// #linux
22 articles
Over 400 Arch Linux AUR Packages Poisoned with eBPF Rootkit in Coordinated Maintainer Compromise
More than 400 packages in the Arch Linux User Repository were compromised by an attacker who spoofed trusted maintainer identities to push malicious preinstall scripts. The scripts deploy an ELF infostealer harvesting developer credentials and an optional eBPF rootkit that persists across package removal attempts.
VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances
China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant capability beyond Linux ESXi hosts to commercial network appliances running FreeBSD-derived operating systems. The implant uses HTTPS command and control via legitimate TLS certificates, survives reboots, and operates below enterprise EDR visibility.
China-Nexus Threat Groups and the Shift to Linux and BSD Appliance Targeting
A pattern documented across multiple China-nexus threat actors in 2025–2026 shows a deliberate move from Windows endpoint compromise toward Linux-based network appliances and BSD-running security devices. Network devices running proprietary Linux/BSD derivatives sit at the network edge with high-privilege routing access — and typically outside the enterprise's EDR coverage.
CVE-2026-46243 and the CIFS Attack Surface: Network-Layer Hardening for Linux SMB Environments
CVE-2026-46243 exploits a flaw in the Linux kernel CIFS client subsystem reachable from local shell access. But the broader CIFS/SMB attack surface extends beyond this single CVE — SMB signing enforcement, unauthenticated share access, and uncontrolled NTLM relay paths are network-level risks that compound the impact of any CIFS kernel vulnerability. This article covers network hardening for Linux environments that use SMB/CIFS mounts.
CVE-2026-46243: Identifying Affected Systems and Detecting Exploitation Attempts
With a public proof-of-concept available and patched kernels in distribution repositories, security teams need a systematic approach to identify which Linux systems in their environment are exposed to CVE-2026-46243 and whether any exploitation activity has occurred. This guide covers detection queries, affected system identification, and temporary mitigation steps for environments that cannot patch immediately.
CVE-2026-46243: 19-Year-Old Linux CIFS Kernel Flaw Grants Unprivileged Local Root Across Major Distributions
A long-latent vulnerability in the Linux kernel's CIFS filesystem subsystem allows any unprivileged local user to forge a upcall key and escalate directly to root. Patched kernels reached distribution repositories on 2–3 June; Red Hat, AlmaLinux, Rocky Linux, and CloudLinux all issued security advisories on 3 June. A public proof-of-concept exists.
Linux Kernel Patch Management as Asset Security: Why CVE-2026-46243 Exposes the Kernel Update Gap
The CVE-2026-46243 disclosure — a 19-year-old kernel flaw with a public root exploit and distribution patches already available — is a useful lens for examining how enterprises manage Linux kernel versions as security-relevant assets. Many organisations have robust patch management for applications but inconsistent processes for kernel updates, particularly on specialised infrastructure like database hosts and container nodes.
CVE-2026-46333 Detection and Mitigation: Security Assessment Guide for Linux Environments
CVE-2026-46333, the Linux kernel ptrace race condition with four known exploit chains, requires both patching and verification that compromise has not already occurred. This guide covers the detection queries, audit configuration, and post-patch verification steps security teams need to assess exposure and confirm remediation.
Linux Kernel CVE-2026-46333: Nine-Year-Old ptrace Race Condition Leaks SSH Private Keys and Grants Root
Qualys Threat Research Unit has disclosed CVE-2026-46333, a race condition in the Linux kernel ptrace subsystem affecting all major distributions since kernel 4.8 (2016). Four working privilege escalation exploits exist using SUID binaries; successful exploitation also discloses /etc/shadow and SSH host private keys. Patch immediately.
Linux Kernel CVE-2026-43503: Networking skbuff Frag-Transfer Bug Causes Memory Corruption — CVSS 8.8
Linux kernel stable branch patches published 23 May address CVE-2026-43503, a CVSS 8.8 memory corruption vulnerability in two networking helper functions that incorrectly handle the SKBFL_SHARED_FRAG flag during fragment transfers. The bug affects the skb_shift and __pskb_copy_fclone functions across multiple kernel versions and can be triggered by crafted network traffic on affected configurations.
Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy
Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.
