Last updated: July 5, 2026 at 9:01 AM UTC
Tag: lpe (3 articles)

Broadcom patches macOS local privilege escalation in VMware Fusion - SETUID TOCTOU lets unprivileged users get root on the host (CVE-2026-41702)

Broadcom released a security update for VMware Fusion to fix CVE-2026-41702, a high-severity local privilege escalation that lets any non-administrative user on a Mac running Fusion become root on the host. The flaw is a time-of-check time-of-use race condition inside a SETUID binary used by Fusion - the kind of bug that turns a foothold on a developer workstation into full host control. Researcher Mathieu Farrell reported it privately. Broadcom rated the issue 'important' (CVSSv3 7.8). The advisory landed the same week as Pwn2Own Berlin, where VMware ESXi exploits can earn participants up to 200,000 dollars - Broadcom is on-site.

Check
Inventory macOS endpoints with VMware Fusion installed (especially developer, security research, and lab fleets), check the installed Fusion version against the patched 26H1 release, and review who has local user access on those Macs.
Affected
VMware Fusion 25H2 on macOS. Exploit requires local user access to the Mac but not administrative privileges - so any shared, lab, or developer workstation is in scope.
Fix
Update VMware Fusion to 26H1 from the Broadcom Support Portal. On managed Mac fleets, push the update through MDM. Until patched, restrict shared access to Fusion-equipped Macs and prefer admin-only accounts for hands-on lab work.

Third Linux kernel root exploit in three weeks - 'Fragnesia' rides the same ESP-in-TCP code path as Dirty Frag and ships with a public proof-of-concept (CVE-2026-46300)

Six days after Dirty Frag was patched, researcher William Bowling and the V12 Security team disclosed Fragnesia - a separate Linux kernel bug in the same ESP-in-TCP networking code that lets any unprivileged local user become root in one command. The public proof-of-concept overwrites /usr/bin/su in memory using a logic flaw that loses track of shared socket-buffer fragments, then re-runs su to drop into a root shell. The on-disk binary is left untouched, which makes the change harder to spot. Tracked as CVE-2026-46300 (CVSS 7.8), it follows Copy Fail (April 29) and Dirty Frag (May 7) in the same family.

Check
List Linux hosts where untrusted users can get a shell (multi-tenant servers, container build farms, CI runners) and verify whether the esp4/esp6/rxrpc module blacklist from Dirty Frag is still in place.
Affected
All Linux kernels released before May 13, 2026, including AlmaLinux 8/9/10, CloudLinux 7h/8/9/10, RHEL, Ubuntu, Debian, and openSUSE. Requires unprivileged user namespace creation enabled.
Fix
Install the patched kernel from your distribution as it lands (AlmaLinux and CloudLinux first), or use KernelCare for rebootless livepatches. Interim mitigation: blacklist esp4, esp6, and rxrpc modules, then drop the page cache.

Brand-new Linux 'Dirty Frag' bug lets any local user become root on every major distribution - PoC exploit is public, no patches yet

Researcher Hyunwoo Kim disclosed Dirty Frag yesterday after an unrelated third party broke the embargo five days early. The flaw chains two Linux kernel page-cache write bugs (xfrm-ESP and RxRPC) to give any local user root access on every major distribution - Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Like Dirty Pipe and last week's Copy Fail, it's a deterministic logic bug with no race condition required and no kernel panic on failure. PoC is public on GitHub. The ESP variant patch was merged into the netdev tree on May 7 but distribution kernels remain unpatched. No CVE assigned yet because the embargo broke early.

Check
Inventory Linux servers, container hosts, CI runners, and Kubernetes nodes that allow shell access or run untrusted code. Check whether esp4, esp6, and rxrpc kernel modules are loaded with 'lsmod | grep -E "esp4|esp6|rxrpc"'.
Affected
Every Linux distribution with kernel 4.10+ (ESP variant) and 5.x+ (RxRPC variant). All major distros confirmed: Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, container hosts), CI/CD runners executing untrusted PR code. Firecracker microVMs and gVisor are not affected.
Fix
Blacklist vulnerable modules:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
This breaks IPsec VPNs and AFS filesystems but stops the exploit. Apply distribution kernel patches as soon as they ship - AlmaLinux has early test patches. Treat container boundaries as broken until patched.
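To verify that the esp4/esp6/rxrpc mitigation named in the Dirty Frag and Fragnesia entries is actually in effect on a host, the following added example (not part of the original articles or any vendor tooling) checks both the install overrides and the running kernel. The function names and the --live/--demo switches are hypothetical, the sample files are constructed, and only the one configuration directory passed in is scanned, although modprobe also reads other directories such as /usr/lib/modprobe.d.

```shell
#!/bin/sh
# Added example: audit the interim esp4/esp6/rxrpc mitigation on one host.
MODULES="esp4 esp6 rxrpc"

# module_status CONF_DIR PROC_MODULES MODULE prints one of:
#   loaded     module is in the running kernel, so the override came too late
#   mitigated  "install <module> /bin/false" present and module not loaded
#   unblocked  no install override (a plain "blacklist" line is not counted:
#              it only suppresses alias-based autoloading)
module_status() {
    conf_dir=$1; proc_modules=$2; mod=$3
    # /proc/modules format: the module name is the first field.
    if awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$proc_modules"; then
        echo loaded
    elif cat "$conf_dir"/*.conf 2>/dev/null | awk -v m="$mod" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        $1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
        END { exit !hit }'; then
        echo mitigated
    else
        echo unblocked
    fi
}

# audit_modules CONF_DIR PROC_MODULES: one "module status" line per module;
# returns 1 if any module is not fully mitigated.
audit_modules() {
    rc=0
    for m in $MODULES; do
        st=$(module_status "$1" "$2" "$m")
        printf '%-6s %s\n' "$m" "$st"
        [ "$st" = mitigated ] || rc=1
    done
    return "$rc"
}

# demo: run the audit against constructed sample files (not real host data).
demo() {
    tmp=$(mktemp -d)
    printf 'install esp4 /bin/false\nblacklist esp6\n' > "$tmp/dirtyfrag.conf"
    printf 'rxrpc 200704 0 - Live 0x0000000000000000\n' > "$tmp/modules"
    audit_modules "$tmp" "$tmp/modules"; rc=$?
    rm -rf "$tmp"; return "$rc"
}

case "${1:-}" in
    --live) audit_modules /etc/modprobe.d /proc/modules ;;
    --demo) demo ;;
esac
```

Run with --live on a real host; a non-zero exit means at least one module is still loaded or lacks an install override, which makes the script usable as a fleet compliance check.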