CISA flags actively exploited Linux kernel zero-day (CVE-2026-31431) and SharePoint zero-day (CVE-2026-32201)
Tags: Security · Infrastructure
CISA added two zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog in early May 2026. CVE-2026-31431 is a privilege escalation flaw in the Linux kernel's cryptographic subsystem that allows local attackers to gain root privileges; Red Hat rated it 'Important' severity and published an advisory on April 30, 2026. CVE-2026-32201 is a SharePoint zero-day with a May 26, 2026 remediation deadline for federal agencies. Additionally, CVE-2026-32202 is a Windows Shell NTLM hash leak attributed to APT28/Fancy Bear threat actors; it stems from an incomplete February 2026 patch for CVE-2026-21510 and carries a May 12 remediation deadline. CISA's Binding Operational Directive 22-01 requires FCEB agencies to remediate within the specified deadlines.