Debian A.I CyberSecurity Scoring
Debian
Company Information
Website: https://www.debian.org
Employees number: 483
Number of followers: 120,372
NAICS: 5112
Industry Type: Software Development
Homepage: debian.org
Debian Risk Score (AI oriented)
Between 700 and 749
Updated: 08/06/2026
725/1000
Moderate
Ba
Debian Global Score (TPRM)
Score locked
Current Score
725 Ba (MODERATE)
9 incidents
-5.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
725
MAY 2026
728
Vulnerability
14 May 2026 • Debian
Debian, Ubuntu and Raspberry Pi OS: Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords
Critical Linux Kernel Flaw Exposes SSH Keys and Password Hashes (CVE-2026-46333)
723
CRITICAL-5
UBURASDEB1778919975
A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46333 and dubbed "ssh-keysign-pwn," allows attackers to extract highly sensitive data including SSH private keys and password hashes from affected systems. The flaw stems from a race condition in the kernel’s ptrace access control logic, specifically within the `__ptrace_may_access()` function.
### How the Exploit Works
The vulnerability arises when a privileged process (e.g., ssh-keysign or chage) shuts down. During this brief window, its memory context is cleared (mm = NULL), but its file descriptors remain open. An unprivileged local attacker can exploit this gap using `pidfd_getfd()` to steal these descriptors, bypassing intended permission checks.
A proof-of-concept (PoC) exploit on GitHub demonstrates how attackers can repeatedly spawn processes to race against a privileged helper's exit, successfully extracting file descriptors in 100–2000 attempts, making it a practical threat.
### Impact & Risks
- SSH Private Key Theft: Enables attackers to impersonate systems or users, conduct man-in-the-middle (MitM) attacks, and move laterally across networks.
- Password Hash Exposure: Full read access to `/etc/shadow`, allowing offline cracking of credentials.
- Cascading Compromises: Since SSH keys are often reused, a single breach can lead to wider network access.
### Affected Systems
The flaw impacts most Linux distributions running kernels before the May 14, 2026 patch, including:
- Ubuntu
- Debian
- Arch Linux
- CentOS
- Raspberry Pi OS
Given the vulnerability’s six-year existence, many long-term deployments remain exposed.
### Mitigation & Response
- Apply kernel patches for CVE-2026-46333.
- Rotate all SSH keys, particularly on critical systems.
- Audit access to sensitive files like `/etc/shadow`.
- Monitor for suspicious `ptrace` or `pidfd` system calls.
- Restrict local user access where possible, as exploitation requires local presence.
With a public PoC exploit already available, the risk of active exploitation in the wild is heightened, underscoring the urgency for remediation.
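The mitigation list above asks defenders to monitor `ptrace` and `pidfd` system calls. The following is an added example (not code from the original write-up or from the scoring vendor) of what that monitoring can look like once auditd records those syscalls: it parses raw audit SYSCALL records and flags any single user/executable that issues a burst of `pidfd_getfd()` or `ptrace()` calls, which is the shape the described race takes (hundreds of rapid attempts, most of them failing). The audit rule in the header, the key name `fd_race` and the log lines in `sample_lines()` are constructed for this demo.

```python
"""Flag bursts of pidfd_getfd()/ptrace() calls in Linux audit logs.

Assumes auditd already records the two syscalls, e.g. with a rule such as
  -a always,exit -F arch=b64 -S pidfd_getfd -S ptrace -k fd_race
(standard auditctl syntax; the key name 'fd_race' is our own choice).
Raw records carry the syscall *number*; `ausearch -i` would show the name.
Legitimate debuggers also use ptrace, so the threshold below needs tuning
per environment; the race is distinctive because one unprivileged uid
issues hundreds of calls, most of which fail with EPERM (success=no).
"""
import re
from collections import defaultdict, deque

# x86_64 syscall numbers as they appear in raw audit SYSCALL records.
SYSCALL_NAMES = {"438": "pidfd_getfd", "101": "ptrace"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+)\.(\d+):\d+\)")


def parse_record(line):
    """Return a dict for a SYSCALL record of interest, else None."""
    if "type=SYSCALL" not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    name = SYSCALL_NAMES.get(fields.get("syscall", ""))
    if name is None:
        return None
    m = TS_RE.search(line)
    if m is None:
        return None
    ts = int(m.group(1)) + int(m.group(2)) / 1000.0
    return {"ts": ts, "syscall": name, "uid": fields.get("uid", "?"),
            "exe": fields.get("exe", "?"), "success": fields.get("success")}


def find_bursts(lines, window_s=10.0, threshold=50):
    """Return sorted (uid, exe, syscall, peak_count) tuples for every source
    that made at least `threshold` calls inside a sliding `window_s` window."""
    recent = defaultdict(deque)   # (uid, exe, syscall) -> timestamps in window
    alerts = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["uid"], rec["exe"], rec["syscall"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return sorted(k + (n,) for k, n in alerts.items())


def sample_lines():
    """Constructed audit records: 120 pidfd_getfd() calls from uid 1000 inside
    two seconds (all but the last failing), plus two ptrace() calls by gdb."""
    lines = []
    base = 1700000000  # constructed epoch timestamp
    for i in range(120):
        sec, ms = base + i // 60, (i % 60) * 16
        ok = i == 119
        lines.append(
            f'type=SYSCALL msg=audit({sec}.{ms:03d}:{1000 + i}): arch=c000003e '
            f'syscall=438 success={"yes" if ok else "no"} exit={5 if ok else -1} '
            f'pid={4000 + i} auid=1000 uid=1000 comm="racer" exe="/tmp/racer" key="fd_race"')
    for j in range(2):
        lines.append(
            f'type=SYSCALL msg=audit({base + 5}.{j * 100:03d}:{2000 + j}): arch=c000003e '
            f'syscall=101 success=yes exit=0 pid=777 auid=1000 uid=1000 '
            f'comm="gdb" exe="/usr/bin/gdb" key="fd_race"')
    return lines


if __name__ == "__main__":
    for uid, exe, name, count in find_bursts(sample_lines()):
        print(f"ALERT uid={uid} exe={exe} {name} x{count} within window")
```

In production the input would be `/var/log/audit/audit.log` (or an `ausearch` export), and the threshold should sit well above what CI runners, debuggers and container runtimes on the host normally produce.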
MAY 2026
733
Vulnerability
07 May 2026 • Debian
openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released
Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros
728
CRITICAL-5
TUXOPEFEDTHEUBU1778214411
A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws, xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write, to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, leverages a deterministic logic flaw rather than a race condition, giving it a high success rate without kernel panics.
Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag exploits the kernel's zero-copy send path, where `splice()` inserts a reference to the read-only page cache of a file (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side `sk_buff`. Receiver-side cryptographic operations then modify that page cache in place, corrupting the file's cached contents even when the caller is unprivileged.
### Exploit Mechanics
1. xfrm-ESP Variant:
- Targets `esp_input()` in the IPsec ESP receive path, skipping buffer allocation checks (`skb_cow_data()`) for non-linear `skb`s.
- Attackers use `XFRMA_REPLAY_ESN_VAL` to overwrite arbitrary bytes (e.g., `/usr/bin/su`) with a root-shell ELF, requiring user namespace creation (`unshare(CLONE_NEWUSER)`), which is blocked on some Ubuntu systems via AppArmor.
2. RxRPC Variant:
- Exploits `rxkad_verify_packet_1()` to perform in-place decryption on the first 8 bytes of an RxRPC payload.
- Attackers brute-force a session key to manipulate plaintext (e.g., emptying `/etc/passwd`’s password field), bypassing PAM authentication. This variant does not require namespace privileges but relies on the `rxrpc.ko` module, absent by default on RHEL but present on Ubuntu.
Chaining both exploits ensures root access across distributions, with the PoC first attempting the ESP path before falling back to RxRPC if `unshare` fails.
### Affected Systems
The vulnerabilities span nine years, with the ESP flaw introduced in January 2017 (commit `cac2661c53f3`) and the RxRPC flaw in June 2023 (commit `2dc334f1a63a`). Confirmed affected distributions include:
- Ubuntu 24.04.4 (kernel 6.17.0-23)
- RHEL 10.1 (kernel 6.12.0-124.49.1)
- openSUSE Tumbleweed (kernel 7.0.2-1)
- CentOS Stream 10, AlmaLinux 10, Fedora 44
### Patches & Mitigation
- The ESP patch, using `SKBFL_SHARED_FRAG` to enforce buffer isolation, was merged into the netdev tree on May 7, 2026.
- The RxRPC patch remains unmerged upstream.
- No CVEs have been assigned due to the premature embargo break.
- Temporary mitigation involves blacklisting the affected modules (`esp4`, `esp6`, `rxrpc`) via:
```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```
This disrupts IPsec and RxRPC functionality, requiring careful evaluation for systems reliant on VPNs.
The full technical write-up and PoC are available on the researcher’s GitHub repository.
APRIL 2026
737
Vulnerability
22 Apr 2026 • Debian
Debian, Fedora and Ubuntu: Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System
High-Severity Linux Privilege Escalation Flaw 'Pack2TheRoot' Disclosed
732
CRITICAL-5
DEBUBUFED1776933436
Deutsche Telekom's Red Team has publicly disclosed a high-severity privilege escalation vulnerability, CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, affecting default installations of major Linux distributions. The flaw, present in the PackageKit daemon (a widely used package management abstraction layer), allows any local unprivileged user to silently install or remove system packages, ultimately gaining full root access without authentication.
The vulnerability impacts PackageKit versions 1.0.2 through 1.3.4, spanning over 12 years of releases and exposing systems across Debian, Ubuntu, Fedora, and Red Hat-based distributions, including enterprise servers running Cockpit. Confirmed vulnerable default installations include:
- Ubuntu Desktop (18.04, 24.04.4 LTS, 26.04 LTS Beta)
- Ubuntu Server (22.04, 24.04 LTS)
- Debian Desktop (Trixie 13.4)
- Rocky Linux Desktop (10.1)
- Fedora (43 Desktop and Server)
Exploitation is straightforward: an attacker with basic local access can bypass authorization controls, install malicious packages, or remove critical security components. A proof-of-concept (PoC) exists, reliably achieving root code execution in seconds, though it remains undisclosed.
The flaw was discovered during Telekom Security’s research into local privilege escalation vectors, with Claude Opus (Anthropic) assisting in the investigation starting in 2025. Findings were responsibly disclosed to PackageKit maintainers, who confirmed the issue and its exploitability.
While the attack leaves detectable traces, such as PackageKit daemon crashes logged in `journalctl`, systems can be checked for vulnerability using:
- Debian/Ubuntu: `dpkg -l | grep -i packagekit`
- RPM-based: `rpm -qa | grep -i packagekit`
- Daemon status: `systemctl status packagekit` or `pkmon`
A patch was released in PackageKit 1.3.5 (April 22, 2026), with distribution-specific fixes available via:
- Debian: [security-tracker.debian.org](https://security-tracker.debian.org)
- Ubuntu: Launchpad CVE tracker
- Fedora: PackageKit-1.3.4-3 (via Koji)
Administrators are advised to apply updates immediately, particularly on internet-facing servers running Cockpit.
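The check commands above only list the installed package; deciding whether a host is exposed still means comparing the version against the affected range (1.0.2 through 1.3.4, fixed in 1.3.5) while allowing for distribution backports that keep the upstream version number. The following is an added example, not part of the original advisory or of PackageKit itself: it parses `dpkg -l` and `rpm -qa` output and reports a status per package. The only backported build it knows about is the Fedora `PackageKit-1.3.4-3` build named in the text; the `KNOWN_FIXED_BUILDS` table, the function names and the sample command output are constructed for this demo.

```python
"""Classify installed PackageKit packages against the Pack2TheRoot range.

Upstream versions 1.0.2 .. 1.3.4 are affected; 1.3.5 is fixed. Distros may
ship the fix as a new *release* of an in-range version (Fedora's
PackageKit-1.3.4-3 per the advisory), so a pure version compare over-reports;
KNOWN_FIXED_BUILDS captures such builds and should be extended from each
distribution's own advisory.
"""
import re

AFFECTED_MIN = (1, 0, 2)
AFFECTED_MAX = (1, 3, 4)
# (package name, upstream version tuple, first component of the release).
KNOWN_FIXED_BUILDS = {("PackageKit", (1, 3, 4), "3")}   # Fedora build from the text


def parse_version(evr):
    """Split '[epoch:]upstream[-release]' into (epoch, upstream tuple, release).
    '1.2.6-5' -> (0, (1, 2, 6), '5'); '1:1.3.4-3.fc43' -> (1, (1, 3, 4), '3.fc43')."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    upstream, _, release = evr.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", upstream))
    return epoch, nums, release


def parse_dpkg_l(output):
    """Yield (package, version) for installed ('ii') rows of `dpkg -l`."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            yield parts[1], parts[2]


def parse_rpm_qa(output):
    """Yield (package, 'version-release') from `rpm -qa` rows (NAME-VERSION-RELEASE.ARCH)."""
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, rel_arch = line.rsplit("-", 2)
        release = rel_arch.rsplit(".", 1)[0]          # drop the .ARCH suffix
        yield name, f"{version}-{release}"


def assess(package, evr):
    """Return 'vulnerable', 'patched', 'older_than_range' or 'not_packagekit'."""
    if "packagekit" not in package.lower():
        return "not_packagekit"
    _, upstream, release = parse_version(evr)
    if (package, upstream, release.split(".")[0]) in KNOWN_FIXED_BUILDS:
        return "patched"                              # backported fix
    if upstream < AFFECTED_MIN:
        return "older_than_range"
    if upstream <= AFFECTED_MAX:
        return "vulnerable"
    return "patched"


def audit(dpkg_output="", rpm_output=""):
    """Return {package: status} across both listing formats."""
    rows = list(parse_dpkg_l(dpkg_output)) + list(parse_rpm_qa(rpm_output))
    return {name: assess(name, evr) for name, evr in rows}


# Constructed sample output of `dpkg -l | grep -i packagekit` (Debian-style host)
SAMPLE_DPKG = """\
ii  packagekit                    1.2.6-5  amd64  Provides a package management service
ii  packagekit-tools              1.2.6-5  amd64  Provides PackageKit command-line tools
ii  libpackagekit-glib2-18:amd64  1.2.6-5  amd64  Library for accessing PackageKit
"""
# Constructed sample output of `rpm -qa | grep -i packagekit` (Fedora-style host)
SAMPLE_RPM = """\
PackageKit-1.3.4-3.fc43.x86_64
PackageKit-command-not-found-1.3.5-1.fc43.x86_64
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_DPKG, SAMPLE_RPM).items():
        print(f"{status:17s} {pkg}")
```

The `packagekit` daemon package is the one that matters for exposure; library and tool packages from the same source are reported for completeness because they indicate which source version the host tracks.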
MARCH 2026
746
Vulnerability
23 Mar 2026 • Debian
Debian and Fedora: WARNING: New Linux Vulnerability Enables Root Access Across Every Major Linux Distribution
Critical Linux Kernel Flaw 'Copy Fail' Grants Root Access Across Decade of Releases
736
CRITICAL-10
FEDDEB1777616905
A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2026-31431 and dubbed "Copy Fail," allows local attackers to gain full root access on affected systems with near-perfect reliability. The flaw, discovered by offensive security firm Theori, impacts Linux kernel versions released since 2017, exposing millions of systems globally.
### Discovery and Disclosure
Theori’s researchers identified the bug using Xint Code, an AI-assisted penetration testing platform, in just one hour of automated analysis targeting the kernel’s cryptographic subsystem. The vulnerability was responsibly disclosed to the Linux kernel security team on March 23, 2026, with patches released within a week. However, the subsequent public release of technical details and a proof-of-concept exploit has heightened urgency for system administrators.
### Technical Breakdown
Copy Fail is a logic flaw in the kernel's cryptographic processing pipeline, specifically within the authenticated encryption ("authenc") template. The exploit leverages the AF_ALG interface and the `splice()` system call to perform a controlled 4-byte write into the page cache of any readable file. By targeting setuid-root executables, attackers can manipulate file contents in memory, escalating privileges to root.
The root cause stems from a 2017 performance optimization in Linux kernel 4.14 that allowed in-place buffer processing, a design choice that inadvertently enabled this memory manipulation.
### Impact and Exploitation
Theori demonstrated successful exploitation across major Linux distributions, including Ubuntu, Debian, Fedora, and RHEL, using a 732-byte Python script with a 100% success rate in testing. The flaw’s portability, reliability, and simplicity make it more dangerous than previous high-profile vulnerabilities like Dirty Pipe (CVE-2022-0847), as it affects a broader range of kernel versions without requiring complex offsets or environment tuning.
### Patch Status and Mitigation
The Linux kernel maintainers addressed the issue by reverting the problematic optimization, with fixes included in kernel versions 6.18.22, 6.19.12, and 7.0. Major distributions have begun rolling out updates, though some, like Fedora 42+, have not yet published formal advisories, potentially delaying awareness.
For unpatched systems, temporary mitigation involves disabling the vulnerable crypto interface:
```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
```
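Both the Dirty Frag mitigation earlier on this page (blocking `esp4`, `esp6` and `rxrpc`) and the Copy Fail mitigation just above (blocking `algif_aead`) rely on `install <module> /bin/false` lines under `/etc/modprobe.d`. Applying such a line does not unload a module that is already resident, and a plain `blacklist` line only stops alias-based autoloading, so a fleet-wide check needs to look at both the configuration and the running kernel. The following is an added example, not code from either write-up or from the kernel project: it parses modprobe.d text and `/proc/modules` text (so it can run over copies captured from many hosts) and reports a status per module. The sample file contents are constructed; the module names come from the two mitigations on this page.

```python
"""Verify that a modprobe-based module block is actually in force.

Statuses returned per module:
  blocked            install <mod> /bin/false present and module not loaded
  blocked_but_loaded install line present, but the module is still resident
                     (rmmod or a reboot is still needed)
  blacklist_only     only a `blacklist` line: explicit modprobe still works
  unmitigated        no rule at all
"""
import shlex

# Commands that make `modprobe <mod>` a no-op. `blacklist` alone is not one.
INSTALL_BLOCKERS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}


def _norm(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_")


def parse_modprobe_conf(text):
    """Return {module: ('install', command) | ('blacklist', None)} from the
    concatenated text of modprobe.d files, honouring '#' comments and
    backslash line continuations. An install rule wins over a blacklist."""
    rules, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) >= 3 and parts[0] == "install":
            rules[_norm(parts[1])] = ("install", " ".join(parts[2:]))
        elif len(parts) == 2 and parts[0] == "blacklist":
            rules.setdefault(_norm(parts[1]), ("blacklist", None))
    return rules


def loaded_modules(proc_modules_text):
    """Set of module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def check_mitigation(modules, modprobe_text, proc_modules_text):
    """Return {module: status} for each module that should be blocked."""
    rules = parse_modprobe_conf(modprobe_text)
    loaded = loaded_modules(proc_modules_text)
    result = {}
    for mod in modules:
        key = _norm(mod)
        kind, cmd = rules.get(key, (None, None))
        if kind == "install" and cmd in INSTALL_BLOCKERS:
            result[mod] = "blocked_but_loaded" if key in loaded else "blocked"
        elif kind == "blacklist":
            result[mod] = "blacklist_only"
        else:
            result[mod] = "unmitigated"
    return result


# Constructed sample: contents of /etc/modprobe.d/*.conf on a host that applied
# the two mitigations on this page, but used `blacklist` for rxrpc by mistake.
SAMPLE_MODPROBE = """\
# dirtyfrag.conf
install esp4 /bin/false
install esp6 /bin/false
blacklist rxrpc
# disable-algif.conf
install algif_aead /bin/false
"""
# Constructed sample /proc/modules: algif_aead was loaded before the rule landed.
SAMPLE_PROC_MODULES = """\
algif_aead 16384 0 - Live 0x0000000000000000
af_alg 32768 1 algif_aead, Live 0x0000000000000000
xfrm_user 53248 1 - Live 0x0000000000000000
"""
MITIGATED_MODULES = ("esp4", "esp6", "rxrpc", "algif_aead")


def demo():
    """Run the check over the constructed samples."""
    return check_mitigation(MITIGATED_MODULES, SAMPLE_MODPROBE, SAMPLE_PROC_MODULES)


if __name__ == "__main__":
    for mod, status in demo().items():
        print(f"{mod:12s} {status}")
```

On a live host the two inputs are the concatenation of `/etc/modprobe.d/*.conf` and the contents of `/proc/modules`; anything other than `blocked` means the mitigation is incomplete on that machine.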
### High-Risk Environments
Security teams are prioritizing patching in multi-tenant servers, Kubernetes clusters, CI/CD pipelines, and cloud-based SaaS environments, where a single compromised low-privilege user could lead to full system takeover or lateral movement.
### Broader Implications
The discovery underscores the growing role of AI in vulnerability research, with tools like Xint Code accelerating flaw detection from weeks to hours. While this speeds up defensive patching, it also raises concerns about attackers adopting similar automation to exploit vulnerabilities faster. The security community’s response remains clear: immediate patching is critical to prevent system compromise.
MARCH 2026
746
Vulnerability
18 Mar 2026 • Debian
GNU: Critical Telnetd Vulnerability Enables Remote Code Execution Attacks
Critical Telnetd Vulnerability (CVE-2026-32746) Exposes Legacy Systems to Remote Code Execution
746
CRITICAL0
GNU1773836738
A severe buffer overflow vulnerability (CVE-2026-32746) has been identified in the GNU InetUtils telnetd daemon, allowing unauthenticated attackers to execute arbitrary code with root privileges. The flaw, rated 9.8 (CVSS 3.1), was discovered by Dream Security Labs and affects all versions of the software up to 2.7.
The vulnerability stems from improper handling of LINEMODE SLC (Set Local Characters) option negotiation during the initial connection handshake. By sending a maliciously crafted message with an excessive triplet count over TCP port 23, attackers can trigger a buffer overflow before authentication occurs, meaning no credentials or user interaction are required. Since telnetd typically runs with root privileges, successful exploitation grants full system compromise, enabling backdoor deployment, data exfiltration, or lateral movement within a network.
While modern IT environments have largely replaced Telnet with SSH, the protocol persists in legacy Industrial Control Systems (ICS), operational technology (OT), and government networks, including PLCs, SCADA systems, and embedded devices where upgrades are costly or operationally disruptive. This makes the flaw particularly dangerous for critical infrastructure, such as power grids, water treatment facilities, and manufacturing plants, where security modernization is slow and exposed systems remain common.
Mitigation efforts include disabling telnetd where possible, blocking port 23 at the network perimeter, restricting access to trusted IPs, and running the daemon without root privileges. Detection requires network-level monitoring, as standard logs won’t capture the attack. Security teams should configure firewalls to log all port 23 connections and deploy IDS/IPS solutions (e.g., Suricata, Snort) to flag LINEMODE SLC payloads exceeding 90 bytes. No active exploitation has been confirmed, but the flaw’s severity demands immediate action.
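The detection guidance above (flag LINEMODE SLC payloads exceeding 90 bytes) can be expressed as a small protocol parser rather than a byte-pattern signature, which avoids false negatives when the payload is split or escaped. The following is an added example, not from the original write-up or from GNU InetUtils: it walks a telnet TCP payload, extracts each `IAC SB LINEMODE SLC ... IAC SE` subnegotiation (un-escaping doubled IAC bytes inside it), and reports any SLC block whose data exceeds the 90-byte threshold along with its triplet count. The telnet constants are from the protocol (IAC 255, SB 250, SE 240, LINEMODE option 34, SLC function 3); the two sample streams are constructed test vectors for the detector.

```python
"""Detect oversized telnet LINEMODE SLC subnegotiations in a TCP payload.

A legitimate LINEMODE client sends a handful of 3-byte SLC triplets
(function, modifier, value). The write-up's IDS rule flags SLC payloads over
90 bytes, i.e. 30+ triplets; this parser applies the same threshold to the
decoded subnegotiation so that IAC-escaping or packet fragmentation within
one reassembled stream cannot hide the length.
"""
IAC, SB, SE = 255, 250, 240          # telnet command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254
LINEMODE, SLC = 34, 3                # option number and SLC suboption code
SLC_MAX_BYTES = 90                   # threshold named in the write-up


def extract_subnegotiations(payload):
    """Return [(option, data)] for every complete IAC SB <option> ... IAC SE
    block in `payload`; IAC IAC inside a block is un-escaped to one 0xff.
    A truncated block (no IAC SE) is ignored rather than guessed at."""
    out, i, n = [], 0, len(payload)
    while i < n:
        if payload[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = payload[i + 1]
        if cmd in (WILL, WONT, DO, DONT):   # 3-byte option commands
            i += 3
            continue
        if cmd != SB or i + 2 >= n:         # IAC IAC data byte or 2-byte command
            i += 2
            continue
        option = payload[i + 2]
        j, data = i + 3, bytearray()
        while j < n:
            b = payload[j]
            if b == IAC and j + 1 < n:
                if payload[j + 1] == IAC:   # escaped literal 0xff
                    data.append(IAC)
                    j += 2
                    continue
                if payload[j + 1] == SE:    # end of subnegotiation
                    j += 2
                    break
            data.append(b)
            j += 1
        else:
            break                           # ran off the end: truncated block
        out.append((option, bytes(data)))
        i = j
    return out


def find_oversized_slc(payload, max_bytes=SLC_MAX_BYTES):
    """Return [(slc_payload_len, triplet_count)] for each LINEMODE SLC block
    whose data after the SLC code byte exceeds `max_bytes`."""
    hits = []
    for option, data in extract_subnegotiations(payload):
        if option != LINEMODE or not data or data[0] != SLC:
            continue
        slc_data = data[1:]
        if len(slc_data) > max_bytes:
            hits.append((len(slc_data), len(slc_data) // 3))
    return hits


def build_slc(triplets):
    """Constructed IAC SB LINEMODE SLC <triplets> IAC SE block, escaping 0xff
    as the protocol requires; used only to produce test vectors."""
    body = bytearray([SLC])
    for triplet in triplets:
        for b in triplet:
            body.append(b)
            if b == IAC:
                body.append(IAC)
    return bytes([IAC, SB, LINEMODE]) + bytes(body) + bytes([IAC, SE])


# Constructed benign stream: WILL LINEMODE, three SLC triplets (one value 0xff
# to exercise escaping), then the login banner.
NORMAL_STREAM = (bytes([IAC, WILL, LINEMODE])
                 + build_slc([(1, 3, 0), (2, 3, 0x11), (3, 3, 0xff)])
                 + b"login: ")
# Constructed detector test vector: 40 identical triplets = 120 bytes of SLC data.
SUSPECT_STREAM = build_slc([(1, 3, 0)] * 40)

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_STREAM), ("suspect", SUSPECT_STREAM)):
        print(name, find_oversized_slc(stream) or "ok")
```

Used inside an IDS plugin or a post-capture script, the same function would run over each reassembled client-to-server telnet stream; any hit on port 23 traffic is worth an alert given how few triplets a real client ever negotiates.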
MARCH 2026
751
Vulnerability
13 Mar 2026 • Debian
Debian and Ubuntu: OpenSSH GSSAPI Vulnerability Allow an Attacker to Crash SSH Child Processes
Critical OpenSSH GSSAPI Vulnerability (CVE-2026-3497) Exposes Linux Systems to Remote Crashes and Privilege Escalation Risks
751
CRITICAL0
CANDEB1773375831
A severe vulnerability in the GSSAPI Key Exchange implementation of OpenSSH, tracked as CVE-2026-3497, has been discovered by security researcher Jeremy Brown. The flaw affects multiple Linux distributions that applied the GSSAPI patch to their OpenSSH packages, enabling attackers to crash SSH child processes reliably and violate privilege separation boundaries with a single crafted network packet.
The issue originates from a one-line coding error in kexgsss.c, the server-side GSSAPI key exchange handler. The function `sshpkt_disconnect()`, intended to queue a disconnect message, was mistakenly used instead of `ssh_packet_disconnect()`, which terminates the process. This oversight causes the error handler to proceed into code that reads an uninitialized stack variable (`recv_tok`), whose contents are then passed to the privileged monitor process via IPC. The result is heap corruption when `gss_release_buffer()` attempts to free a garbage pointer.
Key details of the vulnerability include:
- Exploitation requirements: a single 300-byte SSH packet; no authentication needed.
- Impact: 100% reliable crashes of SSH child processes on tested systems, with a 90-second lockout on x86_64 platforms. Crashes may trigger SIGABRT (signal 6) or SIGSEGV (signal 11).
- Privilege separation risk: up to 127KB of heap data can be transmitted to the root-level monitor process via the privsep IPC channel, potentially enabling further exploitation.
- Variability across systems: compiler flags and optimizations affect the severity. For example:
  - Clang (-O0): leaves a pointer value of `0xfffbe600` (4 bytes).
  - GCC (-O2 -fno-stack-protector): leaves a valid heap address (127,344 bytes).
- Tested configurations: `recv_tok.value` may point to NULL, stack/heap addresses, or unmapped memory.
Affected systems include Ubuntu and Debian servers with `GSSAPIKeyExchange` enabled, though the scope likely extends to other distributions due to variations in the GSSAPI KEX patch. The fix is straightforward: replacing all instances of `sshpkt_disconnect()` with `ssh_packet_disconnect()` in kexgsss.c. Ubuntu has already released a patch, and administrators are advised to apply updates or disable GSSAPIKeyExchange as a temporary mitigation.
FEBRUARY 2026
756
Vulnerability
05 Feb 2026 • Debian
Debian, AlmaLinux, Ubuntu and Rocky Linux: Cyber Security News ®’s Post
Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local Privilege Escalation
751
CRITICAL-5
TUXCANDEBROC1780943498
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, allowing unprivileged local attackers to escalate privileges to root on widely used distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. The bug resides in the nft_map_catchall_activate() function within nftables, a packet filtering framework built on Linux’s Netfilter hooks.
Testing in a controlled lab environment revealed that Rocky Linux exhibited lower vulnerability exposure post-update compared to Ubuntu and Red Hat systems. However, kernel backports and system configurations influence risk, meaning version numbers alone may not fully indicate exposure. The vulnerability appears to affect Linux kernels 5.15 and later, while default kernels in AlmaLinux and Rocky Linux (5.14) remain unaffected.
The flaw underscores the ongoing risks of privilege escalation in Linux environments, particularly in systems relying on nftables for network filtering.
JANUARY 2026
758
Vulnerability
26 Jan 2026 • Debian
GNU: Over 800K GNU InetUtils telnetd Instances Exposed to RCE Attacks as PoC Released
Critical RCE Vulnerability in GNU InetUtils telnetd Exposes 800,000 Systems
756
CRITICAL-2
GNU1769439621
A severe remote code execution (RCE) vulnerability, CVE-2026-24061, has been identified in the GNU InetUtils telnetd component, affecting approximately 800,000 exposed instances worldwide. The flaw, rated Critical (CVSS 9.8), allows unauthenticated attackers to execute arbitrary commands with root privileges on vulnerable systems.
The vulnerability stems from inadequate input validation in the telnetd service, enabling threat actors to craft malicious payloads that compromise systems. Proof-of-concept exploits have already been demonstrated, increasing the risk of widespread attacks. Since telnetd often runs with elevated privileges on legacy systems, successful exploitation grants full control over affected infrastructure.
Data from the Shadowserver Foundation’s Accessible Telnet Report reveals that exposed instances span multiple geographies and networks, with many systems running unpatched versions for extended periods. While safe vulnerability-specific scanning remains unavailable, organizations can use Shadowserver’s report to identify at-risk systems by cross-referencing their infrastructure against publicly accessible telnet services.
Immediate remediation steps include disabling telnetd on public-facing systems, implementing network segmentation, and upgrading to patched versions of GNU InetUtils. For systems where telnetd cannot be removed, restricting access via firewall rules and monitoring for exploitation attempts is recommended. The combination of widespread exposure, exploit availability, and delayed patching makes this a high-priority threat for affected organizations.
DECEMBER 2025
758
NOVEMBER 2025
758
OCTOBER 2025
758
SEPTEMBER 2025
758
AUGUST 2025
758
JULY 2025
758
JANUARY 2017
758
Vulnerability
01 Jan 2017 • Debian
Debian, SUSE, Ubuntu and Sudo: ‘CrackArmor’ Vulnerability in AppArmor Impacts 12.6M Linux Systems
Critical AppArmor Vulnerabilities Expose Millions of Linux Systems to Attack
756
CRITICAL-2
SUSDEBSUDCAN1773426242
Cybersecurity firm Qualys has uncovered nine severe vulnerabilities in AppArmor, the default security enforcement tool for major Linux distributions, including Ubuntu, Debian, and SUSE. These flaws, present since 2017 (version v4.11), affect an estimated 12.6 million enterprise systems worldwide, leaving them vulnerable to privilege escalation and container escapes.
The vulnerabilities stem from a "confused deputy" attack, where a low-privileged user manipulates trusted system tools (such as Sudo or Postfix) to bypass security restrictions. By exploiting hidden pseudo-files, attackers can gain root access, disable protections, or even break out of isolated containers often without detection. The risks include denial-of-service (DoS) attacks, unauthorized system modifications, and the removal of critical security policies.
The impact extends to banking, healthcare, and telecommunications, with CISA and DHS issuing emergency alerts for energy, water, and defense sectors, citing potential alignment with state-sponsored hacking tactics. Qualys CTO Dilip Bachwani emphasized that these flaws demonstrate how even default security mechanisms can be compromised without admin credentials.
While no CVE identifiers have been assigned, vendors including Ubuntu, Debian, SUSE, and Sudo have collaborated with Qualys to release patches. Administrators are advised to apply the latest kernel updates immediately to mitigate exposure.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Debian?
What was Debian's A.I Rankiteo Cyber Score in May 2026?
What was Debian's A.I Rankiteo Cyber Score in April 2026?
What was Debian's A.I Rankiteo Cyber Score in March 2026?
What was Debian's A.I Rankiteo Cyber Score in February 2026?
What was Debian's A.I Rankiteo Cyber Score in January 2026?
What was Debian's A.I Rankiteo Cyber Score in December 2025?
What was Debian's A.I Rankiteo Cyber Score in November 2025?
What was Debian's A.I Rankiteo Cyber Score in October 2025?
What was Debian's A.I Rankiteo Cyber Score in September 2025?
What was Debian's A.I Rankiteo Cyber Score in August 2025?
What was Debian's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Debian's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Debian?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Debian's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?