May 15, 2026 — Webzi Operations Team
The past three weeks have been, without exaggeration, the most active period for critical web infrastructure vulnerabilities we have recorded in recent years. In this article we want to be completely transparent about what happened, how we responded, and what you can do to strengthen the security of your services.
The landscape: four kernel exploits and nine cPanel vulnerabilities in under three weeks
Between April 28 and May 15, 2026, the hosting ecosystem was hit by an unusually dense series of critical disclosures. This was not an isolated incident — it was multiple simultaneous fronts that required an immediate response on every server.
Linux kernel vulnerabilities
| Date | CVE / Name | Severity | Summary |
|---|---|---|---|
| April 29 | CVE-2026-31431 “Copy Fail” | CVSS 7.8 | Local privilege escalation to root. Functional exploit in 732 bytes. Affected every kernel since 2017. |
| May 7 | CVE-2026-43284 “Dirty Frag” | CVSS 7.8 | Privilege escalation via the kernel’s IPsec/ESP subsystem. |
| May 13 | CVE-2026-46300 “Fragnesia” | CVSS 7.8 | Second variant in the same IPsec/ESP subsystem. Chainable with Dirty Frag. |
| May 15 | CVE-2026-46333 “ssh-keysign-pwn” | Public PoC | Kernel race condition: unprivileged users can read the server’s SSH private keys and the system password database. |
cPanel / WHM vulnerabilities
| Patch date | CVEs | Max severity | Impact |
|---|---|---|---|
| April 28 | CVE-2026-41940 | CVSS 9.8 — Critical | Authentication bypass without credentials. Exploited as a zero-day months before a patch existed. 44,000+ servers compromised globally. |
| May 8 | CVE-2026-29201, 29202, 29203 | CVSS 8.8 — High | Perl code injection, arbitrary file read, privilege escalation via symlink manipulation. |
| May 13 | CVE-2026-29205, 29206, 32991, 32992, 32993 | High | Fifth emergency patch round from cPanel in less than three weeks. |
To put this in perspective: we normally see this volume of critical CVEs spread across several months. Seeing them concentrated into 17 days is extraordinary.
What we did on every server
For each vulnerability, our operations team acted on the same day as the disclosure — no waiting for scheduled maintenance windows. Actions taken across all shared hosting and reseller infrastructure include:
- Reboot-free kernel mitigations: For all four kernel CVEs we applied sysctl controls (kernel.user_ptrace=0 on CloudLinux servers and kernel.yama.ptrace_scope=3 on standard Linux) that block the attack vector immediately and persistently.
- KernelCare active: On servers running KernelCare, livepatches are applied automatically as CloudLinux publishes them, with zero service interruption.
- cPanel patches applied same-day: Every cPanel/WHM security patch was applied within the first hours of availability in each release cycle.
- Imunify360 and WAF rules updated: ModSecurity and Proactive Defense rules are kept current to detect known exploitation patterns for these CVEs.
- Kernel modules blacklisted: For Dirty Frag and Fragnesia, module blacklists (esp4, esp6, rxrpc) were applied as an additional containment measure.
Note for self-managed VPS and dedicated server customers: If you manage your own server, please verify that your kernel and cPanel patches are up to date. If you need assistance, open a support ticket and our team will help.
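For self-managed servers, the following added example (not Webzi's own tooling) checks that the mitigations listed above are in effect: the ptrace sysctl values and the esp4/esp6/rxrpc module blacklist. The function names and the --live switch are assumptions made for the example, and only /etc/modprobe.d is inspected.

```shell
#!/bin/sh
# Added example: audit the ptrace sysctls and module blacklist named above.
# Function names and the --live switch are assumptions made for this example.

# True if dotted sysctl KEY under ROOT (normally /proc/sys) equals WANT.
sysctl_is() {  # sysctl_is ROOT KEY WANT
    path="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] && [ "$(cat "$path")" = "$3" ]
}

# True if DIR/*.conf has "blacklist MOD" or "install MOD /bin/false|true".
module_blocked() {  # module_blocked DIR MOD
    grep -Eqs "^[[:space:]]*(blacklist[[:space:]]+$2|install[[:space:]]+$2[[:space:]]+/bin/(false|true))[[:space:]]*$" "$1"/*.conf
}

# True if MOD appears in a /proc/modules-style FILE.
module_loaded() {  # module_loaded FILE MOD
    grep -qs "^$2 " "$1"
}

# Prints one line per check; return status is the number of failed checks.
audit() {  # audit SYS_ROOT MODPROBE_DIR MODULES_FILE
    sys=$1; conf=$2; mods=$3; fails=0
    if sysctl_is "$sys" kernel.yama.ptrace_scope 3 ||
       sysctl_is "$sys" kernel.user_ptrace 0; then
        echo "OK   ptrace restricted by sysctl"
    else
        echo "FAIL ptrace sysctl mitigation not active"; fails=$((fails + 1))
    fi
    for m in esp4 esp6 rxrpc; do
        if module_loaded "$mods" "$m"; then
            # A blacklist entry only stops future loads; it never unloads.
            echo "FAIL $m is currently loaded"; fails=$((fails + 1))
        elif module_blocked "$conf" "$m"; then
            echo "OK   $m blocked and not loaded"
        else
            echo "FAIL $m has no blacklist/install rule"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Run against the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit /proc/sys /etc/modprobe.d /proc/modules
    exit $?
fi
```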
Security recommendations for your sites and accounts
Server-level security is only one layer. Here are concrete actions you can take today to reduce your exposure:
1. Enable two-factor authentication (2FA) in cPanel
CVE-2026-41940 showed that even 2FA can be bypassed on an unpatched server. On fully patched servers, 2FA remains an effective and essential barrier. You can enable it from your cPanel under Security → Two-Factor Authentication.
2. Keep your CMS, plugins, and themes updated
WordPress, Joomla, and Drupal are the most common attack vectors in shared hosting environments. An outdated plugin can compromise your entire account regardless of how well-protected the server is. Check for pending updates at least once a week.
3. Use unique, strong passwords for every service
A password compromised on any other platform can be reused to access your cPanel. Use a password manager (Bitwarden, 1Password, or similar) and make sure no password is shared between services.
4. Verify that your backups are active and restorable
Backups are your last line of defense against ransomware and serious compromises. Confirm from your cPanel (Files → JetBackup) that automatic backups are running and that you can actually restore from them. A backup that has never been tested is not a reliable backup.
5. Remove access credentials you no longer use
Review and remove FTP accounts, cPanel sub-accounts, and email accounts that are no longer active. Every live credential is an attack surface. You can manage them under Files → FTP Accounts and Email → Email Accounts.
6. Periodically review your site files
Imunify360 scans automatically for malware, but an occasional manual check of critical files (wp-config.php, .htaccess, index.php) can catch unauthorized modifications early. If you find anything suspicious, open a support ticket immediately.
7. For VPS and dedicated servers: keep the kernel updated
This week, every unpatched hour was a real risk window. If you manage your own server, run dnf update kernel regularly and consider installing KernelCare to apply kernel patches without reboots. Contact our team if you need guidance.
Conclusion
May 2026 is a stark reminder that web infrastructure security is not a one-time setup — it is a continuous process. The speed at which critical vulnerabilities are being disclosed this month, with public exploits available within hours of disclosure, demands immediate action from hosting providers.
Our team will continue monitoring the situation and applying patches and mitigations as soon as they become available. If you have questions about the security status of your account or need help with any of the recommendations above, we are available through our support ticket system.
The Operations Team — Webzi / ArteHosting
