KFMLKL A.I CyberSecurity Scoring
KFMLKL
Company Information
Website: http://linuxkernelfoundation.com
Number of employees: 15
Number of followers: 17,363
NAICS: 5112
Industry Type: Software Development
Homepage: linuxkernelfoundation.com
KFMLKL Risk Score (AI oriented)
Score band: Between 700 and 749
Industry: Software Development
Updated: 11/06/2026
Current Score: 728/1000, Ba (Moderate)
KFMLKL Global Score (TPRM): Score locked
5 incidents
-4.2 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
733
Vulnerability
05 Jun 2026 • KFMLKL
Linux: PoC Exploit Released for Linux Kernel Guest-to-Host Escape Vulnerability
Critical Linux Kernel Vulnerability (CVE-2026-46316) Exposes KVM/ARM64 Hosts to Guest-to-Host Escape
728
CRITICAL-5
LIN1781159040
A proof-of-concept (PoC) exploit has been publicly released for CVE-2026-46316, a severe Linux kernel vulnerability dubbed "ITScape" that enables guest-to-host escape in KVM/ARM64 virtualization environments. Discovered by security researcher Hyunwoo Kim (V4bel), the flaw allows a malicious guest virtual machine (VM) to execute arbitrary commands on the host system with root-level kernel privileges.
The vulnerability resides in the vGIC-ITS (Virtual Generic Interrupt Controller – Interrupt Translation Service) emulation logic within the Linux kernel’s KVM implementation. A race condition in the code leads to a "double-put" scenario, enabling host kernel code execution without requiring interaction with user-space components like QEMU. Unlike traditional VM escape flaws, ITScape operates entirely within the kernel, making it particularly dangerous: successful exploitation grants direct kernel access rather than just user-space compromise.
The PoC, released on GitHub, demonstrates how a crafted guest VM performing specific GIC/ITS memory-mapped I/O (MMIO) operations can trigger the race condition, escape the virtualized environment, and execute code on the host. Exploitation is confirmed by the creation of a root-owned file (`/ITScape`) on the host system. The PoC is designed for controlled testing using QEMU TCG to emulate ARM64 systems and is built atop Linux KVM self-tests.
The flaw affects Linux kernel versions between commits `8201d1028caa` (April 2024) and `13031fb6b835` (June 5, 2026), prior to the patch. While the PoC is not fully weaponized for real-world cloud attacks, the researcher notes that adapting it for production environments would be feasible with adjustments to kernel configurations and memory layouts.
The vulnerability poses a major risk to multi-tenant cloud environments, particularly those running ARM64 infrastructure, as it undermines virtualization isolation. Successful exploitation could enable lateral movement, data exfiltration, or full infrastructure compromise. The disclosure followed a coordinated embargo via the Linux-distros security mailing list, and patches have since been released to mitigate the issue. Organizations are urged to update affected kernels and audit virtualization environments for exposure.
MAY 2026
738
Vulnerability
14 May 2026 • KFMLKL
Linux: Cyber Security News ®’s Post
PinTheft Linux LPE Vulnerability
733
CRITICAL-5
LIN1779330217
New "PinTheft" Linux LPE Vulnerability Exposes Systems to Root Access Exploits
A proof-of-concept (PoC) exploit has been released for PinTheft, a newly disclosed Linux Local Privilege Escalation (LPE) vulnerability that allows attackers to gain root-level control of affected systems. The flaw resides in the Reliable Datagram Sockets (RDS) zerocopy send path, specifically within the `rds_message_zcopy_from_user()` function, which improperly pins user pages during execution.
This vulnerability highlights persistent security risks in Linux kernel networking and asynchronous I/O subsystems, where flaws can enable attackers to escalate limited local access to full administrative privileges. The release of public exploit code increases the urgency for patching, as LPE vulnerabilities are particularly dangerous once weaponized.
PinTheft joins a recent surge of Linux kernel vulnerabilities, underscoring the ongoing challenges in securing complex kernel-level components. Organizations running affected Linux systems should prioritize updates to mitigate potential exploitation.
MAY 2026
747
Vulnerability
08 May 2026 • KFMLKL
Linux: Cyber Security News ®’s Post
Critical Linux 'Dirty Frag' Vulnerability Grants Root Access Across Major Distributions
742
CRITICAL-5
LIN1778224373
A newly disclosed Linux vulnerability, dubbed Dirty Frag, allows attackers to escalate privileges to root on nearly all major distributions, with a public proof-of-concept (PoC) exploit already circulating. The flaw, part of the same class as Dirty Pipe and Copy Fail (CVE-2026-31431), targets the `frag` member of the kernel’s `struct sk_buff`, enabling stable exploitation without race conditions.
The attack leverages the zero-copy send path, where `splice()` inserts a reference to a read-only page cache page (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side socket buffer (skb). Unlike previous vulnerabilities, Dirty Frag does not rely on timing-based conditions, making it highly reliable for achieving root access.
Immediate mitigation steps include blacklisting the `esp4`, `esp6`, and `rxrpc` kernel modules and clearing page caches (`echo 3 > /proc/sys/vm/drop_caches`) to purge potentially compromised binaries from memory. While upstream patches are pending, organizations are advised to apply these workarounds to reduce exposure.
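The module half of this workaround can be audited with a short script. This is an added example, not code from the original page or from the kernel project; the function names `module_state` and `audit` and the state labels are assumptions made for illustration. It distinguishes a `blacklist` entry, which only suppresses alias-based autoloading, from an `install <module> /bin/false` rule, which makes `modprobe` refuse the load.

```shell
#!/bin/sh
# Audit the Dirty Frag workaround: are esp4, esp6 and rxrpc kept from loading?
# Paths are parameters so the check can also run against constructed fixtures.

MODULES="esp4 esp6 rxrpc"

# module_state MODULE CONF_DIR PROC_MODULES
# Prints one of: loaded | blocked | blacklist-only | unprotected
module_state() {
    mod=$1; conf_dir=$2; proc_modules=$3

    # A module already in the kernel is unaffected by modprobe.d settings.
    if grep -q "^${mod} " "$proc_modules" 2>/dev/null; then
        echo loaded; return
    fi
    # "install <mod> /bin/false" (or /bin/true) makes modprobe refuse the load.
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)"; then
        echo blocked; return
    fi
    # "blacklist <mod>" only stops alias-based autoloading; an explicit
    # modprobe or a dependency can still pull the module in.
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|\$)"; then
        echo blacklist-only; return
    fi
    echo unprotected
}

# audit CONF_DIR PROC_MODULES
# Prints one line per module; returns 1 if any module is loaded or unprotected.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_state "$m" "$1" "$2")
        printf '%-6s %s\n' "$m" "$s"
        case $s in loaded|unprotected) rc=1 ;; esac
    done
    return $rc
}

# Live-host check of one configuration directory (others such as
# /usr/lib/modprobe.d can be passed to audit the same way).
if [ "${1:-}" = "--live" ]; then
    audit /etc/modprobe.d /proc/modules
fi
```

A `loaded` result means the module must be removed (or the host rebooted) before the configuration has any effect.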
The vulnerability affects a broad range of Linux systems, underscoring the urgency of addressing kernel-level flaws in enterprise and cloud environments. The public availability of the PoC increases the risk of widespread exploitation.
APRIL 2026
750
Vulnerability
29 Apr 2026 • KFMLKL
CISA, Microsoft and Linux Kernel: Exploitation of ‘Copy Fail’ Linux Vulnerability Begins
Linux Kernel Vulnerability 'Copy Fail' Exploited in the Wild, CISA Warns
747
CRITICAL-3
LINCISMIC1777934528
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about active exploitation of CVE-2026-31431, a critical Linux kernel vulnerability dubbed Copy Fail. The flaw, present in all Linux distributions since 2017, allows authenticated attackers with code execution privileges to escalate to root access by manipulating the kernel’s AEAD template.
Disclosed on April 29, the bug was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Friday, with federal agencies directed to patch within two weeks. While exploitation remains limited, primarily involving proof-of-concept (PoC) testing, Microsoft warns of its broad applicability and the release of a working exploit, heightening risks for defenders.
The vulnerability enables full root privilege escalation, posing severe threats to confidentiality, integrity, and availability. Attackers can leverage it for container breakout, multi-tenant compromise, and lateral movement in shared environments. Its stealthy in-memory exploitation and cross-platform compatibility make it particularly dangerous in cloud, CI/CD, and Kubernetes setups, where untrusted code execution is common.
Exploitation requires only local, unprivileged access and can be chained with SSH, malicious CI jobs, or container access to achieve root shell. An attack typically begins with reconnaissance to identify vulnerable kernels, followed by a script to overwrite in-memory data and escalate privileges.
Microsoft advises organizations to prioritize patching, isolate vulnerable systems, enforce access controls, and monitor logs for signs of compromise. The flaw’s decade-long presence underscores the ongoing risks of long-undetected kernel vulnerabilities in critical infrastructure.
MARCH 2026
750
FEBRUARY 2026
750
Vulnerability
05 Feb 2026 • KFMLKL
Debian, AlmaLinux, Ubuntu and Rocky Linux: Cyber Security News ®’s Post
Critical Linux Kernel Vulnerability (CVE-2026-23111) Enables Local Privilege Escalation
747
CRITICAL-3
TUXCANDEBROC1780943498
A use-after-free vulnerability in the Linux kernel’s nftables subsystem has been disclosed, allowing unprivileged local attackers to escalate privileges to root on widely used distributions, including Debian Bookworm, Debian Trixie, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
Tracked as CVE-2026-23111, the flaw was discovered in early 2025 and patched upstream on February 5, 2026, via a kernel commit. The bug resides in the nft_map_catchall_activate() function within nftables, a packet filtering framework built on Linux’s Netfilter hooks.
Testing in a controlled lab environment revealed that Rocky Linux exhibited lower vulnerability exposure post-update compared to Ubuntu and Red Hat systems. However, kernel backports and system configurations influence risk, meaning version numbers alone may not fully indicate exposure. The vulnerability appears to affect Linux kernels 5.15 and later, while default kernels in AlmaLinux and Rocky Linux (5.14) remain unaffected.
The flaw underscores the ongoing risks of privilege escalation in Linux environments, particularly in systems relying on nftables for network filtering.
JANUARY 2026
750
DECEMBER 2025
750
NOVEMBER 2025
750
OCTOBER 2025
750
SEPTEMBER 2025
750
AUGUST 2025
750
JULY 2025
750