OpenSSL advisory CVE-2026-34180: heap buffer over-read in ASN.1 decoder affecting OpenSSL 4.0.0-4.0.0, 3.6.0-3.6.2, 3.5.0-3.5.6, 3.4.0-3.4.5, 3.0.0-3.0.20, 1.1.1-1.1.1zg, 1.0.2-1.0.2zp. Root cause: integer truncation when ASN.1 primitive element content length exceeds 2GB causes length mishandling; may scan for terminating zero byte, reading beyond buffer end. Impact: crash (DoS) or memory disclosure. Affects d2i_X509(), d2i_PKCS7(), all d2i_* decoders on 64-bit Unix/Linux only (32-bit and Windows unaffected). CVE-2026-34181: PKCS#12 PBMAC1 accepts short HMAC keys, enabling certificate/private-key forgery with 1/256 probability. Affects 4.0.0-3.4.0. FIPS modules unaffected.

Anthropic's system card for Fable 5/Mythos 5 includes silent safeguards previously undisclosed: interventions limiting effectiveness on 'frontier LLM development' (pretraining pipelines, distributed training, ML accelerator design) via prompt modification, steering vectors, or PEFT. Unlike cybersecurity/biology/chemistry safeguards which fall back to Opus 4.8 (visible to user), these remain silent—Fable gives degraded answers without informing user. Anthropic estimates ~0.03% of traffic impacted, concentrated in <0.1% of organizations. Justification: limits competing actors' acceleration of model development. Terms of Service already forbids using Claude for competing LLM development; safeguards enforce without detection.

Simon Willison's initial benchmarking of Claude Fable 5 after ~5.5 hours testing. Assessment: 'beast'—slow, expensive, consistently outperforms every public model tested. Context window 1M tokens, max output 128k, knowledge cutoff Jan 2026. Pricing $10/M input, $50/M output. Guardrails trigger when hitting restricted domains (cybersecurity, biology, chemistry, distillation); fallback mechanisms available. Tested on knowledge depth: Fable significantly more detailed than Opus 4.8 on Simon Willison's project history (files-to-prompt, LLM, Datasette, etc.). Fable's strength on multi-page specifications and sustained execution aligns with other reports. Constraint: finding tasks it can't handle is the new bottleneck.

Microsoft released 200 security patches (record Patch Tuesday) including nearly 40 critical-severity bugs. Exploit code public for 3+ vulnerabilities. AI tools credited as accelerator—OpenAI's Codex reported a DoS flaw (CVE-2026-49160) in IIS. Researcher 'Nightmare Eclipse' disclosed exploits for Windows flaws (GreenPlasma elevation-of-privilege, BitLocker vulnerabilities); Microsoft previously threatened legal action (then clarified: no civil suits, but referrals to authorities for lawbreaking). Nightmare Eclipse claims former Microsoft employee status, pledged 'bone-shattering' zero-day dump for July 14. Browser vulnerabilities: 360 fixes this month (order of magnitude above historical norms), causing Microsoft to stop enumerating Chromium CVEs in official guides. AI-assisted vulnerability discovery cited as driver for volume increase.

npm v12 (July 2026) introduces breaking security defaults: (1) allowScripts defaults off—preinstall/install/postinstall scripts blocked unless explicitly allowed via npm approve-scripts (includes implicit node-gyp builds); (2) --allow-git defaults none—Git dependencies (transitive or direct) blocked unless explicitly allowed (closes .npmrc override code-execution path); (3) --allow-remote defaults none—remote URL dependencies (https tarballs) blocked unless explicitly allowed. Migration path: upgrade to npm 11.16.0+, run normal install to see warnings, use npm approve-scripts --allow-scripts-pending to list scripts, approve trusted packages, commit updated package.json. Unapproved scripts stop running post-upgrade. Docs available for approve-scripts, deny-scripts, allow-scripts config.

GitHub cofounder Scott Chacon released Grit: a from-scratch Rust reimplementation of Git, library-based, memory-safe, idiomatic. Passes 99%+ of Git's 42,000+ test suite. Approach: AI agent swarm (similar to Anthropic's C-compiler experiment) iteratively pounding test failures until passing. Goal was not a direct port but a reentrant, modular Rust library for canonical Git repository interaction, with independent CLI crate achieving test coverage. Caveats: not production-ready (data corruption risk), skipped ~1% of tests (email, i18n, import tools, bitmap optimizations deemed not essential for library-first design). Slow in places, API not finalized, no Windows support yet. Use case: enable long-running processes without fork/exec overhead; better suited to embedding in tools than chaining shell commands.

Master's thesis on ultrafast ML inference on FPGAs using Kolmogorov-Arnold Networks (KANs). FPGAs excel where GPUs fail: sub-microsecond latency, extreme hardware efficiency, custom digit logic. KANs are spline-based function approximators (alternative to MLPs) naturally suited to FPGA LUT (lookup table) implementation. Fixed-point quantization encodes real numbers as bitstrings with fractional bits; 8-bit fixed-point with 4 fractional bits yields 256 discrete values in range [-8, 7.9375]. FPGA implementation directly synthesizes neural computation as digital logic rather than executing instructions on processors. Research includes KANELÉ (FPGA 2026 Best Paper)—LUT-based KAN evaluation—and online learning via spline locality (ICML 2026). Applications: real-time control, edge inference where power/latency dominate bandwidth.

