
All news with #privilege escalation tag

213 articles · page 2 of 11

Four OpenClaw Flaws Enable Data Theft and Persistence

🔒 Cybersecurity researchers disclosed four vulnerabilities in OpenClaw — collectively named Claw Chain — that can be chained for data theft, privilege escalation, and persistence. The flaws include two TOCTOU race conditions enabling reads and writes outside sandbox mounts, an allowlist bypass via heredoc expansion, and an access-control weakness allowing owner impersonation. Vendor patches are available in version 2026.4.22; users are urged to update immediately. Successful exploitation can expose credentials, modify configurations, and plant backdoors while mimicking normal agent behavior to evade detection.

Fragnesia: New Local Linux Kernel Privilege Flaw Emerges

🔒 Fragnesia (CVE-2026-46300) is a local Linux kernel privilege escalation that exploits the XFRM ESP-in-TCP subsystem to obtain a memory write primitive, enabling in-memory modification of security-sensitive files while bypassing standard filesystem permissions. A public PoC exists, but remote exploitation is not possible; an attacker needs local access and control of socket operations. Vendors including Red Hat and Ubuntu are issuing patches and workarounds, and administrators should update kernels, consider disabling esp4/esp6 or avoiding kernels built with CONFIG_INET_ESPINTCP, and increase monitoring until systems are patched.

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD-WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.

Fragnesia: New Linux Kernel LPE Emerging from Dirty Frag

🔒 Fragnesia (CVE-2026-46300) is a newly disclosed Linux kernel local privilege escalation discovered by William Bowling of Zellic and the V12 team, with a working PoC published on May 13. The flaw permits unprivileged users to overwrite kernel page-cache contents of read-only files, enabling in-memory tampering that can spawn a root shell without touching disk. It stems from shared page fragment bookkeeping failures tied to ESP-in-TCP decryption behavior and is being mitigated by interim distro backports and module hardening.

Windows Zero-Days Expose BitLocker and CTF Privilege Flaws

🔒 An anonymous researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) disclosed two new Windows zero-days: YellowKey, a BitLocker bypass present in the Windows Recovery Environment (WinRE), and GreenPlasma, a CTFMON-related privilege escalation. YellowKey targets Windows 11 and Windows Server 2022/2025 by placing crafted FsTx files on a USB or EFI partition and replaying them to obtain a shell even when BitLocker is enabled. The GreenPlasma proof-of-concept can create arbitrary memory section objects in SYSTEM-writable directories, potentially enabling higher-privilege manipulation, though the exploit is incomplete. Microsoft says it investigates reported issues and supports coordinated disclosure.

High-Severity Fragnesia Linux Kernel Vulnerability

⚠️ A new high-severity Linux kernel privilege escalation, named Fragnesia (CVE-2026-46300), abuses a logic bug in the XFRM ESP-in-TCP subsystem to write arbitrary bytes into the kernel page cache of read-only files, enabling local attackers to gain root. A proof-of-concept exploit demonstrates corrupting /usr/bin/su to obtain a root shell. It affects kernels released before May 13, 2026, and mirrors the mitigation used for the recently disclosed Dirty Frag class.

Fragnesia: New Linux Kernel LPE CVE-2026-46300 Alert

🔒 A new local privilege escalation dubbed Fragnesia (CVE-2026-46300) was disclosed in the Linux kernel's XFRM ESP-in-TCP subsystem, allowing unprivileged local attackers to corrupt the kernel page cache and gain root. The issue, discovered by William Bowling of V12, is a separate bug from Dirty Frag but affects the same surface. A PoC exploit has been published and multiple distributions have issued advisories. Mitigations for Dirty Frag apply until patched kernels are available.

Windows BitLocker Zero-Day: YellowKey and GreenPlasma

🔒 A researcher known as Chaotic Eclipse (Nightmare-Eclipse on GitHub) published proof-of-concept exploits named YellowKey and GreenPlasma that bypass BitLocker protections and enable local privilege escalation on affected Windows versions. YellowKey abuses the Windows Recovery Environment (WinRE) and NTFS transaction replay to spawn a shell and access encrypted volumes, while GreenPlasma allows arbitrary memory-section creation that can be escalated to SYSTEM. The author said the disclosures were driven by dissatisfaction with Microsoft's handling of reports. Microsoft says it investigates and supports coordinated disclosure.

Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Fixed

🔔 Today's May 2026 Patch Tuesday from Microsoft delivers security updates addressing 120 distinct vulnerabilities, including 17 rated Critical. The release corrects multiple remote code execution, elevation-of-privilege, information disclosure, denial-of-service, spoofing, and security feature bypass flaws across Windows, Office, SharePoint, and developer tools. Notable patches close dangerous RCE vectors in Microsoft Office (Word, Excel, PowerPoint) that can be exploited via malicious attachments or the preview pane, and key fixes include Windows GDI EMF parsing, SharePoint server RCE, and a Windows DNS Client RCE. Administrators are strongly advised to prioritize and deploy updates promptly to reduce exposure.

