// CVE Tracker
152 active CVEs - page 6 of 7, sorted unpatched-first by CVSS
85 CRITICAL | 66 HIGH | 152 TOTAL ACTIVE | 146 PATCHED
CVE-2026-31429
Linux Kernel SKB Memory Management Use-After-Free in Network Stack
A use-after-free vulnerability in the Linux kernel network stack's socket buffer (SKB) memory management subsystem allows an unprivileged local attacker to escalate privileges to root. The flaw arises from improper reference counting in the SKB clone operation path under concurrent network I/O conditions, resulting in a freed memory region being accessible to attacker-controlled data. Successful exploitation requires local code execution on an affected system. Affects Linux kernel versions 5.15 through 6.12-rc; a patch has been merged into kernel mainline.
CVE-2026-31431
Linux Kernel - Copy-on-Write Race Condition Local Privilege Escalation (CopyFail)
A race condition in the Linux kernel's copy-on-write (CoW) page fault handling path allows an unprivileged local user to obtain a writable reference to a page marked read-only, enabling overwrite of kernel memory structures and privilege escalation to root. Affects kernel versions 4.15 through the unfixed 6.18 and 6.19 series. All major Linux distributions have issued patched kernel updates. CISA added this vulnerability to the Known Exploited Vulnerabilities catalogue on 1 May 2026 following confirmation of active exploitation in post-initial-access privilege escalation chains.
CVE-2026-33694
Tenable Nessus Agent - Local Privilege Escalation to Service Account
A privilege escalation vulnerability in the Tenable Nessus Agent component allows a locally authenticated user to elevate their privileges to the account under which the Nessus service runs. The flaw exists in the agent's inter-process communication handling, which fails to enforce adequate access controls on local service operations. In enterprise deployments where the Nessus service account holds elevated domain or local administrator privileges for scanning purposes, this vulnerability enables an attacker with local access to escalate to those privileged credentials.
CVE-2026-33825
Windows Defender TOCTOU Privilege Escalation (BlueHammer)
A local privilege escalation vulnerability in the Windows Defender antimalware signature-update mechanism allows any authenticated local user to gain SYSTEM-level code execution. The flaw combines a time-of-check to time-of-use (TOCTOU) race condition with a path-confusion issue in the Defender update staging path, enabling an attacker to substitute a temporary update file with a malicious DLL loaded under the SYSTEM-privileged Defender service context. A working public exploit was available and active exploitation was observed in post-compromise scenarios preceding ransomware deployment. Patched in Microsoft's April 2026 Patch Tuesday.
CVE-2026-42482
Hashcat - Heap Buffer Overflow in Binary Hash File Parser
A heap buffer overflow vulnerability in Hashcat's binary hash file parser allows a specially crafted hash input file or .hcmask wordlist to trigger an out-of-bounds write to heap memory, potentially enabling code execution in the context of the Hashcat process. The vulnerability affects all Hashcat versions prior to 7.2.0 and is triggered at parse time without requiring the cracking session to complete. Fixed in Hashcat 7.2.0.
CVE-2026-42483
Hashcat - Stack Buffer Overflow in Rule Engine Parser
A stack buffer overflow in Hashcat's rule engine parser is triggered by rule files containing specially crafted function chain sequences. The overflow allows an attacker who can supply a malicious rule file to a Hashcat instance to potentially achieve code execution in the Hashcat process context. Affects all versions prior to 7.2.0. Fixed in Hashcat 7.2.0.
CVE-2026-46243
CVE-2026-46243 - Linux Kernel CIFS Upcall Key Forgery Local Privilege Escalation
A long-latent vulnerability in the Linux kernel CIFS client subsystem allows an unprivileged local user to forge a kernel upcall key and escalate directly to root. A public PoC completes escalation in under 10 seconds. Patched kernels are available across all major distributions as of 2-3 June 2026.
CVE-2026-46300
Linux Kernel 'Fragnesia' Privilege Escalation - XFRM ESP-in-TCP Fragmentation Race Condition
A memory corruption race condition in the Linux kernel's XFRM IPsec framework during ESP-in-TCP packet fragment reassembly allows an unprivileged local user to corrupt kernel memory and achieve arbitrary kernel code execution, escalating to root privileges. Named 'Fragnesia' by researchers, the flaw follows the Dirty Frag class of fragmentation-layer bugs. A public proof-of-concept exploit achieves root in under 30 seconds on tested configurations running kernels 5.12 through 6.11. Distribution vendors are shipping patched kernels.
