Surge in Vulnerabilities and Exploit Activity in Q1 2026
Threat actors expanded their exploit kits in Q1 2026, leveraging a range of new vulnerabilities targeting Microsoft Office and both Windows and Linux operating systems. Detailed statistics on vulnerabilities and their exploitation were shared in a recent report by Kaspersky, shedding light on current trends in cybersecurity threats.
The analysis reveals a continuous rise in registered vulnerabilities, including a noteworthy focus on critical vulnerabilities. Despite a slight decrease in newly published critical vulnerabilities (CVSS score greater than 8.9), an upward trend remains. High-profile vulnerabilities, such as those associated with mobile platforms and web frameworks, are driving this increase. Notably, as AI agents become increasingly adept at identifying security flaws, this trend is likely to continue.
Kaspersky identified several long-standing vulnerabilities that persist in exploitation rates. These include CVE-2018-0802, CVE-2017-11882, and CVE-2023-38831, largely affecting user systems through remote code execution and privilege escalation. Newly registered vulnerabilities, particularly CVE-2026-21509 and CVE-2026-21514, exploit flaws allowing malicious files to execute code despite security features being enabled. Attackers have leveraged these vulnerabilities in conjunction to amplify their impact, although their effectiveness as a chain may decrease over time.
On the Linux front, notable vulnerabilities include CVE-2022-0847 (Dirty Pipe) and CVE-2019-13272, which facilitate privilege escalation. Furthermore, the report highlights a decrease in the number of exploits detected compared to past metrics, although detections are on the rise compared to the same quarter last year.
Defensive Context
Organizations running Microsoft Office or Linux systems should prioritize awareness of these vulnerabilities, especially those listed by Kaspersky. Enterprises with exposed applications or systems that have not implemented timely updates are particularly vulnerable. Notable vulnerabilities like CVE-2026-21514 and the critical conclusions drawn about the exploitation of Windows components underscore the need for heightened vigilance.
Why This Matters
The ongoing exploitation of both legacy and new vulnerabilities poses a constant threat, particularly to organizations reliant on Microsoft products or using Linux systems without up-to-date patches. Any lapse in vigilance could lead to significant breaches, especially in environments that commonly deploy these platforms.
Defender Considerations
Defenders need to take immediate steps to understand the implications of targeted vulnerabilities in their environments. Engaging in active monitoring for signs of exploitation of the listed vulnerabilities—such as those recorded in APT (advanced persistent threat) attacks—will be essential. Organizations should scrutinize their vulnerability management practices to ensure they are prepared for potential exploit attempts.
Indicators of Compromise (IOCs)
- CVEs of interest: CVE-2018-0802, CVE-2017-11882, CVE-2023-38831, CVE-2026-21509, CVE-2026-21514, CVE-2022-0847, CVE-2019-13272.
Securing patch management processes and understanding potential entry points for exploitation will be crucial in effectively mitigating risks associated with these vulnerabilities.
