week of critical vulnerabilities

The past seven days have been one of the busier stretches our security team has worked through Four serious vulnerabilities landed in rapid succession - two in cPanel/WHM, two in the Linux kernel - and several were under active exploitation almost …

The past seven days have been one of the busier stretches our security team has worked through. Four serious vulnerabilities landed in rapid succession – two in cPanel/WHM, two in the Linux kernel – and several were under active exploitation almost immediately after disclosure. Every server under our management was patched or mitigated ahead of widespread exploitation in each case. Here is how it unfolded.

CVE-2026-41940: a cPanel zero-day, discovered on a forum

We learned about CVE-2026-41940 by accident.

One of our engineers was scrolling a security forum when they saw a link someone had posted to a cPanel advisory published roughly twenty minutes earlier. There was no email from cPanel in our inbox yet. No notification in our usual vendor channels. No patch. Just an advisory describing a serious vulnerability in cPanel/WHM, and a comment thread already starting to speculate about exploitation paths.

We did not wait for the email.

The rough timeline:

  • T+0: Advisory surfaced internally.
  • T+~5 min: Decision made to restrict access to cPanel and WHM administrative interfaces across our entire infrastructure.
  • T+2 hours: cPanel released the official patch.
  • T+3.5 hours: Every server under our management was patched and verified.

Our public incident timeline lives here: status.fullhost.com/cmoj53xm403uywn225c3pn27j

The unfortunate footnote is what happened everywhere else. Active exploitation began almost immediately and continued for days as unpatched servers – many run by providers and operators who hadn’t yet seen the advisory – were compromised. The window between disclosure and exploitation is narrowing every time. It is no longer unusual to see attacks underway before the official advisory email even reaches operators’ inboxes.

CopyFail

A few days later, CopyFail was disclosed: a Linux kernel vulnerability serious enough to warrant immediate action. KernelCare live patches weren’t available yet, so we rolled out a temporary mitigation across our managed fleet within two hours of the disclosure becoming public. Once KernelCare’s live patches were released, they were applied across the fleet.

DirtyFrag

Yesterday, DirtyFrag broke embargo. The vulnerability was meant to be released on a coordinated date; it surfaced earlier than planned. As soon as we became aware, we started implementing the temporary mitigation, and had it deployed across every managed server within ninety minutes.

That work is ongoing as ofthis morning. KernelCare patches are out, kernels are being updated, and we are coordinating reboots into the patched kernels with customers where required. The mitigation holds in the meantime.

This morning: another cPanel critical patch

Late last night, our account manager at cPanel reached out to give us a heads-up: a new cPanel release fixing several critical vulnerabilities would ship at 9:00 AM PT.

We used the lead time. By the time the patch was live, we already had a plan – which servers patched first, which automation rolled the rest, what verification we’d run after each batch, and who was on the bridge.

  • 9:00 AM PT: Patch released.
  • 9:05 AM PT: Patching began.
  • 10:30 AM PT: Every server under our management was updated.

How we move this fast

We get asked this question regularly. There is no single answer, but a few things matter more than the rest.

Watch where the news actually breaks. Vendor mailing lists are not always first. Security forums, research mailing lists, and the broader community frequently surface advisories before official channels do. CVE-2026-41940 is a clean example – twenty minutes ahead ofany vendor email is twenty minutes that matters.

Mitigate before you patch. A temporary access restriction or workaround applied in twenty minutes is worth more than a perfect patch applied in twelve hours. Both CopyFail and DirtyFrag were initially handled this way, and the cPanel zero-day’s first response was an access restriction, not a patch.

Plan in advance when you can. When you know a patch is dropping at 9:00 AM, the conversation about who does what happens at 8:00 AM, not 9:01 AM.

Maintain relationships with your vendors. The advance notice from our cPanel account manager gave us a meaningful head start this morning. That kind of communication doesn’t happen by accident.

The honest answer underneath all of this is that the speed in cases like these comes from doing the boring parts well the rest of the time. Inventory is current. Automation is tested. People know who is on call and what to do. None of that is glamorous, and none of it is something you can stand up in the middle of an incident.

It has been a long week. We expect the next one to be quieter. We are not counting on it.

FullHost is a Canadian cloud hosting and infrastructure provider, operating since 2009 with a focus on data sovereignty and managed security. If you operate cPanel infrastructure and are uncertain about your patching posture, get in touch.

Wordpress Hosting

Experience the difference with the fastest WordPress hosting platform.

Elastic Hosting

A flexible managed hosting solution that will grow with you and your needs grow.

Cloud Servers

Your dedicated cloud servers that are managed by us or managed by you.

Made InCanada
Made by Canadians,
for Canadians

Never worry about compliance again. Our servers are hosted directly on Canadian soil, and support is given by a 100% Canadian team.

We Start,
Where Others Stop.

If you've been burned by terrible hosting services before, we get you. We want every client to feel important and fully taken care of, and we'll spend the time it takes to solve any problem that arises.

Trusted by Clients Across All Industries

Don't take our word for it - let our happy clients do the talking. See More

Full Host did an amazing job of migrating my site seamlessly onto their server. My only regret was not switching my site over to them sooner. Now it is performing great, images are uploading way faster than ever before.

" Vancouver Sofa and Patio - Jerry Schmidt

Two thumbs up for Fullhost! Agents reply to me fairly quickly or at least let me know they received the ticket and are looking into it. Kudos to the support team as they have always given me exactly what I need without delays.

" Universal Staffing Inc. - Anthony Calvano

FullHost is an absolute pleasure to work with, and their customer service is exceptional. Whenever I have questions or need adjustments, they are there to help, quickly, efficiently, with answers and insights.

" Mooseworld Inc. Norine Leibel

With coast to coast coverage,
We help you serve the world.

Whether your audience is located in Europe, Asia, Africa, or Australia, provide them with lightening speed!

FullHost's data centers are located in Toronto and Vancouver to ensure worldwide quality and speed.

Get in Touch
We Trust Only The Best Tech to Support You

FullHost operates with the most innovative technology to bring you unparalleled levels of hosting services.