CVE-2026-5656
Wireshark - Heap Buffer Overflow in PCAP/PCAPNG Parser Leads to Code Execution
A heap buffer overflow in Wireshark's PCAP and PCAPNG file parser can be triggered by a specially crafted capture file, leading to arbitrary code execution on the analyst's workstation. The vulnerability resides in the per-packet dissector state processing during file load. Affects all Wireshark versions prior to 4.4.6 on Windows, macOS, and Linux; TShark is equally affected. Fixed in Wireshark 4.4.6.
CVE-2026-22558
Ubiquiti UniFi Network Application - NoSQL Injection Privilege Escalation
A NoSQL injection vulnerability in the Ubiquiti UniFi Network Application allows authenticated attackers to escalate their privileges to administrative level within the controller. While requiring authentication, this vulnerability is primarily exploited as the second step in a two-stage attack chain with CVE-2026-22557: the unauthenticated path traversal flaw provides initial access, and this injection flaw converts that access to full administrator rights. Both vulnerabilities were disclosed together in Ubiquiti's security advisory on 18 March 2026.
CVE-2026-4368
Citrix NetScaler Gateway Race Condition on Gateway/AAA Virtual Server
A race condition vulnerability in Citrix NetScaler ADC and NetScaler Gateway affects appliances configured as a gateway (ICA Proxy, RDP Proxy, SSL VPN, or CVPN) or as an AAA virtual server. The flaw is present in version 14.1-66.54 specifically. No exploitation in the wild has been confirmed at time of disclosure; the vulnerability was patched in the same advisory release as CVE-2026-3055.
CVE-2024-21182
CVE-2024-21182 - Oracle WebLogic Server Remote Code Execution via T3/IIOP
Unauthenticated RCE in Oracle WebLogic Server via Java deserialization over the T3 and IIOP protocols. Added to CISA KEV June 2026 after confirmed exploitation in ransomware campaigns.
CVE-2026-20128
Cisco Catalyst SD-WAN Manager - DCA Credential Exposure and Privilege Escalation
A credential storage flaw in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager allows a sufficiently positioned attacker to retrieve DCA credential files stored on disk and use them to authenticate within the SD-WAN management environment. Confirmed exploited in the wild by Cisco PSIRT in March 2026 and added to CISA KEV on 20 April 2026.
CVE-2026-20133
Cisco Catalyst SD-WAN Manager - Unauthenticated Sensitive File Read via vshell API
Insufficient filesystem restrictions in the vshell subsystem of Cisco Catalyst SD-WAN Manager (formerly vManage) allow unauthenticated remote attackers to read sensitive files from the SD-WAN Manager host OS, including configuration files, authentication tokens, and WAN edge certificate material. Added to CISA Known Exploited Vulnerabilities catalogue April 2026; FCEB remediation deadline May 12, 2026. Fixed in SD-WAN Manager 20.15.1.
CVE-2026-23231
Linux Kernel nf_tables Use-After-Free - Local Privilege Escalation
A use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem arises from improper synchronisation in the nft_chain_release_hook() function during concurrent chain deletion and packet traversal. An unprivileged local attacker who can create network namespaces can exploit the race condition to corrupt kernel memory and escalate to root. A public proof-of-concept targeting Ubuntu 24.04 LTS has been published alongside the CVE disclosure.
CVE-2026-24297
Windows Kerberos Security Feature Bypass via Race Condition
A security feature bypass vulnerability in the Windows Kerberos authentication implementation caused by a race condition in concurrent request processing. An unauthenticated remote attacker with network access to a Kerberos-speaking service can exploit the race condition to bypass security validation checks in the authentication flow. Requires no user interaction. Patched in the March 2026 Patch Tuesday. No active exploitation confirmed at time of disclosure.
CVE-2026-35385
OpenSSH SCP Setuid/Setgid Bit Preservation Privilege Escalation
In OpenSSH before 10.3, files downloaded via scp in legacy mode (-O flag) as root without the -p (preserve modes) flag may retain setuid or setgid permission bits from the remote source. If an attacker controls the remote server, they can upload a crafted file with setuid bits set; when an administrator downloads and another user executes it, arbitrary privilege escalation becomes possible. The flaw is fixed in OpenSSH 10.3.
CVE-2026-41604
Apache Thrift - Out-of-Bounds Read in Binary Protocol Parser (All Language Bindings)
Out-of-bounds read in the Apache Thrift binary protocol parser when processing a container field with a size value exceeding available buffer bytes. Affects all language bindings. C++ and native bindings may expose adjacent heap memory or crash; JVM-based bindings throw an exception causing service DoS; Go returns an error without crashing. Any client that can send Thrift requests to the service can trigger this flaw. Patched in Apache Thrift 0.23.0.
