< ciso
brief />
Tag Banner

All news with #vulnerability disclosure tag

573 articles · page 7 of 29

New Linux Dirty Frag zero-day grants local root access

⚠ A newly disclosed Linux zero-day, named Dirty Frag, enables local attackers to obtain root privileges on most major distributions with a single command. Researcher Hyunwoo Kim published a detailed write-up and a proof-of-concept exploit after an embargo was broken on May 7, 2026. The flaw stems from an approximately nine-year-old logic error in the kernel's algif_aead interface and chains two page-cache write issues to modify protected files in memory. As a temporary mitigation, administrators are advised to disable and unload the esp4, esp6, and rxrpc modules until vendor patches are available.
read more →

Dirty Frag: New Linux Kernel LPE Chaining Page-Cache Bugs

🔒 A new unpatched local privilege escalation in the Linux kernel, called Dirty Frag, was disclosed to maintainers on April 30, 2026. Researcher Hyunwoo Kim (@v4bel) says it deterministically chains two page-cache write primitives (xfrm-ESP and RxRPC) to achieve root on many distributions, and a one-command PoC has been released. Vendors recommend immediately blocklisting the esp4, esp6, and rxrpc modules and monitoring upstream and vendor advisories for patches.
read more →

Google Raises Bug Bounty Maximums for Android and Chrome

🔒Google has increased maximum payouts for its vulnerability reward programs, raising the top prize to $1.5 million. The new maximum applies to critical issues impacting Android, with reports indicating the full amount requires compromising the Pixel Titan M2 security chip. Rewards for vulnerabilities in Chrome now top out at $250,000. Since launching its programs in 2010, Google has paid $81.6 million to researchers.
read more →

Critical vm2 JavaScript Sandbox Flaws Allow Host Escape

⚠️ Thirteen critical vulnerabilities have been disclosed in the vm2 JavaScript sandbox, including a full sandbox escape (CVE-2026-26956) that can allow attacker-controlled code to execute host commands under specific Node.js 25/WebAssembly conditions. Another high-risk issue (CVE-2026-44007) involves NodeVM nesting interacting with the legacy module resolver and was patched in 3.11.1. Developers should upgrade to vm2 3.11.2 immediately and consider interim mitigations such as avoiding Node 25 runtimes or disabling WebAssembly for untrusted sandboxes.
read more →

Critical WebSocket Flaw in Cline Kanban Enables RCE

🔒 A critical WebSocket vulnerability in Cline's Kanban server (CVSS 9.7) allows any webpage a developer visits to silently exfiltrate workspace data, inject terminal commands and terminate agent sessions. Disclosed by Oasis Security on May 7, it affects the Kanban npm package v0.1.59 and stems from missing origin validation and authentication on three local WebSocket endpoints. Updating to v0.1.66 and disabling the default bypass permissions flag are recommended mitigations.
read more →

Copy Fail (CVE-2026-31431): Fleet Mitigation and Outcome

🔒 Cloudflare assessed and mitigated the Linux local privilege escalation named Copy Fail (CVE-2026-31431) following public disclosure on 2026-04-29. Our behavioral detections flagged the exploit chain within minutes during validation, and threat hunting across a 48-hour window found no evidence of compromise. We deployed an eBPF LSM allow-list (bpf-lsm) to block AF_ALG binds for non-allow-listed binaries, built and staged patched LTS kernels, and completed fleet protection via controlled reboots with no customer impact.
read more →

CISA Adds Ivanti EPMM Vulnerability to KEV Catalog

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-6973, an Ivanti Endpoint Manager Mobile (EPMM) improper input validation flaw. CISA cites evidence of active exploitation and emphasizes the significant risk this class of vulnerability poses to the federal enterprise. The agency reminds FCEB agencies of remediation requirements under BOD 22-01 and strongly urges all organizations to prioritize timely fixes.
read more →

MAXHUB Pivot Client Vulnerability Exposes Emails Now

⚠️The MAXHUB Pivot client (versions prior to v1.36.2) contains a vulnerability (CVE-2026-6411) that can expose tenant email addresses and related metadata in cleartext due to a hardcoded AES key embedded in the application. An attacker who obtains the encrypted data can decrypt it, and the product's MQTT enrollment mechanism may be abused to register multiple unauthorized devices, potentially causing denial of service. MAXHUB released v1.36.2 via OTA; update immediately.
read more →

ThreatsDay: Stealers, AI-Powered Exploits, and Patching

⚠️ ThreatsDay reports a mix of blunt‑force commodity attacks and high‑impact technical flaws this week. A new MicroStealer campaign is targeting education and telecom organizations, exfiltrating browser credentials, active sessions and wallets via Discord webhooks and attacker servers. Researchers disclosed critical ICS and MOVEit vulnerabilities while analysis shows the VECT 2.0 ransomware encryptor is broken. Browsers and AI are accelerating risk vectors — patch and verify installs urgently.
read more →

