diff --git a/CVES.md b/CVES.md index 86c3470..f041573 100644 --- a/CVES.md +++ b/CVES.md @@ -23,16 +23,17 @@ Status legend: - ๐Ÿ”ด **DEPRECATED** โ€” fully patched everywhere relevant; kept for historical reference only -**Counts:** 31 modules total โ€” 28 verified (๐ŸŸข 14 ยท ๐ŸŸก 14) plus 3 -ported-but-unverified (`dirtydecrypt`, `fragnesia`, `pack2theroot` โ€” -see note below). ๐Ÿ”ต 0 ยท โšช 0 planned-with-stub ยท ๐Ÿ”ด 0. (One โšช row -below โ€” CVE-2026-31402 โ€” is a *candidate* with no module, not counted -as a module.) +**Counts:** 39 modules total covering 34 CVEs; **28 of 34 CVEs +verified end-to-end in real VMs** via `tools/verify-vm/`. ๐Ÿ”ต 0 ยท โšช 0 +planned-with-stub ยท ๐Ÿ”ด 0. (One โšช row below โ€” CVE-2026-31402 โ€” is a +*candidate* with no module, not counted as a module.) -> **Note on `dirtydecrypt` / `fragnesia` / `pack2theroot`:** all three -> are ported from public PoCs. The **exploit bodies** are not yet -> VM-verified end-to-end, so they're listed ๐ŸŸก but excluded from the -> 28-module verified corpus. +> **Note on unverified rows:** `vmwgfx` / `dirty_cow` / +> `mutagen_astronomy` / `pintheft` / `vsock_uaf` / `fragnesia` are +> blocked by their target environment (VMware-only, kernel < 4.4, +> mainline panic, kmod not autoloaded, or t64-transition libs), +> not by missing code. See +> [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml). > > All three now have **pinned fix commits and version-based > `detect()`**: diff --git a/README.md b/README.md index a0c470b..93069ef 100644 --- a/README.md +++ b/README.md 
@@ -133,7 +133,7 @@ uid=1000(kara) gid=1000(kara) groups=1000(kara) $ skeletonkey --auto --i-know [*] auto: host=demo distro=ubuntu/24.04 kernel=5.15.0-56-generic arch=x86_64 [*] auto: active probes enabled โ€” brief /tmp file touches and fork-isolated namespace probes -[*] auto: scanning 31 modules for vulnerabilities... +[*] auto: scanning 39 modules for vulnerabilities... [+] auto: dirty_pipe VULNERABLE (safety rank 90) [+] auto: cgroup_release_agent VULNERABLE (safety rank 98) [+] auto: pwnkit VULNERABLE (safety rank 100) 
@@ -202,18 +202,19 @@ also compile (modules with Linux-only headers stub out gracefully). ## Status -**v0.9.0 cut 2026-05-24.** 39 modules across 34 CVEs โ€” **every -year 2016 โ†’ 2026 now covered**. v0.9.0 adds 5 gap-fillers: -`mutagen_astronomy` (CVE-2018-14634 โ€” closes 2018), `sudo_runas_neg1` -(CVE-2019-14287), `tioscpgrp` (CVE-2020-29661), `vsock_uaf` -(CVE-2024-50264 โ€” Pwnie 2025 winner), `nft_pipapo` (CVE-2024-26581 โ€” -Notselwyn II). v0.8.0 added 3 (`sudo_chwoot`/CVE-2025-32463, -`udisks_libblockdev`/CVE-2025-6019, `pintheft`/CVE-2026-43494). +**v0.9.2 cut 2026-05-24.** 39 modules across 34 CVEs โ€” **every +year 2016 โ†’ 2026 now covered**. v0.9.0 added 5 gap-fillers +(`mutagen_astronomy` / `sudo_runas_neg1` / `tioscpgrp` / `vsock_uaf` / +`nft_pipapo`); v0.8.0 added 3 (`sudo_chwoot` / `udisks_libblockdev` / +`pintheft`). v0.9.1 and v0.9.2 are verification-only sweeps that took +the verified count from 22 โ†’ 28 by booting real vulnerable kernels +(Ubuntu mainline 5.4.0-26, 5.15.5, 6.19.7 + provisioner-built sudo +1.9.16p1 + Debian 12 + polkit allow rule for udisks). **28 empirically verified** against real Linux VMs (Ubuntu 18.04 / -20.04 / 22.04 + Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10 -from kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + -clang-tidy on every push. 4 prebuilt binaries (x86_64 + arm64, each -in dynamic + static-musl flavors). +20.04 / 22.04 + Debian 11 / 12 + mainline kernels from +kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + clang-tidy on +every push. 4 prebuilt binaries (x86_64 + arm64, each in dynamic + +static-musl flavors). Reliability + accuracy work in v0.7.x: - Shared **host fingerprint** (`core/host.{h,c}`) populated once at 
@@ -231,15 +232,19 @@ Reliability + accuracy work in v0.7.x: trace, OPSEC footprint, detection-rule coverage, verified-on records. Paste-into-ticket ready. - **CVE metadata pipeline** (`tools/refresh-cve-metadata.py`) โ€” fetches - CISA KEV catalog + NVD CWE; 10 of 26 modules cover KEV-listed CVEs. -- **119 detection rules** across auditd / sigma / yara / falco; one + CISA KEV catalog + NVD CWE; 10 of 34 modules cover KEV-listed CVEs. +- **151 detection rules** across auditd / sigma / yara / falco; one command exports the corpus to your SIEM. - `--auto` upgrades: per-detect 15s timeout, fork-isolated detect + exploit, structured verdict table, scan summary, `--dry-run`. -Not yet verified (4 of 26 CVEs): `vmwgfx` (VMware-guest only), -`dirty_cow` (needs โ‰ค 4.4 kernel), `dirtydecrypt` + `fragnesia` (need -Linux 7.0 โ€” not shipping yet). Rationale in +Not yet verified (6 of 34 CVEs): `vmwgfx` (VMware-guest only), +`dirty_cow` (needs โ‰ค 4.4 kernel), `mutagen_astronomy` (mainline +4.14.70 panics on Ubuntu 18.04 rootfs โ€” needs CentOS 6 / Debian 7), +`pintheft` + `vsock_uaf` (kernel modules not autoloaded on common +Vagrant boxes), `fragnesia` (mainline 7.0.5 .debs need t64-transition +libs from Ubuntu 24.04+ / Debian 13+; no Parallels-supported box has +those yet). Rationale in [`tools/verify-vm/targets.yaml`](tools/verify-vm/targets.yaml). See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and diff --git a/docs/index.html b/docs/index.html index 851e296..7a10a88 100644 --- a/docs/index.html +++ b/docs/index.html @@ -83,7 +83,7 @@
0modules
0โœ“ VM-verified
-
0โ˜… in CISA KEV
+
0โ˜… in CISA KEV
0detection rules
@@ -210,7 +210,7 @@ uid=0(root) gid=0(root)
๐Ÿ›ก
-

119 detection rules

+

151 detection rules

auditd ยท sigma ยท yara ยท falco. One command emits the corpus for your SIEM. Each rule grounded in the module's own syscalls. @@ -227,7 +227,7 @@ uid=0(root) gid=0(root)

โ˜…

CISA KEV prioritized

- 10 of 26 CVEs in the corpus are in CISA's Known Exploited + 10 of 34 CVEs in the corpus are in CISA's Known Exploited Vulnerabilities catalog โ€” actively exploited in the wild. Refreshed on demand via tools/refresh-cve-metadata.py.

@@ -294,9 +294,9 @@ uid=0(root) gid=0(root) tools/verify-vm/ spins up known-vulnerable kernels (stock distro + mainline from kernel.ubuntu.com), runs --explain --active per module, and records the - verdict. 22 of 26 CVEs confirmed against + verdict. 28 of 34 CVEs confirmed against real Linux across Ubuntu 18.04 / 20.04 / 22.04 + Debian 11 / 12 - + mainline 5.15.5 / 6.1.10. Records baked into the binary; + + mainline 5.4.0-26 / 5.15.5 / 6.1.10 / 6.19.7. Records baked into the binary; --list shows โœ“ per module.

@@ -309,7 +309,7 @@ uid=0(root) gid=0(root)
-

26 CVEs across 10 years. โ˜… = actively exploited (CISA KEV).

+

34 CVEs across 10 years. โ˜… = actively exploited (CISA KEV).

@@ -414,7 +414,7 @@ uid=0(root) gid=0(root)
๐ŸŽ“

Researchers / CTF

- 26 CVEs, 10-year span, each with the original PoC author + 34 CVEs, 10-year span, each with the original PoC author credited and the kernel-range citation auditable. --explain shows the reasoning chain; detection rules let you practice both sides. Source is the documentation. @@ -511,13 +511,13 @@ uid=0(root) gid=0(root)

shipped
diff --git a/docs/og.png b/docs/og.png index 2ac924d..7e2e510 100644 Binary files a/docs/og.png and b/docs/og.png differ diff --git a/docs/og.svg b/docs/og.svg index 675539c..b569400 100644 --- a/docs/og.svg +++ b/docs/og.svg @@ -54,9 +54,9 @@ 28 โœ“ VM-verified - + - 11 + 10 โ˜… in CISA KEV
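Review bot: in the CVES.md hunk, the retained paragraph that follows the rewritten note still opens with "All three now have **pinned fix commits and version-based `detect()`**", but "all three" referred to the deleted `dirtydecrypt` / `fragnesia` / `pack2theroot` note, while the new "Note on unverified rows" lists six modules (`vmwgfx` / `dirty_cow` / `mutagen_astronomy` / `pintheft` / `vsock_uaf` / `fragnesia`). Either name the three modules explicitly in that sentence or fold the pinned-fix-commit statement into the new note so the reference is not left dangling.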
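Review bot: in the README `@@ -202` hunk, "v0.9.2 cut 2026-05-24" carries the same date the old text gave for v0.9.0, yet v0.9.1 and v0.9.2 are described as separate verification sweeps; confirm the cut date is correct for v0.9.2. In the same hunk "Ubuntu mainline 5.4.0-26" reads like an Ubuntu distro kernel ABI version rather than a kernel.ubuntu.com mainline build (those are plain upstream versions such as 5.15.5 and 6.19.7), so say which it is; the `docs/index.html` `@@ -294` hunk repeats the same "mainline 5.4.0-26" wording and should match whatever is decided here.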
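Review bot: in the README `@@ -231` hunk, "10 of 34 modules cover KEV-listed CVEs" mixes units: 34 is the CVE count (the patch says 39 modules elsewhere), and the `docs/index.html` `@@ -227` hunk phrases the same figure as "10 of 34 CVEs". Change it to "10 of 34 CVEs" (or "N of 39 modules") so the two documents agree. The "Not yet verified (6 of 34 CVEs)" list drops `dirtydecrypt`, whose old rationale was "needs Linux 7.0 — not shipping yet" while `fragnesia` still cites mainline 7.0.5 .debs as a blocker; if `dirtydecrypt` was verified in v0.9.1/v0.9.2, the `@@ -202` hunk's list of what the sweeps booted should mention the kernel it was verified on.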
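Review bot: in the `docs/og.svg` hunk the CISA KEV count goes from 11 to 10 while the CVE count grows from 26 to 34, so one CVE was evidently reclassified out of KEV; the commit message and CVES.md should record which one and why, since the README text for this hunk only updates the denominator. The regenerated `docs/og.png` is included, which is good; make sure it was rendered from this exact SVG so the two stay in step.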