
Overview

  • Linux
  • Linux

Published: 08 May 2026
Updated: 08 May 2026

CVSS: Pending
EPSS: 0.01%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: esp: avoid in-place decrypt on shared skb frags

MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.

The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.

Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.

This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().

Statistics

  • 24 Posts
  • 260 Interactions

Last activity: 1 hour ago

Fediverse


lwn.net/Articles/1071719/

#DirtyFrag is a broken embargo.

Local Privilege Escalation to root.

Public working exploit. No CVE assigned yet.

No fix in sight.
<edit> 7.0.5 was just released which has a fix </edit>
<edit 2> CVE-2026-43284 has been assigned</edit 2>

#infosec #cyber #tsunamiofvulns #CVE-2026-43284

This is the documentation & exploit of DirtyFrag:
github.com/V4bel/dirtyfrag/blo

  • 27
  • 18
  • 0
  • 23h ago

2 new vulnerabilities similar to copyfail:

- CVE-2026-43284 (Dirty Frag)
- CVE-2026-43500

github.com/V4bel/dirtyfrag

We're waiting for a release containing the last one before pushing new kernels to aports.

github.com/V4bel/dirtyfrag#mit mentions a mitigation in the meantime.

  • 34
  • 24
  • 0
  • 10h ago

Just got a kernel update from Debian 13's security channel, which fixes both CVE-2026-43284 and CVE-2026-43500, aka "Dirty Frag".

Debian 12 is not yet patched.

Tracker Links:
security-tracker.debian.org/tr
security-tracker.debian.org/tr

#DirtyFrag #Debian #Linux #Kernel #InfoSec

  • 16
  • 21
  • 0
  • 4h ago

CVE-2026-43284 / "Dirty Frag" ... Another one of those nasty local-privilege-escalations.

Quick fix for CentOS/Fedora-based systems:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf && rmmod esp4 esp6 rxrpc 2>/dev/null; true

Caution: That also effectively disables IPSEC and AFS client support. But it can easily be reverted by removing the file when a patched kernel arrives.

#dirtyfrag #cve_2026_43284 #security #centos #fedora #redhat

  • 3
  • 4
  • 0
  • 1h ago

Our entire managed fleet has been immune to the Dirty Frag flaw (CVE-2026-43284) since 08:59 this morning.

Basically, it's the cursed child of Dirty Pipe and Copy Fail, enabling a local privilege escalation that works very well.

Learn more about the flaw -> github.com/V4bel/dirtyfrag#dir

  • 3
  • 2
  • 0
  • 14h ago
Happy Frid^WCVE-2026-43284

#Linux #DirtyFrag #CopyFail
  • 1
  • 0
  • 0
  • 14h ago

OhMyDebn 3.7.1 now available with mitigation for Dirty Frag local privilege escalation (CVE-2026-43284)

OhMyDebn is a debonair Linux desktop for power users. It gives you the stability of the Debian distro, the ease of use of the Cinnamon desktop, and the power of AI, containers, and virtualization.

  • 0
  • 1
  • 0
  • 10h ago

[related]
at AlmaLinux

"Dirty Frag (CVE-2026-43284) vulnerability fix is ready for testing"
👇
almalinux.org/blog/2026-05-07-

  • 0
  • 0
  • 0
  • 12h ago

New stable kernels: 7.0.5 / 6.18.28 / 6.12.87 / 6.6.138

They include a partial fix for (CVE-2026-43284) and Copy Fail 2.

Partial, because Greg Kroah-Hartman confirmed that a second patch is still in development and has not yet been merged.

Mitigation by blacklisting the modules therefore remains recommended in the meantime.
👇
lwn.net/Articles/1071775/

  • 0
  • 0
  • 0
  • 12h ago

📰 Critical Unpatched 'Dirty Frag' Linux Zero-Day Allows Instant Root Access

🚨 CRITICAL ZERO-DAY: 'Dirty Frag' (CVE-2026-43284) vulnerability in Linux kernel disclosed with NO PATCH. Allows immediate root privilege escalation. Flaw has existed for 9 years. Admins must seek mitigations now! 🐧🔥 #Linux #ZeroDay #CyberSecurity

🔗 cyber.netsecops.io

  • 0
  • 0
  • 0
  • 3h ago

OK, I've been working through the mitigations for the string of kernel vulnerabilities. I think this is all of them. I had Claude spit out a summary.

Hope this helps others.

NOTE: I have edited this post to better outline the fixes and improve terminology. Plus we've got a CVE designation for dirty frag now.

## Linux Kernel LPE Roundup — May 8, 2026

Four local privilege escalation vulnerabilities in the same bug class (page-cache writes) are actively circulating. Here's what you need to know:

### 1. Copy Fail (CVE-2026-31431)

Original page-cache write via algif_aead in the crypto subsystem. Patched upstream, distro patches available.

Mitigation: Apply your distro's kernel update, or prevent the module from loading:

echo 'install algif_aead /bin/false' > /etc/modprobe.d/copyfail.conf

copy.fail/

### 2. Dirty Frag (CVE-2026-43284)

Chains xfrm-ESP + RxRPC page-cache writes for a universal unprivileged LPE across all major distros. Published after a third party broke the embargo — no patches exist yet.

Mitigation: Prevent the modules from loading:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Then unload them if currently loaded:

rmmod esp4 esp6 rxrpc 2>/dev/null

github.com/V4bel/dirtyfrag/

### 3. Copy Fail 2: Electric Boogaloo (no CVE yet)

xfrm ESP-in-UDP variant using MSG_SPLICE_PAGES. Same class as Copy Fail, different subsystem. Autoloads esp4/xfrm modules via userns netlink. Upstream fix committed but not yet in stable branches.

Mitigation: Same esp4 modprobe override as Dirty Frag covers this.

github.com/0xdeadbeefnetwork/C

### 4. io_uring ZCRX Freelist LPE (no CVE yet)

Out-of-bounds write in io_uring's zero-copy receive freelist. Narrower scope — requires kernel 6.15+, CONFIG_IO_URING_ZCRX=y, a supported NIC (mlx5/ice/nfp), and CAP_NET_ADMIN. Fix committed but not in stable yet.

Mitigation: Check if you're affected:

grep CONFIG_IO_URING_ZCRX /lib/modules/$(uname -r)/config

No output or "is not set" means you're not vulnerable.

ze3tar.github.io/post-zcrx.html

### Note

If any of these modules are built into your kernel (=y rather than =m), the modprobe approach won't work — you'll need initcall_blacklist= on the kernel command line instead. Check with:

grep -E 'CONFIG_INET_ESP=|CONFIG_INET6_ESP=|CONFIG_AF_RXRPC=|CONFIG_CRYPTO_USER_API_AEAD=' /lib/modules/$(uname -r)/config

#linux #kernel #cve #vulnerability #copyfail #copyfail2 #dirtyfrag #security #infosec #sysadmin

  • 5
  • 2
  • 0
  • 20h ago

@jschauma About istheinternetonfire.com/ DirtyFrag now has one CVE (two, actually) CVE-2026-43284 and CVE-2026-43500

  • 2
  • 2
  • 0
  • 9h ago

As I haven't seen this in my timeline yet:
There is another #Linux #zeroday privilege escalation #vulnerability.
No, not copy_fail, a new one, called DirtyFrag, combining CVE-2026-43284 and CVE-2026-43500

Apparently the finder was gonna disclose this responsibly, but they claim the embargo was broken by a third party.

Most probably not patched yet in distros, but fix (at least for one of the CVEs) is in mainline.

github.com/V4bel/dirtyfrag

A workaround/mitigation exists: github.com/V4bel/dirtyfrag#mit

  • 1
  • 3
  • 0
  • 7h ago

The two component vulnerabilities have received their CVE numbers:

🔴 CVE-2026-43284 — xfrm-ESP Page-Cache Write (patched in mainline: f4c50a4034e6)
🟡 CVE-2026-43500 — RxRPC Page-Cache Write

If you have not done so yet, the mitigation is still to blacklist esp4, esp6 and rxrpc.
👇
vulnerability.circl.lu/vuln/CV

  • 1
  • 0
  • 0
  • 12h ago
[ Linux Kernel LPE (Local Privilege Escalation) vulnerability (Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG ]
https://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/
  • 0
  • 0
  • 0
  • 9h ago

Did you update your Linux kernel again to protect against the last privilege escalation bug?

No, not CopyFail (CVE-2026-31431), the new DirtyFrag (CVE-2026-43284, CVE-2026-43500).

  • 1
  • 2
  • 0
  • 2h ago

Bluesky

It appears that CVE-2026-43284 has been assigned. www.cve.org/CVERecord?id...
  • 0
  • 0
  • 0
  • 14h ago
A newly disclosed Linux local privilege escalation vulnerability known as “Dirty Frag” enables escalation from an unprivileged user to root through vulnerable kernel networking & memory-fragment handling components, including esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500). msft.it/6015v3WNc
  • 3
  • 5
  • 0
  • 4h ago
📢 Dirty Frag: two Linux vulnerabilities allow root privilege escalation (CVE-2026-43284 / CVE-2026-43500) 📝 #… https://cyberveille.ch/posts/2026-05-08-dirty-frag-deux-vulnerabilites-linux-permettent-l-elevation-de-privileges-root-cve-2026-43284-cve-2026-43500/ #CVE_2026_43284 #Cyberveille
  • 0
  • 0
  • 0
  • 7h ago
"Dirty Frag" Linux Kernel LPE Zero-Day (CVE-2026-43284, CVE-2026-43500) #patchmanagement
  • 0
  • 0
  • 0
  • 3h ago
~Cybergcca~ Alert on unpatched Linux LPE flaws (Dirty Frag) with active PoCs, plus Edge & cPanel updates. - IOCs: CVE-2026-43284, CVE-2026-43500 - #Linux #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 2h ago
DirtyFrag exploits two Linux kernel bugs, CVE-2026-43284 and CVE-2026-43500, enabling local root access on major distros including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. #LinuxRoot #KernelExploit #USA
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Pending

Published: Pending
Updated: Pending

CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 16 Posts
  • 203 Interactions

Last activity: 1 hour ago

Fediverse


2 new vulnerabilities similar to copyfail:

- CVE-2026-43284 (Dirty Frag)
- CVE-2026-43500

github.com/V4bel/dirtyfrag

We're waiting for a release containing the last one before pushing new kernels to aports.

github.com/V4bel/dirtyfrag#mit mentions a mitigation in the meantime.

  • 34
  • 24
  • 0
  • 10h ago

and we have another one. This one with CVE.

#dirtyfrag #CVE-2026-43500

  • 5
  • 4
  • 0
  • 7h ago

Just got a kernel update from Debian 13's security channel, which fixes both CVE-2026-43284 and CVE-2026-43500, aka "Dirty Frag".

Debian 12 is not yet patched.

Tracker Links:
security-tracker.debian.org/tr
security-tracker.debian.org/tr

#DirtyFrag #Debian #Linux #Kernel #InfoSec

  • 16
  • 21
  • 0
  • 4h ago

Why wait for the slow UEFI when you can just `systemctl kexec` to remediate Dirty Frag with (almost) sub-1-minute downtime (2nd reboot for CVE-2026-43500 follows)
(all VMs except the pinned ones have been migrated off before)

  • 0
  • 0
  • 0
  • 8h ago

@jschauma About istheinternetonfire.com/ DirtyFrag now has one CVE (two, actually) CVE-2026-43284 and CVE-2026-43500

  • 2
  • 2
  • 0
  • 9h ago

As I haven't seen this in my timeline yet:
There is another #Linux #zeroday privilege escalation #vulnerability.
No, not copy_fail, a new one, called DirtyFrag, combining CVE-2026-43284 and CVE-2026-43500

Apparently the finder was gonna disclose this responsibly, but they claim the embargo was broken by a third party.

Most probably not patched yet in distros, but fix (at least for one of the CVEs) is in mainline.

github.com/V4bel/dirtyfrag

A workaround/mitigation exists: github.com/V4bel/dirtyfrag#mit

  • 1
  • 3
  • 0
  • 7h ago

The two component vulnerabilities have received their CVE numbers:

🔴 CVE-2026-43284 — xfrm-ESP Page-Cache Write (patched in mainline: f4c50a4034e6)
🟡 CVE-2026-43500 — RxRPC Page-Cache Write

If you have not done so yet, the mitigation is still to blacklist esp4, esp6 and rxrpc.
👇
vulnerability.circl.lu/vuln/CV

  • 1
  • 0
  • 0
  • 12h ago
[ Linux Kernel LPE (Local Privilege Escalation) vulnerability (Dirty Frag: CVE-2026-43284, CVE-2026-43500) - SIOS SECURITY BLOG ]
https://security.sios.jp/vulnerability/kernel-security-vulnerability-20260508/
  • 0
  • 0
  • 0
  • 9h ago

Did you update your Linux kernel again to protect against the last privilege escalation bug?

No, not CopyFail (CVE-2026-31431), the new DirtyFrag (CVE-2026-43284, CVE-2026-43500).

  • 1
  • 2
  • 0
  • 2h ago

Bluesky

CVE-2026-43500 will reportedly be assigned as well (the CVE itself has not been published yet)
  • 0
  • 0
  • 0
  • 12h ago
A newly disclosed Linux local privilege escalation vulnerability known as “Dirty Frag” enables escalation from an unprivileged user to root through vulnerable kernel networking & memory-fragment handling components, including esp4, esp6 (CVE-2026-43284), and rxrpc (CVE-2026-43500). msft.it/6015v3WNc
  • 3
  • 5
  • 0
  • 4h ago
📢 Dirty Frag: two Linux vulnerabilities allow root privilege escalation (CVE-2026-43284 / CVE-2026-43500) 📝 #… https://cyberveille.ch/posts/2026-05-08-dirty-frag-deux-vulnerabilites-linux-permettent-l-elevation-de-privileges-root-cve-2026-43284-cve-2026-43500/ #CVE_2026_43284 #Cyberveille
  • 0
  • 0
  • 0
  • 7h ago
"Dirty Frag" Linux Kernel LPE Zero-Day (CVE-2026-43284, CVE-2026-43500) #patchmanagement
  • 0
  • 0
  • 0
  • 3h ago
~Cybergcca~ Alert on unpatched Linux LPE flaws (Dirty Frag) with active PoCs, plus Edge & cPanel updates. - IOCs: CVE-2026-43284, CVE-2026-43500 - #Linux #ThreatIntel #Vulnerability
  • 0
  • 0
  • 0
  • 2h ago
DirtyFrag exploits two Linux kernel bugs, CVE-2026-43284 and CVE-2026-43500, enabling local root access on major distros including Ubuntu, RHEL, Fedora, CentOS Stream, AlmaLinux, and openSUSE. #LinuxRoot #KernelExploit #USA
  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Ivanti
  • Endpoint Manager Mobile

Published: 07 May 2026
Updated: 08 May 2026

CVSS v3.1: HIGH (7.2)
EPSS: 5.01%

Description

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

Statistics

  • 19 Posts
  • 6 Interactions

Last activity: 7 hours ago

Fediverse


New Ivanti EPMM Zero-Day CVE-2026-6973 Actively Exploited — Patch Immediately
#CyberSecurity
securebulletin.com/new-ivanti-

  • 4
  • 0
  • 0
  • 13h ago

🚨 Ivanti Endpoint Manager Mobile flaw (CVE-2026-6973) is being exploited in limited attacks, enabling remote code execution with admin access.

CISA has added it to its KEV catalog, with federal agencies ordered to patch by May 10, 2026.

Read: thehackernews.com/2026/05/ivan

  • 0
  • 1
  • 0
  • 14h ago

CISA KEV update May 7: CVE-2026-6973 Ivanti EPMM added. Actively exploited input validation flaw. Federal deadline applies, everyone else should patch. - cisa.gov/news-events/alerts/20

  • 0
  • 0
  • 0
  • 10h ago

Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier. bleepingcomputer.com/news/secu

  • 0
  • 0
  • 1
  • 9h ago

Bluesky

Ivanti EPMM vulnerability exploited in zero-day attacks (CVE-2026-6973) www.helpnetsecurity.com/2026/05/08/i...
  • 0
  • 1
  • 0
  • 8h ago
A new, actively exploited flaw (CVE-2026-6973) in Ivanti Endpoint Manager Mobile allows authenticated admins remote code execution. The U.S. Cybersecurity […]
  • 0
  • 0
  • 1
  • 23h ago
The CVE-2026-6973 RCE vulnerability in Ivanti EPMM is being actively exploited, granting admin-level access. Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access #HackerNews (May 7) thehackernews.com/2026/05/ivan...
  • 0
  • 0
  • 0
  • 22h ago
CISA adds one known exploited vulnerability to its catalog. CISA Adds One Known Exploited Vulnerability to Catalog #CISA (May 7) CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) improper input validation vulnerability www.cisa.gov/news-events/...
  • 0
  • 0
  • 0
  • 22h ago
CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
  • 0
  • 0
  • 0
  • 17h ago
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
  • 0
  • 0
  • 0
  • 17h ago
Ivanti reveals CVE-2026-6973, a critical remote code execution flaw in Endpoint Manager Mobile 12.8.0.0 and earlier, exploited in limited zero-day attacks. Additional patches released, admins urged to review credentials. #Ivanti #ZeroDay #USA
  • 0
  • 0
  • 0
  • 15h ago
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access reconbee.com/ivanti-epmm-... #Ivanti #EPMM #adminlevelaccess #cybersecurity #cyberattack
  • 0
  • 0
  • 0
  • 15h ago
Ivanti released patches for five vulnerabilities in Endpoint Manager Mobile, including CVE-2026-6973, a zero-day exploited in targeted attacks allowing remote code execution by authenticated admins. #IvantiPatch #ZeroDay #USA
  • 0
  • 0
  • 1
  • 14h ago
Ivanti EPMM vulnerability exploited in zero-day attacks (CVE-2026-6973) 📖 Read more: www.helpnetsecurity.com/2026/05/08/i... #cybersecurity #cybersecuritynews #0day #endpointmanagement #vulnerability
  • 0
  • 0
  • 0
  • 11h ago
Ivanti: We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication.
  • 0
  • 0
  • 0
  • 7h ago
Ivanti fixes multiple EPMM vulnerabilities, including a flaw exploitable as a zero-day (CVE-2026-6973, CVE-2026-7821 and others) | Codebook|Security News https://codebook.machinarecord.com/threatreport/silobreaker-cyber-alert/45488/
  • 0
  • 0
  • 0
  • 17h ago

Overview

  • Palo Alto Networks
  • Cloud NGFW

Published: 06 May 2026
Updated: 07 May 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 4.65%

Description

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Statistics

  • 10 Posts

Last activity: 3 hours ago

Fediverse


The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. thehackernews.com/2026/05/pan-

  • 0
  • 0
  • 1
  • 10h ago

📰 Critical Palo Alto Networks Zero-Day (CVE-2026-0300) Actively Exploited for RCE

🚨 CRITICAL ZERO-DAY: Palo Alto Networks warns of an unpatched, actively exploited RCE vulnerability (CVE-2026-0300) in PAN-OS firewalls. The flaw allows root access via the User-ID portal. Mitigate immediately! #CyberSecurity #ZeroDay #PANOS

🔗 cyber.netsecops.io

  • 0
  • 0
  • 0
  • 3h ago

Bluesky

CVE-2026-0300: UNPATCHED PAN-OS ZERO-DAY UNDER ACTIVE EXPLOITATION—SECURE YOUR FIREWALLS NOW Introduction: A critical, unpatched buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) is being actively exploited in the wild against Palo Alto Networks PA-Series and VM-Series firewalls when the…
  • 0
  • 0
  • 0
  • 22h ago
The latest update for #ArcticWolf includes "CVE-2026-0300 — Critical Buffer Overflow in PAN-OS User-ID Authentication Portal" and "Should Your Organization Rely on #XDR For #Cybersecurity?". #infosec #networks https://opsmtrs.com/2ZFbaTl
  • 0
  • 0
  • 0
  • 18h ago
The latest update for #Foresiet includes "CVE-2026-0300: Unauthenticated Root RCE via Buffer Overflow in Palo Alto PAN-OS User-ID Authentication Portal" and "The April 2026 #AI Security Report: 6 Incidents and Detailed Attack Paths". #cybersecurity #infosec https://opsmtrs.com/3J3CMGz
  • 0
  • 0
  • 0
  • 17h ago
⚠️ A critical flaw in #PaloAlto PAN-OS (CVE-2026-0300) allows unauthenticated remote code execution. Active exploitation detected in the wild. CVSS score: 9.3. #CyberSecurity #Automatisation
  • 0
  • 0
  • 0
  • 16h ago
Palo Alto Networks reveals active exploitation of zero-day CVE-2026-0300 in PA and VM firewalls, enabling unauthenticated root access. Attack linked to Chinese state group CL-STA-1132 using Earthworm and ReverseSocks5. #China #PaloAlto #ZeroDay
  • 0
  • 0
  • 0
  • 14h ago
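[Vulnerability] What is CVE-2026-0300? Explaining the critical vulnerability in Palo Alto Networks PAN-OS and the measures companies should take. In May 2026, a critical vulnerability, "CVE-2026-0300", was disclosed in "PAN-OS", the firewall OS from Palo Alto Networks. Devices that meet certain conditions may be attacked from outside, and actual exploitation has already been confirmed.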
  • 0
  • 0
  • 0
  • 13h ago
📢 Active exploitation of CVE-2026-0300: critical RCE in PAN-OS by a state actor 📝 ## 🗓️ Context Published on 8 May 2026 by Truesec, this art… https://cyberveille.ch/posts/2026-05-08-exploitation-active-de-cve-2026-0300-rce-critique-dans-pan-os-par-un-acteur-etatique/ #CL_STA_1132 #Cyberveille
  • 0
  • 0
  • 0
  • 7h ago

Overview

  • Linux
  • Linux

Published: 22 Apr 2026
Updated: 08 May 2026

CVSS v3.1: HIGH (7.8)
EPSS: 3.91%

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the copying of the associated data.

There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

Statistics

  • 6 Posts
  • 39 Interactions

Last activity: 2 hours ago

Fediverse


⚠️ PSA: patch your AlmaLinux systems.

Copy Fail lets any local user escalate to root. We shipped fixes for AL 8, 9 & 10 ahead of upstream—they're in production now. almalinux.org/blog/2026-05-01-

  • 13
  • 11
  • 1
  • 6h ago

a rather nasty variant 👀
"Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and sus into it. Same class as Copy Fail (CVE-2026-31431), different subsystem."
⬇️
github.com/0xdeadbeefnetwork/C

  • 0
  • 0
  • 0
  • 13h ago

OK, I've been working through the mitigations for the string of kernel vulnerabilities. I think this is all of them. I had Claude spit out a summary.

Hope this helps others.

NOTE: I have edited this post to better outline the fixes and improve terminology. Plus we've got a CVE designation for dirty frag now.

## Linux Kernel LPE Roundup — May 8, 2026

Four local privilege escalation vulnerabilities in the same bug class (page-cache writes) are actively circulating. Here's what you need to know:

### 1. Copy Fail (CVE-2026-31431)

Original page-cache write via algif_aead in the crypto subsystem. Patched upstream, distro patches available.

Mitigation: Apply your distro's kernel update, or prevent the module from loading:

echo 'install algif_aead /bin/false' > /etc/modprobe.d/copyfail.conf

copy.fail/

### 2. Dirty Frag (CVE-2026-43284)

Chains xfrm-ESP + RxRPC page-cache writes for a universal unprivileged LPE across all major distros. Published after a third party broke the embargo — no patches exist yet.

Mitigation: Prevent the modules from loading:

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Then unload them if currently loaded:

rmmod esp4 esp6 rxrpc 2>/dev/null

github.com/V4bel/dirtyfrag/

### 3. Copy Fail 2: Electric Boogaloo (no CVE yet)

xfrm ESP-in-UDP variant using MSG_SPLICE_PAGES. Same class as Copy Fail, different subsystem. Autoloads esp4/xfrm modules via userns netlink. Upstream fix committed but not yet in stable branches.

Mitigation: Same esp4 modprobe override as Dirty Frag covers this.

github.com/0xdeadbeefnetwork/C

### 4. io_uring ZCRX Freelist LPE (no CVE yet)

Out-of-bounds write in io_uring's zero-copy receive freelist. Narrower scope — requires kernel 6.15+, CONFIG_IO_URING_ZCRX=y, a supported NIC (mlx5/ice/nfp), and CAP_NET_ADMIN. Fix committed but not in stable yet.

Mitigation: Check if you're affected:

grep CONFIG_IO_URING_ZCRX /lib/modules/$(uname -r)/config

No output or "is not set" means you're not vulnerable.

ze3tar.github.io/post-zcrx.html

### Note

If any of these modules are built into your kernel (=y rather than =m), the modprobe approach won't work — you'll need initcall_blacklist= on the kernel command line instead. Check with:

grep -E 'CONFIG_INET_ESP=|CONFIG_INET6_ESP=|CONFIG_AF_RXRPC=|CONFIG_CRYPTO_USER_API_AEAD=' /lib/modules/$(uname -r)/config

#linux #kernel #cve #vulnerability #copyfail #copyfail2 #dirtyfrag #security #infosec #sysadmin

  • 5
  • 2
  • 0
  • 20h ago

Did you update your Linux kernel again to protect against the last privilege escalation bug?

No, not CopyFail (CVE-2026-31431), the new DirtyFrag (CVE-2026-43284, CVE-2026-43500).

  • 1
  • 2
  • 0
  • 2h ago

Bluesky

Similar to the previously disclosed Copy Fail vulnerability (CVE-2026-31431), the exploit attempts to manipulate Linux page cache behavior to achieve privilege escalation. However, Dirty Frag introduces additional attack paths that expand exploitation opportunities and improve reliability.
  • 0
  • 5
  • 0
  • 4h ago

Overview

  • xz
  • xz

Published: 29 Mar 2024
Updated: 20 Nov 2025

CVSS v3.1: CRITICAL (10.0)
EPSS: 85.06%

KEV

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Statistics

  • 3 Posts
  • 2 Interactions

Last activity: 9 hours ago

Bluesky

GNU IFUNC is the real culprit behind CVE-2024-3094 | Discussion
  • 1
  • 1
  • 0
  • 20h ago
GNU IFUNC is the real culprit behind CVE-2024-3094 github.com/robertdfrenc... (news.ycombinator.com/item?id=4805...)
  • 0
  • 0
  • 0
  • 19h ago
GNU IFUNC is the real culprit behind CVE-2024-3094 https://github.com/robertdfrench/ifuncd-up https://news.ycombinator.com/item?id=48056749
  • 0
  • 0
  • 0
  • 9h ago

Overview

  • Microsoft
  • Azure DevOps

Published: 07 May 2026
Updated: 08 May 2026

CVSS v3.1: CRITICAL (10.0)
EPSS: 0.09%

KEV

Description

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Statistics

  • 2 Posts
  • 22 Interactions

Last activity: 6 hours ago

Fediverse


Oh, neat, the daily MS CVSS 10 :apartyblobcat:

nvd.nist.gov/vuln/detail/cve-2

  • 8
  • 13
  • 0
  • 6h ago

🚨 CVE-2026-42826 (CRITICAL, CVSS 10.0) in Azure DevOps exposes sensitive data to unauthorized actors remotely. Microsoft has released a fix — ensure your environment is fully updated. More info: radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 19h ago

Overview

  • Google
  • Android

Published: 04 May 2026
Updated: 05 May 2026

CVSS: Pending
EPSS: 0.01%

KEV

Description

In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 3 Posts
  • 28 Interactions

Last activity: 6 hours ago

Fediverse


CVE-2026-0073 is a Critical severity Remote Code Execution (RCE) vulnerability included as the only vulnerability fixed in the May 2026 Android Security Bulletin. GrapheneOS first shipped the patch in our 2026030501 security preview release on March 5th. It also isn't nearly as severe as it sounds.

  • 6
  • 22
  • 1
  • 21h ago

Bluesky

📢 CVE-2026-0073: critical authentication bypass in Android's ADB-over-TCP allowing RCE 📝 ## 🔍 Context Published on 5 May 2026 by BA… https://cyberveille.ch/posts/2026-05-08-cve-2026-0073-bypass-d-authentification-critique-dans-adb-over-tcp-d-android-permettant-une-rce/ #ADB #Cyberveille
  • 0
  • 0
  • 0
  • 6h ago

Overview

  • FreeBSD
  • FreeBSD

Published: 30 Apr 2026
Updated: 01 May 2026

CVSS: Pending
EPSS: 0.02%

KEV

Description

An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges.

Statistics

  • 1 Post
  • 27 Interactions

Last activity: 16 hours ago

Bluesky

CVE-2026-7270: root on FreeBSD with a shell script :( blog.calif.io/p/cve-2026-7...
  • 13
  • 14
  • 0
  • 16h ago

Overview

  • BerriAI
  • litellm

Published: 08 May 2026
Updated: 08 May 2026

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.08%

Description

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 2 hours ago

Fediverse


🚨 CRITICAL: CVE-2026-42208 in BerriAI LiteLLM (v1.81.16 – 1.83.6) enables unauthenticated SQL injection via API key processing. Patch to v1.83.7 immediately to protect credentials and data. Details: radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 17h ago

Bluesky

~Cisa~ CISA added CVE-2026-42208, an actively exploited BerriAI LiteLLM SQL injection flaw, to its KEV catalog. - IOCs: CVE-2026-42208 - #CISA #CVE202642208 #ThreatIntel
  • 0
  • 0
  • 0
  • 2h ago