Researchers at Theori and Xint disclosed Copy Fail yesterday, a Linux kernel bug introduced in 2017 that lets any unprivileged user with shell access become root in seconds. The exploit is a 732-byte Python script that works without version-specific tweaks on every major Linux distribution since 2017 - Ubuntu, Amazon Linux, RHEL, SUSE. Unlike previous kernel bugs (Dirty Cow, Dirty Pipe), Copy Fail has no race condition and no per-kernel offsets. It also leaves no trace on disk because it only modifies the in-memory page cache. The bug was found using AI-assisted reverse engineering and has been hiding in the open for nearly nine years.
Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.
Security Affairs covered new research on April 23 documenting a Linux port of the GoGra backdoor, originally seen as Windows-only. The Linux variant retains GoGra's defining feature: it uses Microsoft Graph API as its command-and-control channel, fetching commands from Outlook drafts in an attacker-controlled Microsoft 365 tenant and writing results back to the same drafts. Because the C2 traffic is HTTPS to graph.microsoft.com - the same endpoint legitimate clients hit constantly - it is invisible to most network-layer detections. The Linux port targets enterprise Linux servers with Outbound 443 access to Microsoft cloud services, broadening reach onto build servers and jump hosts.
Deutsche Telekom's Red Team disclosed CVE-2026-41651, a local privilege escalation in the PackageKit daemon that has shipped in default Linux installations since November 2014. Any unprivileged local user can invoke 'pkcon install' without a polkit prompt, install or remove arbitrary packages, and escalate to root. CVSS 8.8. Confirmed-vulnerable defaults include Ubuntu Desktop and Server LTS, Debian Trixie, Rocky Linux 10.1, and Fedora 43; any RHEL server running Cockpit is also exposed because Cockpit loads PackageKit on demand via D-Bus. PackageKit 1.3.5 fixes it. The researchers credited Anthropic's Claude Opus with helping guide the discovery.