
All news with #privilege escalation tag


Rowhammer GPU Attacks Grant Full Control of NVIDIA CPUs

⚠️ Two independent research teams disclosed new Rowhammer-style attacks against NVIDIA Ampere GPUs that induce GDDR bitflips to gain arbitrary read/write access to host memory, enabling full system compromise when IOMMU is disabled by default in many BIOS settings. The proofs of concept — GDDRHammer and GeForge — manipulate GPU page tables and page directories to escalate privileges and, in demonstrations, open root shells on affected machines. A subsequent variant was shown to succeed even with IOMMU enabled; tested cards include RTX 3060, RTX A6000, and RTX 6000.

Copy Fail (CVE-2026-31431): Deterministic Linux LPE

🔒 On April 29, 2026 researchers disclosed CVE-2026-31431, dubbed Copy Fail, a deterministic local privilege escalation impacting Linux kernels 4.14–6.19.12. The flaw resides in the AF_ALG crypto interface's algif_aead module and permits a controlled four-byte overwrite into the kernel page cache. A standalone 732-byte Python proof-of-concept reliably escalates to root across major distributions. Apply vendor kernel updates immediately or temporarily disable algif_aead; Cortex XDR and XSIAM provide layered detection and mitigation.

Johnson Controls AC2000 DLL Hijacking Vulnerability

⚠️ Johnson Controls' CEM AC2000 contains a DLL hijacking vulnerability (CVE-2026-21661) affecting versions 12.0, 11.0, and 10.6 that could allow a local, non‑privileged user to escalate privileges on the host. CISA assigns a CVSS v3.1 base score of 8.7 (High). The issue is not remotely exploitable and no public exploitation has been reported. Johnson Controls has released patched updates and recommends upgrading to the specified releases.

Progress patches critical MOVEit Automation flaws urgently

⚠️ Progress Software issued updates for MOVEit Automation to address two vulnerabilities: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and an improper input validation flaw that could enable privilege escalation (CVE-2026-5174, CVSS 7.7). Affected branches include releases <=2025.1.4, <=2025.0.8, and <=2024.1.7; fixes are available in 2025.1.5, 2025.0.9, and 2024.1.8. Airbus SecLab researchers reported the issues, and Progress states there are no workarounds and no confirmed in-the-wild exploitation; administrators should apply updates promptly and review access to service backend command ports.

Critical MOVEit Automation Auth Bypass Patch Urged

🚨 Progress warns customers to patch a critical authentication bypass in MOVEit Automation tracked as CVE-2026-4670, affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote attackers can exploit the flaw without privileges in low-complexity, no-interaction attacks. Progress says upgrading with the full installer is the only remediation and that an outage will occur during the upgrade. The vendor also released a fix for a high-severity privilege escalation, CVE-2026-5174.

CISA Adds Actively Exploited Linux Root Bug to KEV

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed Linux kernel vulnerability, CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of in-the-wild activity. The privilege escalation bug, nicknamed Copy Fail, affects kernels shipped since 2017 and carries a CVSS score of 7.8; patches are available in kernel releases 6.18.22, 6.19.12, and 7.0. Security vendors warn the flaw is especially dangerous for containerized environments when the algif_aead module is exposed on hosts, and detecting exploitation is difficult because the exploit uses legitimate system calls.

Linux 'Copy Fail' CVE-2026-31431: kernel LPE across distros

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.

Copy Fail: Nine-Year Linux Kernel Zero-Day Patched

🔍 A nine-year high-severity Linux kernel vulnerability called Copy Fail was discovered by Taeyang Lee of Theori using the AI code-analysis tool Xint. Assigned CVE-2026-31431, the logic bug enables an unprivileged local user with physical access to perform a deterministic four-byte write into the page cache of any readable file, potentially escalating to root. The issue affects kernels shipped since 2017; vendors have released a fix that reverts a 2017 AEAD optimization—update kernels to include commit a664bf3d603d.

Trivial Linux kernel bug allows local users to gain root

⚠️ A newly disclosed Linux kernel logic flaw dubbed Copy Fail (CVE-2026-31431) enables an unprivileged local user to write four deterministic bytes into the page cache of any readable file and gain root. Theori researchers published a 732-byte Python proof-of-concept and reported the bug to the kernel team in March; patches were committed in April. Until distributions publish updates — Arch has released a patch so far — CSOs should inventory multi-tenant and container hosts, monitor for privilege escalation, and apply fixes or temporary kernel parameters where feasible.

Linux 'Copy Fail' LPE (CVE-2026-31431) Roots Major Distros

⚠ An exploit for a local privilege escalation called Copy Fail (CVE-2026-31431) has been published, allowing unprivileged users to obtain root on Linux kernels released since 2017. The issue was discovered by Theori using its Xint Code AI pentesting platform, reported on March 23, and patched upstream in early April by reverting an in-place crypto optimization. Researchers published a compact Python PoC that they demonstrated against multiple distributions and recommend disabling the algif_aead interface as an interim mitigation while vendors distribute kernel updates.

