Last updated: July 5, 2026 at 9:01 AM UTC
Tag: kernel (9 articles)

New Linux kernel flaws give local users root by poisoning cached binaries

Researchers disclosed two closely related Linux kernel flaws in the traffic-control (tc) subsystem that let an unprivileged local user gain root; working exploits appeared within a day of disclosure. The main bug, nicknamed pedit COW (CVE-2026-46331), is an out-of-bounds write in the packet-editing (pedit) action that corrupts page-cache memory shared with other processes; a related variant tracked as DirtyClone (CVE-2026-43503) was demonstrated by JFrog. Rather than touching files on disk, the exploit poisons the cached copy of a setuid-root program such as /bin/su and runs the altered version as root, so integrity checks against the on-disk binary still pass. Exploitation needs the act_pedit module to be loadable and unprivileged user namespaces to be enabled, both common defaults on RHEL and Debian.

Check
Identify Linux systems running affected kernels, then check whether unprivileged user namespaces are enabled and whether the act_pedit traffic-control module can be loaded; both conditions are required. The kernel autoloads the module on demand when a tc action of that type is requested, so the question is whether it can be loaded, not whether it is currently loaded.
Affected
Linux systems on affected kernels (CVE-2026-46331 and CVE-2026-43503), including default RHEL and Debian configurations, where any local user can escalate to root despite file-integrity checks passing.
Fix
Apply kernel updates from your distribution as they ship. As interim hardening, disable unprivileged user namespaces and block loading of act_pedit where it is not needed; use an install override (install act_pedit /bin/false) in /etc/modprobe.d rather than only a blacklist line, since blacklist merely hides the module's aliases from modprobe and an explicit load by name still succeeds.

Eight-year-old Samsung KNOX kernel flaw exposed Galaxy S9 through S25

Researchers at LucidBit Labs detailed an eight-year-old use-after-free in the kernel component of Samsung's KNOX security framework that affected a huge range of Galaxy devices, from the Galaxy S9 to the S25 plus A-series models, on both Exynos and Qualcomm chips. The bug (CVE-2026-20971) is a race between two KNOX components that verify process integrity; a malicious app could exploit it to corrupt kernel memory and potentially take full control of the device. Samsung quietly fixed it in its January 2026 security update. Exploitation requires code already running on the device and some user interaction, but a lost, borrowed, or stolen phone makes that realistic.

Check
Confirm that Samsung Galaxy devices in your environment have installed the January 2026 or later security update, and identify any older or unmanaged Galaxy phones that may still be missing it.
Affected
Samsung Galaxy devices from the S9 through S25, plus A-series models on both Exynos and Qualcomm chips (CVE-2026-20971), that have not applied the January 2026 security update.
Fix
Apply the January 2026 or later Samsung security update to all Galaxy devices, enforce update compliance through mobile device management, and retire devices no longer receiving security patches.

Public exploit lands for one-character Linux kernel root flaw

A working exploit is now public for a Linux kernel bug that lets an ordinary local user become root and break out of containers. The flaw (CVE-2026-23111) lives in nf_tables, the kernel's packet-filtering code, and came down to a single inverted character that the upstream fix removed in a one-line change in February. It is reachable on common setups that have nf_tables plus unprivileged user namespaces enabled, both default on most desktops and many servers. Ubuntu rates it CVSS 7.8. There is no remote path on its own, but Exodus Intelligence published a full exploit walkthrough on June 8, which makes weaponization easy.

Check
Check the running kernel version on Linux hosts against your distribution's February 2026 or later patch, and review whether unprivileged user namespaces and nf_tables are enabled.
Affected
Linux systems on a kernel built before the February 5, 2026 nf_tables fix with both nf_tables and unprivileged user namespaces enabled (CVE-2026-23111); multi-tenant and container hosts most at risk.
Fix
Install the patched kernel package from your distribution and reboot. As a mitigation, restrict unprivileged user namespaces: set kernel.unprivileged_userns_clone to 0 on Debian-derived kernels that carry that knob, or user.max_user_namespaces to 0 elsewhere (which blocks user-namespace creation for every user, so rootless containers and sandboxes that rely on it will break).

CIFSwitch Linux LPE: forged cifs.spnego key descriptions trick cifs.upcall into running as root - cifs-utils 6.14+ across multiple distros

SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux local privilege escalation in the kernel's CIFS subsystem: an unprivileged user can forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) is the kernel's SMB client for mounting and accessing files over a network; when a share uses Kerberos, the kernel asks the user-space cifs-utils helper, cifs.upcall, to authenticate. Nothing verifies that a cifs.spnego key request originated from the kernel's CIFS client rather than from an arbitrary local process, so an attacker can supply a forged request and gain root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.

Check
Inventory Linux hosts with cifs-utils 6.14+ that mount Kerberos-authenticated CIFS shares. Identify multi-user systems where untrusted local users have shell access. Check distribution advisories for patched cifs-utils.
Affected
Linux distributions shipping cifs-utils 6.14 and higher (some older variants also affected) where the kernel CIFS subsystem fails to verify cifs.spnego key-request origin. Local shell access required.
Fix
Apply distribution kernel and cifs-utils updates as they ship. Where patches lag, restrict local user access on systems mounting Kerberos CIFS shares. Monitor request-key and cifs.upcall invocations, for example with an auditd execute watch (-w /usr/sbin/cifs.upcall -p x) so every run of the helper is recorded with the requesting session.

Qualys discloses 9-year-old Linux kernel ptrace flaw CVE-2026-46333 (ssh-keysign-pwn) - root via chage, ssh-keysign, pkexec, accounts-daemon

Qualys has disclosed a nine-year-old ptrace access-control flaw in the Linux kernel that lets an unprivileged local user read /etc/shadow and the host's SSH private keys, then chain that disclosure with any of four exploits (against chage, ssh-keysign, pkexec, and accounts-daemon) to execute commands as root. The bug is tracked as CVE-2026-46333 and was introduced in November 2016 in the kernel's __ptrace_may_access() function. It affects default installs of Debian, Fedora, and Ubuntu. A proof-of-concept has been released and the fix has landed as a public kernel commit. Qualys recommends rotating SSH host keys on any host that allowed untrusted local users before patching.

Check
Run uname -r to inventory kernels. Identify hosts that allow untrusted local users (shared dev boxes, multi-tenant CI runners, jump hosts). Search /var/log/auth.log or the journal for unusual chage, ssh-keysign, pkexec, or accounts-daemon invocations by non-administrative users.
Affected
Default installs of Debian, Fedora, and Ubuntu running Linux kernels that include the November 2016 __ptrace_may_access() change. Servers that allow local user shells are at highest risk.
Fix
Apply the latest distribution kernel updates. Temporary workaround: set kernel.yama.ptrace_scope = 2, which limits ptrace to processes with CAP_SYS_PTRACE and therefore breaks gdb and strace for non-root users. Rotate SSH host keys and any credentials held by setuid processes on hosts that allowed untrusted local users.

PinTheft Arch Linux LPE: RDS zerocopy double-free turned into io_uring page-cache overwrite, PoC released

The V12 security team has released a working PoC for PinTheft, a Linux kernel local privilege escalation rooted in a double-free in the RDS (Reliable Datagram Sockets) zerocopy send path that is turned into a page-cache overwrite through io_uring fixed buffers. The bug was patched earlier in May but has no CVE assigned yet. Exploitation requires the RDS module to be loaded (default only on Arch Linux among the major distributions), io_uring enabled, and a readable SUID-root binary. PinTheft joins DirtyDecrypt, Dirty Frag, Fragnesia, and Copy Fail in a recent run of Linux LPE disclosures.

Check
Inventory Arch Linux hosts with `pacman -Q linux`. Check whether RDS is loaded with `lsmod | grep rds`, and whether it is loadable at all: if the module is installed and not blocked, the kernel autoloads it on the first AF_RDS socket call. Look for unexpected root shells from low-privilege users in audit logs since 2026-05-20.
Affected
Linux kernels with the RDS module enabled (default only on Arch Linux among common distros) plus io_uring enabled and a readable SUID-root binary. PoC tested on x86_64.
Fix
Apply the latest Arch Linux kernel update. Temporary mitigation: `rmmod rds_tcp rds` and block reloading via /etc/modprobe.d/pintheft.conf (an `install rds /bin/false` override stops the module regardless of how it is requested). Audit io_uring usage and consider the kernel.io_uring_disabled sysctl available since kernel 6.6: 1 restricts io_uring to CAP_SYS_ADMIN and members of kernel.io_uring_group, 2 disables it entirely.

DirtyDecrypt Linux kernel root escalation PoC released - rxgk pagecache write affects Fedora, Arch, openSUSE Tumbleweed

A working proof-of-concept exploit for a recently patched Linux kernel local privilege escalation is now public. Researchers at V12 found the bug in May and were told it had already been fixed in the mainline kernel on April 25; per Tharros analyst Will Dormann it matches CVE-2026-31635. The flaw is a missing copy-on-write check in rxgk_decrypt_skb, the kernel routine that decrypts RxGK packets for the kernel's AFS (Andrew File System) client. Exploitation requires a kernel built with CONFIG_RXGK, which limits the impact to leading-edge distributions such as Fedora, Arch Linux, and openSUSE Tumbleweed. DirtyDecrypt joins Dirty Frag, Fragnesia, and Copy Fail in a recent wave of Linux LPE disclosures.

Check
Run 'uname -r' across your Linux fleet and flag hosts on Fedora, Arch, openSUSE Tumbleweed, or any other mainline kernel built with CONFIG_RXGK (check /boot/config-$(uname -r) or /proc/config.gz). Search audit logs for unexpected setuid execs since 2026-04-25.
Affected
Linux kernels built with CONFIG_RXGK enabled, primarily Fedora, Arch Linux, and openSUSE Tumbleweed. Distributions on long-term stable kernels (RHEL, Debian stable, Ubuntu LTS) are not typically affected.
Fix
Apply your distribution's latest kernel updates. Temporary mitigation (which also breaks AFS and IPsec VPNs): block esp4, esp6, and rxrpc via /etc/modprobe.d/ (install overrides, not only blacklist lines), unload them with rmmod, then drop the page cache (sync; echo 1 > /proc/sys/vm/drop_caches) to evict any already-poisoned cached copies of setuid binaries.
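The audit-log checks in the PinTheft, DirtyDecrypt and ssh-keysign-pwn items (root shells from low-privilege users, setuid execs since a date, unusual chage/ssh-keysign/pkexec runs) can be turned into detection logic over auditd records. The script below is an added example written for this page, not code from any of the research teams named above. The audit records it runs on are constructed, not captured; the x86_64 syscall numbers, the shell paths and the heuristic that a legitimate su or sudo always leaves a successful USER_AUTH record before the root shell appears are the editor's assumptions, not statements from the advisories.

```python
# Added example, not code from the research teams above; the audit records are
# constructed, not captured. It implements the log-side checks from the PinTheft,
# DirtyDecrypt and ssh-keysign-pwn items: setuid execs by unprivileged login users
# since a date, and root shells whose audit session never passed PAM. Heuristic:
# a legitimate su/sudo emits a USER_AUTH record with res=success before the shell;
# a poisoned su that skips PAM (as the page-cache exploits do) does not.
from __future__ import annotations
import re
from datetime import datetime, timezone

AUID_UNSET = 4294967295            # auid when no login uid was ever set (daemons)
EXECVE_X86_64 = {"59", "322"}      # execve, execveat on arch=c000003e; other arches differ
SHELLS = {"/usr/bin/bash", "/bin/bash", "/usr/bin/sh", "/bin/sh", "/usr/bin/zsh", "/usr/bin/dash"}
AUTHENTICATORS = {"/usr/bin/su", "/usr/bin/sudo"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

def parse_record(line: str) -> dict:
    """Flatten one auditd line to a dict; 'ts' and 'serial' come from msg=audit(...)."""
    rec = {k: v.strip("\"'") for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    if m:
        rec["ts"], rec["serial"] = int(m.group(1)), int(m.group(2))
    return rec

def parse_log(text: str) -> list[dict]:
    recs = [parse_record(l) for l in text.splitlines() if l.strip()]
    return sorted(recs, key=lambda r: (r.get("ts", 0), r.get("serial", 0)))

def epoch(date: str) -> int:
    """Midnight UTC of YYYY-MM-DD as epoch seconds, for 'since' filters."""
    return int(datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())

def _unprivileged_login(rec: dict) -> bool:
    auid = int(rec.get("auid", AUID_UNSET))
    return 1000 <= auid < AUID_UNSET

def setuid_execs(records, since: int = 0) -> list[tuple]:
    """execve records at/after `since` where the real uid differs from the
    effective uid: a setuid binary ran for an unprivileged login user. The
    SYSCALL record carries the post-exec credentials, so uid=1000 euid=0 is the
    signature of su, sudo, pkexec, chage, ssh-keysign and friends."""
    return [(r["ts"], r["ses"], r["exe"], int(r["auid"]))
            for r in records
            if r.get("type") == "SYSCALL" and r.get("syscall") in EXECVE_X86_64
            and r.get("ts", 0) >= since and _unprivileged_login(r)
            and r.get("uid") != r.get("euid")]

def unauthenticated_root_shells(records) -> list[tuple]:
    """Root shells (euid=0) for an unprivileged login user in an audit session
    with no earlier successful USER_AUTH from su or sudo."""
    authed: set[str] = set()
    hits = []
    for r in records:                      # records are time-ordered
        if (r.get("type") == "USER_AUTH" and r.get("res") == "success"
                and r.get("exe") in AUTHENTICATORS):
            authed.add(r.get("ses"))
        elif (r.get("type") == "SYSCALL" and r.get("exe") in SHELLS
                and r.get("euid") == "0" and _unprivileged_login(r)
                and r.get("ses") not in authed):
            hits.append((r["ts"], r["ses"], int(r["auid"]), r.get("ppid")))
    return hits

# Constructed sample: session 3 is a normal su (PAM USER_AUTH present), session 4
# is a su that went straight to a root bash, and the last line is a daemon.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1779240000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 ses=3 comm="su" exe="/usr/bin/su" key="exec"
type=USER_AUTH msg=audit(1779240002.500:202): pid=1234 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1779240003.000:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1779240100.000:301): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2234 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 ses=4 comm="su" exe="/usr/bin/su" key="exec"
type=SYSCALL msg=audit(1779240100.050:302): arch=c000003e syscall=59 success=yes exit=0 ppid=2234 pid=2240 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=4 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1779240200.000:401): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=4294967295 comm="bash" exe="/usr/bin/bash" key="exec"
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("setuid execs since 2026-04-25:", setuid_execs(recs, epoch("2026-04-25")))
    print("root shells without PAM auth:", unauthenticated_root_shells(recs))
```

On a real host feed it the contents of /var/log/audit/audit.log (or `ausearch --raw`), which requires execve auditing to be on (an `-a always,exit -F arch=b64 -S execve` rule). Session 4 in the sample is what a poisoned su looks like from the log side: the setuid exec of su is normal, but the root bash that follows has no PAM record in the same session, which is the gap the detection keys on.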

Third Linux kernel root exploit in three weeks - 'Fragnesia' rides the same ESP-in-TCP code path as Dirty Frag and ships with a public proof-of-concept (CVE-2026-46300)

Six days after Dirty Frag was patched, researcher William Bowling and the V12 Security team disclosed Fragnesia - a separate Linux kernel bug in the same ESP-in-TCP networking code that lets any unprivileged local user become root with one command. The public proof-of-concept overwrites the cached copy of /usr/bin/su in memory through a logic flaw that loses track of shared socket-buffer fragments, then re-runs su to drop into a root shell. The on-disk binary is left untouched, which makes the change harder to spot. Tracked as CVE-2026-46300 (CVSS 7.8), it follows Copy Fail (April 29) and Dirty Frag (May 7) in the same family.

Check
List Linux hosts where untrusted users can get a shell (multi-tenant servers, container build farms, CI runners) and verify whether the esp4/esp6/rxrpc module block from the Dirty Frag response is still in place and still effective, that is, the modules are unloaded and cannot be reloaded.
Affected
Linux kernels released before the May 13, 2026 fix, including those shipped by AlmaLinux 8/9/10, CloudLinux 7h/8/9/10, RHEL, Ubuntu, Debian, and openSUSE. Requires unprivileged user namespace creation to be enabled.
Fix
Install the patched kernel from your distribution as it lands (AlmaLinux and CloudLinux first), or use KernelCare for rebootless live patches. Interim mitigation: block the esp4, esp6, and rxrpc modules with install overrides in /etc/modprobe.d, unload them, then drop the page cache to evict any already-poisoned copies of setuid binaries.

9-year-old Linux kernel bug 'Copy Fail' lets any user with shell access become root in seconds - works on every major distribution since 2017 (CVE-2026-31431)

Researchers at Theori and Xint disclosed Copy Fail yesterday, a Linux kernel bug introduced in 2017 that lets any unprivileged user with shell access become root in seconds. The exploit is a 732-byte Python script that works without version-specific tweaks on every major Linux distribution since 2017, including Ubuntu, Amazon Linux, RHEL, and SUSE. Unlike Dirty COW it has no race to win, and unlike most kernel exploits it needs no per-kernel offsets. Like Dirty Pipe, it leaves no trace on disk because it modifies only the in-memory page cache. The bug was found using AI-assisted reverse engineering and had been hiding in the open for nearly nine years.

Check
Inventory every Linux server, container host, and CI runner you operate for kernels without the fix (4.14 and later are in scope) and for whether the algif_aead module is loaded or loadable, prioritising anything that runs untrusted code or hosts multiple tenants.
Affected
Every Linux distribution since 2017 with kernel 4.14 or later. CVE-2026-31431, CVSS 7.8. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, Docker hosts), CI/CD runners that execute untrusted PR code (GitHub Actions self-hosted, GitLab runners, Jenkins agents), notebook hosts, and anything using Linux containers as a security boundary. Firecracker microVMs and gVisor are not affected.
Fix
Apply the kernel update from your distribution that includes commit a664bf3d603d. Until patched, block the algif_aead module: 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf' then 'rmmod algif_aead'. The install override is what matters: a plain blacklist line only hides the module's aliases from modprobe and does not stop a load by name. Disabling it does not break dm-crypt, kTLS, IPsec, or SSH. For multi-tenant Kubernetes clusters, treat container boundaries as broken until patched.
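The Linux items on this page share a small set of preconditions and interim mitigations: unprivileged user namespaces (pedit COW, nf_tables, Fragnesia, Copy Fail), the Yama ptrace scope (ssh-keysign-pwn), the io_uring sysctl (PinTheft), loading of act_pedit, rds, esp4/esp6/rxrpc and algif_aead (pedit COW, PinTheft, DirtyDecrypt, Fragnesia, Copy Fail), and the cifs.spnego request-key rule (CIFSwitch). The audit script below is an added example written for this page, not code from any advisory or research team named above. It checks all of those against a filesystem prefix so it can also be exercised against a constructed fake tree. The sysctl names and the modprobe.d semantics are standard kernel and kmod behaviour; the module list, the thresholds and the "blocked means an install override" rule are the editor's reading of the Fix lines above, and nothing here reproduces an exploit.

```python
# Added example, not code from any advisory or research team on this page. Audits
# the preconditions and interim mitigations that recur across the Linux items
# above (user namespaces, Yama ptrace scope, io_uring, module loading, the
# cifs.spnego request-key rule). Nothing here reproduces an exploit. `root` is a
# filesystem prefix so the functions also run against a constructed fake tree.
from __future__ import annotations
import glob, os, re

MODULES = ("act_pedit", "rds", "esp4", "esp6", "rxrpc", "algif_aead")
_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)(?:\s|$)")
_CIFS_RULE_RE = re.compile(r"^\s*create\s+cifs\.spnego\s.*cifs\.upcall")

def read_sysctl(root: str, name: str) -> str | None:
    """Sysctl value by dotted name, or None if the knob is absent on this kernel
    (unprivileged_userns_clone is Debian-derived only; io_uring_disabled needs 6.6+)."""
    path = os.path.join(root, "proc/sys", *name.split("."))
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None

def userns_state(root: str) -> str:
    """Debian-derived: kernel.unprivileged_userns_clone=0. Mainline: user.max_user_namespaces=0
    (blocks everyone, root included, so rootless containers and sandboxes break).
    Ubuntu 24.04 also has kernel.apparmor_restrict_unprivileged_userns=1."""
    if read_sysctl(root, "kernel.unprivileged_userns_clone") == "0":
        return "disabled"
    if read_sysctl(root, "user.max_user_namespaces") == "0":
        return "disabled"
    if read_sysctl(root, "kernel.apparmor_restrict_unprivileged_userns") == "1":
        return "restricted"
    return "enabled"

def sysctl_at_least(root: str, name: str, minimum: int) -> bool:
    value = read_sysctl(root, name)
    return value is not None and value.isdigit() and int(value) >= minimum

def loaded_modules(root: str) -> set[str]:
    """Names from /proc/modules ('name size refcount deps state addr')."""
    try:
        with open(os.path.join(root, "proc/modules")) as fh:
            return {line.split()[0] for line in fh if line.strip()}
    except OSError:
        return set()

def blocked_modules(root: str) -> set[str]:
    """Modules with an 'install <mod> /bin/false' override. A 'blacklist' line only
    hides the module's aliases from modprobe; a load by real name still succeeds.
    The install override stops every path, which is why Copy Fail's fix uses it."""
    blocked: set[str] = set()
    for conf in glob.glob(os.path.join(root, "etc/modprobe.d/*.conf")):
        with open(conf) as fh:
            blocked.update(m.group(1) for m in map(_INSTALL_RE.match, fh) if m)
    return blocked

def module_state(root: str, name: str) -> str:
    """'loaded', 'blocked', or 'unblocked' (can still be loaded or autoloaded on
    demand if it is built for this kernel; confirm with modinfo)."""
    if name in loaded_modules(root):
        return "loaded"
    return "blocked" if name in blocked_modules(root) else "unblocked"

def cifs_upcall_registered(root: str) -> bool:
    """cifs-utils ships 'create cifs.spnego * * /usr/sbin/cifs.upcall %k', which
    makes the kernel run cifs.upcall as root for any cifs.spnego key request."""
    files = glob.glob(os.path.join(root, "etc/request-key.d/*.conf"))
    files.append(os.path.join(root, "etc/request-key.conf"))
    for path in files:
        try:
            with open(path) as fh:
                if any(map(_CIFS_RULE_RE.match, fh)):
                    return True
        except OSError:
            continue
    return False

def audit(root: str = "/") -> dict[str, str]:
    """Conditions that still expose the host. After unloading a module used to
    poison the page cache, evict cached setuid binaries with
    `sync; echo 1 > /proc/sys/vm/drop_caches`; pages mapped by a running process
    stay, so this does not undo a root shell that already exists."""
    findings: dict[str, str] = {}
    if userns_state(root) == "enabled":
        findings["userns"] = "unprivileged user namespaces can be created"
    if not sysctl_at_least(root, "kernel.yama.ptrace_scope", 2):
        findings["ptrace_scope"] = "below 2 (raising it breaks non-root gdb/strace)"
    if not sysctl_at_least(root, "kernel.io_uring_disabled", 1):
        findings["io_uring"] = "0 or absent (1 = CAP_SYS_ADMIN/io_uring_group only, 2 = off)"
    for mod in MODULES:
        state = module_state(root, mod)
        if state != "blocked":
            findings[mod] = f"{state}; add 'install {mod} /bin/false' to /etc/modprobe.d, then rmmod"
    if cifs_upcall_registered(root):
        findings["cifs.spnego"] = "cifs.upcall is the request-key handler; needs patched cifs-utils"
    return findings

if __name__ == "__main__":
    for key, detail in audit("/").items():
        print(f"{key}: {detail}")
```

Run it as root on each host (`python3 lpe_audit.py`); an empty result means every interim mitigation named on this page is in place, which is not the same as being patched. The "unblocked" state deliberately does not distinguish a module that is absent from one that can be autoloaded, because only `modinfo <mod>` against the running kernel can tell them apart.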