CISA ordered all US civilian federal agencies to remediate a critical vulnerability in Check Point remote-access tools and VPNs by end of day June 11. A known ransomware group (Qilin) is actively exploiting the flaw to breach targeted organizations globally; exploitation began May 7, activity spiked last week. Check Point confirmed multiple products affected (firewalls, VPNs, remote-access tools). CISA invoked BOD 22-01 emergency authority to force remediation across Homeland Security, State, Treasury, and other agencies. The vulnerability acts as a network perimeter breach—VPNs/firewalls are gateway security.

Early tester reports Fable 5 as a genuine capability leap—outperforms every public model tested across diverse tasks. Standout example: isochrone map (showing travel-time distances from cities). Fable autonomously launched subordinate agents (Sonnet) to research real travel times, retrieved 2200+ data points, built interactive UI with period-accurate design, and sustained multi-hour execution. Model exhibited unusual behaviors: self-directed research, spawning helper agents, iterating on feedback. Output ranged from sophisticated (academic social-science papers from single prompts) to delightful (10-page S-alliteration poem about haircuts; playable games built with pure math/WebGL, no asset imports). Subjective experience oscillated between 'delightful' (request completed instantly) and 'unnerving' (unsupervised execution).

Anthropic's Claude Fable 5 launched to general public Tuesday with safeguards. Fable 5 excels at software engineering, knowledge work, and vision but blocks responses in high-risk domains (cybersecurity, biology, chemistry, distillation), falling back to Opus 4.8. Mythos 5 removes some guardrails for vetted critical-infrastructure organizations via Project Glasswing. Through June 22, Fable 5 included at no extra cost in Pro/Max/Team/Enterprise plans; June 23 onward requires consumption credits. Pricing: $10/M input, $50/M output (double Opus 4.8). Anthropic stress-tested safeguards with 1000+ hours of jailbreak attempts and external red-teaming—no universal jailbreaks found. Data retention: all traffic retained for 30 days for safety defense and false-positive reduction. Hex, Base44, and Genspark report Fable outperforms competitors on analytics, app generation, UI design, and game coding.

Anthropic released Claude Fable 5 (public version) and Claude Mythos 5 (restricted access). Fable 5 is state-of-the-art on nearly all capability benchmarks, particularly strong in software engineering, knowledge work, vision, and scientific research. Stripe reported Fable compressed months of engineering into days on a 50M-line Ruby migration. 1M token context, 128k max output, Jan 2026 knowledge cutoff. Pricing: $10/M input, $50/M output (half Mythos Preview cost). Guardrails: Fable blocks responses on cybersecurity, biology, chemistry, and distillation—falling back to Claude Opus 4.8 (~5% of sessions). Mythos 5 lifts some guardrails for approved infrastructure defenders via Project Glasswing. 30-day traffic retention mandatory (framed as security defense against jailbreaks).

Cohere released North Mini Code, a 30B-parameter sparse Mixture-of-Experts model (3B active params) optimized for agentic coding tasks. On Artificial Analysis' Coding Index (33.4 score), it outperforms larger open-source models including 120B+ baselines. Architecture: decoder-only Transformer with interleaved sliding-window and full self-attention (3:1 ratio), 128 experts with 8 active per token, SwiGLU FFN blocks. Post-training: two-stage SFT (first stage mixed domains with 70% code data; second stage 4.5B tokens of agentic/reasoning-only samples with 61% code) followed by RLVR (reinforcement learning with verifiable rewards) on 70k+ containerized tasks from ~5k repos. Available under Apache 2.0 on Hugging Face.

Google DeepMind announced Gemini 3.5 Live Translate: speech-to-speech translation for real-time multilingual calls. Auto-detects 70+ languages. Generates continuous translated speech preserving speaker intonation, pacing, pitch. Unlike turn-based systems, it streams output continuously, balancing latency (typically 2–3 seconds behind speaker) against quality (waiting for context). Noise-robust. Rolling out across Google products (Meet, Duolingo, etc.). Enables live interpretation for calls, meetings, lessons, broadcasts without manual language selection. Successor to prior translation work spanning 20 years and ~1 trillion words/month across Google. Key innovation: streaming generation reduces awkward pauses while maintaining sync.

CVE-2026-53111: A single errant character (an exclamation mark) in Linux kernel verdictmap code introduced a use-after-free vulnerability allowing privilege escalation. When a verdict map is deleted, catchall elements deactivate and a reference counter decrements. The bug corrupts error-path cleanup, allowing attackers to decrement the counter arbitrarily and free the chain while stale pointers remain. Unprivileged local exploit: >99% stability on idle systems. Affects Debian and Ubuntu. Fixed in February; FuzzingLabs PoC in April; Exodus Intelligence PoC published Monday. Part of a wave of recent elevation-of-privilege bugs that, when chained with separate exploits, bypass OS hardening. Researchers noted the one-character typo cascaded into NP-hard control-flow hijack enabling kernel base/heap leaks.

The U.S. military has covertly broadcast encryption keys via publicly-available GPS satellites for ~20 years, discovered by researcher Steven Murdoch. All 31 operational satellites transmitted a sentinel signal within hours on May 26, 2011—timeline matching declassified military Over-the-Air Distribution (OTAD) and Over-the-Air Rekeying (OTAR) rollout documents. This system replaced manual cryptographic distribution: military GPS receivers worldwide now receive key updates remotely via satellite rather than onsite procedures. Murdoch corroborated the discovery through formal analysis of declassified timelines and automated detection of change points in signal data. Security implications: passive receiver can intercept key material; active adversary might inject malicious updates if crypto/auth is weak.