Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay. During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid. The primitive is reliable and turns any local shell into a path to root or to sensitive credential material [including host private keys under /etc/ssh ]

CVE-2026-46333 is local-only, but the impact is severe… Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts.

Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination. A short time later, an independent exploit derived from the public kernel commit appeared.... Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies.

Anthropic CEO Dario Amodei has called for similar public-relief measures, including, potentially, universal basic income, or UBI. Eventually “our current economic setup will no longer make sense,” he wrote in a blog post, adding that “there will be a need for a broader societal conversation about how the economy should be organized.”

Though OpenAI CEO Sam Altman once championed universal basic income, he has since embraced a new structure where the public has “collective ownership” of aspects of AI, according to Business Insider. “I think any version of the future that I can get really excited about means that everybody’s got to participate in the upside,” he said in a recent podcast interview. In April, OpenAI laid out a set of policy proposals aiming to address the coming upheaval, referencing the transition to the industrial age and the New Deal as points of comparison for what’s on the horizon…

But some experts question whether tech billionaires, who spent decades resisting regulation, unions and higher taxes, would support the kind of massive redistribution such programs would require. “The only way to pay for UBI is to massively tax those enormously rich people who own the UBI machines,” said Jesse Rothstein, a professor of public policy and economics at the University of California at Berkeley who served as chief economist at the U.S. Department of Labor. “It’s a nice surprise to hear Elon Musk advocating for that....” Rothstein co-authored a study in 2019 that estimated granting a small income to the entire country would cost a massive amount — nearly double the total spending of Social Security, Medicare and Medicaid. To issue payments of $12,000 a year to U.S. adults, for example, “would require nearly doubling federal tax revenues,” according to the paper…

Economists appear to broadly support other solutions beyond redistribution, such as job retraining. A working paper published this spring by the Federal Reserve Bank of Chicago showed economists support more narrowly tailored solutions to the economic disruption. In late April, Meta appeared to embrace that path, announcing “a multi-year initiative that provides free, rapid training to turn thousands of Americans with no prior experience into high-paid fiber technicians” for projects including data centers.

• Elon Musk said in an X post that “Universal HIGH INCOME via checks issued by the Federal government is the best way to deal with unemployment caused by AI.”

• “I think it’s a marketing tactic” responded Scott Santens, a universal basic income advocate and is CEO of the nonprofit Income to Support All Foundation. He argued to the Washington Post that Musk’s comment is “trying to thread this needle of, ‘I want to solve this stuff that will potentially put a lot of people out of work.’ And how do you avoid people getting really [angry] at that? Okay, well, you’re still going to get money, everything will be great it’s just you won’t have to work anymore....”

• The article also cites a recent commentary from Jay W. Richards, a senior research fellow and VP of social and domestic policy at the Heritage Foundation. “The new AI prophets of doom suffer from a failure of imagination. They simply cannot envision what work the future will bring, so they conclude it will bring none,”

According to the JPL statement, Caltech has been preparing for this possible transition since last summer, so the news “comes as no surprise.” But the potential change is part of a larger shakeup for the agency. Earlier this morning, NASA announced a major reorganization, which is separate from the JPL news. “To support the agency’s ambitious short- and long-term goals, NASA is taking action to increase specialization at centers and integrate mission directorates, elevating delivery of technically excellent work,” the agency said in a statement today.

JPL is NASA’s lead center for the robotic exploration of Mars and other deep-space locales. The agency has worked with JPL through Caltech as a manager for nearly 70 years. Though JPL still counts as one of NASA’s field centers, it’s run as a contracted FFRDC (federally funded research and development center). This status has allowed the lab to function slightly differently than other NASA centers; it has a unique sort of independence, though NASA has always had significant oversight of the lab. “As an FFRDC, JPL operates under a special contractual and governance framework designed to ensure that its work is performed in the public interest and aligned with national priorities,” NASA has stated. “The FFRDC model enables NASA to retain access to this depth of capability while maintaining a clear separation between government decision-making authority and contractor execution responsibilities.”

Opening up the competition for institutions beyond Caltech to operate JPL could mean significant changes for everything from day-to-day mission management to big NASA science programs. Until now, JPL and Caltech have been heavily intertwined, with mission personnel, scientists, leadership, and others working closely “across the pond” between JPL and Caltech. JPL mission and program meetings often include Caltech employees and sometimes even take place on its Pasadena campus.

In one video from the Middle East in 2019, taken “likely from an infrared sensor aboard a US military platform operating within the US Central Command area of responsibility,” according to the Pentagon, three UAP are captured flying in formation over the Persian Gulf. Another formation of four unidentified objects is seen flying past vessels on the water off Iran in a video from 2022.

