The Patch Queue That Matters Most
The Plumb Line
24 hours ending 2026-04-25T12:00:00 UTC
Thirty critical-severity vulnerabilities. That's what the National Vulnerability Database published in a single 24-hour window — every one of them scored 9.1 or higher, and the list includes flaws in Linux kernel memory management, Azure IoT Central, open-source low-code platforms, and the rust-openssl cryptographic bindings that underpin Rust applications across the industry. On the same day, OpenSanctions quietly updated records on Georgian political figures and Russian-denominated securities. No geopolitical headline drove either story. Both are operational facts.
The CVE surge is the dominant signal in this window. The sheer number — 30 critical-rated disclosures in 24 hours, not the usual trickle — most likely reflects a coordinated upstream patch batch rather than a sudden outbreak of discovery, but the operational consequence is identical: your exposure window opened wide at roughly 13:00 UTC Friday and it stays open until your teams have triaged all 30. Several of the Linux kernel entries affect SMB Direct and MPTCP paths that matter for storage and cloud networking. The rust-openssl cluster — at least six separate CVEs under one library, all resolved in version 0.10.78 — is the most concentrated single-library risk in this batch.
The seismic picture is active but unremarkable. A M5.5 southeast of Akutan, Alaska drew a green alert and no tsunami flag at 08:05 UTC, the window's most significant shake. Twenty-four other events scattered from the Kermadec Islands to Greece to Guatemala stayed below M5.0 with no alerts triggered. Nothing in the seismic record demands operational response today.
The Patch Queue That Matters Most
Six CVEs in a single library in a single day is unusual. The rust-openssl disclosures — CVE-2026-41676, CVE-2026-41677, CVE-2026-41678, CVE-2026-41681, CVE-2026-41898, and one more covering PSK and stateless callback trampolines — cover memory corruption, incorrect assertions in AES key unwrapping, improper buffer length validation in digest operations, and unsafe FFI callbacks. All are fixed in rust-openssl 0.10.78. If your supply chain includes any Rust binary that wraps cryptographic operations via this library, 0.10.78 is no longer optional. The version range for several of these bugs extends back to 0.9.0, meaning years of production deployments are potentially in scope. Because the defects sit in the Rust bindings rather than in libssl itself, updating the system OpenSSL package does nothing for them; each affected binary has to be rebuilt against 0.10.78 and redeployed, which is why the lockfile, not the OS package list, is the place to look.
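A quick way to find which checkouts still pin the vulnerable crate is to walk every Cargo.lock and compare the `openssl` entry against the fix level named above. The script below is an added example written for this note, not code from the rust-openssl project; the `MIN_FIXED` table, the sample lockfile and the `audit_tree` layout are constructed for the demonstration, and only the 0.10.78 threshold comes from the advisories.

```python
"""Find Rust lockfiles that still pin the openssl crate below the fixed release."""
import re
from pathlib import Path

# Crate -> first release carrying the fixes. 0.10.78 is the level named in the
# rust-openssl advisories; the table shape is an assumption so that further
# crates can be tracked the same way.
MIN_FIXED = {"openssl": "0.10.78"}

# Constructed Cargo.lock excerpt standing in for a real checkout.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "foreign-types"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl"
version = "0.10.77"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "foreign-types",
 "openssl-sys",
]

[[package]]
name = "openssl-sys"
version = "0.9.109"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_version(v: str) -> tuple:
    """Turn '0.10.78' into a sortable key; a pre-release ('0.10.78-beta.1') sorts before the release."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("+")[0].split("."))
    return (nums, 0, pre) if pre else (nums, 1, "")


def parse_cargo_lock(text: str) -> list:
    """Return (name, version) for each [[package]] entry.

    Cargo writes the lockfile one key per line, so a line-oriented scan of each
    block is enough; no general TOML parser is needed.
    """
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            pkgs.append((name.group(1), version.group(1)))
    return pkgs


def vulnerable_packages(lock_text: str) -> list:
    """Return (crate, pinned_version, min_fixed) for every tracked crate below its fix level."""
    return [
        (name, ver, MIN_FIXED[name])
        for name, ver in parse_cargo_lock(lock_text)
        if name in MIN_FIXED and parse_version(ver) < parse_version(MIN_FIXED[name])
    ]


def audit_tree(root: str) -> dict:
    """Audit every Cargo.lock beneath root; only lockfiles with findings are returned."""
    results = {}
    for lock in Path(root).rglob("Cargo.lock"):
        findings = vulnerable_packages(lock.read_text(encoding="utf-8"))
        if findings:
            results[str(lock)] = findings
    return results


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in audit_tree(root).items():
        for crate, ver, fixed in findings:
            print(f"{path}: {crate} {ver} < {fixed}")
    print("sample lockfile:", vulnerable_packages(SAMPLE_LOCK))
```

Point it at a monorepo root and it reports each lockfile that still resolves `openssl` below 0.10.78. Once a lockfile is flagged, `cargo tree -i openssl` inside that crate shows which dependency pulls the binding in, which is what you need when the fix is a transitive bump rather than a direct one. The check watches the `openssl` crate because that is the version the advisories name; `openssl-sys` is the raw FFI layer and is versioned separately.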
The AWS Ops Wheel flaw (CVE-2026-6911, CVSS 9.8) is a different category of problem: missing JWT signature verification that lets an unauthenticated attacker forge tokens and claim administrative access, including full read-write-delete on all application data. AWS Ops Wheel is an open-source workforce management tool commonly self-hosted. If you're running it, treat this as a complete pre-authentication administrative takeover: anyone who can reach the API can mint whatever identity and role the token format allows, with no credential theft required first.
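The bug class behind that finding is easiest to see with the two decoders side by side. The block below is an added example, not Ops Wheel's code and not a claim about its internals: a decoder that reads claims without checking the signature, a verifying decoder that pins the algorithm and checks the MAC in constant time, and two forgery helpers an attacker would use against the first. The signing key, the claims and the `role` field are constructed for the demonstration.

```python
"""HS256 JWT: verify-before-trust beside the decode-without-verify bug class."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the demo; a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Issue an HS256-signed token the way the legitimate server would."""
    header = _json_b64({"alg": "HS256", "typ": "JWT"})
    body = _json_b64(claims)
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """The bug class: read the claims and never look at the signature."""
    body = token.split(".")[1]
    return json.loads(_b64url_decode(body))


def decode_verified(token: str, key: bytes = SERVER_KEY, now=None) -> dict:
    """Pin the algorithm, check the MAC in constant time, then check expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pinning to the one algorithm we issue with rejects alg=none and key-confusion variants.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes = SERVER_KEY, now=None) -> bool:
    """True only if decode_verified accepts the token."""
    try:
        decode_verified(token, key, now)
        return True
    except (ValueError, KeyError):  # binascii and JSON errors are ValueError subclasses
        return False


def forge_tampered(token: str) -> str:
    """Attacker path 1: edit the claims and keep the original signature."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["role"] = "admin"
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"


def forge_alg_none(token: str) -> str:
    """Attacker path 2: rewrite the header to alg=none and drop the signature."""
    _, body_b64, _ = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["role"] = "admin"
    none_header = _json_b64({"alg": "none", "typ": "JWT"})
    return f"{none_header}.{_json_b64(claims)}."


if __name__ == "__main__":
    legit = issue_token({"sub": "alice", "role": "user", "exp": 2_000_000_000})
    for label, tok in [("tampered", forge_tampered(legit)), ("alg=none", forge_alg_none(legit))]:
        print(label, "unverified role:", decode_unverified(tok)["role"], "| verified accepts:", is_valid(tok))
```

Both forgeries sail through `decode_unverified` as `role: admin` and are rejected by `decode_verified`, which is the whole difference between the reported flaw and a correct implementation. The `now` parameter exists so expiry can be tested deterministically; in production leave it at the default.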
BridgeHead FileStore versions prior to 24A (CVE-2026-39920) expose an Apache Axis2 administration module on network-accessible endpoints with default credentials. Remote attackers can execute arbitrary OS commands without authentication. Healthcare and enterprise backup environments that haven't updated since early 2024 should treat this as trivially exploitable until patched: default credentials on an exposed administration console need no exploit development, only network reach.
The Infrastructure Cluster
The Linux kernel batch deserves a closer look for infrastructure operators. The SMB-related double-free bugs (CVE-2026-31608, CVE-2026-31609) affect the kernel's SMB Direct (RDMA) code paths used in high-throughput storage. The MPTCP slab use-after-free (CVE-2026-31669) touches the ehash table in `__inet_lookup_established`, a lockless RCU lookup path, so the bug is a race between socket teardown and a concurrent lookup of the same hash bucket. The seg6 lwtunnel dst_cache sharing bug (CVE-2026-31668) affects IPv6 segment routing, relevant to anyone running SRv6 in a service-provider or datacenter spine.
The Dgraph pair (CVE-2026-41492 and CVE-2026-41328) is worth flagging separately. CVE-2026-41328 gives unauthenticated attackers full read access to every piece of data in the database by default, and CVE-2026-41492 leaks the process command line, including admin tokens, through an unauthenticated `/debug/vars` endpoint. Both are fixed in Dgraph 25.3.3. Running Dgraph below that version with any network exposure is a data breach waiting to happen. Two things follow for anyone who cannot upgrade today: `/debug/vars` is Go's standard expvar handler, and its `cmdline` value has been served for as long as the process has been up, so any token ever passed on the command line should be treated as disclosed and rotated; and the HTTP port should be reachable only from hosts that need it until the upgrade lands.
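Because expvar output is plain JSON, checking your own fleet for the leak is a short script: fetch `/debug/vars` from each alpha's HTTP port, look at `cmdline`, and flag any argument that carries a credential, either inline (`key=value`) or as the value following a credential-named flag. The block below is an added example written for this note, not Dgraph's code; the sample response, the `--security token=` and `--auth-token` spellings and the keyword list are constructed for illustration, so adjust the patterns to the flags your deployment actually uses.

```python
"""Scan a Go expvar document (what /debug/vars returns) for a leaked command line."""
import json
import re

# Credential-looking keys. An assumption for illustration; extend for your flags.
KEY_WORDS = r"(?:token|secret|password|passwd|api[-_]?key|access[-_]?key)"
# key=value or key:value inside one argv entry; the value stops at whitespace, ';' or ','.
INLINE_RE = re.compile(rf"(?i)({KEY_WORDS})\s*[=:]\s*([^\s;,]+)")
# A flag such as --auth-token whose value is the *next* argv entry.
FLAG_RE = re.compile(rf"(?i)^--?[\w-]*({KEY_WORDS})$")

# Constructed sample of an expvar response. Flag names are illustrative, not a
# statement about any particular Dgraph release.
SAMPLE_DEBUG_VARS = json.dumps({
    "cmdline": [
        "dgraph", "alpha",
        "--security", "token=s3cr3t-admin-token;whitelist=10.0.0.0/8",
        "--auth-token", "also-constructed-secret",
        "--zero", "zero:5080",
    ],
    "memstats": {"Alloc": 12345678},
})


def leaked_secrets(debug_vars_json: str) -> list:
    """Return (argv_index, key) for every command-line entry that looks like a credential."""
    doc = json.loads(debug_vars_json)
    cmdline = doc.get("cmdline")
    if not isinstance(cmdline, list):
        return []  # expvar reachable but argv not published
    args = [str(a) for a in cmdline]
    hits = []
    for i, arg in enumerate(args):
        for m in INLINE_RE.finditer(arg):
            hits.append((i, m.group(1).lower()))
        flag = FLAG_RE.match(arg)
        if flag and i + 1 < len(args):
            hits.append((i + 1, flag.group(1).lower()))
    return hits


def redacted_cmdline(debug_vars_json: str) -> str:
    """The command line with secret values masked, safe to paste into a finding."""
    doc = json.loads(debug_vars_json)
    args = [str(a) for a in doc.get("cmdline", [])]
    out = []
    for i, arg in enumerate(args):
        if i > 0 and FLAG_RE.match(args[i - 1]):
            out.append("<redacted>")
        else:
            out.append(INLINE_RE.sub(lambda m: f"{m.group(1)}=<redacted>", arg))
    return " ".join(out)


if __name__ == "__main__":
    import sys

    # Usage: curl -s http://<alpha>:8080/debug/vars | python3 expvar_leak.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG_VARS
    for idx, key in leaked_secrets(data):
        print(f"argv[{idx}] looks like a {key}")
    print(redacted_cmdline(data))
```

Any hit means the value is already public to whoever could reach the port, so the remediation is rotation plus the 25.3.3 upgrade, not just closing the endpoint. The redacted form is what should go into the ticket; the raw `cmdline` should not be copied anywhere else.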
CyberPanel's AI Scanner worker API (CVE-2026-41473, CVSS 9.1) allows unauthenticated remote attackers to write arbitrary data to the database. CyberPanel is widely deployed in shared hosting environments, which amplifies blast radius substantially. Versions prior to 2.4.4 are affected.
The Sanctions Ledger
The OpenSanctions updates are quieter but worth a due-diligence flag. Tea Tsulukiani — a Georgian politician who served as Minister of Justice and later as a senior figure in Georgian Dream — received a sanctions update in this window alongside Viktor Japaridze and three linked Georgian companies including Vitakan-Georgia Ltd and Duta & F Ltd. Seven Russian-denominated structured bond ISINs were also updated in the sanctions dataset, tagged against the Russian National Settlement Depository (NSD) tracking list. None of these appear to be new designations; they are data refreshes that could affect screening matches.
On the U.S. debarment side, six individuals and one entity — Northern Pacific Oil and Gas Incorporated — received SAM.gov exclusion updates. Waleed Fathi Salam Baidhani carries the most serious profile: he appears across OFAC press releases, SAM exclusions, and the consolidated trade screening list simultaneously. Compliance teams running counterparty screens should expect these records to propagate through KYC vendor databases over the next 48–72 hours.
Ground Shaking, Briefly
The Alaska M5.5 is the one event in the seismic batch that could, in theory, affect infrastructure. Akutan Island sits near the eastern Aleutian arc and hosts a major seafood processing facility. The USGS green alert means predicted shaking is below the threshold for significant losses, and no tsunami warning was issued. The M5.2 near Vilyuchinsk, Russia — home to a Pacific Fleet submarine base — sits at 80 km depth, which attenuates surface impact significantly.
Greece saw two events (M4.3 north-northeast of Kentri, M4.4 southeast of Ierapetra on Crete) within the same 24-hour window, both shallow at 10 km depth. Neither triggered alerts, but the clustering is consistent with the ongoing regional seismic sequence in the eastern Mediterranean. No operational implication today.
The Detail That Doesn't Fit a Category
Mehul Ramesh Khatiwala received a U.S. SAM.gov debarment exclusion update in this window. The record contains no elaboration on cause — just the exclusion tag and the U.S. government procurement bar that follows it. In a 24-hour window dominated by software vulnerabilities and sanctions ledger maintenance, one debarred individual's name appearing in a federal exclusion database is the kind of fact that turns up in due diligence reports months later. It's here now.
What We Can't Tell You
1. Whether any of today's CVEs are actively exploited in the wild — CISA's Known Exploited Vulnerabilities catalog had no additions in this window, but KEV lags discovery.
2. What triggered the Georgian sanctions-linked record updates — the OpenSanctions data shows refreshes but not whether they follow a new designation decision by the EU, UK, or U.S.
3. The specific cause of the Yury Nesterenko PEP/sanction record update — he appears across Russian anti-corruption and bribetaker datasets, but no underlying event in this window explains the refresh timing.
By the Numbers
| Metric | Value | Context |
|---|---|---|
| Critical CVEs published (24h) | 30 | All scored ≥ 9.1; 6 in a single library (rust-openssl) |
| Max CVSS score in window | 9.9 | Azure IoT Central (CVE-2026-21515) and Saltcorn SQL injection (CVE-2026-41478) |
| rust-openssl CVEs (single library) | 6 | All fixed in version 0.10.78 |
| Dgraph unauthenticated data exposure | Full DB read | Default configuration, no auth required — fixed in 25.3.3 |
| Seismic events logged | 25 | No tsunami warnings; highest M5.5 near Akutan, Alaska |
| Seismic events triggering any alert | 1 | Green-level alert only; no casualties or tsunami |
| OpenSanctions record updates | 25 | Includes Georgian politicians, Russian bond ISINs, U.S. debarments |
| SAM.gov debarment updates | 7 | Includes one multi-list OFAC/trade/SAM individual |
| Russian bond ISINs refreshed | 7 | NSD tracking list; structured and exchange-traded paper |
Today's wire carried thirty critical CVEs, a cluster of Georgian sanctions-linked entity refreshes, a debarment sweep, and a minor seismic cluster in Alaska and Greece. The truth score on everything you just read is 1.0 — every claim traces back to a primary record on disk. rust-openssl 0.10.78 shipped with the fixes; the only question left is how many Rust binaries in your supply chain still link against 0.10.77 or earlier.
— *The Plumb Line*. Sourced from 80 grounded events across 27 source databases.
Sources
Vulnerability (NVD/CVE)
- nvd_cve/CVE-2026-21515 — Azure IoT Central privilege escalation, CVSS 9.9
- nvd_cve/CVE-2026-41478 — Saltcorn SQL injection, CVSS 9.9
- nvd_cve/CVE-2026-41492 — Dgraph /debug/vars token leak, CVSS 9.8
- nvd_cve/CVE-2026-41328 — Dgraph unauthenticated full DB read, CVSS 9.1
- nvd_cve/CVE-2026-25660 — CodeChecker authentication bypass, CVSS 9.8
- nvd_cve/CVE-2026-41678 — rust-openssl AES unwrap assertion, CVSS 9.8
- nvd_cve/CVE-2026-41676 — rust-openssl EVP_PKEY_derive buffer, CVSS 9.8
- nvd_cve/CVE-2026-41677 — rust-openssl PEM callback length, CVSS 9.1
- nvd_cve/CVE-2026-41681 — rust-openssl EVP_DigestFinal OOB write, CVSS 9.8
- nvd_cve/CVE-2026-41898 — rust-openssl FFI trampolines, CVSS 9.8
- nvd_cve/CVE-2026-6911 — AWS Ops Wheel JWT forgery, CVSS 9.8
- nvd_cve/CVE-2026-39920 — BridgeHead FileStore default-creds RCE, CVSS 9.8
- nvd_cve/CVE-2026-31608 — Linux kernel SMB direct double-free, CVSS 9.8
- nvd_cve/CVE-2026-31609 — Linux kernel smbd double-free, CVSS 9.8
- nvd_cve/CVE-2026-31669 — Linux kernel MPTCP slab-use-after-free, CVSS 9.8
- nvd_cve/CVE-2026-31668 — Linux kernel seg6 dst_cache sharing, CVSS 9.8
- nvd_cve/CVE-2026-31649 — Linux kernel stmmac integer underflow, CVSS 9.8
- nvd_cve/CVE-2026-31589 — Linux kernel mm folio_unmap_invalidate, CVSS 9.8
- nvd_cve/CVE-2026-31536 — Linux kernel smbdirect IB_SEND_SIGNALED, CVSS 9.8
- nvd_cve/CVE-2026-31607 — Linux kernel USB/IP packet validation, CVSS 9.8
- nvd_cve/CVE-2026-31659 — Linux kernel batman-adv TT buffer overflow, CVSS 9.8
- nvd_cve/CVE-2026-31657 — Linux kernel batman-adv backbone gateway refcount, CVSS 9.8
- nvd_cve/CVE-2026-31633 — Linux kernel rxrpc integer overflow, CVSS 9.8
- nvd_cve/CVE-2026-31637 — Linux kernel rxrpc undecryptable tickets, CVSS 9.8
- nvd_cve/CVE-2026-31636 — Linux kernel rxrpc OOB read, CVSS 9.1
- nvd_cve/CVE-2026-31685 — Linux kernel ip6t_eui64 invalid MAC, CVSS 9.4
- nvd_cve/CVE-2026-41473 — CyberPanel AI Scanner auth bypass, CVSS 9.1
- nvd_cve/CVE-2026-41428 — Budibase unanchored regex auth bypass, CVSS 9.1
- nvd_cve/CVE-2026-41415 — PJSIP out-of-bounds read SIP multipart, CVSS 9.1
- nvd_cve/CVE-2026-6951 — simple-git RCE (incomplete CVE-2022-25912 fix), CVSS 9.8
Seismic (USGS)
- usgs_earthquakes/us6000sssg — M5.5 SE of Akutan, Alaska; green alert
- usgs_earthquakes/us6000sst4 — M5.2 SE of Vilyuchinsk, Russia
- usgs_earthquakes/us6000ssja — M5.1 E of Petropavlovsk-Kamchatsky
- usgs_earthquakes/us6000ssqp — M4.4 SE of Ierapetra, Greece
- usgs_earthquakes/us6000ssjn — M4.3 NNE of Kentri, Greece
- (remaining 20 USGS events on file)
Sanctions & Debarment (OpenSanctions)
- opensanctions/Q13589522 — Tea Tsulukiani, Georgian politician, sanctions update
- opensanctions/Q97464150 — Viktor Japaridze, Georgian politician, sanctions update
- opensanctions/ge-dec-93146bc879ef55c0ce182d3c0d7bbc85a74f732c — Vitakan-Georgia Ltd
- opensanctions/ge-dec-e1c1ca2fe3f8f84cdb81c38c59345c82e0a6a407 — Duta & F Ltd
- opensanctions/NK-3zKatenZzkowaunwYtYawK — Waleed Fathi Salam Baidhani, OFAC/SAM/trade triple-list
- opensanctions/usgsa-53d90f872ee0702c7e89e193d11ddf653117b9fd — Northern Pacific Oil and Gas Inc., debarment
- opensanctions/isin-RU000A10EHW9 through isin-RU000A10EYR4 — seven Russian NSD-tracked bond ISINs
- opensanctions/Q122421765 — Yury Nesterenko, Russian PEP/sanction/bribetaker record
- (remaining OpenSanctions debarment records on file)