Latest Updates
HTTP/2 Bomb DoS Vulnerability: CVE-2026-49975
Posted by Lee Blakely on 03 June 2026 11:06 AM

Posted: June 3, 2026
Category: Security Advisory
Severity: High for public HTTP/2 endpoints

Reliable Penguin is aware of public reports regarding CVE-2026-49975, also referred to as the HTTP/2 Bomb vulnerability.

This issue may allow a remote attacker to exhaust server memory on affected HTTP/2-enabled web servers, potentially causing service disruption or denial of service. Public reporting indicates that the issue relates to HTTP/2 header compression behavior and may affect multiple web server and proxy implementations, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

Current status

Reliable Penguin is reviewing managed server environments and applying appropriate mitigations.

At this point, no customer action is necessary.

We will provide updates as they become available.

What customers should do

No action is required from Reliable Penguin managed hosting customers at this time.

Customers with questions may open a support request through the Reliable Penguin help desk.

Advanced Custom Fields: Extended WordPress Plugin Vulnerability
Posted by Lee Blakely on 02 June 2026 12:23 AM

Reliable Penguin has reviewed managed WordPress servers for a recently disclosed vulnerability in the Advanced Custom Fields: Extended WordPress plugin, also commonly referred to as ACF Extended or ACFE.

Summary

Wordfence published an advisory for a critical unauthenticated privilege escalation vulnerability in the Advanced Custom Fields: Extended WordPress plugin. The issue affects Advanced Custom Fields: Extended versions up to and including 0.9.2.5 and is patched in version 0.9.2.6. Wordfence assigned the vulnerability a CVSS score of 9.8, which is considered critical.

According to Wordfence, the vulnerability may allow an unauthenticated attacker to escalate privileges by abusing validation handling related to the _acf_post_id parameter. The advisory notes that exploitation depends on site configuration, specifically whether the site exposes a public ACFE frontend form configured with a Create User action that maps a role field.

Reliable Penguin Response

Reliable Penguin used its internal RP Anvil system to review managed servers for WordPress installations running vulnerable Advanced Custom Fields: Extended plugin versions.

As part of this review, RP Anvil scanned managed systems for Advanced Custom Fields: Extended plugin installations and checked installed versions against the vulnerable range identified in the advisory.

At this time:

  • Managed servers have been reviewed.
  • Clients with potentially vulnerable WordPress installations have been notified directly.
  • No client action is required at this point for Reliable Penguin managed systems unless we have contacted you directly.

What Clients Should Do

For Reliable Penguin managed systems, no action is required unless you have received a direct notification from us.

For WordPress sites not managed by Reliable Penguin, site owners should review their installations and update Advanced Custom Fields: Extended to version 0.9.2.6 or newer. Wordfence recommends updating as soon as possible due to the critical nature of this vulnerability.

Site owners should also review any public ACFE frontend forms, especially forms configured to create users or assign user roles.

Questions

If you have questions about this vulnerability or your managed WordPress environment, please contact Reliable Penguin support.

Kirki WordPress Plugin Vulnerability
Posted by Lee Blakely on 02 June 2026 12:14 AM

Reliable Penguin has reviewed managed WordPress servers for a recently disclosed vulnerability in the Kirki WordPress plugin.

Summary

Wordfence published an advisory for a critical unauthenticated privilege escalation vulnerability in the Kirki WordPress plugin. The issue affects Kirki versions 6.0.0 through 6.0.6 and is patched in version 6.0.7. Wordfence assigned the vulnerability a CVSS score of 9.8, which is considered critical.

According to Wordfence, the vulnerability can allow an unauthenticated attacker to take over user accounts, including administrator accounts, by abusing the plugin’s password reset functionality.

Reliable Penguin Response

Reliable Penguin used its internal RP Anvil system to review managed servers for WordPress installations running vulnerable Kirki plugin versions.

As part of this review, RP Anvil scanned managed systems for Kirki plugin installations and checked installed versions against the vulnerable range identified in the advisory.

At this time:

  • Managed servers have been reviewed.
  • Clients with vulnerable WordPress installations have been notified directly.
  • No client action is required at this point for Reliable Penguin managed systems unless we have contacted you directly.

What Clients Should Do

For Reliable Penguin managed systems, no action is required unless you have received a direct notification from us.

For WordPress sites not managed by Reliable Penguin, site owners should review their installations and update Kirki to version 6.0.7 or newer. Wordfence recommends updating as soon as possible due to the critical nature of this vulnerability.
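The two plugin advisories above (Advanced Custom Fields: Extended up to 0.9.2.5, Kirki 6.0.0 through 6.0.6) describe the same check: find each install, read its version, compare against the vulnerable range. The script below is an added example of that check for site owners reviewing their own servers; it is not Reliable Penguin's RP Anvil. It assumes GNU coreutils (sort -V) and the wordpress.org plugin directory slugs acf-extended and kirki.

```shell
#!/bin/sh
# Added example, not Reliable Penguin's RP Anvil: walk the web roots under
# ROOT, read each plugin's "Version:" header and flag versions inside an
# advisory's vulnerable range. Assumes GNU coreutils (sort -V) and the
# wordpress.org directory slugs acf-extended and kirki.

# plugin_version DIR: print the Version header of the plugin in DIR.
# WordPress reads plugin headers from any top-level PHP file, so we take
# the first file that carries one; exit 1 when none does.
plugin_version() {
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    v=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
    [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
  done
  return 1
}

# ver_le A B: exit 0 when dotted version A <= B (e.g. 0.9.2.5 <= 0.9.2.10).
ver_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plugin_vulnerable DIR MIN MAX: exit 0 when the installed version lies in
# [MIN, MAX], 1 when it is outside (patched), 2 when no header was found.
plugin_vulnerable() {
  v=$(plugin_version "$1") || return 2
  ver_le "$2" "$v" && ver_le "$v" "$3"
}

# scan_webroots ROOT SLUG MIN MAX: one line per install found under ROOT:
# VULNERABLE|PATCHED|UNKNOWN <plugin dir> <version>
scan_webroots() {
  find "$1" -type d -path "*/wp-content/plugins/$2" 2>/dev/null |
  while IFS= read -r d; do
    rc=0
    plugin_vulnerable "$d" "$3" "$4" || rc=$?
    case $rc in 0) s=VULNERABLE ;; 2) s=UNKNOWN ;; *) s=PATCHED ;; esac
    printf '%s %s %s\n' "$s" "$d" "$(plugin_version "$d" 2>/dev/null || echo '?')"
  done
}

# Ranges from the two advisories above; the default web root is an assumption.
scan_webroots "${1:-/var/www}" acf-extended 0 0.9.2.5
scan_webroots "${1:-/var/www}" kirki 6.0.0 6.0.6
```

A VULNERABLE line means the version header is inside the advisory range; for ACF Extended it does not tell you whether a public frontend form with a Create User action exists, which still has to be reviewed by hand.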

Questions

If you have questions about this vulnerability or your managed WordPress environment, please contact Reliable Penguin support.

Introducing RP Periscope
Posted by Lee Blakely on 31 May 2026 12:52 AM

Reliable Penguin is introducing RP Periscope, a new security update monitoring system designed to help our team track important software, platform, and vendor security advisories more consistently.

RP Periscope gives Reliable Penguin a centralized way to monitor security information from trusted sources and evaluate whether those updates may affect the systems, websites, and infrastructure we manage for our clients.

Security advisories are often spread across many different vendor sites, mailing lists, release notes, RSS feeds, and technical bulletins. RP Periscope helps bring that information together so our team can review it more efficiently and respond when action may be needed.

What RP Periscope monitors

RP Periscope monitors security-related updates from sources connected to technologies commonly used across Reliable Penguin managed environments, including:

  • Linux distributions such as AlmaLinux and Ubuntu
  • Hosting control panels such as Plesk and cPanel
  • CMS platforms such as WordPress and Drupal
  • WordPress plugins, themes, and related ecosystem advisories
  • Infrastructure software and vendor security bulletins
  • Other relevant security feeds and update sources

How RP Periscope helps

RP Periscope supports Reliable Penguin’s security operations by helping us identify and organize security updates that may require review, follow-up, or client communication.

The system helps our team:

  • Monitor security advisories from multiple trusted sources
  • Identify potentially urgent vulnerabilities
  • Classify alerts by relevance and urgency
  • Improve visibility across managed client environments
  • Support faster internal review and response
  • Communicate more clearly when client action may be required

What this means for Reliable Penguin clients

For clients, there is no action required as part of this announcement. RP Periscope is an internal Reliable Penguin system that strengthens our ability to monitor security developments and respond appropriately.

When a security update, vulnerability, or vendor advisory requires action on a client system, Reliable Penguin will continue to communicate directly through our normal support and account channels.

RP Periscope does not replace regular maintenance, patching, backups, monitoring, or security best practices. Instead, it adds another layer of visibility to help our team stay informed about emerging risks and important updates.

Why we built RP Periscope

Modern websites and hosting environments depend on many different layers of software. Operating systems, control panels, web servers, CMS platforms, plugins, themes, libraries, and vendor tools can all have security updates that matter.

Because these updates come from many different sources, it can be difficult to track everything manually and consistently. RP Periscope was built to help Reliable Penguin centralize this monitoring and make security review more systematic.

By improving how we collect and review security advisories, we can better prioritize issues, reduce noise, and focus attention on updates that may matter most to our clients.

Our goal

RP Periscope reflects Reliable Penguin’s ongoing investment in managed hosting, maintenance, and security operations.

Our goal is simple:

We See Threats. You Stay Secure.

RP Periscope is one more way Reliable Penguin helps clients stay informed, protected, and prepared.

Linux CIFSwitch Vulnerability
Posted by Lee Blakely on 30 May 2026 06:17 PM

A newly disclosed Linux vulnerability nicknamed CIFSwitch may allow a local, unprivileged user to gain root privileges on some Linux systems.

The issue affects the interaction between the Linux kernel’s CIFS/SMB client and the user-space cifs-utils authentication helper. CIFS is commonly used to mount SMB/Windows-style network shares on Linux systems. The vulnerability is most relevant on systems where CIFS/SMB support and cifs-utils are installed, especially where Kerberos/SPNEGO authentication support is present.

What is the vulnerability?

CIFSwitch is a local privilege escalation vulnerability. It does not allow remote exploitation by itself. An attacker generally needs local access to the system first, such as a shell account, compromised web user, compromised container context, or another foothold.

The vulnerability involves forged cifs.spnego key requests. Under vulnerable conditions, an unprivileged user can trigger the normal CIFS authentication workflow and cause the root-run cifs.upcall helper to trust attacker-controlled fields. The public technical analysis describes an exploit chain involving namespace switching and Name Service Switch behavior before privileges are dropped, which can result in root code execution.

Who may be affected?

The vulnerability is not universal: whether a given system is affected depends on its distribution, package versions, and local configuration.

Affected or potentially affected environments include combinations of:

  • A vulnerable Linux kernel
  • cifs-utils, particularly systems where the cifs.upcall helper is present
  • CIFS/SMB client functionality enabled or available
  • Unprivileged user namespaces enabled
  • SELinux, AppArmor, or other local security policies that do not block the exploit path

Public reporting and vendor advisories indicate that this issue can affect multiple Linux distributions depending on package versions, kernel updates, and local security policy.
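The checklist above can be turned into a per-host inventory. The script below is an added example, not Reliable Penguin's automation platform, that reports which of the listed preconditions are present on a host. It assumes the conventional cifs-utils locations (/usr/sbin/cifs.upcall and /etc/request-key.d/cifs.spnego.conf) and the standard sysctl names for user namespaces; the kernel version itself is not checked because the write-up gives no fixed versions, so a full count means "review this host", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not Reliable Penguin's automation: report the local
# preconditions listed in the CIFSwitch write-up for one host. ROOT lets
# the same checks run against a staged directory tree; paths and sysctl
# names are the conventional ones (assumption) and are only inspected.

# cifswitch_preconditions [ROOT]: print one line per precondition found and
# a final "N of 4 preconditions present" summary. Always exits 0.
cifswitch_preconditions() {
  root=${1:-}
  found=0
  # 1. The root-run cifs.upcall helper shipped by cifs-utils.
  if [ -x "$root/usr/sbin/cifs.upcall" ]; then
    echo "present: cifs.upcall helper ($root/usr/sbin/cifs.upcall)"
    found=$((found + 1))
  fi
  # 2. request-key wiring that routes cifs.spnego key requests to that helper.
  if [ -f "$root/etc/request-key.d/cifs.spnego.conf" ]; then
    echo "present: cifs.spnego request-key configuration"
    found=$((found + 1))
  fi
  # 3. CIFS client available: module already loaded, or loadable on the live host.
  if [ -d "$root/sys/module/cifs" ] || { [ -z "$root" ] && modinfo cifs >/dev/null 2>&1; }; then
    echo "present: cifs kernel module"
    found=$((found + 1))
  fi
  # 4. Unprivileged user namespaces. Upstream exposes user.max_user_namespaces;
  #    Debian/Ubuntu kernels add kernel.unprivileged_userns_clone on top.
  userns=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
  clone=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
  if [ "$userns" -gt 0 ] && [ "$clone" -ne 0 ]; then
    echo "present: unprivileged user namespaces enabled"
    found=$((found + 1))
  fi
  echo "$found of 4 preconditions present"
}

# cifswitch_exposed [ROOT]: exit 0 only when all four preconditions are present.
cifswitch_exposed() {
  [ "$(cifswitch_preconditions "$1" | tail -n 1 | cut -d' ' -f1)" -eq 4 ]
}

cifswitch_preconditions "$@"
```

Hosts reporting 4 of 4 are the ones to prioritize for the kernel and cifs-utils updates; removing cifs-utils where shares are never mounted, or disabling unprivileged user namespaces where nothing needs them, each removes one precondition.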

Reliable Penguin response

Using our automation platform, Reliable Penguin has reviewed all servers in our managed fleet for exposure to this vulnerability and has taken appropriate mitigation steps where needed.

At this point, no action is necessary from clients.

If we identify any system-specific concerns that require client involvement, we will contact the affected client directly.
