIs, SaaS, developer platforms, and AI services rather than credential theft. Recommended actions include tightening API key hygiene, monitoring AI service account usage, and shortening patch windows.
- Google warns artificial intelligence is accelerating cyberattack(opens in a new tab)
- Google Warns Hackers Are Using AI to Create Working Zero-Day Exp(opens in a new tab)
- Google Detects First AI-Developed Zero-Day Exploit Used by Threa(opens in a new tab)
- What Security Leaders Say About the First AI-Developed Zero-Day (opens in a new tab)
- Google Cloud Uncovers First AI-Made Zero-Day Exploit, Putting CX(opens in a new tab)
- Google confirms hackers used AI to create zero-day exploit bypas(opens in a new tab)