// #lpe
12 articles
CVE-2026-46243: Identifying Affected Systems and Detecting Exploitation Attempts
With a public proof-of-concept available and patched kernels in distribution repositories, security teams need a systematic approach to identify which Linux systems in their environment are exposed to CVE-2026-46243 and whether any exploitation activity has occurred. This guide covers detection queries, affected system identification, and temporary mitigation steps for environments that cannot patch immediately.
CVE-2026-46243: 19-Year-Old Linux CIFS Kernel Flaw Grants Unprivileged Local Root Across Major Distributions
A long-latent vulnerability in the Linux kernel's CIFS filesystem subsystem allows any unprivileged local user to forge a upcall key and escalate directly to root. Patched kernels reached distribution repositories on 2–3 June; Red Hat, AlmaLinux, Rocky Linux, and CloudLinux all issued security advisories on 3 June. A public proof-of-concept exists.
MiniPlasma: PoC-Released Windows Zero-Day Exploits Cloud Files Mini Filter Driver for SYSTEM Access
A researcher published a working proof-of-concept for a Windows zero-day — dubbed MiniPlasma — that exploits the Cloud Files Mini Filter Driver to achieve SYSTEM-level access on fully-patched Windows 10, Windows 11, and Windows Server 2022/2025. Microsoft has not issued a patch or an out-of-band advisory. All unmitigated Windows systems with cloud sync enabled are affected.
Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy
Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.
Windows 11 Yielded Four Independent LPE Paths at Pwn2Own Berlin — Kernel Attack Surface Analysis
By the close of Pwn2Own Berlin 2026, researchers had demonstrated four separate, independently discovered privilege escalation paths from standard user to SYSTEM on fully patched Windows 11. Each exploited a different component and vulnerability class. The results indicate the Windows kernel and user/kernel boundary remain a consistently productive attack surface for skilled researchers.
Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch
Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.
Linux CopyFail LPE Added to CISA KEV With Active Exploitation Confirmed — CVE-2026-31431
CISA has added CVE-2026-31431 — the Linux kernel copy-on-write race condition LPE disclosed last week as 'CopyFail' — to the Known Exploited Vulnerabilities catalogue following confirmed active exploitation. All major Linux distributions have patches available. Federal agencies face a May 20 remediation deadline and all enterprise organisations should treat kernel patching as urgent.
Linux 'CopyFail' Kernel Privilege Escalation — Root Access on All Major Distributions Since 2017
A newly weaponised local privilege escalation vulnerability in the Linux kernel's copy-on-write mechanism allows unprivileged local users to gain root access on virtually all major Linux distributions running kernels from 2017 onwards. A working public exploit has been released. Kernel patches are available; organisations running Linux servers, containers, and cloud instances should patch immediately.
PhantomRPC — Unpatched Windows Privilege Escalation Technique Abuses COM Server Activation
Security researchers have disclosed PhantomRPC, an unpatched local privilege escalation technique in Windows that abuses the COM server activation mechanism to elevate from standard user to SYSTEM without triggering standard EDR alerts. Microsoft has acknowledged the report but not committed to a patch timeline. Defenders should implement mitigation controls; red teams should incorporate this technique into assessments.
Two Unpatched Windows Defender Zero-Days (RedSun + UnDefend) Actively Exploited — No Fix Available
A security researcher released two additional Windows Defender zero-days — RedSun and UnDefend — after Microsoft failed to patch them. RedSun exploits Defender's cloud file rollback mechanism to achieve SYSTEM privileges on all supported Windows versions. UnDefend silently prevents Defender from updating its threat signatures. Both are confirmed exploited in the wild, and neither has a patch or assigned CVE.
CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available
A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.
BlueHammer Windows LPE Zero-Day Gives Attackers SYSTEM Access — No Patch Available
A publicly disclosed zero-day local privilege escalation vulnerability in Windows Defender's signature-update mechanism allows any authenticated user to escalate to SYSTEM. Named BlueHammer by researchers at Cyderes, the flaw has a working public exploit and no Microsoft patch as of publication. Security teams should implement interim mitigations immediately.