Critical vm2 Node.js sandbox escape vulnerabilities

⚠️ Multiple critical vulnerabilities have been disclosed in the vm2 Node.js library that allow untrusted code to break out of sandboxes and execute arbitrary host commands. The defects include numerous sandbox escapes, code injection vectors, and an allowlist bypass, with several issues rated CVSS 9.8–10.0. Affected releases span multiple 3.9.x–3.11.x builds; maintainers recommend upgrading to v3.11.2 and auditing any vm2-based sandbox deployments. The project lead has acknowledged that further bypasses are likely as research continues.
read more →

Critical vm2 sandbox vulnerability allows host RCE

🚨 A critical vulnerability in the Node.js sandbox library vm2 (CVE-2026-26956) can be exploited to escape the sandbox and execute arbitrary code on the host. The issue has been confirmed in vm2 3.10.4 on Node.js 25 (tested on 25.6.1) when WebAssembly exception handling and JSTag support are enabled. A proof-of-concept exploit is public; users should upgrade to vm2 3.10.5 or later (latest 3.11.2) immediately.
read more →

CISA Adds One Known Exploited Vulnerability to KEV

⚠️ CISA has added CVE-2026-0300, an Palo Alto Networks PAN-OS out-of-bounds write vulnerability, to the KEV Catalog after evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by their due dates. Although the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management. CISA will continue to update the catalog when vulnerabilities meet its criteria.
read more →

Rowhammer GPU Attacks Grant Full Control of NVIDIA CPUs

⚠️ Two independent research teams disclosed new Rowhammer-style attacks against NVIDIA Ampere GPUs that induce GDDR bitflips to gain arbitrary read/write access to host memory, enabling full system compromise when IOMMU is disabled by default in many BIOS settings. The proofs of concept — GDDRHammer and GeForge — manipulate GPU page tables and page directories to escalate privileges and, in demonstrations, open root shells on affected machines. A subsequent variant was shown to succeed even with IOMMU enabled; tested cards include RTX 3060, RTX A6000, and RTX 6000.
read more →

Critical PAN-OS Buffer Overflow Exploited in the Wild

⚠️ Palo Alto Networks has warned of a critical buffer overflow (CVE-2026-0300) in the User-ID Authentication Portal component of PAN-OS, allowing unauthenticated remote code execution as root. The flaw carries a CVSS of 9.3 when the portal is internet-accessible (8.7 for internal-only access). Palo Alto reports limited in-the-wild exploitation targeting publicly accessible portals; fixes are scheduled to begin May 13, 2026. Administrators should restrict or disable the portal until patches are applied.
read more →

Critical Apache HTTP/2 Double-Free May Enable RCE Now

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.
read more →

Hitachi Energy PCM600 Zip-Slip Vulnerability and Guidance

⚠️ Hitachi Energy reported a directory traversal vulnerability (CVE-2018-1002208) affecting PCM600 product lines, including legacy 2.11 and several 3.x releases. The flaw resides in an affected SharpZipLib component (pre-1.0 RC1) and allows crafted ZIP archives to write files outside intended extraction directories, creating an integrity risk. Hitachi Energy recommends migrating to maintained 3.x builds, following vendor guidance and immediate mitigations such as network isolation, removal of default credentials, and secure remote access while awaiting a planned 3.1 SP4 update.
read more →

ABB Automation Studio Certificate Validation Vulnerability

🔒 ABB has released an update for Automation Studio to address an improper certificate validation vulnerability affecting the OPC-UA and ANSL over TLS clients (CVE-2025-11043). An attacker with network access who can intercept or redirect communications could present forged certificates that pass validation, enabling interception or manipulation of data. The issue is fixed in Automation Studio 6.5; users should apply the update promptly and follow recommended network segmentation and secure remote-access practices. CISA rates this flaw as High (CVSS 7.4) and recorded no reports of active exploitation at publication.
read more →

AI-Assisted Analysis Uncovers Old Bugs in Databases

🔍 Researchers using AI-assisted analysis at Wiz's zeroday.cloud event disclosed multiple high-severity memory-safety flaws in PostgreSQL and MariaDB. Two PostgreSQL issues — including a heap overflow in the pgcrypto extension — date back more than 20 years and can enable remote code execution when fed attacker-controlled input. MariaDB's JSON schema validator also contains a heap overflow reachable by any authenticated SQL session, which under certain memory conditions can be escalated to code execution. Patches are available and maintainers strongly urge immediate upgrades.
read more →

Critical RCE in Weaver E-cology Exploited Since March

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.
read more →

Critical MOVEit Automation Auth Bypass Patch Urged

🚨 Progress warns customers to patch a critical authentication bypass in MOVEit Automation tracked as CVE-2026-4670, affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote attackers can exploit the flaw without privileges in low-complexity, no-interaction attacks. Progress says upgrading with the full installer is the only remediation and that an outage will occur during the upgrade. The vendor also released a fix for a high-severity privilege escalation, CVE-2026-5174.
read more →