New Ivanti EPMM Zero-Day CVE-2026-6973 Actively Exploited — Patch Immediately
#CyberSecurity
https://securebulletin.com/new-ivanti-epmm-zero-day-cve-2026-6973-actively-exploited-patch-immediately/

🚨 Ivanti Endpoint Manager Mobile flaw (CVE-2026-6973) is being exploited in limited attacks, enabling remote code execution with admin access.

CISA has added it to its KEV catalog, with federal agencies ordered to patch by May 10, 2026.

Read: https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html

The U.S. CISA has added a zero-day vulnerability (CVE-2026-6973) in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch by May 10, 2026. This flaw, requiring admin privileges, allows for arbitrary code execution and is already being exploited.
https://securityaffairs.com/191822/security/u-s-cisa-adds-a-flaw-in-ivanti-endpoint-manager-mobile-epmm-to-its-known-exploited-vulnerabilities-catalog.html

CISA KEV update May 7: CVE-2026-6973 Ivanti EPMM added. Actively exploited input validation flaw. Federal deadline applies, everyone else should patch. - https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog

Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier. https://www.bleepingcomputer.com/news/security/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day/

https://lwn.net/Articles/1071719/

#DirtyFrag is a broken embargo.

Local Privilege Escalation to root.

Public working exploit. No CVE assigned yet.

No fix in sight.
<edit> 7.0.5 was just released which has a fix </edit>
<edit 2> CVE-2026-43284 has been assigned</edit 2>

#infosec #cyber #tsunamiofvulns #CVE-2026-43284

This is the documentation & exploit of DirtyFrag:
https://github.com/V4bel/dirtyfrag/blob/master/README.md

2 new vulnerabilities similar to copyfail:

- CVE-2026-43284 (Dirty Frag)
- CVE-2026-43500

https://github.com/V4bel/dirtyfrag

We're waiting for a release containing the last one before pushing new kernels to aports.

https://github.com/V4bel/dirtyfrag#mitigation mentions a mitigation in the meantime.

L'ensemble de notre parc infogéré est immunisé contre la faille Dirty Frag (CVE-2026-43284) depuis ce matin 08h59.

En gros, c'est l'enfant maudit de Dirty Pipe et Copy Fail qui permet une élévation locale de privilèges qui fonctionne très bien.

En savoir plus sur la faille-> https://github.com/V4bel/dirtyfrag#dirty-frag-universal-linux-lpe

OhMyDebn 3.7.1 now available with mitigation for Dirty Frag local privilege escalation (CVE-2026-43284)

OhMyDebn is a debonair Linux desktop for power users. It gives you the stability of the Debian distro, the ease of use of the Cinnamon desktop, and the power of AI, containers, and virtualization.

@bortzmeyer

CVE-2026-43284 selon almalinux.org
https://almalinux.org/blog/2026-05-07-dirty-frag/
⬇️
https://vulnerability.circl.lu/vuln/CVE-2026-43284

[related]
chez AlmaLinux

"Dirty Frag (CVE-2026-43284) vulnerability fix is ready for testing"
👇
https://almalinux.org/blog/2026-05-07-dirty-frag/

Nouveaux kernels stables : 7.0.5 / 6.18.28 / 6.12.87 / 6.6.138

Ils embarquent un fix partiel pour #DirtyFrag (CVE-2026-43284) et Copy Fail 2.

Partiel, car Greg Kroah-Hartman a confirmé qu'un second patch est encore en développement et n'a pas encore été mergé.

La mitigation par blacklist des modules reste donc recommandée en attendant.
👇
https://lwn.net/Articles/1071775/

#Linux #Kernel #CyberVeille

Apparently there's yet another #LinuxKernel Local Privilege Escalation #vulnerability. There's a mitigation that disables esp4, esp6 and rxrpc modules.

https://www.openwall.com/lists/oss-security/2026/05/07/8

https://github.com/V4bel/dirtyfrag

EDIT: The related vulnerabilities are now tracked as CVE-2026-43284 and CVE-2026-43500. https://nvd.nist.gov/vuln/detail/CVE-2026-43284 https://nvd.nist.gov/vuln/detail/CVE-2026-43500

#infosec #cybersecurity #CVE_2026_43284 #CVE_2026_43500

Ok Ive been working through the mitigations for the string of kernel vulnerabilities. I think this is all of them. I had Claude spit out a summary.

