Weekly Recap - May 10 to May 17, 2026
The week opened with a rare coordinated kernel vulnerability response. Tails and umbrelOS shipped DirtyFrag patches within 48 hours, Qubes followed with QSB-114 addressing a separate Intel CPU data exposure issue. Core Lightning disclosed a peer-triggered assertion DoS discovered during a Summer of Bitcoin internship. Matrix Synapse patched worker lock contention issues under separate CVEs. Beyond the security wave, the week saw incremental Lightning releases including NodeGuard rebalance logging and Boltz Client removing the GDK library. Three successive Cashu TS improvements landed within four days—wallet restore optimization, type fixes, and a new unit-aware arithmetic type. Core Lightning released its first v26.06 candidate with a graceful shutdown command. Bitcoin Knots 29.3 shipped with RDTS softfork support. AI tooling velocity remained high with vLLM 0.21.0 entering pre-release and Ollama preparing a migration from GGML to direct llama.cpp integration in its 0.30.0 release candidate.
Threads
Coordinated kernel patch wave across Bitcoin infrastructure
Tails 7.7.3 and umbrelOS 1.7.3 both addressed the DirtyFrag CVEs (CVE-2026-43284, CVE-2026-43500) within 48 hours of disclosure. Qubes followed with QSB-114 for a separate Intel CPU exposure. The rapid cross-project response shows maturing patch discipline in the freedom tech stack. Operators who delayed updates beyond the weekend window were exposed.
Three Cashu TS releases in four days
Cashu TS shipped 4.3.0 with a 2x wallet restore speedup via cached BIP-32 derivation, 4.2.1 with type fixes for the experimental batch mint API, and 4.4.0 with a new AmountWithUnit type enabling safe multi-unit arithmetic. The burst of incremental changes signals active development ahead of wider mint adoption. Integrators should pin versions until the batch API stabilizes.
Ollama preparing GGML deprecation
Ollama 0.30.0-rc15 begins the migration from GGML to direct llama.cpp integration for GGUF compatibility. The shift consolidates inference backends but introduces breaking changes. Operators self-hosting Ollama should test the release candidate with existing model workflows before the stable cut. Five llama.cpp tags shipped this week, indicating upstream churn.
Patch board
Five distinct vulnerability classes shipped patches this week. Tails and umbrelOS addressed the DirtyFrag kernel CVEs (CVE-2026-43284, CVE-2026-43500) within 48 hours. Qubes published QSB-114 for a separate Intel CPU data exposure issue. Matrix Synapse patched worker lock contention DoS under CVE-2026-45076 and CVE-2026-45078. Core Lightning disclosed a peer-triggered assertion DoS with no CVE assigned. All patches are available. Operators should prioritize kernel updates on Tails and umbrelOS, then Synapse if running multi-worker deployments, then CLN if exposed to untrusted peers.
- Vulnerability Disclosure: Assertion DoS in Core Lightning (Patch now). Summary: During my Summer of Bitcoin 2025 internship, I discovered a Denial-of-Service (DoS) vulnerability in Core Lightning (CLN) that allowed a remote peer to crash a node by sending a specificall…
The disclosed assertion DoS allowed a remote peer to crash a Core Lightning node with a crafted message. No patch details were provided in the summary—operators should check the disclosure thread for affected versions and mitigation steps. If running CLN in production, assume exposure until confirmed otherwise.
- Tails 7.7.3 (Patch now). This release is an emergency release to fix a critical security vulnerability in the Linux kernel, as well as security vulnerabilities in Tor Browser and in the Tor client.
Emergency release addressing critical kernel vulnerabilities in addition to Tor Browser and Tor client issues. Operators running Tails for airgapped signing or as a live OS should update immediately. The “emergency” classification suggests exploit likelihood was high.
- umbrelOS 1.7.3 (CVE-2026-43284, CVE-2026-43500). umbrelOS 1.7.3 is an important security update that fixes the DirtyFrag (CVE-2026-43284 and CVE-2026-43500) security vulnerabilities recently discovered in the Linux kernel.
Patches the DirtyFrag kernel CVEs. umbrelOS runs on Linux so node operators are directly exposed. Update path is straightforward—pull the release and reboot. No application-layer changes.
- Matrix Synapse 1.152.1 (CVE-2026-45076, CVE-2026-45078). Synapse 1.152.1 (2026-05-07) Security Fixes: Prevent CPU starvation (Denial of Service) under worker lock contention, additionally capping the WorkerLock time out interval to a maximum of 60 seconds.