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.

Critical Linux Kernel LPE 'copy.fail' Vulnerability

⚠ copy.fail is a severe Linux kernel local privilege escalation disclosed on 29 April 2026 with a working proof-of-concept. It abuses the kernel crypto API (AF_ALG sockets) together with splice() to write four bytes at a time directly into the page cache of files the attacker does not own, leaving on-disk files unchanged. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora, bypasses checksum-based monitoring, and has no race or per-distro offsets; the mainline fix landed on 1 April and distros are rolling patches.

Active Directory Certificate Services: Exploitation Risks

🔐 This Unit 42 report examines how misconfigured Active Directory Certificate Services (AD CS) components create high-impact attack surfaces that enable privilege escalation, identity impersonation, and persistent access. It details exploitation techniques—especially certificate template misconfigurations and shadow credential abuse—tools observed in the wild, and a five-phase adversary lifecycle. The report emphasizes behavioral detection, telemetry correlation, and mitigation guidance to help defenders close monitoring gaps.

Dirty Frag: Chained Linux Kernel Flaws Prompt Patch Rush

🛡️ Major Linux distributions are rushing to apply fixes after the embargo on a two-bug kernel exploit, dubbed Dirty Frag, was broken. The flaw chains CVE-2026-43284 (xfrm-ESP write-what-where, CVSS 8.8) and CVE-2026-43500 (RxRPC out-of-bounds write, CVSS 7.8) to enable local privilege escalation to root. Researcher Hyunwoo Kim published a proof-of-concept after coordinating with maintainers. Vendors recommend temporarily blacklisting esp4/esp6/rxrpc modules and prioritising immediate patching.

Dirty Frag Linux Exploit Enables Reliable Root Escalation

🔒 Microsoft warns of a new local Linux privilege escalation called Dirty Frag that abuses fragmented page-cache handling to gain root. The chain uses two kernel flaws — CVE-2026-43284 (ESP) and CVE-2026-43500 (RxRPC) — and is already observed in post-compromise attacks. Administrators are urged to disable esp4, esp6, and rxrpc modules, limit local shell access, and monitor for abnormal privilege escalation while vendors roll out patches.

cPanel/WHM Fixes Three Vulnerabilities in May 2026

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.

Dirty Frag Linux Vulnerability Widens Post-Compromise Risk

⚠ Microsoft Defender researchers describe Dirty Frag, a Linux local privilege escalation that abuses kernel networking and memory-fragment handling in esp4, esp6, and rxrpc. Public proof-of-concept activity and active targeting suggest the exploit yields more reliable escalation from unprivileged user to root across multiple distributions. Microsoft recommends immediate mitigations—disable unused modules, harden containers, increase monitoring, clear caches cautiously, and prioritize vendor kernel patches—while Defender expands detections.

New Linux Dirty Frag zero-day grants local root access

⚠ A newly disclosed Linux zero-day, named Dirty Frag, enables local attackers to obtain root privileges on most major distributions with a single command. Researcher Hyunwoo Kim published a detailed write-up and a proof-of-concept exploit after an embargo was broken on May 7, 2026. The flaw stems from an approximately nine-year-old logic error in the kernel's algif_aead interface and chains two page-cache write issues to modify protected files in memory. As a temporary mitigation, administrators are advised to disable and unload the esp4, esp6, and rxrpc modules until vendor patches are available.

Dirty Frag: New Linux Kernel LPE Chaining Page-Cache Bugs

🔒 A new unpatched local privilege escalation in the Linux kernel, called Dirty Frag, was disclosed to maintainers on April 30, 2026. Researcher Hyunwoo Kim (@v4bel) says it deterministically chains two page-cache write primitives (xfrm-ESP and RxRPC) to achieve root on many distributions, and a one-command PoC has been released. Vendors recommend immediately blocklisting the esp4, esp6, and rxrpc modules and monitoring upstream and vendor advisories for patches.

Copy Fail (CVE-2026-31431): Fleet Mitigation and Outcome

🔒 Cloudflare assessed and mitigated the Linux local privilege escalation named Copy Fail (CVE-2026-31431) following public disclosure on 2026-04-29. Our behavioral detections flagged the exploit chain within minutes during validation, and threat hunting across a 48-hour window found no evidence of compromise. We deployed an eBPF LSM allow-list (bpf-lsm) to block AF_ALG binds for non-allow-listed binaries, built and staged patched LTS kernels, and completed fleet protection via controlled reboots with no customer impact.

Meta smart glasses, Copy Fail bug, and deepfake hire

🔍 Meta's smart glasses were found to upload audio and video to contractors in Nairobi for human labelling, prompting the dismissal of 1,108 workers after whistleblowers exposed the practice. The episode contrasts that privacy failure with a measured analysis of the Linux Copy Fail privilege-escalation issue and an experiment by Jake Moore demonstrating how a convincing deepfake passed a remote job interview. Practical takeaways include patching kernels promptly, strengthening hiring verification, and demanding clearer vendor transparency.