Share

Weekly Recap - May 11 to May 18, 2026

By Freedom Tech Daily May 18, 2026 · Edited May 18, 2026
The week opened with a coordinated kernel and infrastructure security wave. Tails and umbrelOS patched the DirtyFrag vulnerabilities within 48 hours, while Qubes shipped QSB-114 addressing separate Intel CPU data exposure. Matrix Synapse followed with fixes for worker lock contention DoS under two CVEs. A Core Lightning assertion DoS vulnerability disclosed during a Summer of Bitcoin internship underscored the ongoing need for third-party review. Beyond the patch cluster, Lightning and privacy tooling maintained incremental velocity. Core Lightning released its first v26.06 candidate with a graceful shutdown command. Cashu TS landed two successive minor releases—wallet restore optimization and unit-aware arithmetic types—in three days. AI tooling continued high cadence: vLLM 0.21.0 entered pre-release and Ollama prepared a breaking 0.30.0 candidate migrating from GGML to direct llama.cpp integration. Bitcoin Knots 29.3 shipped with RDTS softfork support.
Weekly Recap - May 11 to May 18, 2026

Threads

Kernel panic: DirtyFrag patched inside 48 hours

CVE-2026-43284 and CVE-2026-43500 landed early in the week. umbrelOS 1.7.3 and Tails 7.7.3 both shipped emergency releases addressing the Linux kernel DirtyFrag cluster within two days. Operators running either platform should have already applied these patches.

DoS fixes across Lightning and Matrix infrastructure

The week saw two separate denial-of-service mitigations. Matrix Synapse 1.152.1 capped WorkerLock timeout to prevent CPU starvation under contention. Core Lightning patched an assertion DoS triggered by crafted peer messages, disclosed via Delving Bitcoin. Both require operator action.

Ollama prepares breaking migration to llama.cpp

Ollama 0.30.0-rc15 signals a major architecture shift from GGML to direct llama.cpp support, enabling GGUF compatibility. The pre-release tag warns of breaking changes. Operators should test the candidate in non-production environments before the stable release lands.

Patch board

  • Vulnerability Disclosure: Assertion DoS in Core Lightning (Patch now). Summary During my Summer of Bitcoin 2025 internship, I discovered a Denial-of-Service (DoS) vulnerability in Core Lightning (CLN) that allowed a remote peer to crash a node by sending a specificall…

    A Summer of Bitcoin intern found a remote assertion DoS in Core Lightning triggered by crafted peer messages. The disclosure arrived via Delving Bitcoin. Operators should verify they are running a patched version. No CVE assigned yet, but severity warrants immediate attention.

  • Tails 7.7.3 (Patch now). This release is an emergency release to fix a critical security vulnerability in the Linux kernel, as well as security vulnerabilities in Tor Browser and in the Tor client.

    Emergency kernel patch for DirtyFrag landed within 48 hours of disclosure. Tails 7.7.3 also includes Tor Browser and Tor client security fixes. Operators should apply immediately. No opt-out for this one.

  • umbrelOS 1.7.3 (CVE-2026-43284, CVE-2026-43500). umbrelOS 1.7.3 is an important security update that fixes the DirtyFrag (CVE-2026-43284 and CVE-2026-43500) security vulnerabilities recently discovered in the Linux kernel.

    umbrelOS 1.7.3 addresses the same DirtyFrag kernel vulnerabilities as Tails. Operators running umbrelOS should have already applied this. The release ships no other changes—pure security posture.

  • Matrix Synapse 1.152.1 (CVE-2026-45076, CVE-2026-45078). Synapse 1.152.1 (2026-05-07) Security Fixes Prevent CPU starvation (Denial of Service) under worker lock contention, additionally capping the WorkerLock time out interval to a maximum of 60 seconds.

    Matrix Synapse 1.152.1 caps WorkerLock timeout to 60 seconds, preventing CPU starvation under lock contention. Operators running Synapse worker deployments should test and apply. Single-instance deployments see less immediate benefit but should still update.

