Aggregator
CVE-2025-14543 | RTI Connext Professional prior 7.7.0 xml external entity reference
CVE-2026-38940 | RafyMrX TOKO-ONLINE-ROTI 1.0 detail_produk.php cross site scripting
CVE-2026-38939 | andrewtch88 mvc-ecommerce 1.0 product_catalogue.php cross site scripting
Qilin Ransomware Enumerates RDP Authentication History on a Compromised Server
Qilin ransomware is one of the most active and damaging threats in the cyber landscape today. The group has steadily evolved its tactics since it first appeared in 2022, and its latest technique of enumerating Remote Desktop Protocol (RDP) authentication history on compromised servers gives it a fast, quiet way to map out a network […]
The post Qilin Ransomware Enumerates RDP Authentication History on a Compromised Server appeared first on Cyber Security News.
AI does not need a mind to rise up against us. Evolution will select the ones that ignore prohibitions, and this has already begun
Three Arrested for Hacking Over 610,000 Roblox Accounts
SecWiki News 2026-04-30 Review
For more of the latest articles, visit SecWiki
Langflow 1.8.3 CodeParser eval() RCE vulnerability analysis + PoC
墨思AI AGENT monitoring discovered that the PyTorch Lightning training framework has been poisoned; monthly downloads exceed 10 million
Targeted Large-Scale Campaign Attacking U.S. Organizations with Fake Event Invitations
A large-scale phishing campaign is actively targeting organizations across the United States, using fake event invitations to deceive employees into handing over their corporate login credentials. The operation is wide in reach and strikes some of the most sensitive sectors in the country, including banking, government, technology, and healthcare, pointing to a deliberate effort to […]
The post Targeted Large-Scale Campaign Attacking U.S. Organizations with Fake Event Invitations appeared first on Cyber Security News.
Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability
A flaw in the Linux kernel present since 2017 allows a local user to gain root access on virtually every major Linux distribution. A public exploit is available and reported to work reliably.
Key Takeaways
- CVE-2026-31431 is a high severity local privilege escalation vulnerability in the Linux kernel reportedly affecting virtually every major distribution released since 2017.
- A public exploit is available and reported to be reliable, drawing comparisons to previous high-profile Linux kernel privilege escalation flaws.
- Patched kernel versions are available, though some major distributions have not yet shipped updates.
Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2026-31431, a Linux kernel local privilege escalation vulnerability dubbed "Copy Fail."
FAQ
When was Copy Fail first disclosed?
On March 23, researcher Taeyang Lee of Theori reported the vulnerability to the Linux kernel security team. The flaw was discovered in part using Theori's AI-assisted security scanning tool, Xint Code. A mainline patch was committed on April 1, CVE-2026-31431 was assigned on April 22 and public disclosure occurred on April 29.
What is CVE-2026-31431?
CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. It was assigned a CVSSv3 score of 7.8.
CVE | Description | CVSSv3
CVE-2026-31431 | Linux Kernel Local Privilege Escalation Vulnerability | 7.8
The flaw allows a local user to modify the kernel's cached copy of a file in memory without changing the file on disk. By targeting a privileged binary, an attacker can gain root access. Because the modification exists only in the page cache, the underlying file on disk remains unchanged. Standard disk forensics would not detect the alteration, and clearing memory through a reboot or resource pressure causes the cache to reload from the original file. For a detailed technical breakdown, refer to the Xint Code blog post.
Everyone focuses on memory corruption bugs in the Linux kernel, but we shouldn’t overlook logical bugs. https://t.co/PrSI435i35
— 5unkn0wn (@5unKn0wn) April 30, 2026
How does Copy Fail compare to Dirty Cow and Dirty Pipe?
Copy Fail has drawn comparisons to two other well-known Linux kernel privilege escalation vulnerabilities: Dirty Cow (CVE-2016-5195) and Dirty Pipe (CVE-2022-0847). Both are in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Dirty Cow relied on a race condition, which meant exploitation could fail or require multiple attempts. Dirty Pipe had constraints around how data could be written and where in a file it could be modified. Copy Fail reportedly works consistently across distributions without relying on a race condition or write-position constraints.
How severe is CVE-2026-31431?
Any local user on a system running a vulnerable kernel can exploit this flaw to gain root access. The exploit uses kernel features that are enabled by default on most distributions and does not require special privileges or configuration.
The highest risk environments are those where multiple users or workloads share a Linux kernel: cloud and multi-tenant systems, container clusters and CI/CD pipelines that run untrusted code. Because the exploit targets the kernel's shared file cache, it can also cross container boundaries. On single-user systems, the risk is lower since an attacker would already need local access.
Which Linux distributions are affected?
Any Linux distribution shipping kernel 4.14 or later is affected. The vulnerability was introduced in 2017 and persisted across nearly a decade of kernel releases. Distribution patch status as of April 30:
Distribution | Patch Status
Ubuntu | Patching
SUSE | Patching
Red Hat | Patching
Debian | Vulnerable
Amazon Linux | Vulnerable
Arch Linux | Patched
Is there a proof-of-concept (PoC) available?
Yes. A public PoC was released on GitHub alongside the disclosure. The exploit is a short Python script that modifies a privileged binary in memory and then executes it to obtain root. It is reported to work reliably without requiring multiple attempts or precise timing.
Are there other vulnerabilities related to Copy Fail?
According to Theori, the same research effort that uncovered Copy Fail found additional security flaws in the kernel, at least one of which is also a privilege escalation issue. Those findings remain under coordinated disclosure. This blog will be updated if and when additional information becomes available.
Are patches or mitigations available?
Patched kernel versions have been released:
Affected Kernel Version Range | Fixed Kernel Version
4.14 | N/A
5.10.* | 5.10.254
5.15.* | 5.15.204
6.1.* | 6.1.170
6.6.* | 6.6.137
6.12.* | 6.12.85
6.18.* | 6.18.22
6.19.12 | 6.19.12
>7.0 | 7.0
The fix removes the 2017 optimization that allowed the vulnerability, restoring a safer separation between read and write operations in the kernel's crypto interface.
For systems where an immediate kernel update is not feasible, two workarounds are available depending on kernel configuration.
If the module is loaded dynamically (CONFIG_CRYPTO_USER_API_AEAD=m):
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
If the module is compiled into the kernel (CONFIG_CRYPTO_USER_API_AEAD=y), which is the case on some enterprise kernels, the above will not work. Contributors on the oss-security mailing list have reported that adding the following to the kernel boot parameters and rebooting blocks the exploit:
initcall_blacklist=algif_aead_init
Discussion on the oss-security mailing list has also identified several userspace applications that use the affected kernel interface, including but not limited to cryptsetup and firefox-esr. In practice, initial testing by contributors on the thread has not caused these applications to fail, but the impact may vary by workload. Testing in a non-production environment before deploying either workaround is advisable.
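The fixed-version table and the two workarounds above lend themselves to a quick host check. The POSIX shell script below is an added example and is not part of the Tenable post or of Theori's tooling: it classifies a kernel version string against the fixed releases listed in the table (series not in the table are reported as unknown rather than guessed), and it reports whether either workaround, the modprobe install line or the initcall_blacklist boot parameter, is present. The function names, the --report flag and the sample inputs are my own. The version check is by mainline version number only, so a distribution kernel that carries a backported fix will still read as vulnerable here; use the vendor advisory for that case.

```shell
#!/bin/sh
# Added example, not from the Tenable post: mainline-version check for
# CVE-2026-31431 plus a look at whether either published workaround is in place.
# Fixed patch levels are copied from the post's table; 4.14 has no fix listed.

# Fixed patch level for a stable series ("major.minor"). Prints a number,
# "none" (no fixed release listed) or "unknown" (series not in the table).
fixed_patch_for_series() {
    case "$1" in
        5.10) echo 254 ;;
        5.15) echo 204 ;;
        6.1)  echo 170 ;;
        6.6)  echo 137 ;;
        6.12) echo 85 ;;
        6.18) echo 22 ;;
        6.19) echo 12 ;;
        4.14) echo none ;;
        *)    echo unknown ;;
    esac
}

# Classify a kernel version such as "6.6.120" or "6.6.137-1-lts".
# Prints one of: fixed | vulnerable | no-fix | unknown
# Caveat: distribution kernels backport fixes, so "vulnerable" only means the
# version number is below the mainline fixed release.
classify_kernel_version() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic", "-lts", ...
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                # bare "6.6" has patch level 0
    fixed=$(fixed_patch_for_series "$major.$minor")
    case "$fixed" in
        none)    echo no-fix ;;
        unknown) echo unknown ;;
        *)       if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi ;;
    esac
}

# Detect the two workarounds from the post. Takes the text of /proc/cmdline and
# the concatenated contents of /etc/modprobe.d/*.conf as arguments so that it
# can be exercised offline on constructed input.
# Prints one of: boot-blacklist | modprobe-install-blocked | none
workaround_status() {
    cmdline="$1"
    modprobe_conf="$2"
    case " $cmdline " in
        *" initcall_blacklist="*algif_aead_init*) echo boot-blacklist; return ;;
    esac
    # "install algif_aead /bin/false" (or /bin/true, the other common idiom)
    if printf '%s\n' "$modprobe_conf" \
        | grep -Eq '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)'; then
        echo modprobe-install-blocked
        return
    fi
    echo none
}

# Live report for the running host (real kernel version, cmdline and modprobe.d).
report_host() {
    kv=$(uname -r)
    printf 'kernel %s: %s (mainline version check only)\n' "$kv" "$(classify_kernel_version "$kv")"
    cmd=$(cat /proc/cmdline 2>/dev/null)
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    printf 'workaround: %s\n' "$(workaround_status "$cmd" "$conf")"
    if grep -qs '^CONFIG_CRYPTO_USER_API_AEAD=y' "/boot/config-$kv"; then
        echo 'algif_aead is built in: only the initcall_blacklist boot parameter applies'
    elif lsmod 2>/dev/null | grep -q '^algif_aead '; then
        echo 'algif_aead module is currently loaded'
    fi
}

# Usage: sh check_copyfail.sh --report   (hypothetical file name)
if [ "${1:-}" = "--report" ]; then
    report_host
fi
```

Running the script with --report prints the verdict for the current host; sourcing it instead exposes the two check functions for use in configuration-management audits. The workaround detection deliberately reads the boot command line rather than grub configuration, because the parameter only takes effect after the reboot the post describes.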
Historical exploitation of Linux kernel vulnerabilities
The Linux kernel has a long history as a target for privilege escalation attacks. CISA's KEV catalog contains over 20 entries for Linux kernel flaws, including the two flaws most commonly compared to Copy Fail:
CVE | Description | Date Added to KEV | Known Ransomware Use
CVE-2016-5195 | Linux Kernel Race Condition (Dirty Cow) | 2022-03-03 | Unknown
CVE-2022-0847 | Linux Kernel Improper Initialization (Dirty Pipe) | 2022-04-25 | Unknown
As of April 30, CVE-2026-31431 is not listed in the KEV catalog.
Has Tenable Research classified this as part of Vulnerability Watch?
Yes, we classified CVE-2026-31431 as a Vulnerability of Interest under Vulnerability Watch due to the availability of a public proof-of-concept exploit and the historical in-the-wild exploitation of similar Linux kernel vulnerabilities such as Dirty Cow and Dirty Pipe.
Has Tenable released any product coverage for this vulnerability?
A list of Tenable plugins for this vulnerability can be found on the CVE-2026-31431 page as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Get more information
- Copy Fail Advisory
- Xint Code Blog: Copy Fail Linux Distributions
- The Register: Linux Cryptographic Code Flaw
- oss-security: CVE-2026-31431 Disclosure
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
[Material] A civil society perspective: terrorism and counter-terrorism operations in West Africa
[Intelligence report] Global terrorism situation and strategic forecast for April 2026
New PhaaS Platform Phoenix Drives Brand-Impersonation Smishing Across Finance, Telecom, and Logistics
A dangerous new phishing platform called Phoenix is quietly spreading across the globe, targeting people through fake SMS messages designed to look like they come from trusted banks, telecom providers, and delivery companies. This platform works on a subscription basis, making it easy for cybercriminals with limited technical skills to launch large-scale smishing campaigns in […]
The post New PhaaS Platform Phoenix Drives Brand-Impersonation Smishing Across Finance, Telecom, and Logistics appeared first on Cyber Security News.
CVE-2026-7513 | UTT HiPER 1200GW up to 2.5.3-170306 formRemoteControl strcpy buffer overflow
CVE-2026-7512 | UTT HiPER 1200GW up to 2.5.3-1703 /goform/formUser strcpy buffer overflow
As always, the antivirus is not to blame. We describe a scheme that recruits AI agents into a new type of botnet
FBI and CISA Released Zero Trust Principles Implementation Guide for OT Environments
The FBI and CISA, the Department of Energy (DOE), and defense partners published a joint intelligence document. Titled “Adapting Zero Trust Principles to Operational Technology,” this guide provides critical infrastructure operators with a strategic roadmap to secure industrial systems against modern cyber threats. Historically, operational technology (OT) networks relied heavily on strong perimeter defenses. This […]
The post FBI and CISA Released Zero Trust Principles Implementation Guide for OT Environments appeared first on Cyber Security News.