CVE-2024-27199
JetBrains TeamCity - Unauthenticated Path Traversal Enabling Certificate Replacement and Limited Data Access
A path traversal vulnerability (CWE-22) in JetBrains TeamCity's web component allows unauthenticated attackers to bypass authentication by using path segments containing '../' to reach protected endpoints. Exploitation allows limited information disclosure and limited system modification, including replacement of the HTTPS certificate served by the TeamCity instance with an attacker-supplied certificate. When chained with CVE-2024-27198 (CVSS 9.8), full authentication bypass and administrative access can be achieved. Added to CISA KEV on 20 April 2026.
CVE-2026-41636
Apache Thrift Node.js Library - Uncontrolled Recursion DoS via Deeply Nested Structures
Uncontrolled recursion in the Apache Thrift JavaScript/Node.js library's deserialisation path for nested Thrift structures. No depth limit is enforced on recursive calls processing nested structs or container types. A remote attacker can send a crafted request with approximately 8,000-12,000 levels of nesting to exhaust the V8 call stack, causing an unhandled RangeError that terminates the process. Affects all Apache Thrift versions prior to 0.23.0. Patched in 0.23.0 with a configurable recursion depth limit defaulting to 64 levels.
CVE-2026-42484
Hashcat - Integer Overflow in Potfile Parser Leading to Heap Overflow
An integer overflow in Hashcat's potfile (.pot) parser can lead to a heap buffer overflow when processing large potfile entries from untrusted sources. The vulnerability is triggered when Hashcat loads a potfile containing entries crafted to exceed expected size boundaries, causing heap memory corruption. Affects all versions prior to 7.2.0. Fixed in Hashcat 7.2.0.
CVE-2026-6973
Ivanti Endpoint Manager Mobile (EPMM) - Authenticated RCE via Management Console (CISA KEV)
A remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows an attacker with administrator-level access to the management console to execute arbitrary commands on the underlying server. EPMM manages the enrolled mobile device fleet for an organisation; a compromised server provides access to the configuration, certificates, and management functions for all enrolled devices. CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalogue on 7 May 2026. Ivanti EPMM has been targeted repeatedly by nation-state actors since 2023, including the Norwegian government breach and three subsequent campaigns.
CVE-2026-20122
Cisco Catalyst SD-WAN Manager - Arbitrary File Overwrite Granting vManage Privileges
An authenticated remote attacker can exploit incorrect use of privileged APIs in Cisco Catalyst SD-WAN Manager to upload a malicious file and overwrite arbitrary files on the local filesystem, resulting in vManage user privilege acquisition. vManage access provides control over the entire SD-WAN orchestration plane. Confirmed exploited in the wild by Cisco PSIRT in March 2026 and added to CISA KEV on 20 April 2026.
CVE-2026-34256
SAP NetWeaver ABAP Server - Authenticated Code-Overwrite Enables ERP Business Logic Sabotage
CVE-2026-34256 is an authorisation bypass in SAP NetWeaver ABAP Server's Workbench object transport handling that allows an authenticated user with standard developer authorisations to overwrite compiled ABAP load objects in production systems, bypassing the transport system's write-lock. The vulnerability requires authentication but no special administrative role, enabling an attacker with inadvertently assigned developer authorisation objects to modify payroll, financial reporting, or procurement ABAP programmes.
CVE-2026-46333
Linux Kernel ptrace Race Condition - Root Privilege Escalation and SSH Private Key Disclosure (CVSS 7.1)
A time-of-check to time-of-use (TOCTOU) race condition in the Linux kernel ptrace subsystem allows a local attacker to escalate privileges to root and disclose sensitive credential material including /etc/shadow hashes and SSH host private keys. The vulnerability exists in ptrace_attach(), which implements the ptrace(2) system call used by debuggers and system utilities. The race condition occurs during the privilege-level credential check when attaching to a SUID binary process. Qualys Threat Research Unit developed four working exploit chains using common SUID binaries (chage, ssh-keysign, pkexec, accounts-daemon) present on all major Linux distributions. The ssh-keysign exploit chain reads SSH daemon in-memory private keys without making any SSH connections, leaving no evidence in SSH logs. Vulnerability present in all distributions since Linux kernel 4.8 (2016). Disclosed by Qualys TRU on 20 May 2026. CVSS 7.1 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Note: CVE data is curated manually from NVD, vendor advisories, and security research. CVSS scores reflect NVD base scores at time of entry. Always verify with official vendor advisories before actioning.