< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 5 of 13

cPanel/WHM Fixes Three Vulnerabilities in May 2026

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.
read more →

Dirty Frag Linux Vulnerability Widens Post-Compromise Risk

⚠ Microsoft Defender researchers describe Dirty Frag, a Linux local privilege escalation that abuses kernel networking and memory-fragment handling in esp4, esp6, and rxrpc. Public proof-of-concept activity and active targeting suggest the exploit yields more reliable escalation from unprivileged user to root across multiple distributions. Microsoft recommends immediate mitigations—disable unused modules, harden containers, increase monitoring, clear caches cautiously, and prioritize vendor kernel patches—while Defender expands detections.
read more →

New Linux Dirty Frag zero-day grants local root access

⚠ A newly disclosed Linux zero-day, named Dirty Frag, enables local attackers to obtain root privileges on most major distributions with a single command. Researcher Hyunwoo Kim published a detailed write-up and a proof-of-concept exploit after an embargo was broken on May 7, 2026. The flaw stems from an approximately nine-year-old logic error in the kernel's algif_aead interface and chains two page-cache write issues to modify protected files in memory. As a temporary mitigation, administrators are advised to disable and unload the esp4, esp6, and rxrpc modules until vendor patches are available.
read more →

Dirty Frag: New Linux Kernel LPE Chaining Page-Cache Bugs

🔒 A new unpatched local privilege escalation in the Linux kernel, called Dirty Frag, was disclosed to maintainers on April 30, 2026. Researcher Hyunwoo Kim (@v4bel) says it deterministically chains two page-cache write primitives (xfrm-ESP and RxRPC) to achieve root on many distributions, and a one-command PoC has been released. Vendors recommend immediately blocklisting the esp4, esp6, and rxrpc modules and monitoring upstream and vendor advisories for patches.
read more →

Copy Fail (CVE-2026-31431): Fleet Mitigation and Outcome

🔒 Cloudflare assessed and mitigated the Linux local privilege escalation named Copy Fail (CVE-2026-31431) following public disclosure on 2026-04-29. Our behavioral detections flagged the exploit chain within minutes during validation, and threat hunting across a 48-hour window found no evidence of compromise. We deployed an eBPF LSM allow-list (bpf-lsm) to block AF_ALG binds for non-allow-listed binaries, built and staged patched LTS kernels, and completed fleet protection via controlled reboots with no customer impact.
read more →

Meta smart glasses, Copy Fail bug, and deepfake hire

🔍 Meta’s smart glasses were found to upload audio and video to contractors in Nairobi for human labelling, prompting the dismissal of 1,108 workers after whistleblowers exposed the practice. The episode contrasts that privacy failure with a measured analysis of the Linux Copy Fail privilege‑escalation issue and an experiment by Jake Moore demonstrating how a convincing deepfake passed a remote job interview. Practical takeaways include patching kernels promptly, strengthening hiring verification, and demanding clearer vendor transparency.
read more →

Rowhammer GPU Attacks Grant Full Control of NVIDIA CPUs

⚠️ Two independent research teams disclosed new Rowhammer-style attacks against NVIDIA Ampere GPUs that induce GDDR bitflips to gain arbitrary read/write access to host memory, enabling full system compromise when IOMMU is disabled by default in many BIOS settings. The proofs of concept — GDDRHammer and GeForge — manipulate GPU page tables and page directories to escalate privileges and, in demonstrations, open root shells on affected machines. A subsequent variant was shown to succeed even with IOMMU enabled; tested cards include RTX 3060, RTX A6000, and RTX 6000.
read more →

Copy Fail (CVE-2026-31431): Deterministic Linux LPE

🔒 On April 29, 2026 researchers disclosed CVE-2026-31431, dubbed Copy Fail, a deterministic local privilege escalation impacting Linux kernels 4.14–6.19.12. The flaw resides in the AF_ALG crypto interface's algif_aead module and permits a controlled four-byte overwrite into the kernel page cache. A standalone 732-byte Python proof-of-concept reliably escalates to root across major distributions. Apply vendor kernel updates immediately or temporarily disable algif_aead; Cortex XDR and XSIAM provide layered detection and mitigation.
read more →

Johnson Controls AC2000 DLL Hijacking Vulnerability

⚠️ Johnson Controls' CEM AC2000 contains a DLL hijacking vulnerability (CVE-2026-21661) affecting versions 12.0, 11.0, and 10.6 that could allow a local, non‑privileged user to escalate privileges on the host. CISA assigns a CVSS v3.1 base score of 8.7 (High). The issue is not remotely exploitable and no public exploitation has been reported. Johnson Controls has released patched updates and recommends upgrading to the specified releases.
read more →

Progress patches critical MOVEit Automation flaws urgently

⚠️ Progress Software issued updates for MOVEit Automation to address two vulnerabilities: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and an improper input validation flaw that could enable privilege escalation (CVE-2026-5174, CVSS 7.7). Affected branches include releases <=2025.1.4, <=2025.0.8, and <=2024.1.7; fixes are available in 2025.1.5, 2025.0.9, and 2024.1.8. Airbus SecLab researchers reported the issues, and Progress states there are no workarounds and no confirmed in-the-wild exploitation; administrators should apply updates promptly and review access to service backend command ports.
read more →