Addresses CPU starvation under worker lock contention and caps WorkerLock timeout to 60 seconds. Synapse operators who saw unexplained worker hangs or DoS symptoms under load should prioritize this. Single-worker deployments are less exposed.
- Bitkey App 2026.9.1 (Patch now). Release Notes: Access the Bitkey release notes to view the features included in this release.
Patch release with no detailed changelog. The severity marking suggests a user-facing or stability fix. Bitkey users should update via the normal app update flow.
- QSB-114: Intel CPU data exposure vulnerability (Patch now). We have published Qubes Security Bulletin (QSB) 114: Intel CPU data exposure vulnerability.
Qubes security bulletin for an Intel CPU vulnerability. Operators running Qubes on Intel hardware should apply dom0 and template updates. The lack of CVE detail in the summary means checking the full QSB is required.
Releases
- Boltz Client 2.12.0. Summary: This release marks the final removal of the GDK wallet library.
Final removal of the GDK wallet library. If automation or scripts depend on GDK-specific calls, they will break. Review integration points before deploying.
- Dify 1.14.1. What’s New in v1.14.1?
Patch release with unspecified changes. Dify operators should review the linked release notes for breaking changes or security fixes before deploying.
- NodeGuard 0.24.2. What’s Changed: Fix invoice expiry calculation to accommodate retry windows in RebalanceService by @Jossec101 in https://github.com/Elenpay/NodeGuard/pull/514 Add logging for rebalance creation, execution, and status updates in RebalanceS…
Adds logging for rebalance creation, execution, and status updates. Fixes invoice expiry calculation to handle retry windows. Operators running NodeGuard can now audit rebalance behavior more easily. Test severity suggests non-critical but useful for debugging.
- Cashu TS 4.3.0. This release speeds up wallet restore by optimising legacy BIP-32 derivation - benchmarks showed roughly 2x speedup for the new cached batch path versus repeated BIP32 derivation of previous implementation.
Optimizes wallet restore with cached batch BIP-32 derivation, roughly 2x faster than repeated calls. No breaking changes. Wallets integrating Cashu TS should test restore flows to confirm the speedup applies to their key setup.
- Alby JS SDK 8.0.0. chore: update publish workflow to support npm OIDC (559) chore: update publish workflow to support npm OIDC fix: re-enable test and use correct setup-node
Major version bump, likely breaking. The summary mentions only workflow and npm OIDC changes. Developers integrating Alby JS SDK should check migration notes before upgrading.
- Bitcoin Knots 29.3. Bitcoin Knots version 29.3.knots20260508 is now available from: https://bitcoinknots.org/files/29.x/29.3.knots20260508/ This release includes the RDTS softfork (IMPORTANT INFORMATION BELOW), new features, default configuration changes,…
Ships the RDTS softfork. Operators should read the IMPORTANT INFORMATION section in the release notes before running. RDTS activation is consensus-relevant and requires informed choice.
- Miniflux 2.3.0. Security: Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.
Now requires discoverable WebAuthn credentials (resident keys / passkeys) for login. Operators must ensure users have compatible authenticators or risk locking accounts. Test the login flow post-upgrade.
- Amethyst 1.09.1. What’s Changed: Rename onRefresh callback to avoid shadowing parameter by @vitorpamplona in https://github.com/vitorpamplona/amethyst/pull/2912 Fix desktop app ProGuard build with Compose 1.11.0 by @vitorpamplona in https://github.com/vit…
Patch with UI and pull-to-refresh fixes. No operator-visible changes for self-hosted relay operators.
- Cashu TS 4.2.1. This release is technically a breaking change to the public type BatchMintRequest (and by extension, BatchMintPreview), but treating as a patch as batch minting is new and experimental, not widely supported or used, the payload is short…
Type fix for BatchMintRequest and BatchMintPreview. Marked as patch despite breaking change because batch minting is experimental. Integrators using batch mint should expect payload shape changes.
- vLLM 0.21.0. Highlights: This release features 367 commits from 202 contributors (49 new)!
Pre-release with 367 commits from 202 contributors. Operators should wait for stable unless testing is required. Large commit delta suggests non-trivial risk.
- Ark Network 0.9.5. What’s Changed: [client-lib] Update client wallet interface by @altafan in https://github.com/arkade-os/arkd/pull/1008 docs: add missing breaking changes documentation by @Dunsin-cyber in https://github.com/arkade-os/arkd/pull/1007 Fix si…
Updates client wallet interface and fixes KeyID handling for single-key wallets. Ark operators should test client library integration before deploying.