Linux LPE 'Copy Fail' Vulnerability CVE-2026-31431

🔒 Security researchers Xint.io and Theori disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and dubbed Copy Fail, which lets an unprivileged user write four controlled bytes into the page cache of any readable file to gain root. The defect stems from a logic flaw in the kernel cryptographic algif_aead module introduced in 2017. A compact 732‑byte Python exploit can inject shellcode into a setuid binary such as /usr/bin/su and spawn a root shell, and major distributions have issued advisories.

March 2026 TTC Update: New Cloud Persistence and Risk

🔒 The AWS Customer Incident Response Team (AWS CIRT) released the March 2026 update to the Threat Technique Catalog for AWS, adding three new entries that address identity abuse, persistence, infrastructure destruction, and privilege escalation. The update highlights concrete, real-world techniques — Cognito refresh token abuse, AMI deregistration, and misuse of UpdateAssumeRolePolicy — that let attackers hide in legitimate operations. Each entry includes detection guidance and straightforward mitigations you can apply today, such as enabling refresh token rotation, protecting AMIs with Recycle Bin retention rules, and monitoring trust-policy changes.

Microsoft Patches Entra ID Role Flaw Allowing Takeover

🔒 An underscoped built-in role in Microsoft Entra ID, Agent ID Administrator, allowed users to assume ownership of arbitrary service principals and then add credentials to authenticate as those principals, enabling full service principal takeover. Silverfort researchers, led by Noa Ariel, reported the vulnerability on March 1, 2026, and Microsoft issued a patch across all cloud environments on April 9, 2026. After the update, attempts to assign ownership of non-agent service principals using the role are blocked and return a 'Forbidden' error. Organizations are advised to monitor sensitive role usage, audit service principal ownership and credential changes, and secure privileged non-human identities.

Microsoft Fixes Agent ID Administrator Role Privilege Flaw

🔒 Researchers at Silverfort discovered that Microsoft’s Agent ID Administrator role could modify and take ownership of unrelated service principals, allowing role holders to create credentials and authenticate as compromised applications. The flaw stemmed from scope enforcement failing in the Agent Identity Platform, where agent identities share primitives with applications. Microsoft deployed a fix by April 9, 2026; organizations should audit role assignments and service principal ownership and monitor for unexpected changes.

Pack2TheRoot flaw in PackageKit lets local users gain root

⚠️ A newly disclosed vulnerability, dubbed Pack2TheRoot (CVE-2026-41651), permits local Linux users to install or remove system packages and obtain root privileges by abusing the PackageKit daemon. The bug dates back to 2014 and affects PackageKit versions 1.0.2 through 1.3.4; it is resolved in PackageKit 1.3.5. Administrators should upgrade immediately, verify if packagekit is running, and monitor logs for assertion failures or crashes as likely indicators of attempted exploitation.

UAT-4356 Targets Cisco Firepower with FIRESTARTER Backdoor

🔐 Cisco Talos reports that UAT-4356 exploited FXOS n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a custom backdoor named FIRESTARTER on Cisco Firepower, ASA and FTD appliances. The implant injects into the LINA process, replaces a WebVPN XML handler, and executes shellcode delivered via specially crafted requests. Operators should follow Cisco advisories for detection, remediation and recommended software upgrades.

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.

Microsoft Issues Patch for Critical ASP.NET Core Flaw

🔒 Microsoft released an out-of-band update to address a high-severity privilege-escalation flaw in ASP.NET Core tracked as CVE-2026-40372 (CVSS 9.1). A regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 allowed the managed encryptor to compute HMAC validation over incorrect payload bytes, enabling forged payloads to pass authenticity checks and potentially grant SYSTEM-level access on non-Windows hosts. Microsoft fixed the issue in ASP.NET Core 10.0.7 and warned tokens issued during the vulnerable window remain valid until the DataProtection key ring is rotated.

Microsoft issues emergency patches for ASP.NET flaw

🔒 Microsoft has released out-of-band updates to fix a critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection APIs. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 packages caused HMAC validation to be computed over the wrong bytes, allowing forged auth cookies and decryption of protected payloads. Developers should update to 10.0.7, redeploy, and rotate DataProtection key rings to invalidate tokens issued during the vulnerable window.

Siemens RUGGEDCOM CROSSBOW SAM-P Privilege Escalation

🔒 Siemens has identified a privilege escalation vulnerability (CVE-2026-27668) in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) that permits authenticated User Administrators to grant themselves access to any device group. The issue affects SAM-P versions prior to V5.8; Siemens has released V5.8 to remediate the flaw and recommends immediate updates. Operators should also minimize network exposure and follow established industrial security guidelines.