
AI can write exploits in minutes now. Here’s what that means for managed hosting.

A Linux kernel privilege escalation bug was publicly disclosed on a Tuesday afternoon. By 6 PM that day, there were already repositories on GitHub with working proof-of-concept exploit code. By Thursday, Shadowserver was tracking 44,000 servers being actively scanned for it across the internet.

We had already patched all of ours on Tuesday – without rebooting a single server.

That sequence – disclosure to active exploitation in under 48 hours – is the new normal for critical vulnerabilities. And it is reshaping what “managed hosting” actually needs to mean.

The exploit window has closed

Not long ago, security teams operated on a mental model of “patch within 30 days.” That model assumed a gap between when a vulnerability was disclosed and when attackers had weaponized it. It was not a bad assumption in 2018, when the median time from CVE disclosure to observed exploitation was 771 days – giving security teams over two years to identify, prioritize, test, and deploy patches.

That median is now measured in hours. The CrowdStrike 2026 Global Threat Report found that 67% of exploited CVEs were weaponized before or on the day of public disclosure – meaning patches frequently arrive after attacks have already started. Mandiant’s M-Trends 2026 report found 28.3% of CVEs are exploited within 24 hours of disclosure.

The accelerant is AI. Security researchers have demonstrated that current AI systems can generate functional, working exploit code for published CVEs in 10 to 15 minutes at a cost of roughly $1 per exploit. What used to require a skilled exploit developer spending days on reverse engineering can now be automated at scale. In February 2026, a documented incident showed a single threat actor using AI-assisted automation to compromise over 600 FortiGate firewalls across 55 countries in five weeks – reconnaissance, exploit generation, and scaling all handled by AI tooling with human operators in a supervisory role.

What the last 30 days looked like from our end

In April and May 2026, there was an unusually dense stretch of critical vulnerabilities affecting the infrastructure that shared hosting runs on. Here is what we actually dealt with:

CVE-2026-41940 (cPanel auth bypass, CVSS 9.8): A logic error in cPanel’s session-handling code allowed unauthenticated attackers to write arbitrary values into session files and escalate to root. It had been actively exploited in the wild for months before the patch dropped. Shadowserver tracked 44,000 servers being scanned the day the advisory went public. We patched our entire fleet within hours of the advisory.

CVE-2026-31431 (“Copy Fail”): A Linux kernel privilege escalation in the algif_aead cryptography subsystem – a logic bug introduced in 2017 that lets any local user write 4 bytes into the page cache of any readable file, leading to trivial root escalation via a setuid binary edit. Public proof-of-concept dropped within hours of disclosure. We livepatched every server across our fleet the same afternoon using KernelCare’s livepatch delivery – no reboots, no downtime, no coordination with clients. A conventional kernel update path would have required a reboot per server. Livepatching meant the fix deployed across thousands of servers without any service interruption.

Exim CVE-2026-40684 through CVE-2026-40687: Exim 4.99.2 released April 30 patching four vulnerabilities including heap corruption bugs in the SPA authenticator and OOB read/write issues in JSON header handling. All shared servers run Exim as the mail transfer agent. Patched fleet-wide in the same maintenance window.

Apache CVE-2026-24072 and nine others: An Apache mod_rewrite vulnerability bundled with nine additional CVEs, patched in ea-apache24 2.4.67 on May 6. Applied across all shared servers and all client-managed cPanel servers with Apache installed on the same day.

cPanel CVE-2026-29201, 29202, 29203: Three more cPanel vulnerabilities patched May 8 – cPanel’s second emergency Technical Security Release in 10 days. The set covered arbitrary file read, arbitrary Perl code execution, and privilege escalation via unsafe symlink handling. Fleet-wide same day.

Five separate patch events in 14 days, across kernel, mail server, web server, and control panel layers.

What “managed hosting” actually means now

The phrase “managed hosting” has been diluted to the point of meaninglessness. Every provider uses it. But in an environment where working exploits land within hours of disclosure, it needs to mean something specific:

  • CVE feeds are actively monitored. Patching is proactive, not reactive (waiting for a client to file a ticket about a CVE they read about).
  • Critical vulnerabilities are patched within hours, not within a monthly maintenance cycle.
  • Livepatching capability exists so kernel updates do not require reboots and client downtime.
  • Patches are applied fleet-wide – not made available to clients who know to open a ticket.
  • The provider can point to specifics. If you ask “how quickly did you patch Copy Fail?” a managed provider should be able to answer.

A “patch within 30 days” schedule, or a provider that applies updates only when clients request them, is operationally equivalent to unmanaged hosting against a threat actor with AI-assisted exploit generation. The protection gap is not 30 days – it is often measured in hours.
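The checklist above amounts to a measurable standard: every feed entry is cross-referenced against what the fleet actually runs, and each host either got the fix inside the window or is flagged. The script below is an added example, not CanSpace's tooling: the feed is a constructed sample that only borrows the field names of the CISA KEV JSON catalogue, the fleet, patch log and 24-hour SLA are illustrative assumptions, and the dates attached to the CVEs from the article are constructed for the example rather than taken from any advisory.

```python
"""Match a KEV-shaped vulnerability feed against a fleet inventory and flag patch-SLA breaches.

Added example (not the hosting provider's code). The feed is constructed sample data
using the CISA KEV JSON field names; fleet, patch log and SLA hours are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed feed entries (not real catalogue data); CVE IDs and components are the
# ones discussed in the article, the dateAdded values are invented for the example.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Copy Fail algif_aead privilege escalation", "dateAdded": "2026-04-22"},
    {"cveID": "CVE-2026-41940", "vendorProject": "cPanel", "product": "cPanel & WHM",
     "vulnerabilityName": "Session-handling authentication bypass", "dateAdded": "2026-04-28"},
    {"cveID": "CVE-2026-40684", "vendorProject": "Exim", "product": "Exim",
     "vulnerabilityName": "SPA authenticator heap corruption", "dateAdded": "2026-04-30"},
    {"cveID": "CVE-2026-00001", "vendorProject": "ExampleVendor", "product": "NotDeployed",
     "vulnerabilityName": "Placeholder entry with no matching host", "dateAdded": "2026-04-30"},
]})

# Constructed fleet: host -> lowercase "vendor/product" keys for the components it runs.
FLEET = {
    "shared01": ["linux/kernel", "cpanel/cpanel & whm", "exim/exim", "apache/http server"],
    "vps07": ["linux/kernel", "exim/exim"],
}

# Constructed patch log: (host, CVE) -> ISO-8601 time the fix was applied.
PATCH_LOG = {
    ("shared01", "CVE-2026-31431"): "2026-04-22T18:05:00+00:00",
    ("shared01", "CVE-2026-41940"): "2026-04-28T16:00:00+00:00",
    ("vps07", "CVE-2026-31431"): "2026-04-24T09:00:00+00:00",  # applied two days late
}


def parse_feed(text):
    """Return the list of entries from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def component_key(entry):
    """Normalise vendorProject/product into the key form used in FLEET."""
    return f"{entry['vendorProject']}/{entry['product']}".lower()


def disclosed_at(entry):
    # The catalogue carries a date only; treat it as the start of that day in UTC,
    # a pessimistic assumption that can only lengthen the measured exposure window.
    return datetime.strptime(entry["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def classify(entry, host, patch_log, now, sla):
    """Return (status, hours_exposed) for one host/CVE pair."""
    disclosed = disclosed_at(entry)
    applied = patch_log.get((host, entry["cveID"]))
    end = datetime.fromisoformat(applied) if applied else now
    exposure = end - disclosed
    if applied:
        status = "patched" if exposure <= sla else "patched-late"
    else:
        status = "open" if exposure <= sla else "breach"
    return status, round(exposure.total_seconds() / 3600, 1)


def exposure_report(feed_text, fleet, patch_log, now_iso, sla_hours=24):
    """Cross-reference every feed entry with every host that runs the affected component."""
    now = datetime.fromisoformat(now_iso)
    sla = timedelta(hours=sla_hours)
    report = []
    for entry in parse_feed(feed_text):
        key = component_key(entry)
        for host, components in fleet.items():
            if key in components:
                status, hours = classify(entry, host, patch_log, now, sla)
                report.append({"host": host, "cve": entry["cveID"], "status": status, "hours": hours})
    return report


def needs_action(report):
    """Rows an on-call engineer must act on: hosts still unpatched past the SLA."""
    return [r for r in report if r["status"] == "breach"]


if __name__ == "__main__":
    rows = exposure_report(SAMPLE_FEED, FLEET, PATCH_LOG, "2026-05-01T12:00:00+00:00")
    for r in rows:
        print(f"{r['host']:<9} {r['cve']:<16} {r['status']:<13} {r['hours']:>6.1f} h")
```

The report is keyed on the component inventory rather than on the CVE text, so a feed entry for software the fleet does not run produces no rows, and a host that runs the component but has no patch-log entry shows up as "open" or "breach" depending on how long it has been since disclosure. Feeding it the real catalogue and a real patch log is the only part a provider would need to change; the question "how quickly did you patch Copy Fail?" is then answered by one row.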

What is your responsibility?

Server-layer vulnerabilities – kernel, web server, cPanel, Exim – are the hosting provider’s responsibility. Client-side application vulnerabilities are yours.

WordPress core, themes, and plugins are a separate attack surface, and a heavily targeted one. High-severity WordPress plugin vulnerabilities show up almost every week, and many of them affect hundreds of thousands of installed sites. Keeping WordPress core current, running only actively maintained plugins, and removing deactivated plugins entirely (they can still be exploited even while inactive) are client-side responsibilities that no managed hosting arrangement covers, regardless of how it’s marketed.

The short version: everything at the operating system layer and below is your host’s job. Everything inside your web application directory is yours.

The bottom line

The 30-day patch window is dead. Working exploits for critical CVEs now land the same day they are disclosed, and sometimes before. Managed hosting in 2026 means staying ahead of that: proactive CVE monitoring, same-day patching on critical vulnerabilities, and livepatching capability so fixes do not have to wait for maintenance windows.

The last month was a reasonable stress test of that standard. Five critical vulnerability classes patched across kernel, MTA, web server, and control panel layers in two weeks, most of them same-day, without client-visible downtime. That is the actual job now.


This article is on a hosting provider’s blog. Disclosure: we’re CanSpace, a Canadian-incorporated company with all servers in Canada and Canadian-staffed support. The patching examples above are from our own fleet – not a generic best-practices list.

If you want to know how we handle security patching for your plan, our web hosting plans, VPS, and dedicated servers cover what’s included. If you have specific questions, our support team can answer them directly.

CanSpace Team