Critical MOVEit Automation Auth Bypass Patch Urged

🚨 Progress warns customers to patch a critical authentication bypass in MOVEit Automation tracked as CVE-2026-4670, affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote attackers can exploit the flaw without privileges in low-complexity, no-interaction attacks. Progress says upgrading with the full installer is the only remediation and that an outage will occur during the upgrade. The vendor also released a fix for a high-severity privilege escalation, CVE-2026-5174.
read more →

CISA Adds Actively Exploited Linux Root Bug to KEV

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed Linux kernel vulnerability, CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of in-the-wild activity. The privilege escalation bug, nicknamed Copy Fail, affects kernels shipped since 2017 and carries a CVSS score of 7.8; patches are available in kernel releases 6.18.22, 6.19.12, and 7.0. Security vendors warn the flaw is especially dangerous for containerized environments when the algif_aead module is exposed on hosts, and detecting exploitation is difficult because the exploit uses legitimate system calls.
read more →

Linux 'Copy Fail' CVE-2026-31431: kernel LPE across distros

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.
read more →

Copy Fail: Nine-Year Linux Kernel Zero-Day Patched

🔍 A nine-year high-severity Linux kernel vulnerability called Copy Fail was discovered by Taeyang Lee of Theori using the AI code-analysis tool Xint. Assigned CVE-2026-31431, the logic bug enables an unprivileged local user with physical access to perform a deterministic four-byte write into the page cache of any readable file, potentially escalating to root. The issue affects kernels shipped since 2017; vendors have released a fix that reverts a 2017 AEAD optimization—update kernels to include commit a664bf3d603d.
read more →

Trivial Linux kernel bug allows local users to gain root

⚠️ A newly disclosed Linux kernel logic flaw dubbed Copy Fail (CVE-2026-31431) enables an unprivileged local user to write four deterministic bytes into the page cache of any readable file and gain root. Theori researchers published a 732-byte Python proof-of-concept and reported the bug to the kernel team in March; patches were committed in April. Until distributions publish updates — Arch has released a patch so far — CSOs should inventory multi-tenant and container hosts, monitor for privilege escalation, and apply fixes or temporary kernel parameters where feasible.
read more →

Linux 'Copy Fail' LPE (CVE-2026-31431) Roots Major Distros

⚠ An exploit for a local privilege escalation called Copy Fail (CVE-2026-31431) has been published, allowing unprivileged users to obtain root on Linux kernels released since 2017. The issue was discovered by Theori using its Xint Code AI pentesting platform, reported on March 23, and patched upstream in early April by reverting an in-place crypto optimization. Researchers published a compact Python PoC that they demonstrated against multiple distributions and recommend disabling the algif_aead interface as an interim mitigation while vendors distribute kernel updates.
read more →

Linux LPE 'Copy Fail' Vulnerability CVE-2026-31431

🔒 Security researchers Xint.io and Theori disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and dubbed Copy Fail, which lets an unprivileged user write four controlled bytes into the page cache of any readable file to gain root. The defect stems from a logic flaw in the kernel cryptographic algif_aead module introduced in 2017. A compact 732‑byte Python exploit can inject shellcode into a setuid binary such as /usr/bin/su and spawn a root shell, and major distributions have issued advisories.
read more →

March 2026 TTC Update: New Cloud Persistence and Risk

🔒 The AWS Customer Incident Response Team (AWS CIRT) released the March 2026 update to the Threat Technique Catalog for AWS, adding three new entries that address identity abuse, persistence, infrastructure destruction, and privilege escalation. The update highlights concrete, real-world techniques — Cognito refresh token abuse, AMI deregistration, and misuse of UpdateAssumeRolePolicy — that let attackers hide in legitimate operations. Each entry includes detection guidance and straightforward mitigations you can apply today, such as enabling refresh token rotation, protecting AMIs with Recycle Bin retention rules, and monitoring trust-policy changes.
read more →

Microsoft Patches Entra ID Role Flaw Allowing Takeover

🔒 An underscoped built-in role in Microsoft Entra ID, Agent ID Administrator, allowed users to assume ownership of arbitrary service principals and then add credentials to authenticate as those principals, enabling full service principal takeover. Silverfort researchers, led by Noa Ariel, reported the vulnerability on March 1, 2026, and Microsoft issued a patch across all cloud environments on April 9, 2026. After the update, attempts to assign ownership of non-agent service principals using the role are blocked and return a 'Forbidden' error. Organizations are advised to monitor sensitive role usage, audit service principal ownership and credential changes, and secure privileged non-human identities.
read more →

Microsoft Fixes Agent ID Administrator Role Privilege Flaw

🔒 Researchers at Silverfort discovered that Microsoft’s Agent ID Administrator role could modify and take ownership of unrelated service principals, allowing role holders to create credentials and authenticate as compromised applications. The flaw stemmed from scope enforcement failing in the Agent Identity Platform, where agent identities share primitives with applications. Microsoft deployed a fix by April 9, 2026; organizations should audit role assignments and service principal ownership and monitor for unexpected changes.
read more →