The Linux Foundation

The Linux Foundation Vendor Cyber Rating & Cyber Score

linuxfoundation.org

The Linux Foundation is the organization of choice for the world's top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.


LF A.I CyberSecurity Scoring

LF
Company Information
Website: http://www.linuxfoundation.org
Employees number: 910
Number of followers: 387,618
NAICS: 5112
Industry Type: Software Development
Homepage: linuxfoundation.org
LF Risk Score (AI oriented)
Between 700 and 749
LF, Software Development
Updated:
08/06/2026
735/1000
Moderate
Ba
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
LF Global Score (TPRM)
Score locked

Current Score: 735 Ba (MODERATE)
9 incidents
-5.4 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
735 Before Incident
MAY 2026
739 Before Incident
Vulnerability
28 May 2026, LF
Linux: Cyber Security News ®’s Post

CIFSwitch Linux Kernel Vulnerability

735 After Incident
CRITICAL-4
THE1779985482
A recently disclosed Linux local privilege escalation (LPE) vulnerability, dubbed "CIFSwitch," allows low-privileged users to gain root access by exploiting a logic flaw between the Linux kernel’s CIFS client and the cifs-utils package. The issue arises from improper validation of key descriptions in the `cifs.spnego` key type, enabling attackers to impersonate trusted kernel requests and execute privileged operations. Discovered using an AI-assisted, multi-hop reasoning approach, the vulnerability was identified by mapping semantic graphs of security-relevant objects and chaining subtle logic flaws into a functional exploit. This method represents a shift in vulnerability research, leveraging AI to uncover complex flaws that may have remained hidden for years.

The CIFSwitch bug highlights the growing frequency of kernel-level vulnerabilities, many of which likely exist undetected for extended periods. While AI has accelerated discovery, the sheer volume of potential flaws across the major operating systems (Linux, Windows, and macOS) suggests a challenging landscape for cybersecurity in the coming years. The vulnerability underscores the risks of local privilege escalation flaws, which can rapidly escalate limited access into full system compromise. No patches or mitigations have been publicly detailed at this time.
INCIDENT DETAILS -
TYPE
Local Privilege Escalation (LPE)
IMPACT
Systems Affected: Linux systems with CIFS client and cifs-utils package
Operational Impact: Full system compromise (root access)
MAY 2026
744 Before Incident
Vulnerability
20 May 2026, LF
Linux: PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released

PinTheft: New Linux LPE Exploit Grants Root Access via RDS Zerocopy Bug

739 After Incident
CRITICAL-5
THE1779301477
A newly disclosed Linux Local Privilege Escalation (LPE) vulnerability, dubbed PinTheft, allows local attackers to gain root access by exploiting a double-free flaw in the Reliable Datagram Sockets (RDS) zerocopy send path. Discovered by Aaron Esau of the V12 security team, the vulnerability (CVE pending) was made public alongside a proof-of-concept (PoC) exploit after a kernel patch was released. The flaw resides in the `rds_message_zcopy_from_user()` function, which pins user pages during execution. If a page fault occurs, the error path drops already-pinned pages, but a cleanup oversight causes these pages to be freed a second time, creating a double-free condition. Attackers can weaponize this by systematically stealing references from a pinned page using `io_uring`, ultimately hijacking a page cache entry to overwrite a SUID-root binary (e.g., `/usr/bin/su` or `/usr/bin/passwd`) with a malicious payload. The PoC exploit follows a precise sequence: mapping pages, registering a fixed buffer with `io_uring`, and executing 1,024 failing RDS zerocopy sends to drain references. Once the target page is reallocated, the exploit uses `IORING_OP_READ_FIXED` to inject an ELF payload, granting root access upon execution. While the primitive is architecture-agnostic, the provided PoC targets x86_64 systems.

Exploitation requires specific kernel configurations: `CONFIG_RDS`, `CONFIG_RDS_TCP`, and `CONFIG_IO_URING` must be enabled, with `io_uring_disabled=0`. Module autoloading for TCP transport is also necessary. Among major distributions, only Arch Linux enables the RDS module by default, though other systems may be vulnerable if manually configured.

Administrators can mitigate the risk by applying kernel patches or blacklisting the vulnerable modules (`rds` and `rds_tcp`) via:

```bash
printf 'install rds /bin/false\ninstall rds_tcp /bin/false\n' > /etc/modprobe.d/pintheft.conf
```

Active modules should be removed with `rmmod rds_tcp rds`. Researchers caution that running the exploit alters in-memory page caches of SUID binaries, requiring a reboot or cache drop to clear modifications. PinTheft joins a recent wave of Linux kernel LPE disclosures, including DirtyDecrypt and DirtyCBC, reflecting ongoing challenges in securing complex networking and asynchronous I/O subsystems. The trend mirrors past high-profile flaws like Dirty Frag and Copy Fail, underscoring persistent memory-corruption risks in core Linux components.
INCIDENT DETAILS -
TYPE
Local Privilege Escalation (LPE)
IMPACT
Systems Affected: Linux systems with `CONFIG_RDS`, `CONFIG_RDS_TCP`, and `CONFIG_IO_URING` enabled
Operational Impact: Unauthorized root access, potential system compromise
MAY 2026
748 Before Incident
Vulnerability
14 May 2026, LF
Linux Foundation: Cyber Security News ®’s Post

DirtyDecrypt Linux Kernel Exploit Grants Root Access via RxGK Subsystem Flaw

744 After Incident
CRITICAL-4
THE1779215025
A new proof-of-concept (PoC) exploit, dubbed DirtyDecrypt (or DirtyCBC), has been released for a high-severity Linux kernel local privilege escalation (LPE) vulnerability, allowing attackers with local access to gain full root privileges on affected systems. The flaw resides in the `rxgk_decrypt_skb()` function within the Linux kernel’s RxGK subsystem, a GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client. DirtyDecrypt is the fourth LPE vulnerability discovered in the same XFRM/ESP/rxgk attack surface in the past three weeks, sharing similarities with the actively exploited Copy Fail family of exploits.

The PoC’s release raises concerns about potential exploitation, particularly as it targets a critical kernel component. Systems running vulnerable Linux kernel versions with the RxGK subsystem enabled are at risk. No patches have been confirmed at this time, though administrators are advised to monitor updates from Linux distributions and kernel maintainers.
INCIDENT DETAILS -
TYPE
Local Privilege Escalation (LPE)
IMPACT
Systems Affected: Linux systems with RxGK subsystem enabled
Operational Impact: Potential full root access compromise
MAY 2026
753 Before Incident
Vulnerability
07 May 2026, LF
openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros

748 After Incident
CRITICAL-5
TUXOPEFEDTHEUBU1778214411
A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws (xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write) to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, leverages a deterministic logic flaw rather than race conditions, ensuring a high success rate without kernel panics. Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag exploits the kernel’s zero-copy send path, where `splice()` inserts a reference to a read-only page cache (e.g., `/etc/passwd` or `/usr/bin/su`) into the `frag` slot of a sender-side `sk_buff`. Receiver-side cryptographic operations then modify the page cache in-place, corrupting files even for unprivileged users.

### Exploit Mechanics

1. xfrm-ESP Variant:
   - Targets `esp_input()` in the IPsec ESP receive path, skipping buffer allocation checks (`skb_cow_data()`) for non-linear `skb`s.
   - Attackers use `XFRMA_REPLAY_ESN_VAL` to overwrite arbitrary bytes (e.g., `/usr/bin/su`) with a root-shell ELF, requiring user namespace creation (`unshare(CLONE_NEWUSER)`), which is blocked on some Ubuntu systems via AppArmor.
2. RxRPC Variant:
   - Exploits `rxkad_verify_packet_1()` to perform in-place decryption on the first 8 bytes of an RxRPC payload.
   - Attackers brute-force a session key to manipulate plaintext (e.g., emptying `/etc/passwd`’s password field), bypassing PAM authentication. This variant does not require namespace privileges but relies on the `rxrpc.ko` module, absent by default on RHEL but present on Ubuntu.

Chaining both exploits ensures root access across distributions, with the PoC first attempting the ESP path before falling back to RxRPC if `unshare` fails.

### Affected Systems

The vulnerabilities span nine years, with the ESP flaw introduced in January 2017 (commit `cac2661c53f3`) and the RxRPC flaw in June 2023 (commit `2dc334f1a63a`). Confirmed affected distributions include:

- Ubuntu 24.04.4 (kernel 6.17.0-23)
- RHEL 10.1 (kernel 6.12.0-124.49.1)
- openSUSE Tumbleweed (kernel 7.0.2-1)
- CentOS Stream 10, AlmaLinux 10, Fedora 44

### Patches & Mitigation

- The ESP patch, using `SKBFL_SHARED_FRAG` to enforce buffer isolation, was merged into the netdev tree on May 7, 2026.
- The RxRPC patch remains unmerged upstream.
- No CVEs have been assigned due to the premature embargo break.
- Temporary mitigation involves blacklisting the affected modules (`esp4`, `esp6`, `rxrpc`) via:

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
```

This disrupts IPsec and RxRPC functionality, requiring careful evaluation for systems reliant on VPNs. The full technical write-up and PoC are available on the researcher’s GitHub repository.
INCIDENT DETAILS -
TYPE
Local Privilege Escalation (LPE)
IMPACT
Systems Affected: Root access compromise on affected Linux distributions
Operational Impact: Potential unauthorized root access, system compromise, and data manipulation
DATA BREACH
/etc/passwd, /usr/bin/su
MAY 2026
762 Before Incident
Vulnerability
04 May 2026, LF
Linux Kernel Maintainers: Cyber Security News ®’s Post

Critical Linux Kernel Zero-Day Vulnerability Exploitable to Root Access

753 After Incident
CRITICAL-9
THE1777919041
The Cybersecurity and Infrastructure Security Agency (CISA) has added a severe Linux kernel zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and organizations to patch immediately or discontinue use of affected systems. The flaw, tracked in the algif_aead module of the Linux kernel’s AF_ALG cryptographic subsystem, stems from a logic error in authentication handling that leads to improper memory management during in-place operations. Its exploitability is particularly concerning: a 732-byte Python script is all an unprivileged local user needs to reliably escalate privileges to root, bypassing critical security boundaries.

This vulnerability underscores systemic risks in kernel-level security, where a single flaw can grant full control over a system. While patching remains essential, the incident highlights broader concerns about containment failures: systems that lack safeguards to limit the impact of the vulnerabilities they do have. The issue was publicly disclosed by CISA, reinforcing the urgency for organizations to assess exposure and apply mitigations. No active exploitation in the wild has been confirmed at this time, but the ease of exploitation heightens the risk of future attacks.
INCIDENT DETAILS -
TYPE
Privilege Escalation
IMPACT
Systems Affected: Linux systems with vulnerable kernel versions
Operational Impact: Potential full system compromise (root access)
Brand Reputation Impact: Potential reputational damage due to critical vulnerability
Vulnerability
04 May 2026, LF
Linux: CISA Warns of Linux Kernel Zero-Day Vulnerability Exploited in Active Attacks

CISA Warns of Actively Exploited Linux Kernel Vulnerability (CVE-2026-31431)

753 After Incident
CRITICAL-9
THE1777890218
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert for CVE-2026-31431, a critical Linux kernel vulnerability under active exploitation. The flaw, classified as an "incorrect resource transfer between spheres" (CWE-699), allows local attackers to escalate privileges, potentially leading to full system compromise. Exploitation of this vulnerability enables attackers to execute arbitrary code with elevated permissions, bypass security controls, and establish persistence. While specific threat actors and techniques remain undisclosed, such flaws are commonly chained with initial access vectors like phishing or exposed services. Once exploited, attackers could disable security tools, access sensitive data, or deploy additional payloads, which is particularly dangerous in environments where Linux dominates, including enterprise servers, cloud workloads, containerized systems, and embedded devices.

CISA has added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to remediate the issue by May 15, 2026. The agency advises organizations to apply patches from Linux vendors immediately, monitor for unusual privilege escalation activity, and follow Binding Operational Directive (BOD) 22-01 for cloud-based assets. Systems without available mitigations should be taken offline. The vulnerability underscores the persistent risks in core operating system components, where kernel-level flaws can undermine foundational security. With Linux’s widespread use in critical infrastructure, the potential impact is significant, making rapid response essential.
INCIDENT DETAILS -
TYPE
Privilege Escalation
IMPACT
Systems Affected: Linux-based systems (enterprise servers, cloud workloads, containerized systems, embedded devices)
Operational Impact: Full system compromise, potential for disabling security tools, accessing sensitive data, or deploying additional payloads
APRIL 2026
762 Before Incident
MARCH 2026
762 Before Incident
FEBRUARY 2026
762 Before Incident
JANUARY 2026
762 Before Incident
DECEMBER 2025
762 Before Incident
NOVEMBER 2025
761 Before Incident
OCTOBER 2025
761 Before Incident
SEPTEMBER 2025
761 Before Incident
AUGUST 2025
760 Before Incident
JULY 2025
760 Before Incident
JUNE 2025
764 Before Incident
Vulnerability
16 Jun 2025, LF
Linux Foundation (or any enterprise using vulnerable Sudo versions 1.9.14–1.9.17)

Critical Sudo Vulnerability (CVE-2025-32463) Exposes Linux Systems to Privilege Escalation Attacks

760 After Incident
CRITICAL-4
THE5032450100625
A critical local privilege escalation vulnerability (CVE-2025-32463) in the Sudo binary (versions 1.9.14–1.9.17) exposes enterprises to severe risk. The publicly released proof-of-concept (PoC) exploit allows attackers with non-privileged accounts to gain full root access, enabling lateral movement across networks. Unpatched systems face unfettered system compromise, jeopardizing data integrity, network security, and enterprise operations. While no direct data breach is confirmed yet, the flaw’s exploitation could lead to full system takeover, data exfiltration, or disruption of critical services. Immediate patching to Sudo 1.9.17p1+ and enforcement of AppArmor/SELinux are mandatory to mitigate risks. Delayed action increases exposure to advanced persistent threats (APTs) or ransomware deployment by adversaries leveraging root privileges.
INCIDENT DETAILS -
TYPE
Vulnerability, Privilege Escalation, Local Exploit
IMPACT
Systems Affected: Linux systems running Sudo 1.9.14–1.9.17 (potentially enterprise-wide)
Operational Impact: High (root access enables lateral movement, full system/network compromise)
Brand Reputation Impact: Potential reputational damage for organizations failing to patch
JANUARY 2024
765 Before Incident
Vulnerability
01 Jan 2024, LF
Google, SolarWinds, Linux, Mirasvit, Cisco and Zcash: DentaQuest Breach: ShinyHunters - Security Affairs

Cybersecurity Roundup: Critical Flaws, Espionage Campaigns, and Major Breaches

761 After Incident
CRITICAL-4
ZCAMIRGOOSOLCISTHE1780914449
Recent weeks have seen a surge in high-profile cybersecurity incidents, from long-standing vulnerabilities to sophisticated espionage operations and large-scale data breaches.

Critical Vulnerabilities Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple flaws to its Known Exploited Vulnerabilities (KEV) catalog, including:

- A Mirasvit Full Page Cache Warmer flaw, now actively exploited.
- Android and Linux Kernel vulnerabilities, posing risks to mobile and enterprise systems.
- A SolarWinds Serv-U flaw, adding to the company’s history of supply chain attacks.
- A Cisco Unified Communications Manager (CM) bug, with public exploit code now available, heightening urgency for patches.

In a separate discovery, researchers identified a four-year-old vulnerability in Zcash’s privacy layer, raising concerns about potential undetected exploitation. Meanwhile, a new VS Code zero-day was publicly disclosed after a researcher lost confidence in Microsoft’s vulnerability handling process.

Espionage and Targeted Attacks

- Gamaredon, a Russian-linked threat group, exploited a WinRAR vulnerability in a modular spy campaign targeting Ukrainian entities.
- A cyber espionage operation breached a stock exchange executive’s Outlook account, underscoring the risks of high-value phishing.
- Russia’s FSB reported that foreign intelligence services infected officials’ phones with malware, highlighting state-sponsored surveillance threats.
- The Silent Ransom Group (SRG) shifted to DNS fast flux infrastructure, complicating detection and attribution.

Data Breaches and Botnet Threats

- ShinyHunters leaked data from DentaQuest, exposing 2.6 million individuals after a breach.
- A Meta AI recovery tool flaw compromised over 20,000 Instagram accounts, demonstrating risks in authentication systems.
- The IoT botnet C0XMO evolved to include competitor-killing capabilities, enabling attacks on rival botnets.

Law Enforcement Actions

Authorities dismantled nine crime groups linked to illegal streaming, resulting in 29 arrests and disrupting a major piracy ecosystem. Separately, researchers uncovered PCPJack, a 230-node cloud email relay network used for malicious campaigns.

These developments reflect the escalating complexity of cyber threats, from zero-days and state-backed espionage to large-scale data leaks and botnet warfare.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, Espionage, Data Breach, Ransomware, Botnet
MOTIVATION
Espionage, Financial Gain, Data Theft, Surveillance, Competitor Disruption
IMPACT
2.6 million individuals' data (DentaQuest); 20,000 Instagram accounts; Android; Linux Kernel; SolarWinds Serv-U; Cisco Unified CM; WinRAR; Outlook; Meta AI recovery tool; Personally Identifiable Information (PII)
DATA BREACH
Personal Data; Account Credentials; 2.6 million (DentaQuest); 20,000 (Instagram); High (PII); Yes (ShinyHunters); Yes
JANUARY 2017
765 Before Incident
Vulnerability
01 Jan 2017, LF
SUSE and Linux: 9-Year-Old Linux Kernel Vulnerability “Copy Fail” Enables Full Root Access

Linux Kernel Flaw 'Copy Fail' Grants Root Access via Memory Manipulation

763 After Incident
CRITICAL-2
THESUS1777537860
Security researchers at Theori uncovered a critical vulnerability in the Linux kernel, present since 2017, that allows unprivileged users to gain full system control. Tracked as CVE-2026-31431 (dubbed Copy Fail), the flaw was discovered using Theori’s AI-powered code auditing tool, following an initial lead by researcher Taeyang Lee. The bug resides in the algif_aead module, part of Linux’s cryptographic subsystem, which handles AEAD (Authenticated Encryption with Associated Data) operations. A miscalculation in the authencesn template causes it to incorrectly write four bytes of data into the page cache, a memory region storing frequently accessed file fragments. Due to a 2017 performance optimization, these bytes can overwrite critical system files in memory, such as /usr/bin/su, without altering the disk-based version.

Attackers can exploit this with a 732-byte Python script, modifying memory-resident files to escalate privileges to root. The flaw is highly reliable, working consistently across multiple Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE 16. Its in-memory nature leaves minimal forensic traces, evading traditional file integrity checks.

Linux has released a patch (commit a664bf3d603d) that prevents the issue by forcing safe data copying, replacing the vulnerable in-place method. For systems unable to update immediately, disabling the algif_aead module mitigates the risk without disrupting common applications like web browsers or SSH. Security experts, including David Brumley of Bugcrowd, emphasize the flaw’s severity, noting its broker-market value and cross-distribution reliability. Brumley warned that the shared page cache in containerized environments could allow a single compromised tenant to affect the entire host, underscoring the need for urgent patching.

The discovery also signals a shift in exploit discovery, as AI-driven tools lower the cost of uncovering deep logic flaws in critical systems.
INCIDENT DETAILS -
TYPE
Privilege Escalation
IMPACT
Systems Affected: Linux systems (Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16)
Operational Impact: Full system control (root access) by unprivileged users
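The PinTheft, Dirty Frag and Copy Fail entries above each recommend the same stop-gap when a patch cannot be applied yet: refuse to autoload the affected kernel modules via `/etc/modprobe.d` and unload any that are already resident. The script below is an added example, not Rankiteo's or the kernel project's code, that audits and applies that mitigation for all six modules the entries name (`rds`, `rds_tcp`, `esp4`, `esp6`, `rxrpc`, `algif_aead`). It assumes nothing beyond those module names; file paths are parameters so the functions can be exercised against constructed input, and the blacklist file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the page or the kernel project): audit and blacklist
# the modules named in the PinTheft, Dirty Frag and Copy Fail write-ups.
# Assumption: /etc/modprobe.d/lpe-blacklist.conf is a placeholder file name.

MODULES="rds rds_tcp esp4 esp6 rxrpc algif_aead"

# loaded_modules FILE: print each name in MODULES that is currently loaded,
# reading a /proc/modules-style file (the module name is the first field).
loaded_modules() {
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' "$1"; then
            echo "$m"
        fi
    done
}

# write_blacklist CONF: one 'install <mod> /bin/false' line per module, the
# same form the write-ups use, so modprobe refuses to autoload them.
write_blacklist() {
    : > "$1"
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$1"
    done
}

# blacklist_count CONF: how many of MODULES have an install-to-/bin/false
# entry in CONF (0 when CONF does not exist). Used to verify the result.
blacklist_count() {
    n=0
    for m in $MODULES; do
        if [ -f "$1" ] && grep -q "^install $m /bin/false" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# The real run happens only with --apply (as root); otherwise the functions
# are merely defined. Unload order matters: rds_tcp depends on rds.
# Side effects noted in the write-ups: removing esp4/esp6/rxrpc breaks IPsec
# VPNs and AFS, and an exploit that already ran leaves modified SUID pages
# in the page cache until a reboot or cache drop.
if [ "${1:-}" = "--apply" ]; then
    conf="/etc/modprobe.d/lpe-blacklist.conf"   # placeholder name
    echo "Loaded vulnerable modules before:"; loaded_modules /proc/modules
    write_blacklist "$conf"
    for m in rds_tcp rds esp4 esp6 rxrpc algif_aead; do
        rmmod "$m" 2>/dev/null || true
    done
    echo "Blacklisted: $(blacklist_count "$conf") of 6"
    echo "Loaded vulnerable modules after:"; loaded_modules /proc/modules
fi
```

Run it with `--apply` as root to enforce the blacklist; without arguments it only defines the functions, which is how the checks below exercise it on constructed input.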

The Linux Foundation Cyber Scoring History | Rankiteo