- Ollama 0.23.4. What’s Changed: ollama launch opencode now supports vision models with image inputs. Fixed formatting of Claude tool results when using local image paths. Full Changelog: https://github.com/ollama/ollama/compare/v0.23.3...v0.23.4
Adds vision model support with image inputs to ollama launch opencode and fixes the formatting of Claude tool results that use local image paths. Operators using Ollama with vision workflows should test image input handling.
- Arkade 0.9.5. What’s Changed: client-lib Update client wallet interface by @altafan in 1008 docs: add missing breaking changes documentation by @Dunsin-cyber in 1007 Fix single-key wallet empty KeyID breaking go-sdk signing key resolution by @sekulicd…
Same release as Ark Network 0.9.5—updates client wallet interface and fixes single-key wallet signing. Operators using Arkade CLI should sync versions.
- Alby Hub 1.22.2. In this release Alby Hub adds a new AI & Agents page, an integrated on-chain wallet mode, custom user labels for transactions, redesigned settings pages, improved budget selection when creating app connections and support for connecting…
Pre-release adds AI & Agents page, integrated on-chain wallet mode, custom transaction labels, and Core Lightning support. Operators testing Alby Hub should validate CLN backend connectivity and on-chain wallet balance reporting.
- Bisq 1.10.0. Bisq 1.10.0 follows the recent security incident with a focused hardening release that improves trade protocol security, network message validation, release verification, and hardening against supply chain attacks.
Hardening release following a security incident. Improves trade protocol security, message validation, release verification, and supply chain attack resistance. Bisq operators should review the incident writeup and deploy promptly.
- llama.cpp b9174. ui: Restructure repo to use tools/ui folder and ui / UI / llama-ui / LLAMA UI naming (23064) webui: Move static build output from tools/server/public to build/ui directory refactor: Move to tools/ui refactor: rename CMake variables and…
Restructures repo to use tools/ui folder and renames CMake variables. Operators building llama.cpp from source should check build scripts for hardcoded paths.
- Sparrow Frigate 1.5.0. - Add low-latency mempool ingestion driven by Bitcoin Core’s ZMQ sequence publisher, including immediate poll on connect/disconnect (C/D) block events and fast eviction from removal (R) events - Auto-discover the bitcoind ZMQ sequence en…
Adds low-latency mempool ingestion via Bitcoin Core ZMQ sequence publisher with immediate poll on block events. Operators running Frigate should configure the ZMQ endpoint or allow auto-discovery from getzmqnotifications.
- SilverBullet 2.8.0. SilverBullet 2.8.0 is here.
Minor release with unspecified changes. SilverBullet operators should check release notes for breaking changes before deploying.
- Cashu TS 4.4.0. This release adds AmountWithUnit, a unit-aware sibling to Amount, so multi-unit consumers (wallets aggregating across sat/usd or multiple mints) can do arithmetic and comparisons without silently mixing units.
Introduces AmountWithUnit for unit-aware arithmetic. Multi-mint or multi-unit wallet operators can now safely aggregate balances without silent unit mixing. No breaking changes to existing Amount usage.
- SimpleX Chat 6.5.2. New in 6.5.2: allow deleting messages from channel history without time limit.
Allows deleting messages from channel history without time limit. Operators hosting SimpleX relays are unaffected—this is a client-side feature.
News
- XSAs released on 2026-05-12. The Xen Project has released one or more Xen security advisories (XSAs).
Xen Project released one or more XSAs. Qubes operators should check the advisory list and apply patches as needed.
What to watch
- Core Lightning v26.06 release candidate progression — First RC shipped with a new graceful shutdown command. Operators should track the RC cycle for showstoppers before the stable cut. The graceful command is operator-relevant for planned maintenance windows.
- Ollama 0.30.0 stable release with llama.cpp migration — Release candidate 15 began the migration from GGML to direct llama.cpp integration. The stable release will introduce breaking changes for GGUF compatibility. Operators self-hosting Ollama should test model loading workflows before production rollout.
- Additional Xen Security Advisories post-2026-05-12 — Qubes noted XSAs released on 2026-05-12 but provided no detail. Operators running Qubes or Xen should monitor the advisory list for follow-up patches and check for updates in dom0.
By the numbers
| Metric | Value |
|---|---|
| Stories tracked | 75 |
| Featured | 37 |
| Releases | 58 |
| Active sources | 84 |
| Security patches | 6 |
| Days covered | 7 |
Top beats this week
| Beat | Stories |
|---|---|
| AI | 22 |
| Privacy | 13 |
| Bitcoin | 11 |
| Freedom Tech | 9 |
| Lightning | 8 |
| Nostr | 7 |
| Unspecified | 5 |
Read this brief on the web: https://freedomtech.news/posts/2026-05-17-bitcoin-weekly-recap/