  • Bitkey App 2026.9.1 (Patch now). Release Notes Access the Bitkey release notes to view the features included in this release.

    Bitkey App 2026.9.1 is marked as a patch-now release but ships no detailed notes. Operators should apply based on severity tagging alone. The linked release notes page is empty.

  • QSB-114: Intel CPU data exposure vulnerability (Patch now). We have published Qubes Security Bulletin (QSB) 114: Intel CPU data exposure vulnerability .

    QSB-114 addresses Intel CPU data exposure separate from DirtyFrag. Qubes operators should follow the bulletin for microcode and Xen updates. This is not the same issue as the kernel patches earlier in the week.

Releases

  • Boltz Client 2.12.0. Summary This release marks the final removal of the GDK wallet library.

    Boltz Client 2.12.0 completes the removal of the GDK wallet library. Operators who previously relied on GDK-specific behavior should verify wallet functionality after upgrade. No migration path is documented in the release notes.

  • Dify 1.14.1. What’s New in v1.14.1?

    Dify 1.14.1 ships as a patch release with no operator-facing changelog. Operators running 1.14.0 should review the diff if behavior changes are observed. Otherwise, treat as a maintenance update.

  • NodeGuard 0.24.2. What’s Changed Fix invoice expiry calculation to accommodate retry windows in RebalanceService by @Jossec101 in https://github.com/Elenpay/NodeGuard/pull/514 Add logging for rebalance creation, execution, and status updates in RebalanceS…

    NodeGuard 0.24.2 fixes invoice expiry calculation for rebalance retry windows and adds logging for rebalance lifecycle events. Operators who use NodeGuard for automated rebalancing should test invoice handling before deploying to production.

  • Cashu TS 4.3.0. This release speeds up wallet restore by optimising legacy BIP-32 derivation - benchmarks showed roughly 2x speedup for the new cached batch path versus repeated BIP32 derivation of previous implementation.

    Cashu TS 4.3.0 optimizes wallet restore by caching BIP-32 derivation, delivering roughly 2x speedup for legacy paths. Operators building wallet UIs should see faster restore times with no code changes. Update is backward-compatible.

  • Alby JS SDK 8.0.0. chore: update publish workflow to support npm OIDC ( 559 ) chore: update publish workflow to support npm OIDC fix: re-enable test and use correct setup-node

    Alby JS SDK 8.0.0 is a major release with breaking changes. The release notes focus on CI/CD updates rather than API surface changes. Operators integrating this SDK should review the full changelog and test thoroughly before upgrading.

  • Bitcoin Knots 29.3. Bitcoin Knots version 29.3.knots20260508 is now available from: https://bitcoinknots.org/files/29.x/29.3.knots20260508/ This release includes the RDTS softfork ( IMPORTANT INFORMATION BELOW ), new features, default configuration changes,…

    Bitcoin Knots 29.3 includes the RDTS softfork. Operators who choose to run Knots should understand the consensus implications and ensure their infrastructure is prepared for the softfork activation parameters.

  • Miniflux 2.3.0. Security Only discoverable WebAuthn credentials (resident keys / passkeys) are supported for login.

    Miniflux 2.3.0 restricts WebAuthn to discoverable credentials only—resident keys or passkeys. Operators who previously allowed non-resident keys will need to re-register users. This is a security hardening change, not a bug fix.

  • Amethyst 1.09.1. What’s Changed Rename onRefresh callback to avoid shadowing parameter by @vitorpamplona in https://github.com/vitorpamplona/amethyst/pull/2912 Fix desktop app ProGuard build with Compose 1.11.0 by @vitorpamplona in https://github.com/vit

    Amethyst 1.09.1 ships bug fixes and ProGuard build improvements for desktop. Operators running the desktop build should test the ProGuard changes. Mobile operators see standard maintenance updates.

  • vLLM 0.21.0. Highlights This release features 367 commits from 202 contributors (49 new)!

    vLLM 0.21.0 is a pre-release with 367 commits from 202 contributors. Operators should treat this as a beta and avoid production use until the stable tag ships. Test coverage is wide but not yet proven at scale.