Hope this helps others.

NOTE: I have edited this post to better outline the fixes and improve terminology. Plus we've got a CVE designation for dirty frag now.

## Linux Kernel LPE Roundup — May 8, 2026

Four local privilege escalation vulnerabilities in the same bug class (page-cache writes) are actively circulating. Here's what you need to know:

### 1. Copy Fail (CVE-2026-31431)

Original page-cache write via algif_aead in the crypto subsystem. Patched upstream, distro patches available.

Mitigation: Apply your distro's kernel update, or prevent the module from loading:

echo 'install algif_aead /bin/false' > /etc/modprobe.d/copyfail.conf

https://copy.fail/

### 2. Dirty Frag (CVE-2026-43284)

Chains xfrm-ESP + RxRPC page-cache writes for a universal unprivileged LPE across all major distros. Published after a third party broke the embargo — no patches exist yet.

Mitigation: Prevent the modules from loading:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Then unload them if currently loaded:

rmmod esp4 esp6 rxrpc 2>/dev/null

https://github.com/V4bel/dirtyfrag/

### 3. Copy Fail 2: Electric Boogaloo (no CVE yet)

xfrm ESP-in-UDP variant using MSG_SPLICE_PAGES. Same class as Copy Fail, different subsystem. Autoloads esp4/xfrm modules via userns netlink. Upstream fix committed but not yet in stable branches.

Mitigation: Same esp4 modprobe override as Dirty Frag covers this.

https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

### 4. io_uring ZCRX Freelist LPE (no CVE yet)

Out-of-bounds write in io_uring's zero-copy receive freelist. Narrower scope — requires kernel 6.15+, CONFIG_IO_URING_ZCRX=y, a supported NIC (mlx5/ice/nfp), and CAP_NET_ADMIN. Fix committed but not in stable yet.

Mitigation: Check if you're affected:

grep CONFIG_IO_URING_ZCRX /lib/modules/$(uname -r)/config

No output or "is not set" means you're not vulnerable.

https://ze3tar.github.io/post-zcrx.html

### Note

If any of these modules are built into your kernel (=y rather than =m), the modprobe approach won't work — you'll need initcall_blacklist= on the kernel command line instead. Check with:

grep -E 'CONFIG_INET_ESP=|CONFIG_INET6_ESP=|CONFIG_AF_RXRPC=|CONFIG_CRYPTO_USER_API_AEAD=' /lib/modules/$(uname -r)/config

#linux #kernel #cve #vulnerability #copyfail #copyfail2 #dirtyfrag #security #infosec #sysadmin

@jschauma About https://istheinternetonfire.com/ DirtyFrag now has one CVE (two, actually) CVE-2026-43284 and CVE-2026-43500

As I haven't seen this in my timeline yet:
There is another #Linux #zeroday privilege escalation #vulnerability.
No, not copy_fail, a new one, called DirtyFrag, combining CVE-2026-43284 and CVE-2026-43500

Apparently the finder was gonna disclose this responsibly, but they claim the embargo was broken by a third party.

Most probably not patched yet in distros, but fix (at least for one of the CVEs) is in mainline.

https://github.com/V4bel/dirtyfrag

A workaround/mitigation exists: https://github.com/V4bel/dirtyfrag#mitigation

Les deux vulnérabilités composant #DirtyFrag ont reçu leurs numéros CVE :

🔴 CVE-2026-43284 — xfrm-ESP Page-Cache Write (patché en mainline : f4c50a4034e6)
🟡 CVE-2026-43500 — RxRPC Page-Cache Write

Si ce n'est pas encore fait, la mitigation reste de blacklister esp4, esp6 et rxrpc.
👇
https://vulnerability.circl.lu/vuln/CVE-2026-43284

