The past seven days have been one of the busier stretches our security team has worked through. Four serious vulnerabilities landed in rapid succession – two in cPanel/WHM, two in the Linux kernel – and several were under active exploitation almost immediately after disclosure. Every server under our management was patched or mitigated ahead of widespread exploitation in each case. Here is how it unfolded.

CVE-2026-41940: a cPanel zero-day, discovered on a forum
We learned about CVE-2026-41940 by accident.
One of our engineers was scrolling a security forum when they saw a link someone had posted to a cPanel advisory published roughly twenty minutes earlier. There was no email from cPanel in our inbox yet. No notification in our usual vendor channels. No patch. Just an advisory describing a serious vulnerability in cPanel/WHM, and a comment thread already starting to speculate about exploitation paths.
We did not wait for the email.
The rough timeline:
- T+0: Advisory surfaced internally.
- T+~5 min: Decision made to restrict access to cPanel and WHM administrative interfaces across our entire infrastructure.
- T+2 hours: cPanel released the official patch.
- T+3.5 hours: Every server under our management was patched and verified.
Our public incident timeline lives here: status.fullhost.com/cmoj53xm403uywn225c3pn27j
The unfortunate footnote is what happened everywhere else. Active exploitation began almost immediately and continued for days as unpatched servers – many run by providers and operators who hadn’t yet seen the advisory – were compromised. The window between disclosure and exploitation is narrowing every time. It is no longer unusual to see attacks underway before the official advisory email even reaches operators’ inboxes.
CopyFail
DirtyFrag
Yesterday, DirtyFrag broke embargo. The vulnerability was meant to be released on a coordinated date; it surfaced earlier than planned. As soon as we became aware, we started implementing the temporary mitigation, and had it deployed across every managed server within ninety minutes.
That work is ongoing as ofthis morning. KernelCare patches are out, kernels are being updated, and we are coordinating reboots into the patched kernels with customers where required. The mitigation holds in the meantime.
This morning: another cPanel critical patch
Late last night, our account manager at cPanel reached out to give us a heads-up: a new cPanel release fixing several critical vulnerabilities would ship at 9:00 AM PT.
We used the lead time. By the time the patch was live, we already had a plan – which servers patched first, which automation rolled the rest, what verification we’d run after each batch, and who was on the bridge.
- 9:00 AM PT: Patch released.
- 9:05 AM PT: Patching began.
- 10:30 AM PT: Every server under our management was updated.
How we move this fast
We get asked this question regularly. There is no single answer, but a few things matter more than the rest.
Watch where the news actually breaks. Vendor mailing lists are not always first. Security forums, research mailing lists, and the broader community frequently surface advisories before official channels do. CVE-2026-41940 is a clean example – twenty minutes ahead ofany vendor email is twenty minutes that matters.
Mitigate before you patch. A temporary access restriction or workaround applied in twenty minutes is worth more than a perfect patch applied in twelve hours. Both CopyFail and DirtyFrag were initially handled this way, and the cPanel zero-day’s first response was an access restriction, not a patch.
Plan in advance when you can. When you know a patch is dropping at 9:00 AM, the conversation about who does what happens at 8:00 AM, not 9:01 AM.
Maintain relationships with your vendors. The advance notice from our cPanel account manager gave us a meaningful head start this morning. That kind of communication doesn’t happen by accident.
The honest answer underneath all of this is that the speed in cases like these comes from doing the boring parts well the rest of the time. Inventory is current. Automation is tested. People know who is on call and what to do. None of that is glamorous, and none of it is something you can stand up in the middle of an incident.
It has been a long week. We expect the next one to be quieter. We are not counting on it.
FullHost is a Canadian cloud hosting and infrastructure provider, operating since 2009 with a focus on data sovereignty and managed security. If you operate cPanel infrastructure and are uncertain about your patching posture, get in touch.