  • Ark Network 0.9.5. What’s Changed [client-lib] Update client wallet interface by @altafan in https://github.com/arkade-os/arkd/pull/1008 docs: add missing breaking changes documentation by @Dunsin-cyber in https://github.com/arkade-os/arkd/pull/1007 Fix si…

    Ark Network v0.9.5 updates the client wallet interface and fixes empty KeyID handling in single-key wallets. Operators running Ark nodes should verify wallet signing after upgrade. The fix targets a go-sdk regression.

  • Ollama 0.23.4. What’s Changed ollama launch opencode now supports vision models with image inputs Fixed formatting of Claude tool results when using local image paths Full Changelog : https://github.com/ollama/ollama/compare/v0.23.3...v0.23.4

    Ollama 0.23.4 adds vision model support for ollama launch opencode and fixes Claude tool result formatting for local image paths. Operators using multimodal workflows should test image ingestion paths.

  • Arkade 0.9.5. What’s Changed client-lib Update client wallet interface by @altafan in 1008 docs: add missing breaking changes documentation by @Dunsin-cyber in 1007 Fix single-key wallet empty KeyID breaking go-sdk signing key resolution by @sekulicd…

    Arkade 0.9.5 mirrors the Ark Network release. Same client wallet interface changes and KeyID fix apply. Operators should treat these as a coordinated release and upgrade both if running the full stack.

  • Alby Hub 1.22.2. In this release Alby Hub adds a new AI & Agents page, an integrated on-chain wallet mode, custom user labels for transactions, redesigned settings pages, improved budget selection when creating app connections and support for connecting…

    Alby Hub 1.22.2 is a pre-release adding integrated on-chain wallet mode, Core Lightning support, and an AI & Agents page. Operators should test the on-chain wallet and CLN integration in staging before production. This is the most requested feature per the notes.

  • Bisq 1.10.0. Bisq 1.10.0 follows the recent security incident with a focused hardening release that improves trade protocol security, network message validation, release verification, and hardening against supply chain attacks.

    Bisq 1.10.0 ships hardening fixes following a recent security incident. Changes include trade protocol security, network message validation, and supply chain mitigations. Operators should upgrade immediately and review the incident disclosure for context.

  • llama.cpp b9174. ui: Restructure repo to use tools/ui folder and ui / UI / llama-ui / LLAMA UI naming ( 23064) webui: Move static build output from tools/server/public to build/ui directory refactor: Move to tools/ui refactor: rename CMake variables and…

    llama.cpp b9174 restructures the repo to use tools/ui folder and renames CMake variables. Operators building from source will need to update build scripts. The change affects preprocessor defines and static output paths.

  • Sparrow Frigate 1.5.0. - Add low-latency mempool ingestion driven by Bitcoin Core’s ZMQ sequence publisher, including immediate poll on connect/disconnect (C/D) block events and fast eviction from removal (R) events - Auto-discover the bitcoind ZMQ sequence en…

    Sparrow Frigate 1.5.0 adds low-latency mempool ingestion via Bitcoin Core ZMQ sequence publisher. Operators should configure the ZMQ endpoint or let auto-discovery handle it. Fast eviction from removal events reduces latency for high-frequency polling use cases.

  • SilverBullet 2.8.0. SilverBullet 2.8.0 is here.

    SilverBullet 2.8.0 ships with no detailed release notes. Operators should review the commit log for breaking changes before upgrading production instances.

  • Cashu TS 4.4.0. This release adds AmountWithUnit , a unit-aware sibling to Amount , so multi-unit consumers (wallets aggregating across sat/usd or multiple mints) can do arithmetic and comparisons without silently mixing units.

    Cashu TS 4.4.0 introduces AmountWithUnit, a unit-aware arithmetic type for multi-unit wallets. Operators building wallets that aggregate across sat/usd or multiple mints can now avoid silent unit-mixing bugs. This is a library addition, not a breaking change.

  • SimpleX Chat 6.5.2. New in 6.5.2: allow deleting messages from channel history without time limit.