Critical Palo Alto PAN-OS Zero-Day CVE-2026-0300 Actively Exploited — Root Access Granted on 5,800+ Exposed Firewalls
#CyberSecurity
https://securebulletin.com/critical-palo-alto-pan-os-zero-day-cve-2026-0300-actively-exploited-root-access-granted-on-5800-exposed-firewalls/

The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html

2 new vulnerabilities similar to copyfail:

- CVE-2026-43284 (Dirty Frag)
- CVE-2026-43500

https://github.com/V4bel/dirtyfrag

We're waiting for a release containing the last one before pushing new kernels to aports.

https://github.com/V4bel/dirtyfrag#mitigation mentions a mitigation in the meantime.

and we have another one. This one with CVE.

#dirtyfrag #CVE-2026-43500

Why wait for the slow UEFI when you can just `systemctl kexec` to remediate Dirty Frag with (almost) sub- 1 Minute downtime (2nd reboot for CVE-2026-43500 follows)
(all VMs except the pinned ones have been migrated off before)

Apparently there's yet another #LinuxKernel Local Privilege Escalation #vulnerability. There's a mitigation that disables esp4, esp6 and rxrpc modules.

https://www.openwall.com/lists/oss-security/2026/05/07/8

https://github.com/V4bel/dirtyfrag

EDIT: The related vulnerabilities are now tracked as CVE-2026-43284 and CVE-2026-43500. https://nvd.nist.gov/vuln/detail/CVE-2026-43284 https://nvd.nist.gov/vuln/detail/CVE-2026-43500

#infosec #cybersecurity #CVE_2026_43284 #CVE_2026_43500

@jschauma About https://istheinternetonfire.com/ DirtyFrag now has one CVE (two, actually) CVE-2026-43284 and CVE-2026-43500

As I haven't seen this in my timeline yet:
There is another #Linux #zeroday privilege escalation #vulnerability.
No, not copy_fail, a new one, called DirtyFrag, combining CVE-2026-43284 and CVE-2026-43500

Apparently the finder was gonna disclose this responsibly, but they claim the embargo was broken by a third party.

Most probably not patched yet in distros, but fix (at least for one of the CVEs) is in mainline.

https://github.com/V4bel/dirtyfrag

A workaround/mitigation exists: https://github.com/V4bel/dirtyfrag#mitigation

Les deux vulnérabilités composant #DirtyFrag ont reçu leurs numéros CVE :

🔴 CVE-2026-43284 — xfrm-ESP Page-Cache Write (patché en mainline : f4c50a4034e6)
🟡 CVE-2026-43500 — RxRPC Page-Cache Write

Si ce n'est pas encore fait, la mitigation reste de blacklister esp4, esp6 et rxrpc.
👇
https://vulnerability.circl.lu/vuln/CVE-2026-43284

CopyFail (CVE-2026-31431) is a high-severity Linux kernel vulnerability -- patches are out now for Rocky Linux 8.10, 9.8, and 10.1.

Any unprivileged local user can escalate to root in seconds. Multi-tenant hosts, containers, and CI runners should prioritize this one.

Fix it with:
sudo dnf --refresh update 'kernel*'

Full write-up on the blog:
https://forums.rockylinux.org/t/copyfail-cve-2026-31431-patches-now-available-for-rocky-linux/20422
#RockyLinux #Linux #OpenSource #LinuxSecurity #CopyFail

ICYMI: CVE-2026-31431 (Copy Fail) gives any unprivileged local user a ROOT SHELL. Works every time. Leaves no trace on disk. Patch status + fixes for Proxmox, Debian, and more.

➡️➡️ Watch Here: https://youtu.be/LwqEUiuXmbg

variante peu sympa 👀
"Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and sus into it. Same class as Copy Fail (CVE-2026-31431), different subsystem."
⬇️
https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

#CyberVeille #Linux

⚠️ PSA: patch your AlmaLinux systems.

