The Linux kernel bug (CVE-2026-31431, CVSS 7.8) lets any unprivileged local user escalate to root — wide blast radius on shared servers and container hosts where kernel namespaces aren't the only trust boundary. The Ivanti Endpoint Manager Mobile flaw requires an admin-level authenticated session but converts that into arbitrary remote code execution, which is the realistic threat model on any enterprise MDM. The PAN-OS entry is the one to prioritize: unauthenticated attackers hit an out-of-bounds write in the User-ID Authentication Portal and land root with no credentials required. All three have confirmed active exploitation. CISA's BOD 22-01 deadline applies to federal agencies, but the PAN-OS path especially warrants immediate patching for anyone running a perimeter firewall — unauthenticated root on a network appliance is about as bad as it gets.