Canonical A.I CyberSecurity Scoring
Canonical
Company Information
Website:http://www.canonical.com/
Employees number:1,911
Number of followers:732,822
NAICS:5112
Industry Type:Software Development
Homepage:canonical.com
Canonical Risk Score (AI oriented)
Between 700 and 749
Canonical (Software Development)
Updated:
08/06/2026
735/1000
Moderate
Ba
Canonical Global Score (TPRM)
Canonical (Software Development)
Score locked
Canonical: Moderate
Current Score
735Ba (MODERATE)
8 incidents
-7.8 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
735
MAY 2026
738
Vulnerability
07 May 2026 • Canonical
openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released
Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros
738
CRITICAL 0
TUXOPEFEDTHEUBU1778214411
Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros
A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws, an xfrm-ESP page-cache write and an RxRPC page-cache write, to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, relies on a deterministic logic flaw rather than a race condition, giving it a high success rate without kernel panics.
Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag exploits the kernel’s zero-copy send path, where `splice()` inserts a reference to a read-only page cache (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side `sk_buff`. Receiver-side cryptographic operations then modify the page cache in-place, corrupting files even for unprivileged users.
### Exploit Mechanics
1. xfrm-ESP Variant:
   - Targets `esp_input()` in the IPsec ESP receive path, skipping buffer allocation checks (`skb_cow_data()`) for non-linear `skb`s.
   - Attackers use `XFRMA_REPLAY_ESN_VAL` to overwrite arbitrary bytes (e.g., `/usr/bin/su`) with a root-shell ELF, requiring user namespace creation (`unshare(CLONE_NEWUSER)`), which is blocked on some Ubuntu systems via AppArmor.
2. RxRPC Variant:
   - Exploits `rxkad_verify_packet_1()` to perform in-place decryption on the first 8 bytes of an RxRPC payload.
   - Attackers brute-force a session key to manipulate plaintext (e.g., emptying `/etc/passwd`'s password field), bypassing PAM authentication. This variant does not require namespace privileges but relies on the `rxrpc.ko` module, absent by default on RHEL but present on Ubuntu.
Chaining both exploits ensures root access across distributions, with the PoC first attempting the ESP path before falling back to RxRPC if `unshare` fails.
### Affected Systems
The vulnerabilities span nine years, with the ESP flaw introduced in January 2017 (commit `cac2661c53f3`) and the RxRPC flaw in June 2023 (commit `2dc334f1a63a`). Confirmed affected distributions include:
- Ubuntu 24.04.4 (kernel 6.17.0-23)
- RHEL 10.1 (kernel 6.12.0-124.49.1)
- openSUSE Tumbleweed (kernel 7.0.2-1)
- CentOS Stream 10, AlmaLinux 10, Fedora 44
### Patches & Mitigation
- The ESP patch, using `SKBFL_SHARED_FRAG` to enforce buffer isolation, was merged into the netdev tree on May 7, 2026.
- The RxRPC patch remains unmerged upstream.
- No CVEs have been assigned due to the premature embargo break.
- Temporary mitigation involves blacklisting the affected modules (`esp4`, `esp6`, `rxrpc`) via:
```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```
This disrupts IPsec and RxRPC functionality, requiring careful evaluation for systems reliant on VPNs.
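A check for whether the module blacklist above is actually in effect on a host, written as an added example (not code from the page or from the researcher's repository). It reads the standard Linux paths `/proc/modules` and `/etc/modprobe.d/*.conf`, and it accepts both `/bin/false` and `/bin/true` as the target of an `install` directive, since both are common blacklisting idioms; the functions take text so they can be run against the constructed sample at the bottom.

```python
"""Audit whether the Dirty Frag module blacklist above is actually in effect."""
import re
from pathlib import Path

RISKY_MODULES = ("esp4", "esp6", "rxrpc")   # the modules the advisory names
INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\s*$")


def loaded_modules(proc_modules_text: str) -> set[str]:
    """Module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def blacklisted_modules(modprobe_conf_texts) -> set[str]:
    """Modules with an `install <name> /bin/false` (or /bin/true) directive
    in any of the given modprobe.d file contents; comments are ignored."""
    found = set()
    for text in modprobe_conf_texts:
        for line in text.splitlines():
            m = INSTALL_RE.match(line.split("#", 1)[0])
            if m:
                found.add(m.group(1))
    return found


def audit(proc_modules_text: str, modprobe_conf_texts) -> dict[str, dict]:
    """Per risky module: whether it is loaded, whether it is blacklisted, and a verdict."""
    loaded = loaded_modules(proc_modules_text)
    blocked = blacklisted_modules(modprobe_conf_texts)
    report = {}
    for mod in RISKY_MODULES:
        is_loaded, is_blocked = mod in loaded, mod in blocked
        if is_loaded:
            verdict = "loaded: unload it (rmmod) or reboot after blacklisting"
        elif is_blocked:
            verdict = "mitigated"
        else:
            verdict = "not loaded but still autoloadable: add an install directive"
        report[mod] = {"loaded": is_loaded, "blacklisted": is_blocked, "verdict": verdict}
    return report


def audit_live_system() -> dict[str, dict]:
    """Run the audit against the real /proc/modules and /etc/modprobe.d/*.conf."""
    confs = [p.read_text() for p in sorted(Path("/etc/modprobe.d").glob("*.conf"))]
    return audit(Path("/proc/modules").read_text(), confs)


# Constructed sample state: rxrpc is loaded; esp4/esp6 are blacklisted but esp4 is still loaded.
SAMPLE_PROC_MODULES = ("rxrpc 712704 0 - Live 0xffffffffc0a00000\n"
                       "esp4 24576 0 - Live 0xffffffffc0b00000\n")
SAMPLE_CONF = "# Dirty Frag mitigation\ninstall esp4 /bin/false\ninstall esp6 /bin/false\n"

if __name__ == "__main__":
    for mod, result in audit_live_system().items():
        print(f"{mod}: {result['verdict']}")
```

A module that is blacklisted but still loaded stays exploitable until it is unloaded, which is why the verdict distinguishes the two states.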
The full technical write-up and PoC are available on the researcher’s GitHub repository.
MAY 2026
756
Cyber Attack
01 May 2026 • Canonical
Canonical: Ubuntu Website and Canonical Web Services Hit by DDoS Attack
Ubuntu Infrastructure Hit by Major DDoS Attack, Disrupting Global Open-Source Services
738
CRITICAL -18
CAN1777638222
Ubuntu Infrastructure Hit by Major DDoS Attack, Disrupting Global Open-Source Services
Canonical, the company behind the Ubuntu Linux distribution, is facing widespread service outages following a large-scale Distributed Denial-of-Service (DDoS) attack. The hacktivist group The Islamic Cyber Resistance in Iraq – 313 Team has claimed responsibility for the assault, which has taken down critical Ubuntu web services and developer infrastructure.
Affected Services and Impact
The attack has disrupted over a dozen key domains and services, including:
- Primary websites: `ubuntu.com`, `canonical.com`, `security.ubuntu.com`, `archive.ubuntu.com`
- Developer and security resources: `developer.ubuntu.com`, `blog.ubuntu.com`, `portal.canonical.com`
- Security APIs: Ubuntu Security API (CVEs and Notices), relied upon by system administrators and automated patching tools
- Cloud and automation platforms: `jaas.ai`, `maas.io`, `academy.canonical.com`
The outage of `archive.ubuntu.com` has hindered package installations and system updates, while the disruption of security APIs may delay vulnerability patching for organizations dependent on Ubuntu’s real-time advisories.
Attack Details and Response
The incident was first flagged by threat intelligence account Vecert Analyzer on X (formerly Twitter), describing it as a "massive attack against open-source infrastructure." The 313 Team, known for politically motivated cyberattacks, has previously targeted Western and tech-related entities.
While a DDoS attack does not in itself involve a data breach or system compromise, the sustained disruption poses significant operational challenges for developers, enterprises, and cloud providers using Ubuntu. Canonical has acknowledged the outages via its status page and official X account but has not yet issued a formal statement attributing the incident to the DDoS campaign.
As of May 1, 2026, services remain disrupted, with no estimated time for restoration. Security teams are advised to use alternative sources like the NVD or OSV for vulnerability data until full recovery.
APRIL 2026
756
MARCH 2026
764
Vulnerability
18 Mar 2026 • Canonical
Ubuntu: Cyber Security News ®’s Post
Ubuntu Desktop Flaw (CVE-2026-3888) Grants Root Access via Default System Components
755
CRITICAL -9
CAN1773822577
Ubuntu Desktop Flaw (CVE-2026-3888) Grants Root Access via Default System Components
A critical local privilege escalation (LPE) vulnerability, tracked as CVE-2026-3888, has been discovered in default installations of Ubuntu Desktop 24.04 and later, allowing unprivileged local attackers to gain full root access. The flaw stems from an unintended interaction between two native Ubuntu daemons, snap-confine (part of the Snap package manager) and systemd-tmpfiles, rather than from a traditional malicious exploit.
The issue arises when systemd-tmpfiles automatically clears a Snap’s private `/tmp` directory after 10–30 days of uptime. An attacker can exploit this by strategically recreating the directory, hijacking the execution environment and escalating privileges. Since both components are deeply embedded in Ubuntu’s default setup, the vulnerability poses a significant risk to unpatched systems.
Ubuntu has released patches (USN-8102-1) to address the flaw, urging users to update affected LTS machines. The incident highlights a growing trend in privilege escalation attacks, where trusted system components rather than individual binaries create unexpected security gaps. The discovery also raises concerns about potential risks in other Ubuntu-based distributions relying on similar default configurations.
Vulnerability
18 Mar 2026 • Canonical
GNU: Critical Telnetd Vulnerability Enables Remote Code Execution Attacks
Critical Telnetd Vulnerability (CVE-2026-32746) Exposes Legacy Systems to Remote Code Execution
755
CRITICAL -9
GNU1773836738
Critical Telnetd Vulnerability (CVE-2026-32746) Exposes Legacy Systems to Remote Code Execution
A severe buffer overflow vulnerability (CVE-2026-32746) has been identified in the GNU InetUtils telnetd daemon, allowing unauthenticated attackers to execute arbitrary code with root privileges. The flaw, rated 9.8 (CVSS 3.1), was discovered by Dream Security Labs and affects all versions of the software up to 2.7.
The vulnerability stems from improper handling of LINEMODE SLC (Set Local Characters) option negotiation during the initial connection handshake. By sending a maliciously crafted message with an excessive triplet count over TCP port 23, attackers can trigger a buffer overflow before authentication occurs, meaning no credentials or user interaction are required. Since telnetd typically runs with root privileges, successful exploitation grants full system compromise, enabling backdoor deployment, data exfiltration, or lateral movement within a network.
While modern IT environments have largely replaced Telnet with SSH, the protocol persists in legacy Industrial Control Systems (ICS), operational technology (OT), and government networks, including PLCs, SCADA systems, and embedded devices where upgrades are costly or operationally disruptive. This makes the flaw particularly dangerous for critical infrastructure, such as power grids, water treatment facilities, and manufacturing plants, where security modernization is slow and exposed systems remain common.
Mitigation efforts include disabling telnetd where possible, blocking port 23 at the network perimeter, restricting access to trusted IPs, and running the daemon without root privileges. Detection requires network-level monitoring, as standard logs won’t capture the attack. Security teams should configure firewalls to log all port 23 connections and deploy IDS/IPS solutions (e.g., Suricata, Snort) to flag LINEMODE SLC payloads exceeding 90 bytes. No active exploitation has been confirmed, but the flaw’s severity demands immediate action.
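The detection advice above (flag LINEMODE SLC payloads exceeding 90 bytes) as a small parser a packet-capture script or a custom IDS rule could embody, written here as an added example rather than code from the page or from GNU InetUtils. The protocol constants are the telnet values from RFC 1184; the threshold is the advisory's figure; the sample payloads are constructed, and the helper that builds them is a test aid, not part of the detector.

```python
"""Flag oversized telnet LINEMODE SLC subnegotiations (RFC 1184)."""
IAC, SB, SE = 255, 250, 240   # telnet command bytes
LINEMODE = 34                 # option code for LINEMODE
SLC = 3                       # LINEMODE suboption: Set Local Characters
SLC_BYTE_THRESHOLD = 90       # alert above this many SLC body bytes (advisory figure)

def find_slc_subnegotiations(payload: bytes) -> list[bytes]:
    """Return the body of every IAC SB LINEMODE SLC ... IAC SE in payload.

    Doubled IAC bytes (an escaped literal 0xFF) are collapsed, so the body
    length equals what the server would copy into its SLC buffer. A
    truncated subnegotiation is still returned.
    """
    bodies, i, n = [], 0, len(payload)
    while i + 3 < n:
        if payload[i:i + 4] != bytes([IAC, SB, LINEMODE, SLC]):
            i += 1
            continue
        j, body = i + 4, bytearray()
        while j < n:
            b = payload[j]
            if b != IAC:
                body.append(b)
                j += 1
            elif j + 1 < n and payload[j + 1] == IAC:
                body.append(IAC)  # escaped 0xFF data byte
                j += 2
            else:
                j += 2            # IAC SE (or a malformed IAC x) ends the SB
                break
        bodies.append(bytes(body))
        i = j
    return bodies

def slc_alerts(payload: bytes, threshold: int = SLC_BYTE_THRESHOLD) -> list[dict]:
    """One alert per SLC subnegotiation whose body exceeds the threshold."""
    return [{"slc_bytes": len(b), "triplets": len(b) // 3}
            for b in find_slc_subnegotiations(payload) if len(b) > threshold]

def build_slc(triplets) -> bytes:
    """Constructed test helper: encode (function, flags, value) SLC triplets."""
    body = bytearray()
    for triplet in triplets:
        for b in triplet:
            body.append(b)
            if b == IAC:
                body.append(IAC)  # escape a literal 0xFF
    return bytes([IAC, SB, LINEMODE, SLC]) + bytes(body) + bytes([IAC, SE])

# Constructed samples: a normal three-triplet negotiation and a 40-triplet (120-byte) one.
BENIGN = build_slc([(1, 0x02, 0x00), (3, 0x02, 0x03), (18, 0x82, 0xFF)])
OVERSIZED = build_slc([(1, 0x02, 0x41)] * 40)

if __name__ == "__main__":
    print(slc_alerts(BENIGN))     # []
    print(slc_alerts(OVERSIZED))  # [{'slc_bytes': 120, 'triplets': 40}]
```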
MARCH 2026
769
Vulnerability
13 Mar 2026 • Canonical
Debian and Ubuntu: OpenSSH GSSAPI Vulnerability Allow an Attacker to Crash SSH Child Processes
Critical OpenSSH GSSAPI Vulnerability (CVE-2026-3497) Exposes Linux Systems to Remote Crashes and Privilege Escalation Risks
764
CRITICAL -5
CANDEB1773375831
Critical OpenSSH GSSAPI Vulnerability (CVE-2026-3497) Exposes Linux Systems to Remote Crashes and Privilege Escalation Risks
A severe vulnerability in the GSSAPI Key Exchange implementation of OpenSSH, tracked as CVE-2026-3497, has been discovered by security researcher Jeremy Brown. The flaw affects multiple Linux distributions that applied the GSSAPI patch to their OpenSSH packages, enabling attackers to crash SSH child processes reliably and violate privilege separation boundaries with a single crafted network packet.
The issue originates from a one-line coding error in kexgsss.c, the server-side GSSAPI key exchange handler. The function `sshpkt_disconnect()`, which only queues a disconnect message, was mistakenly used instead of `ssh_packet_disconnect()`, which terminates the process. This oversight causes the error handler to proceed into code that reads an uninitialized stack variable (`recv_tok`), whose contents are then passed to the privileged monitor process via IPC. The result is heap corruption when `gss_release_buffer()` attempts to free a garbage pointer.
Key details of the vulnerability include:
- Exploitation requirements: a single 300-byte SSH packet; no authentication needed.
- Impact: 100% reliable crashes of SSH child processes on tested systems, with a 90-second lockout on x86_64 platforms. Crashes may trigger SIGABRT (signal 6) or SIGSEGV (signal 11).
- Privilege separation risk: Up to 127KB of heap data can be transmitted to the root-level monitor process via the privsep IPC channel, potentially enabling further exploitation.
- Variability across systems: Compiler flags and optimizations affect the severity. For example:
  - Clang (-O0): Leaves a pointer value of `0xfffbe600` (4 bytes).
  - GCC (-O2 -fno-stack-protector): Leaves a valid heap address (127,344 bytes).
- Tested configurations: `recv_tok.value` may point to NULL, stack/heap addresses, or unmapped memory.
Affected systems include Ubuntu and Debian servers with `GSSAPIKeyExchange` enabled, though the scope likely extends to other distributions due to variations in the GSSAPI KEX patch. The fix is straightforward: replacing all instances of `sshpkt_disconnect()` with `ssh_packet_disconnect()` in kexgsss.c. Ubuntu has already released a patch, and administrators are advised to apply updates or disable GSSAPIKeyExchange as a temporary mitigation.
FEBRUARY 2026
773
Vulnerability
05 Feb 2026 • Canonical
Debian, AlmaLinux, Ubuntu and Rocky Linux: Cyber Security News ®’s Post
Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local Privilege Escalation
768
CRITICAL -5
TUXCANDEBROC1780943498
Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local Privilege Escalation
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, allowing unprivileged local attackers to escalate privileges to root on widely used distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. The bug resides in the nft_map_catchall_activate() function within nftables, a packet filtering framework built on Linux’s Netfilter hooks.
Testing in a controlled lab environment revealed that Rocky Linux exhibited lower vulnerability exposure post-update compared to Ubuntu and Red Hat systems. However, kernel backports and system configurations influence risk, meaning version numbers alone may not fully indicate exposure. The vulnerability appears to affect Linux kernels 5.15 and later, while default kernels in AlmaLinux and Rocky Linux (5.14) remain unaffected.
The flaw underscores the ongoing risks of privilege escalation in Linux environments, particularly in systems relying on nftables for network filtering.
JANUARY 2026
775
Vulnerability
26 Jan 2026 • Canonical
GNU: Over 800K GNU InetUtils telnetd Instances Exposed to RCE Attacks as PoC Released
Critical RCE Vulnerability in GNU InetUtils telnetd Exposes 800,000 Systems
773
CRITICAL -2
GNU1769439621
Critical RCE Vulnerability in GNU InetUtils telnetd Exposes 800,000 Systems
A severe remote code execution (RCE) vulnerability, CVE-2026-24061, has been identified in the GNU InetUtils telnetd component, affecting approximately 800,000 exposed instances worldwide. The flaw, rated Critical (CVSS 9.8), allows unauthenticated attackers to execute arbitrary commands with root privileges on vulnerable systems.
The vulnerability stems from inadequate input validation in the telnetd service, enabling threat actors to craft malicious payloads that compromise systems. Proof-of-concept exploits have already been demonstrated, increasing the risk of widespread attacks. Since telnetd often runs with elevated privileges on legacy systems, successful exploitation grants full control over affected infrastructure.
Data from the Shadowserver Foundation’s Accessible Telnet Report reveals that exposed instances span multiple geographies and networks, with many systems running unpatched versions for extended periods. While safe vulnerability-specific scanning remains unavailable, organizations can use Shadowserver’s report to identify at-risk systems by cross-referencing their infrastructure against publicly accessible telnet services.
Immediate remediation steps include disabling telnetd on public-facing systems, implementing network segmentation, and upgrading to patched versions of GNU InetUtils. For systems where telnetd cannot be removed, restricting access via firewall rules and monitoring for exploitation attempts is recommended. The combination of widespread exposure, exploit availability, and delayed patching makes this a high-priority threat for affected organizations.
DECEMBER 2025
775
NOVEMBER 2025
775
OCTOBER 2025
775
SEPTEMBER 2025
771
AUGUST 2025
775
JULY 2025
771
JANUARY 2017
775
Vulnerability
01 Jan 2017 • Canonical
Debian, SUSE, Ubuntu and Sudo: ‘CrackArmor’ Vulnerability in AppArmor Impacts 12.6M Linux Systems
Critical AppArmor Vulnerabilities Expose Millions of Linux Systems to Attack
773
CRITICAL -2
SUSDEBSUDCAN1773426242
Critical AppArmor Vulnerabilities Expose Millions of Linux Systems to Attack
Cybersecurity firm Qualys has uncovered nine severe vulnerabilities in AppArmor, the default security enforcement tool for major Linux distributions, including Ubuntu, Debian, and SUSE. These flaws, present since 2017 (version v4.11), affect an estimated 12.6 million enterprise systems worldwide, leaving them vulnerable to privilege escalation and container escapes.
The vulnerabilities stem from a "confused deputy" attack, where a low-privileged user manipulates trusted system tools (such as Sudo or Postfix) to bypass security restrictions. By exploiting hidden pseudo-files, attackers can gain root access, disable protections, or even break out of isolated containers often without detection. The risks include denial-of-service (DoS) attacks, unauthorized system modifications, and the removal of critical security policies.
The impact extends to banking, healthcare, and telecommunications, with CISA and DHS issuing emergency alerts for energy, water, and defense sectors, citing potential alignment with state-sponsored hacking tactics. Qualys CTO Dilip Bachwani emphasized that these flaws demonstrate how even default security mechanisms can be compromised without admin credentials.
While no CVE identifiers have been assigned, vendors including Ubuntu, Debian, SUSE, and Sudo have collaborated with Qualys to release patches. Administrators are advised to apply the latest kernel updates immediately to mitigate exposure.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Canonical?
What was Canonical's A.I Rankiteo Cyber Score in May 2026?
What was Canonical's A.I Rankiteo Cyber Score in April 2026?
What was Canonical's A.I Rankiteo Cyber Score in March 2026?
What was Canonical's A.I Rankiteo Cyber Score in February 2026?
What was Canonical's A.I Rankiteo Cyber Score in January 2026?
What was Canonical's A.I Rankiteo Cyber Score in December 2025?
What was Canonical's A.I Rankiteo Cyber Score in November 2025?
What was Canonical's A.I Rankiteo Cyber Score in October 2025?
What was Canonical's A.I Rankiteo Cyber Score in September 2025?
What was Canonical's A.I Rankiteo Cyber Score in August 2025?
What was Canonical's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Canonical's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Canonical?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Canonical's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?