Footage taken over Syria in 2021 shows a mysterious object racing away at speed akin to instantaneous warp-speed acceleration from science fiction movies. Few of the objects seem to resemble flying saucers, discs or other traditionally perceived forms for UAP, although one October 2022 clip taken at an undisclosed location shows a cigar-shaped entity racing over what appears to be a residential area.

None of the videos are accompanied by explanations, and the Pentagon’s all-domain anomaly resolution office (AARO) has previously stated it has no evidence to suggest any of the thousands of objects seen on video, or described in written testimony, is of extraterrestrial origin. In its May 8 release, a statement from the defense department said the public “can ultimately make up their own minds about the information contained in these files.” Additionally, the information is collated from a diverse range of sources, including government agencies including several military branches, the FBI, the state department and Nasa. “Many of these materials lack a substantiated chain-of-custody,” the Pentagon notes

The towering vehicle, consisting of the upper-stage Starship astronaut vessel stacked atop a Super Heavy booster rocket, blasted off at about 5:30 p.m. CT on Friday (2230 GMT) from SpaceX facilities in Starbase, Texas, on the Gulf of Mexico near Brownsville. A live SpaceX webcast of the liftoff showed the rocketship, more than 40 stories tall, climbing from the launch tower as the Super Heavy’s cluster of Raptor engines thundered to life in a ball of flames and billowing clouds of vapor and exhaust. The test ended about an hour later when the Starship vehicle made it through a blazing re-entry through Earth’s atmosphere and splashed down into the Indian Ocean, nose up as planned, as SpaceX employees who gathered to watch a live webcast of the flight cheered. The lower-stage Super Heavy came down separately in the Gulf of Mexico about six minutes after blast-off.

The launch marked SpaceX’s 12th Starship test flight since 2023 and the first ever for the V3 iteration of both the cruise vessel and its Super Heavy booster, as well as the first blast-off from a new launch pad designed for the more powerful rocket. During its suborbital cruise phase, Starship successfully released its payload of 20 mock Starlink satellites one by one, plus two actual modified satellites that scanned the spacecraft’s heat shield and transmitted data back to operators on the ground during the vehicle’s descent. Starship made it to its cruise phase despite the loss of one of its six upper-stage engines, and mission controllers opted not to attempt an inflight re-ignition of the engines before re-entry. But the vehicle did execute a return-landing burn at the very end of its flight, along with several aerodynamic maneuvers deliberately intended to place the spacecraft under maximum stress, and Starship completed those moves intact for its controlled final descent.

Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window — the time between a key’s deletion and its last successful authentication — for the cloud giant’s API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, “an incredibly long time” for API keys to continue authenticating successfully, he said.

And these windows have serious repercussions for organizations. “An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations,” Leon said. “The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google’s infrastructure to eventually catch up.”

[…] Leon tells Dark Reading the revocation windows for Google’s API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. “This breaks the mental model IR teams have when responding to leaked credentials,” he says. “It’s assumed that when you click ‘Delete’ or ‘Revoke’ that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that ‘Deleted’ credential still works for attackers.”

To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the “Enabled APIs and services” portion of the GCP console, and review API requests by credential. “If you see unexpected usage from that credential after deletion, someone could be actively exploiting it,” Leon wrote. Aikido reported the findings to Google, but the company closed the report as “won’t fix,” according to the blog post.

“The total contributions are expected to stabilize the funding at more than $2 billion in support of Canadian and Indigenous content, such as French-language content and news,” the regulator said in a press release. The CRTC made the decisions as part of its implementation of the Online Streaming Act, which the U.S. has identified as a trade irritant ahead of trade negotiations with Canada.

The CRTC also set out rules on how the money must be spent for both streamers and broadcasters, including contributions toward production funds and direct spending on Canadian content. Most of the streamers’ financial contributions can go toward content, though the CRTC is imposing rules on how that money must be spent for the largest streamers. For instance, streamers with Canadian revenues of more than $100 million annually must direct 30 percent of spending toward partnerships with Canadian broadcasters and independent producers. Large Canadian broadcasters will have to direct at least 15 percent of their contributions toward news.

The new financial contribution rules apply to streamers and broadcasters with at least $25 million in annual Canadian broadcasting revenues. The decision covers audiovisual programming, meaning it affects traditional TV broadcasters and online services that stream television content. The regulator also said Thursday online streamers will have to take steps to ensure Canadian and Indigenous content is available and visible to audiences. “This will make it easier for people to find this content on the platforms they use, while giving broadcasters flexibility in how they meet the new expectations,” the CRTC said in the release. Details of those requirements will be determined at a later time.

