linux

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

A nine-year-old Linux kernel vulnerability (CVE-2026-46333) allows unprivileged users to execute commands as root on major distributions like Debian, Fedora, and Ubuntu. The flaw, discovered by Qualys, is rooted in the kernel’s __ptrace_may_access() function and can be exploited through various methods. It’s recommended to apply the latest kernel updates or use temporary workarounds to mitigate the risk.

https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html

New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

Cybersecurity researchers have revealed a new Linux backdoor called PamDOORa, sold on a Russian cybercrime forum, which exploits Pluggable Authentication Modules (PAM) to steal SSH credentials and enable persistent access through a magic password and specific TCP port. Designed as a sophisticated post-exploitation tool with anti-forensic features, PamDOORa runs with root privileges to capture user credentials and tamper with authentication logs, representing an evolution in Linux PAM-based backdoors.

https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html

Copy.Fail Linux Vulnerability – Schneier on Security

The Copy.Fail vulnerability is a significant local privilege escalation flaw in the Linux kernel disclosed in April 2026, allowing attackers with limited access to escalate privileges to root by exploiting the kernel crypto API and splice() without modifying files on disk, thus evading detection. Affecting major distributions and shared infrastructure environments like Kubernetes, this vulnerability undermines isolation between users and containers, prompting urgent patch rollouts and discussions about new mitigation strategies such as emergency kernel “killswitches.”

https://www.schneier.com/blog/archives/2026/05/copy-fail-linux-vulnerability.html

Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions

A new local privilege escalation vulnerability called Dirty Frag has been discovered in the Linux kernel, enabling unprivileged users to gain root access across major Linux distributions by exploiting flaws in the xfrm-ESP and RxRPC subsystems. This deterministic and highly reliable exploit, which builds on vulnerabilities like Copy Fail and Dirty Pipe, affects systems including Ubuntu 24.04.4, RHEL 10.1, and Fedora 44, prompting advisories from multiple vendors and recommendations to block affected kernel modules until patches are fully available.

https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html

Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Dirty Frag is a newly disclosed Linux kernel local privilege escalation vulnerability that chains two separate page-cache write flaws, allowing attackers to gain root privileges on virtually all major Linux distributions. Discovered by security researcher Hyunwoo Kim, the exploit modifies page cache in RAM deterministically without requiring timing windows or crashing the kernel, with a public proof-of-concept released following an embargo breach on May 7, 2026. Immediate mitigation involves disabling affected kernel modules until distribution-level patches, which are partially merged upstream, become available.

https://cybersecuritynews.com/dirty-frag-linux-vulnerability/

Some Ubuntu Services Are Still Down Following Outages After DDoS Attack

Some Ubuntu services experienced outages for nearly a full day following a sustained Distributed Denial of Service (DDoS) attack that disrupted installs, updates, and Canonical’s web infrastructure. The attack was claimed by an Iraqi hacktivist group called The Islamic Cyber Resistance in Iraq 313 Team, which reportedly used a booter service named Beamed to launch the attack.

https://www.techradar.com/pro/security/some-ubuntu-services-are-still-down-following-outages-after-ddos-attack

Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks

The Apache Software Foundation released version 2.4.67 of Apache HTTP Server to patch five vulnerabilities, including a critical double-free flaw (CVE-2026-23918) in version 2.4.66 that enables remote code execution via HTTP/2. Users are strongly urged to upgrade immediately to mitigate this high-severity risk affecting millions of servers worldwide.

https://cybersecuritynews.com/apache-http-server-rce/

The Most Severe Linux Threat to Surface in Years Catches the World Flat-Footed

A critical local privilege escalation vulnerability in the Linux kernel, named CopyFail (CVE-2026-31431), has been publicly disclosed with exploit code that easily grants root access across virtually all Linux distributions. The flaw affects multi-tenant servers, Kubernetes containers, and CI/CD workflows, posing a severe threat as attackers can escalate privileges quickly on vulnerable systems before widespread patches are applied. Security experts warn this is one of the most serious Linux vulnerabilities in years, urging immediate investigation and mitigation by Linux users and vendors.

https://arstechnica.com/security/2026/04/as-the-most-severe-linux-threat-in-years-surfaces-the-world-scrambles/

Linux Kernel 0-Day “Copy Fail” Roots Every Major Distribution Since 2017

A critical zero-day vulnerability named “Copy Fail” (CVE-2026-31431) in the Linux kernel, affecting every major distribution since 2017, allows any unprivileged local user to gain root access by exploiting a flaw in the kernel's cryptographic template via the AF_ALG socket and splice() system call. The vulnerability, discovered by Theori and exploited by Xint Code Research Team, enables file page cache corruption undetectable by integrity tools, and also facilitates Kubernetes container escapes; a patch has been released and administrators are urged to update immediately.

https://cybersecuritynews.com/linux-kernel-0-day-copy-fail/

Claude Code Found a Linux Vulnerability Hidden for 23 Years

Nicholas Carlini, a research scientist at Anthropic, used the AI tool Claude Code to discover multiple remotely exploitable security vulnerabilities in the Linux kernel, including a particularly significant bug in the NFS driver that had remained unnoticed for 23 years. This breakthrough highlights the remarkable capabilities of advanced language models to identify complex security flaws, potentially leading to a surge in vulnerability discoveries as such AI tools continue to improve.

https://mtlynch.io/claude-code-found-linux-vulnerability/

Linux Ransomware Pay2Key Attacking Servers, Virtualization Platforms, and Cloud Environments

The Pay2Key ransomware group, linked to Iranian threat actors, has developed a Linux-targeted ransomware variant that actively attacks organizational servers, virtualization hosts, and cloud environments. This Linux-specific malware requires root privileges, disables key Linux security frameworks, and uses the ChaCha20 encryption algorithm to cause significant disruption to critical infrastructure, signaling a major shift in ransomware targeting strategy.

https://cybersecuritynews.com/linux-ransomware-pay2key-attacking-organizations-ervers/

WSL in the Malware Ecosystem

WSL (Windows Subsystem for Linux) enables running a Linux environment on Windows, allowing developers and cybersecurity workflows to leverage Linux tools. It poses security risks, as malware can exploit WSL by checking for its presence and executing commands. An infostealer trojan, “ottercookie-socketScript-module-3.js,” utilizes WSL to access the Windows filesystem and obtain user information.

https://isc.sans.edu/diary/rss/32704

VoidLink: The Cloud-Native Malware Framework

Extreme TLDR: VoidLink is a modular, cloud-native Linux malware framework designed for stealth and long-term access, featuring over 30 plugins, adaptable OPSEC techniques, and developed by possibly Chinese affiliates for commercial use. It targets cloud environments, adapts behavior based on detected security measures, and includes capabilities for credential harvesting and persistence.

https://research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/

Hackers Can Now Bypass Linux Security Thanks to Terrifying New Curing Rootkit

New Curing rootkit exploits io_uring in Linux, bypassing traditional security tools by avoiding monitored system calls. This vulnerability poses significant risks, especially for cloud-native businesses. ARMO's solution can mitigate this threat by managing system calls. Users relying solely on classic monitoring may be vulnerable.

https://betanews.com/2025/04/24/hackers-bypass-linux-security-with-armo-curing-rootkit/

Scroll to Top