GitHub Fixes Critical RCE Bug CVE-2026-3854 Within Hours of Discovery
ID: 92312ca5-80e0-53f9-9e8b-47902e5ffa6b
STIX ID: report--92312ca5-80e0-53f9-9e8b-47902e5ffa6b
Feed Name: The Cyber Express
Threat Score
GitHub disclosed CVE-2026-3854, a critical remote code execution (RCE) vulnerability in how user-supplied git push options were sanitized. The flaw allowed attackers to use semicolons to inject fields into internal headers and execute arbitrary commands. GitHub patched its cloud services the same day and released Enterprise Server updates, and found no evidence of exploitation. It advised admins to upgrade immediately and review audit logs for suspicious push options.