Cockpit voice recordings, often referred to as the CVR, capture everything commercial pilots say and are valuable during NTSB investigations, but are almost never released out of respect for the victims and their families. UPS flight 2976 crashed on November 4, when an engine separated from the wing while it was taking off from Louisville, Kentucky. The three crew members onboard were killed along with 12 people on the ground. During a two-day investigative hearing this week, the board released a docket full of details about the crash. Besides thousands of pages of reports and video showing the engine separating, it included a transcript of the CVR and a PDF file showing an analysis of the spectrogram of the audio it recorded.

A spectrogram is a still image that is a visual representation of the audio, showing the ups and downs of the frequencies. Using that still image, members of the public were able to recreate the voices of the pilots in the moments before the plane crashed and post the results online. The clip, which included background noise and echoes, covered the last 30 seconds of the flight as the pilots struggled with the disabled aircraft as well as recordings of testing the NTSB did on another aircraft.

In a statement on Thursday, the board made clear it “does not release cockpit voice recordings” due to federal law and because of the highly sensitive nature of what they include, but it was “aware that advances in image recognition and computational methods have enabled individuals to reconstruct approximations of cockpit voice recorder audio from sound spectrum imagery.” Investigation dockets are made public for transparency, but this week, the board took the rare step of closing public access to all dockets, including the one for the UPS crash. […] The NTSB is urging platforms like X and Reddit to remove posts with the audio.

Chris Walker, a spokesperson for the Trump-branded phone maker, told TechCrunch that the company is investigating the exposure and has not found evidence that content or financial information spilled online. The company said there was no breach of Trump Mobile’s network, systems, or infrastructure. Walker said that the exposure was linked to a third-party platform provider that supports “certain Trump Mobile operations.” He did not name the provider.

[…] On Wednesday, two YouTubers who ordered Trump Mobile’s phone said a researcher alerted them that their personal information was exposed online. The YouTubers Coffeezilla and penguinz0 said they tried to alert Trump Mobile of the exposure after the researcher also tried but to no avail. Walker said Trump Mobile is evaluating whether it needs to notify customers of the exposure of their personal data.

Spotify and Universal Music Group (UMG) announced a licensing deal for recorded music and publishing rights, enabling Spotify to launch generative AI music models in the future. With this deal, Spotify’s models will allow fans to create covers and remixes of their favorite songs from participating artists and songwriters signed to UMG. The new deal was announced on Thursday (May 21) as part of Spotify’s Investor Day presentation, and the company touts that it will open up additional revenue streams on top of what artists already earn on Spotify and will provide new discovery opportunities for participating UMG talent. These AI products will eventually become available to premium users as a paid add-on. It is unclear when they are set to launch.

What might surprise viewers is how much technical film know-how was needed to create the movie, said Adil Alimzhanov, a content lead at Higgsfield who also worked on it. “You have to understand camera composition, which shots are changed. Like you can’t have two close-ups back to back, you have to start with an establishing shot,” he said. “You still need those filmmaking skills.” Higgsfield, which was valued at $1.3 billion in its latest funding round earlier this year, crossed $400 million in annual revenue run rate in May. It doesn’t make the actual video-generation models, relying instead on existing tools like Google’s Veo 3. But it does provide the tooling on top to make sure that the visuals are consistent across all the incoming generations.

The core of the movie-making process here was prompting the AI models and getting clips back, Alimzhanov said. Each prompt would generate about 15 seconds of footage. Those 15 seconds needed to be generated a number of times, with tweaks to the prompt to get the best possible version. The first 25 minutes of the movie required 16,181 initial video generations, which ended up as 253 final shots. One of the biggest difficulties in making longer-form films with AI is maintaining consistency across the outputs. AI models can be unpredictable, and a feature-length film can’t have scenes that look completely different from one moment to the next.

Because of that, every prompt had to be extremely long and detailed. Each one would typically start with a prefix that defined requirements like style (8k IMAX, photorealistic), lighting (natural light only, “contre-jour” backlight, camera on shadow side) and the type of camera it should look like it was being shot on (“cine lens,” 180-degree shutter motion blur). The lighting was key to avoiding the AI sheen that typically gets branded as “slop,” said Alimzhanov. AI-generated video tends to over-light scenes in an unnatural way. That prefix would also have to remind the AI to obey the laws of physics with wording like: “gravity and inertia respected — mass has real weight, correct contact shadows, no floating props.” The individual prompts were, on average, 3,000 words each.