Copy Fail lets any local user escalate to root. We shipped fixes for AL 8, 9 & 10 ahead of upstream—they're in production now. https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/

Ok Ive been working through the mitigations for the string of kernel vulnerabilities. I think this is all of them. I had Claude spit out a summary.

Hope this helps others.

NOTE: I have edited this post to better outline the fixes and improve terminology. Plus we've got a CVE designation for dirty frag now.

## Linux Kernel LPE Roundup — May 8, 2026

Four local privilege escalation vulnerabilities in the same bug class (page-cache writes) are actively circulating. Here's what you need to know:

### 1. Copy Fail (CVE-2026-31431)

Original page-cache write via algif_aead in the crypto subsystem. Patched upstream, distro patches available.

Mitigation: Apply your distro's kernel update, or prevent the module from loading:

echo 'install algif_aead /bin/false' > /etc/modprobe.d/copyfail.conf

https://copy.fail/

### 2. Dirty Frag (CVE-2026-43284)

Chains xfrm-ESP + RxRPC page-cache writes for a universal unprivileged LPE across all major distros. Published after a third party broke the embargo — no patches exist yet.

Mitigation: Prevent the modules from loading:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Then unload them if currently loaded:

rmmod esp4 esp6 rxrpc 2>/dev/null

https://github.com/V4bel/dirtyfrag/

### 3. Copy Fail 2: Electric Boogaloo (no CVE yet)

xfrm ESP-in-UDP variant using MSG_SPLICE_PAGES. Same class as Copy Fail, different subsystem. Autoloads esp4/xfrm modules via userns netlink. Upstream fix committed but not yet in stable branches.

Mitigation: Same esp4 modprobe override as Dirty Frag covers this.

https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo

### 4. io_uring ZCRX Freelist LPE (no CVE yet)

Out-of-bounds write in io_uring's zero-copy receive freelist. Narrower scope — requires kernel 6.15+, CONFIG_IO_URING_ZCRX=y, a supported NIC (mlx5/ice/nfp), and CAP_NET_ADMIN. Fix committed but not in stable yet.

Mitigation: Check if you're affected:

grep CONFIG_IO_URING_ZCRX /lib/modules/$(uname -r)/config

No output or "is not set" means you're not vulnerable.

https://ze3tar.github.io/post-zcrx.html

### Note

If any of these modules are built into your kernel (=y rather than =m), the modprobe approach won't work — you'll need initcall_blacklist= on the kernel command line instead. Check with:

grep -E 'CONFIG_INET_ESP=|CONFIG_INET6_ESP=|CONFIG_AF_RXRPC=|CONFIG_CRYPTO_USER_API_AEAD=' /lib/modules/$(uname -r)/config

#linux #kernel #cve #vulnerability #copyfail #copyfail2 #dirtyfrag #security #infosec #sysadmin

CVE-2026-41940 was exploited for 64 days before a patch existed. First attack: Feb 23. Advisory: Apr 28.

After disclosure, 15,448 cPanel hosts in malicious activity on May 1 alone. Ransomware and a Mirai botnet running in parallel. CVSS 9.8. CISA KEV.

We built a free scanner. No account needed.

https://pentest-tools.com/network-vulnerability-scanning/cve-2026-41940-scanner-cpanel-authentication-bypass

#infosec #pentesting #vulnerabilitymanagement

CVE-2026-0073 is a Critical severity Remote Code Execution (RCE) vulnerability included as the only vulnerability fixed in the May 2026 Android Security Bulletin. GrapheneOS first shipped the patch in our 2026030501 security preview release on March 5th. It also isn't nearly as severe as it sounds.

Oh, neat, the daily MS CVSS 10 :apartyblobcat:

https://nvd.nist.gov/vuln/detail/cve-2026-42826

🚨 CVE-2026-42826 (CRITICAL, CVSS 10.0) in Azure DevOps exposes sensitive data to unauthorized actors remotely. Microsoft has released a fix — ensure your environment is fully updated. More info: https://radar.offseq.com/threat/cve-2026-42826-cwe-200-exposure-of-sensitive-infor-a9bb0e45 #OffSeq #AzureDevOps #Vuln #InfoSec