New Ivanti EPMM Zero-Day CVE-2026-6973 Actively Exploited — Patch Immediately
#CyberSecurity
https://securebulletin.com/new-ivanti-epmm-zero-day-cve-2026-6973-actively-exploited-patch-immediately/
🚨 Ivanti Endpoint Manager Mobile flaw (CVE-2026-6973) is being exploited in limited attacks, enabling remote code execution with admin access.
CISA has added it to its KEV catalog, with federal agencies ordered to patch by May 10, 2026.
Read: https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
The U.S. CISA has added a zero-day vulnerability (CVE-2026-6973) in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch by May 10, 2026. This flaw, requiring admin privileges, allows for arbitrary code execution and is already being exploited.
https://securityaffairs.com/191822/security/u-s-cisa-adds-a-flaw-in-ivanti-endpoint-manager-mobile-epmm-to-its-known-exploited-vulnerabilities-catalog.html
CISA KEV update May 7: CVE-2026-6973 Ivanti EPMM added. Actively exploited input validation flaw. Federal deadline applies; everyone else should patch. - https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog
Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier. https://www.bleepingcomputer.com/news/security/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day/
https://lwn.net/Articles/1071719/
#DirtyFrag is a broken embargo.
Local Privilege Escalation to root.
Public working exploit. No CVE assigned yet.
No fix in sight.
<edit> 7.0.5 was just released which has a fix </edit>
<edit 2> CVE-2026-43284 has been assigned</edit 2>
#infosec #cyber #tsunamiofvulns #CVE-2026-43284
This is the documentation & exploit of DirtyFrag:
https://github.com/V4bel/dirtyfrag/blob/master/README.md
2 new vulnerabilities similar to copyfail:
- CVE-2026-43284 (Dirty Frag)
- CVE-2026-43500
https://github.com/V4bel/dirtyfrag
We're waiting for a release containing the last one before pushing new kernels to aports.
https://github.com/V4bel/dirtyfrag#mitigation mentions a mitigation in the meantime.
Our entire managed fleet has been immune to the Dirty Frag flaw (CVE-2026-43284) since 08:59 this morning.
Basically, it's the cursed offspring of Dirty Pipe and Copy Fail, enabling a local privilege escalation that works very well.
Read more about the flaw -> https://github.com/V4bel/dirtyfrag#dirty-frag-universal-linux-lpe
OhMyDebn 3.7.1 now available with mitigation for Dirty Frag local privilege escalation (CVE-2026-43284)
OhMyDebn is a debonair Linux desktop for power users. It gives you the stability of the Debian distro, the ease of use of the Cinnamon desktop, and the power of AI, containers, and virtualization.
CVE-2026-43284 according to almalinux.org
https://almalinux.org/blog/2026-05-07-dirty-frag/
⬇️
https://vulnerability.circl.lu/vuln/CVE-2026-43284
[related]
at AlmaLinux
"Dirty Frag (CVE-2026-43284) vulnerability fix is ready for testing"
👇
https://almalinux.org/blog/2026-05-07-dirty-frag/
New stable kernels: 7.0.5 / 6.18.28 / 6.12.87 / 6.6.138
They ship a partial fix for #DirtyFrag (CVE-2026-43284) and Copy Fail 2.
Partial, because Greg Kroah-Hartman confirmed that a second patch is still in development and has not yet been merged.
The module-blacklist mitigation therefore remains recommended in the meantime.
👇
https://lwn.net/Articles/1071775/
Apparently there's yet another #LinuxKernel Local Privilege Escalation #vulnerability. There's a mitigation that disables esp4, esp6 and rxrpc modules.
https://www.openwall.com/lists/oss-security/2026/05/07/8
https://github.com/V4bel/dirtyfrag
EDIT: The related vulnerabilities are now tracked as CVE-2026-43284 and CVE-2026-43500. https://nvd.nist.gov/vuln/detail/CVE-2026-43284 https://nvd.nist.gov/vuln/detail/CVE-2026-43500
Ok, I've been working through the mitigations for the string of kernel vulnerabilities. I think this is all of them. I had Claude spit out a summary.
Hope this helps others.
NOTE: I have edited this post to better outline the fixes and improve terminology. Plus we've got a CVE designation for dirty frag now.
## Linux Kernel LPE Roundup — May 8, 2026
Four local privilege escalation vulnerabilities in the same bug class (page-cache writes) are actively circulating. Here's what you need to know:
### 1. Copy Fail (CVE-2026-31431)
Original page-cache write via algif_aead in the crypto subsystem. Patched upstream, distro patches available.
Mitigation: Apply your distro's kernel update, or prevent the module from loading:
```sh
echo 'install algif_aead /bin/false' > /etc/modprobe.d/copyfail.conf
```
### 2. Dirty Frag (CVE-2026-43284)
Chains xfrm-ESP + RxRPC page-cache writes for a universal unprivileged LPE across all major distros. Published after a third party broke the embargo — no patches exist yet.
Mitigation: Prevent the modules from loading:
```sh
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
```
Then unload them if currently loaded:
```sh
rmmod esp4 esp6 rxrpc 2>/dev/null
```
https://github.com/V4bel/dirtyfrag/
### 3. Copy Fail 2: Electric Boogaloo (no CVE yet)
xfrm ESP-in-UDP variant using MSG_SPLICE_PAGES. Same class as Copy Fail, different subsystem. Autoloads esp4/xfrm modules via userns netlink. Upstream fix committed but not yet in stable branches.
Mitigation: Same esp4 modprobe override as Dirty Frag covers this.
https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
### 4. io_uring ZCRX Freelist LPE (no CVE yet)
Out-of-bounds write in io_uring's zero-copy receive freelist. Narrower scope — requires kernel 6.15+, CONFIG_IO_URING_ZCRX=y, a supported NIC (mlx5/ice/nfp), and CAP_NET_ADMIN. Fix committed but not in stable yet.
Mitigation: Check if you're affected:
```sh
grep CONFIG_IO_URING_ZCRX /lib/modules/$(uname -r)/config
```
No output or "is not set" means you're not vulnerable.
https://ze3tar.github.io/post-zcrx.html
### Note
If any of these modules are built into your kernel (=y rather than =m), the modprobe approach won't work — you'll need initcall_blacklist= on the kernel command line instead. Check with:
```sh
grep -E 'CONFIG_INET_ESP=|CONFIG_INET6_ESP=|CONFIG_AF_RXRPC=|CONFIG_CRYPTO_USER_API_AEAD=' /lib/modules/$(uname -r)/config
```
#linux #kernel #cve #vulnerability #copyfail #copyfail2 #dirtyfrag #security #infosec #sysadmin
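A helper for the roundup's built-in-vs-module check, added here and not part of the post above: it sorts the four kernel options into =m (modprobe override applies), =y (built in, so the post's initcall_blacklist= note applies) or unset, emits the matching modprobe.d lines, and lists affected modules that are currently loaded. The config and lsmod text are constructed samples; on a real host substitute /lib/modules/$(uname -r)/config and the output of lsmod.

```sh
#!/bin/sh
# Added example, not from any post above: sorts the kernel options behind the
# roundup's mitigations into =m (modprobe override works), =y (built in, needs
# initcall_blacklist= on the kernel command line) or unset, emits the modprobe.d
# lines, and lists affected modules currently loaded. SAMPLE_CONFIG/SAMPLE_LSMOD
# are constructed; on a real host use /lib/modules/$(uname -r)/config and lsmod.
SAMPLE_CONFIG='CONFIG_INET_ESP=m
CONFIG_INET6_ESP=m
CONFIG_AF_RXRPC=y
# CONFIG_CRYPTO_USER_API_AEAD is not set'

SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  0
xfrm_user              53248  1
algif_aead             16384  0'

# option=module pairs, the same four options as the roundup's grep line
OPT_MODULES='CONFIG_INET_ESP=esp4 CONFIG_INET6_ESP=esp6 CONFIG_AF_RXRPC=rxrpc CONFIG_CRYPTO_USER_API_AEAD=algif_aead'
# config_state OPTION CONFIG_TEXT -> prints y, m or n (unset or absent)
config_state() {
    case $(printf '%s\n' "$2" | grep -E "^$1=" | cut -d= -f2) in
        y) echo y ;;  m) echo m ;;  *) echo n ;;
    esac
}

# modules_in_state y|m CONFIG_TEXT -> space-separated module names in that state
modules_in_state() {
    out=
    for pair in $OPT_MODULES; do
        [ "$(config_state "${pair%%=*}" "$2")" = "$1" ] && out="$out ${pair#*=}"
    done
    echo "${out# }"
}

# modprobe_overrides CONFIG_TEXT -> one 'install <mod> /bin/false' line per =m module
modprobe_overrides() {
    for mod in $(modules_in_state m "$1"); do printf 'install %s /bin/false\n' "$mod"; done
}
# loaded_affected LSMOD_TEXT -> affected modules currently loaded (rmmod candidates)
loaded_affected() {
    out=
    for pair in $OPT_MODULES; do
        printf '%s\n' "$1" | grep -q "^${pair#*=} " && out="$out ${pair#*=}"
    done
    echo "${out# }"
}
modprobe_overrides "$SAMPLE_CONFIG"                       # lines for /etc/modprobe.d/
echo "built in, needs initcall_blacklist=: $(modules_in_state y "$SAMPLE_CONFIG")"
echo "loaded now, rmmod candidates: $(loaded_affected "$SAMPLE_LSMOD")"
```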
@jschauma About https://istheinternetonfire.com/: DirtyFrag now has one CVE (two, actually): CVE-2026-43284 and CVE-2026-43500
As I haven't seen this in my timeline yet:
There is another #Linux #zeroday privilege escalation #vulnerability.
No, not copy_fail, a new one, called DirtyFrag, combining CVE-2026-43284 and CVE-2026-43500
Apparently the finder was gonna disclose this responsibly, but they claim the embargo was broken by a third party.
Most probably not patched yet in distros, but a fix (at least for one of the CVEs) is in mainline.
https://github.com/V4bel/dirtyfrag
A workaround/mitigation exists: https://github.com/V4bel/dirtyfrag#mitigation
The two vulnerabilities making up #DirtyFrag have received their CVE numbers:
🔴 CVE-2026-43284 — xfrm-ESP Page-Cache Write (patched in mainline: f4c50a4034e6)
🟡 CVE-2026-43500 — RxRPC Page-Cache Write
If not done already, the mitigation is still to blacklist esp4, esp6 and rxrpc.
👇
https://vulnerability.circl.lu/vuln/CVE-2026-43284
https://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/
Critical Palo Alto PAN-OS Zero-Day CVE-2026-0300 Actively Exploited — Root Access Granted on 5,800+ Exposed Firewalls
#CyberSecurity
https://securebulletin.com/critical-palo-alto-pan-os-zero-day-cve-2026-0300-actively-exploited-root-access-granted-on-5800-exposed-firewalls/
The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html
Why wait for the slow UEFI when you can just `systemctl kexec` to remediate Dirty Frag with (almost) sub-1-minute downtime (2nd reboot for CVE-2026-43500 follows)
(all VMs except the pinned ones have been migrated off before)
CopyFail (CVE-2026-31431) is a high-severity Linux kernel vulnerability -- patches are out now for Rocky Linux 8.10, 9.8, and 10.1.
Any unprivileged local user can escalate to root in seconds. Multi-tenant hosts, containers, and CI runners should prioritize this one.
Fix it with:
sudo dnf --refresh update 'kernel*'
Full write-up on the blog:
https://forums.rockylinux.org/t/copyfail-cve-2026-31431-patches-now-available-for-rocky-linux/20422
#RockyLinux #Linux #OpenSource #LinuxSecurity #CopyFail
ICYMI: CVE-2026-31431 (Copy Fail) gives any unprivileged local user a ROOT SHELL. Works every time. Leaves no trace on disk. Patch status + fixes for Proxmox, Debian, and more.
➡️➡️ Watch Here: https://youtu.be/LwqEUiuXmbg
an unpleasant variant 👀
"Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and sus into it. Same class as Copy Fail (CVE-2026-31431), different subsystem."
⬇️
https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
⚠️ PSA: patch your AlmaLinux systems.
Copy Fail lets any local user escalate to root. We shipped fixes for AL 8, 9 & 10 ahead of upstream—they're in production now. https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/
https://aisle.com/blog/aisle-discovers-cve-2026-42511-a-21-year-old-freebsd-remote-command-execution-vulnerability#the-vulnerability
🚨 CVE-2026-42826 (CRITICAL, CVSS 10.0) in Azure DevOps exposes sensitive data to unauthorized actors remotely. Microsoft has released a fix — ensure your environment is fully updated. More info: https://radar.offseq.com/threat/cve-2026-42826-cwe-200-exposure-of-sensitive-infor-a9bb0e45 #OffSeq #AzureDevOps #Vuln #InfoSec