One aspect of what Higgsfield has built, and sells to clients, is an AI tool that generates these complex, detailed prompts. Users can enter a page from the original script, and the Higgsfield tool will return with a prompt that could be thousands of words long, designed to create production-quality outputs. And all that prompting is how the company racked up a $400,000 AI compute bill on the project. Co-founder and CEO Alex Mashrabov, however, noted that working with “cloud” providers, like Nebius and CoreWeave, rather than big hyperscalers, helped it keep costs from going even higher.

It’s a notable update for a platform that has struggled with privacy in the past. In 2021, BuzzFeed News tracked down President Joe Biden’s Venmo account and the accounts of people in his inner circle because Venmo, at the time, had no way to keep your Venmo contacts private. It fixed that soon after.

As part of the redesign, if you’re a new user and you do want your posts to be public (or private just to you), you’ll be able to set that as part of the new onboarding flow. You can also change your preference in settings after the fact; an updated screen for sending money will also show if that post is private, visible just to friends, or is visible publicly before you make the transaction.

The agreement, subject to a union ratification vote running May 22 through May 27, calls for Samsung to direct 10.5% of operating profit into stock bonuses along with a separate 1.5% cash component, according to Bloomberg. The program runs for 10 years, contingent on the company meeting profit thresholds. One-third of the stock award can be liquidated right away, with the rest parceled out in installments across the next two years, Bloomberg reported. The first payout is expected in early 2027.

Not all workers will fare equally. As an illustration, Reuters cited a union source estimating that someone in the memory chip unit earning an 80-million-won base salary could take home roughly 626 million won in total bonuses this year. By comparison, workers at SK Hynix stand to collect upward of 700 million won should their employer post annual profit of 250 trillion won, Reuters calculated. Unlike at Samsung, SK Hynix employees are not limited to stock payouts and may instead opt for cash, Reuters reported.

US lawmakers plan to introduce an amendment Thursday at a House committee markup hearing that would prohibit any recipient of federal highway funding from using automated license plate readers for any purpose other than tolling — a sweeping restriction that, if adopted, would bring an immediate end to state and local ALPR programs across the United States. The amendment, obtained first by WIRED, is sponsored by Representative Scott Perry, a Pennsylvania Republican and Freedom Caucus member, and Representative Jesus “Chuy” Garcia, an Illinois progressive whose state has become a flash point in the national fight over ALPR misuse.

The House Transportation and Infrastructure Committee will mark up the underlying bill — a $580 billion, five-year reauthorization of federal surface transportation programs — at 10 am ET on Thursday. The amendment runs a single sentence: “A recipient of assistance under Title 23, United States Code, may not use automated license plate readers for any purpose other than tolling.” The amendment is brief, but its reach would be vast. Title 23 funds roughly a quarter of all public road mileage in the US, including most state and county arteries and many city streets where ALPR cameras are becoming ubiquitous. Conditioning that funding on a ban of the technology would, in practical effect, force any state, county, or municipality that takes federal highway money (essentially all of them) to either remove the cameras or restructure their use around tolling alone.

The amendment’s cosponsors, Perry and Garcia, represent opposite ends of the House’s ideological spectrum but converge on a surveillance concern that has gathered momentum in legislatures and city halls across the US as ALPR networks have quietly become a pervasive layer of American road infrastructure. ALPR cameras — mounted on poles, overpasses, traffic signals, and police cruisers — photograph every passing license plate, log times and locations, and feed data into searchable databases shared across agencies and jurisdictions. […] Privacy advocates have long warned that the aggregation of license plate data amounts to a de facto warrantless tracking system. New York University School of Law’s Brennan Center for Justice has documented the integration of ALPR feeds into police data-fusion systems that combine plate data with surveillance and social media monitoring. And the Electronic Frontier Foundation, a digital rights nonprofit, has documented a range of police misuse, including the past targeting of mosques and the disproportionate deployment of the technology in low-income neighborhoods.

Steve Wozniak did what other college graduation commencement speakers couldn’t this year: earn applause when talking about AI. The Apple cofounder took the stage during Grand Valley State University’s graduation ceremony earlier this month. During his speech, Wozniak offered reassurance to new graduates who are entering the workforce at the height of the AI revolution.

“It would take too long to go deeply into what I think about AI, but we’ve been trying to create a brain,” Wozniak said. “Is there a way we can duplicate a routine a trillion times and have it work like a brain? AI is one of those attempts.” […]

During his commencement address, Wozniak reflected on working at Apple and offered students some advice as they begin their careers. “You should always try to think different,” he said. “Don’t follow the same steps as a million other people. Think, is there something I can do a little different?”