    SimpleX Chat 6.5.2 removes the time limit on message deletion from channel history. Operators self-hosting SimpleX relays should ensure storage capacity can handle retained message history if users choose not to delete.

  • ZEUS 13.0.2-rc2. v13.0.2 Highlights: - New default RGS (Rapid Gossip Sync) server We rolled out our own RGS server at rgs.zeusln.com that provides graph updates every 15 minutes instead of every three hours.

    ZEUS 13.0.2-rc2 ships a new default RGS server at rgs.zeusln.com with 15-minute update intervals instead of three hours. Operators running custom RGS servers should verify clients are not hardcoded to the new endpoint. This is a release candidate, not stable.

News

  • XSAs released on 2026-05-12. The Xen Project has released one or more Xen security advisories (XSAs) .

    Xen Project released one or more XSAs on 2026-05-12. Qubes operators should monitor the Qubes security announcements for QSB updates addressing these advisories. No QSB was issued during the week for these XSAs.

By the numbers

  • Stories tracked: 74
  • Featured: 36
  • Releases: 57
  • Active sources: 83
  • Security patches: 6
  • Days covered: 7

Top beats this week

  • AI: 22
  • Privacy: 12
  • Bitcoin: 11
  • Freedom Tech: 9
  • Lightning: 8
  • Nostr: 7
  • Unspecified: 5

Read this brief on the web: https://freedomtech.news/posts/2026-05-18-bitcoin-weekly-recap/

#freedomtech
Write a comment
No comments yet.

Related articles

by Freedom Tech Daily

May 27 2026 · Edited May 27, 2026
Cover image for Wed, May 27, 2026

Wed, May 27, 2026

The wire split between AI and privacy with no dominant thread. AI items logged SDK housekeeping: langchain-perplexity shipped a responses API flag, Xai SDK Python added image search toggles, Kimi CLI improved shell error messages and toolset deduplication, and ElevenLabs released SDK regenerations. llama.cpp added MiniCPM5 tokenizer support and AnythingLLM focused on agent system improvements. Privacy coverage scattered across Thunderbird Android, Nextcloud iOS, Standard Notes PDF export fixes, and Proton Pass translations. Yubico announced FIPS 140-3 validation for the YubiKey 5 FIPS Series. No major protocol work or security patches surfaced.

by Freedom Tech Daily

May 26 2026 · Edited May 26, 2026
Cover image for Tue, May 26, 2026

Tue, May 26, 2026

A scattered day. Three AI items ship plumbing: Cline adds GPT-5.5 to SAP AI Core, Mistral Vibe loads skills from a shared directory and restores a theme picker, llama.cpp adds Apple device IDs and KleidiAI macOS artifacts. Privacy logged Syncthing 2.1.1-rc.1 grouping devices and folders, plus a Logseq nightly with no detail. Freedom tech saw Orbot upgrade its Tor engine and expand proxy options, and GrapheneOS tag a build across twenty-one Pixel models. Bitcoin recorded Frostsnap 0.3.0 with a firmware digest. Nostr posted two releases with no changelog text. Nothing clustered. Ten releases, two news items, no common thread.

by Freedom Tech Daily

May 25 2026 · Edited May 25, 2026
Cover image for Mon, May 25, 2026

Mon, May 25, 2026

Privacy tooling dominates the wire again. Four of seven releases touch privacy infrastructure: haveno ships peer identity verification against known key rings and updates Tor Browser to 15.0.13, Bisq 2 hardens dependency verification with checksum gating and pinned classifiers, dnscrypt-proxy stops caching dashboard HTML to prevent stale content after upgrades. Mostrix 0.2.0 appears with no detail beyond GPG verification instructions. AI releases are maintenance: LocalAI fixes a kokoros backend build break from trait drift, llama.cpp patches cmake UI builds and adds macOS KleidiAI support. Nostr logs Nostur 497 with no changelog. The pattern holds from last week: privacy tools under active hardening, AI backends addressing build tooling, Nostr quiet.