release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix

CVE metadata refresh:
- Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module
  CVEs. Two are CISA-KEV-listed:
  - CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190)
  - CVE-2025-32463 sudo_chwoot       (2025-09-29, CWE-829)
- Populated via direct curl when refresh-cve-metadata.py's Python urlopen
  hung on CISA's HTTP/2 endpoint for ~55 min — same data, different
  transport.

dirtydecrypt module bug fix:
- dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0
- Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable
  through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0
- Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23}
- Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline
  6.19.7 instead of OK. Previously a false negative on real vulnerable
  kernels.

Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count
stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match
(was OK match).

tests/test_detect.c

@@ -318,12 +318,13 @@ static const struct skeletonkey_host h_kernel_5_14_no_userns = {
 static void run_all(void)
 {
 #ifdef __linux__
-	/* dirtydecrypt: kernel.major < 7 → predates the bug → OK */
-	run_one("dirtydecrypt: kernel 6.12 predates 7.0 → OK",
+	/* dirtydecrypt: rxgk RESPONSE bug entered at 6.16.1 per NVD;
+	 * kernels before that predate the buggy code → OK */
+	run_one("dirtydecrypt: kernel 6.12 predates 6.16.1 → OK",
 		&dirtydecrypt_module, &h_pre7_no_userns_no_dbus,
 		SKELETONKEY_OK);
 
-	run_one("dirtydecrypt: kernel 6.14 (fedora) still predates → OK",
+	run_one("dirtydecrypt: kernel 6.14 (fedora) still predates 6.16.1 → OK",
 		&dirtydecrypt_module, &h_fedora_no_debian,
 		SKELETONKEY_OK);