< ciso brief />

All news with the #zero day exploitation tag

389 articles · page 3 of 20

Google Finds AI-Crafted Zero-Day Exploit in Wild, Reported

🔍 The Google Threat Intelligence Group (GTIG) reported the first confirmed instance of an AI-crafted zero-day exploit observed in the wild. The researchers identified a Python-based exploit that bypasses two-factor authentication in an open-source web administration tool and disclosed the flaw to the vendor to limit mass exploitation. GTIG found artifacts in the code—help text, a hallucinated CVSS score and textbook LLM-style constructs—consistent with large language model generation, and noted broader AI abuse by threat actors including misuse of Gemini and agentic tooling.
read more →

CISA Orders Federal Agencies to Patch Ivanti EPMM Zero-Day

⚠ CISA has ordered U.S. federal agencies to patch a high-severity vulnerability in Ivanti Endpoint Manager Mobile within four days after the flaw was observed exploited as a zero-day (CVE-2026-6973). Ivanti published updates (12.6.1.1, 12.7.0.1, 12.8.0.1) and urged customers to review and rotate Admin credentials. The issue requires administrative authentication, affects only on-prem EPMM appliances, and Shadowserver reports over 800 exposed instances online.
read more →

New Linux Dirty Frag zero-day grants local root access

⚠ A newly disclosed Linux zero-day, named Dirty Frag, enables local attackers to obtain root privileges on most major distributions with a single command. Researcher Hyunwoo Kim published a detailed write-up and a proof-of-concept exploit after an embargo was broken on May 7, 2026. The flaw stems from an approximately nine-year-old logic error in the kernel's algif_aead interface and chains two page-cache write issues to modify protected files in memory. As a temporary mitigation, administrators are advised to disable and unload the esp4, esp6, and rxrpc modules until vendor patches are available.
read more →

Dirty Frag: New Linux Kernel LPE Chaining Page-Cache Bugs

🔒 A new unpatched local privilege escalation in the Linux kernel, called Dirty Frag, was disclosed to maintainers on April 30, 2026. Researcher Hyunwoo Kim (@v4bel) says it deterministically chains two page-cache write primitives (xfrm-ESP and RxRPC) to achieve root on many distributions, and a one-command PoC has been released. Vendors recommend immediately blocklisting the esp4, esp6, and rxrpc modules and monitoring upstream and vendor advisories for patches.
read more →

Critical PAN-OS Captive Portal Zero-Day Exploited Widely

⚠️ Palo Alto Networks has confirmed a critical zero-day in PAN-OS's Captive Portal (CVE-2026-0300) that allows unauthenticated remote code execution as root on exposed PA and VM series firewalls. Reporting indicates suspected state-sponsored actors exploited the flaw for nearly a month. Palo Alto plans updates beginning May 13; customers should restrict or disable the portal until patches are available.
read more →

Critical Ollama Flaw Risks Data Exposure on 300K Servers

🦙 A critical vulnerability in Ollama (CVE-2026-7482) allows unauthenticated attackers to upload a crafted GGUF model file and trigger an out-of-bounds heap read in the model quantization pipeline. The flaw can leak process memory, including system prompts, conversation history, environment variables, API keys and other secrets, back to the remote attacker. Update to Ollama 0.17.1 and restrict network access to the API.
read more →

Ivanti warns of EPMM zero-day RCE; patches released

🔒 Ivanti is urging customers to patch a high-severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) after limited zero-day exploitation. The weakness stems from improper input validation and affects on-prem EPMM 12.8.0.0 and earlier; Ivanti released fixes in 12.6.1.1, 12.7.0.1, and 12.8.0.1 and recommends reviewing and rotating admin credentials. The vendor also patched four additional high-severity EPMM issues and noted that Shadowserver currently sees over 850 exposed EPMM hosts online.
read more →

PAN‑OS Firewall RCE Zero‑Day Exploited Since April 9

🔴 Palo Alto Networks warns that suspected state‑sponsored actors have exploited a critical PAN‑OS zero‑day (CVE-2026-0300) in the User‑ID Authentication Portal, enabling unauthenticated remote code execution as root on exposed PA‑ and VM‑Series firewalls. Unit 42 says initial probing began April 9, with successful exploitation occurring about a week later; attackers cleaned logs and deployed tunneling tools. Palo Alto notes Cloud NGFW and Panorama are not affected and will issue patches starting May 13; administrators should restrict or disable the authentication portal until updates are applied.
read more →

PAN-OS Captive Portal Zero-Day Exploitation and Activity

🔒 Unit 42 details exploitation of a buffer overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal that permits unauthenticated remote code execution as root on affected PA‑Series and VM‑Series firewalls. Observed adversary activity included shellcode injection into an nginx worker, rapid log and evidence cleanup, and deployment of tunneling tools such as EarthWorm and ReverseSocks5. Immediate mitigations are to restrict or disable the portal, apply vendor guidance, and enable available threat signatures and protections.
read more →

Palo Alto Warns of Actively Exploited PAN-OS Zero-Day

🔴 Palo Alto Networks warns that a critical unpatched PAN-OS zero-day, CVE-2026-0300, is being actively exploited against the User-ID Authentication Portal (Captive Portal). The flaw is a buffer overflow that can allow unauthenticated attackers to execute arbitrary code as root on Internet-exposed PA-Series and VM-Series firewalls. Palo Alto classifies the bug at the highest severity and advises restricting or disabling the portal until a patch is available. Security telemetry from Shadowserver shows over 5,800 PAN-OS VM-series instances exposed online, increasing urgency for mitigations.
read more →

Copy Fail (CVE-2026-31431): Deterministic Linux LPE

🔒 On April 29, 2026 researchers disclosed CVE-2026-31431, dubbed Copy Fail, a deterministic local privilege escalation impacting Linux kernels 4.14–6.19.12. The flaw resides in the AF_ALG crypto interface's algif_aead module and permits a controlled four-byte overwrite into the kernel page cache. A standalone 732-byte Python proof-of-concept reliably escalates to root across major distributions. Apply vendor kernel updates immediately or temporarily disable algif_aead; Cortex XDR and XSIAM provide layered detection and mitigation.
read more →
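
The temporary mitigations in the Copy Fail and Dirty Frag entries above amount to keeping a handful of kernel modules from loading (algif_aead for Copy Fail; esp4, esp6 and rxrpc for Dirty Frag) until a fixed kernel is installed. The script below is an added example written for this page, not code from Theori, the kernel maintainers or any vendor advisory. It generates the modprobe.d directives, checks a /proc/modules-style listing for modules that are already loaded, and optionally applies the blocklist. It uses `install <module> /bin/false` rather than `blacklist <module>`, because `blacklist` only suppresses alias-based autoloading while `install` overrides any load of the module by name, including the kernel's own request_module() call when a process binds an AF_ALG socket or creates an IPsec or RxRPC socket. The file name zz-pagecache-lpe-mitigation.conf and the default directory are assumptions.

```shell
#!/bin/sh
# Added example (editor-written, not from the page or any vendor advisory):
# generate a modprobe.d blocklist for the kernel modules named in the
# Copy Fail (algif_aead) and Dirty Frag (esp4, esp6, rxrpc) mitigations,
# report which of them are currently loaded, and optionally apply the
# blocklist. Module list and file name are assumptions for illustration.

MODULES="algif_aead esp4 esp6 rxrpc"
CONF_NAME="zz-pagecache-lpe-mitigation.conf"   # assumed file name

# Print one "install <mod> /bin/false" directive per module given.
# "install" overrides every load of the module by name (including the
# kernel's request_module() on AF_ALG bind), unlike "blacklist", which
# only disables alias-based autoloading.
gen_modprobe_blocklist() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Print those of the modules in $2.. that appear in the /proc/modules-style
# listing read from $1 (first field is the module name).
# Returns 0 if at least one was found, 1 otherwise.
loaded_modules() {
    file=$1; shift
    found=1
    for m in "$@"; do
        if awk -v m="$m" '$1 == m { ok = 1 } END { exit !ok }' "$file"; then
            echo "$m"
            found=0
        fi
    done
    return $found
}

# Write the blocklist (needs root) and try to unload anything already
# loaded. A module that is in use (e.g. esp4 with live IPsec state) will
# refuse to unload; the blocklist still prevents it from reloading later.
apply_blocklist() {
    dir=${1:-/etc/modprobe.d}
    gen_modprobe_blocklist $MODULES > "$dir/$CONF_NAME"
    for m in $(loaded_modules /proc/modules $MODULES || true); do
        modprobe -r "$m" 2>/dev/null \
            || echo "warning: $m is still loaded (in use?); unload or reboot" >&2
    done
}

# Usage: sh mitigate.sh --apply [/etc/modprobe.d]
if [ "${1:-}" = "--apply" ]; then
    apply_blocklist "${2:-}"
fi
```

Run it as root with `--apply`, then confirm with `modprobe -n -v algif_aead` (which should print the `install /bin/false` override) and `grep -E '^(algif_aead|esp4|esp6|rxrpc) ' /proc/modules` (which should print nothing). The `install` override is a blunt instrument: it breaks userspace consumers of AF_ALG AEAD ciphers and any IPsec or RxRPC workload on the host, which is why the entries above describe it as a stopgap until the vendor kernel ships. Remove the file once the patched kernel is running.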

Google boosts top Android exploit rewards to $1.5M

🔐 Google updated its Android and Chrome vulnerability rewards, increasing top-tier payouts for the most difficult exploits while lowering awards for issues AI has made easier to find. The highest Android prize is $1.5 million for zero-click, full-chain persistent exploits against a Pixel Titan M2 security chip, with $750,000 for non-persistent variants. For Chrome, full-chain browser process exploits pay up to $250,000 plus a $250,128 bonus for exploiting MiraclePtr-protected allocations; Google also narrows Android scope to Linux kernel bugs in Google-maintained components unless concrete device exploitability is shown.
read more →

DarkSword: iOS Full-Chain Exploit Compromising Devices

🚨 DarkSword is a newly identified iOS full-chain exploit that chained multiple zero-day vulnerabilities to achieve full device compromise. Google Threat Intelligence Group (GTIG) links the chain to commercial surveillance vendors and suspected state-sponsored operators active since at least November 2025, with observed targeting in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit supports iOS 18.4–18.7 and installs one of three final-stage payload families—GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. A version leaked online a week after discovery; ensure devices are patched promptly.
read more →

CISA: 'Copy Fail' Linux Flaw Now Actively Exploited

🔒 CISA warns that threat actors are actively exploiting the Linux "Copy Fail" vulnerability tracked as CVE-2026-31431. The flaw exists in the kernel's algif_aead cryptographic algorithm interface and lets unprivileged local users gain root by writing four controlled bytes to the page cache of any readable file. Theori published a "100% reliable" Python PoC; vendors are issuing kernel fixes and CISA has ordered federal patches under BOD 22-01.
read more →

Windows Shell Spoofing Vulnerability Forces Rapid Patching

⚠️ Microsoft and CISA have warned that a Windows shell spoofing vulnerability (CVE-2026-32202) is being actively exploited and has prompted a CISA directive requiring federal agencies to patch by May 12. Microsoft says exploitation can expose sensitive data though it does not allow full system takeover. Security experts caution the situation was aggravated by an incomplete earlier fix for CVE-2026-21510, creating a patch gap between vendor updates and organizational deployment. CISOs face a difficult balance between rapid remediation and careful testing to avoid service disruption, and are urged to apply interim mitigations where possible.
read more →

CISA Adds Linux Kernel CVE to Exploited Vulnerabilities

⚠️ CISA added CVE-2026-31431 (Linux Kernel Incorrect Resource Transfer Between Spheres) to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by required due dates; CISA notes this vulnerability type is a frequent attack vector and poses significant risk to the federal enterprise. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management and says it will continue updating the KEV Catalog as new exploitation evidence emerges.
read more →

Copy Fail: Nine-Year Linux Kernel Zero-Day Patched

🔍 A nine-year-old high-severity Linux kernel vulnerability called Copy Fail was discovered by Taeyang Lee of Theori using the AI code-analysis tool Xint. Assigned CVE-2026-31431, the logic bug enables an unprivileged local user to perform a deterministic four-byte write into the page cache of any readable file, escalating to root. The issue affects kernels shipped since 2017; the fix reverts a 2017 AEAD optimization, so update to a kernel that includes commit a664bf3d603d.
read more →

Trivial Linux kernel bug allows local users to gain root

⚠️ A newly disclosed Linux kernel logic flaw dubbed Copy Fail (CVE-2026-31431) enables an unprivileged local user to write four deterministic bytes into the page cache of any readable file and gain root. Theori researchers published a 732-byte Python proof-of-concept and reported the bug to the kernel team in March; patches were committed in April. Until distributions publish updates — Arch has released a patch so far — CSOs should inventory multi-tenant and container hosts, monitor for privilege escalation, and apply fixes or temporary kernel parameters where feasible.
read more →

Linux LPE 'Copy Fail' Vulnerability CVE-2026-31431

🔒 Security researchers Xint.io and Theori disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and dubbed Copy Fail, which lets an unprivileged user write four controlled bytes into the page cache of any readable file to gain root. The defect stems from a logic flaw in the kernel cryptographic algif_aead module introduced in 2017. A compact 732‑byte Python exploit can inject shellcode into a setuid binary such as /usr/bin/su and spawn a root shell, and major distributions have issued advisories.
read more →

Chinese State-Linked Hacker Extradited to the U.S.

🛡️ Xu Zewei, a 34-year-old accused of working for China's Ministry of State Security and linked to the state-backed hacking group Hafnium (also called Silk Typhoon), has been extradited from Italy to the United States and arrived in Houston. He pleaded not guilty at a federal hearing and is being held at the Federal Detention Center. U.S. prosecutors allege Xu targeted COVID-19 researchers in early 2020 and participated in the 2021 Microsoft Exchange zero-day campaign; if convicted on charges including wire fraud, conspiracy to damage protected computers, and aggravated identity theft, he faces decades in prison.
read more →