Linux 'Fragnesia' Kernel Privilege Escalation CVE-2026-46300 — New Dirty Frag Class Bug Exploits XFRM ESP-in-TCP for Unprivileged Root
Security researchers disclosed 'Fragnesia,' a Linux kernel privilege escalation vulnerability (CVE-2026-46300) in the XFRM framework's ESP-in-TCP fragmentation handling. The flaw follows the Dirty Frag class of fragmentation-layer bugs and enables an unprivileged local user to gain root on any affected kernel version. A proof-of-concept exploit is available. Kernel patches are being distributed through Linux distribution channels.
Critical Exim MTA Remote Code Execution CVE-2026-45185 — Use-After-Free in GnuTLS Shutdown Affects Millions of Linux Email Servers
A critical use-after-free vulnerability (CVE-2026-45185) in Exim's GnuTLS TLS session shutdown handler enables unauthenticated remote code execution on any Exim installation compiled with GnuTLS support. Exim is the default MTA on Debian, Ubuntu, and many Linux distributions, putting tens of millions of internet-facing mail servers at risk. Patches are available and should be applied immediately.
PamDOORa: Linux Post-Exploitation PAM Module Backdoor Sold on Dark Web for $1,600
Flare.io researchers have identified PamDOORa, a commercially sold Linux backdoor sold for $1,600 on a Russian-language underground forum. PamDOORa installs as a malicious PAM (Pluggable Authentication Module) on compromised Linux systems, creating a persistent hidden SSH access mechanism that activates via a magic password and a TCP port — while also harvesting the credentials of all legitimate users who authenticate to the system.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution
A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.
Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch
Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.
OpenSSH CVE-2026-35414 — Certificate Authentication Bypass via Comma Bug Grants Root Access
A single-character defect in OpenSSH's certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.
Linux 'CopyFail' Kernel Privilege Escalation — Root Access on All Major Distributions Since 2017
A newly weaponised local privilege escalation vulnerability in the Linux kernel's copy-on-write mechanism allows unprivileged local users to gain root access on virtually all major Linux distributions running kernels from 2017 onwards. A working public exploit has been released. Kernel patches are available; organisations running Linux servers, containers, and cloud instances should patch immediately.
OpenSSH 10.3 Patches CVE-2026-35385 — SCP Privilege Escalation via Setuid Bit Preservation
OpenSSH 10.3 fixes CVE-2026-35385 (CVSS 7.5), a privilege escalation flaw in the legacy SCP protocol where files downloaded as root without the -p flag may retain their setuid or setgid bits. Any Linux or macOS system with OpenSSH prior to 10.3 and a workflow involving scp downloads as root is affected.
Linux Kernel Netfilter Vulnerability Batch: CVE-2026-31414 and Cluster Require Prompt Patching
A cluster of Linux kernel vulnerabilities in the netfilter subsystem — led by CVE-2026-31414 — has been patched across stable kernel branches, affecting versions 6.1 through 6.10. The flaws span NULL pointer dereferences and connection tracking weaknesses that can cause privilege escalation or denial of service. Enterprise Linux distributions are releasing updates; unmanaged servers and container hosts running custom kernel builds require manual attention.
Linux Kernel AP VLAN Flaw CVE-2026-31394 Allows Privilege Escalation in Virtualised and Cloud Environments
CVE-2026-31394 is a privilege escalation vulnerability in the Linux kernel's AP VLAN (access point virtual LAN) network driver. Highlighted in Microsoft's Windows Update security reference guide and tracked by multiple Linux distributions, the flaw allows a local user with network namespace access to escalate privileges. Virtual machine hosts, Kubernetes nodes, and container infrastructure are the highest-risk deployment contexts.
Commentary tagged #linux
CVE-2026-46243 and the Enterprise Linux Kernel Patch Lag Problem
The 19-year latency of CVE-2026-46243 makes headlines. What is less discussed is the operational lag between 'patch available' and 'patch applied' across enterprise Linux fleets. Distribution advisories are published. Patched kernels hit repositories. And then organisations schedule the reboots — often weeks later. CVE-2026-46243 is not unusual in its severity; it is unusual in making the patch lag visible.
CipherWatch Editorial
Security Intelligence Platform
2026's Linux Kernel LPE Cluster Is Not Bad Luck — It Is a Research Dividend
Four significant Linux kernel local privilege escalation vulnerabilities in three months is a pattern worth examining. The kernel is not suddenly getting worse. Security research intensity is increasing, and the backlog of unaudited kernel subsystems is being worked through.
CipherWatch Editorial
Security Intelligence Platform