Privilege-Escalation
Copy Fail (CVE-2026-31431): A 732-Byte Python Script Roots Every Major Linux Distro Since 2017
A nine-year-old logic bug in the kernel's algif_aead crypto interface lets an unprivileged user plant four bytes anywhere in the page cache — including inside a setuid binary's cached pages. Root in seconds, no on-disk artifacts, breaks containers.
Entra Agent ID Administrator Role Could Hijack Any Service Principal — CVE-2026-35431
A built-in Entra ID role meant to manage AI agents could be used to take ownership of any service principal in the tenant — including Global Administrator-equivalent ones — and authenticate as it. Microsoft patched cloud-side on April 9; Silverfort published technical details April 27.
PhantomRPC: Five Endpoint-Spoofing Paths to SYSTEM on Every Windows Build, No Patch Coming
Kaspersky disclosed PhantomRPC at Black Hat Asia 2026 — an architectural flaw in rpcrt4.dll that lets a low-priv process register a rogue RPC endpoint and hijack SYSTEM-level callers. Microsoft declined to patch.
ASP.NET Core CVE-2026-40372: Signature-Bypass in DataProtection Forges Auth Cookies, Patching Alone Doesn't Close the Door
Microsoft's out-of-band patch fixes a CVSS 9.1 signature-verification bug in ASP.NET Core DataProtection that lets unauthenticated attackers forge cookies and decrypt protected payloads. Tokens minted during the exposure window stay valid after upgrade — you have to rotate the key ring.
Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline
CISA added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager (vManage) to the KEV catalog on April 20, 2026. Two of the three were confirmed exploited in the wild by Cisco PSIRT in March; together they let an attacker move from low-privilege API access to full vManage takeover.
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.
CVE-2026-31414: Linux Kernel Netfilter Conntrack Flaw Enables Container Escape Privilege Escalation
A use-after-free in Linux kernel netfilter connection tracking allows local privilege escalation from container workloads — patch your nodes now.
GPUBreach: GDDR6 Rowhammer Attack Achieves Root Shell, Bypasses IOMMU
University of Toronto researchers demonstrate full CPU privilege escalation from an unprivileged CUDA kernel via GDDR6 bit-flips, bypassing IOMMU — no patch exists yet.
CVE-2026-39860: Nix Package Manager Symlink Bug Gives Any User Root on Multi-User Installs
A critical symlink-following flaw in the Nix daemon lets unprivileged users overwrite arbitrary files as root during fixed-output derivation builds.
CVE-2026-32922: OpenClaw Privilege Escalation Lets Any Paired Device Achieve Full RCE
A missing scope validation in OpenClaw's device.token.rotate endpoint lets any device with operator.pairing scope mint admin tokens and execute arbitrary code on connected nodes.
BlueHammer: Unpatched Windows Defender Zero-Day Turns Definition Updates Into SYSTEM Shells
A disgruntled researcher leaked BlueHammer, a Windows Defender LPE zero-day that chains TOCTOU race conditions with Cloud Files oplocks to dump SAM hives and escalate to SYSTEM. No patch available.
Docker AuthZ Bypass Returns: CVE-2026-34040 Lets Attackers Create Privileged Containers With a Single Padded Request
An incomplete fix for a 2024 Docker AuthZ bypass has resurfaced as CVE-2026-34040, allowing unauthenticated container creation with host filesystem access via oversized HTTP requests.
Three High-Severity Command Injection Flaws in AWS Research and Engineering Studio Give Authenticated Users Root RCE
AWS patches three CVSS 8.8 command injection and privilege escalation bugs in Research and Engineering Studio (RES) — any authenticated user could get root on virtual desktop hosts or the cluster manager.
CVE-2026-33105: Azure Kubernetes Service RBAC Bypass Scores Perfect 10.0 CVSS
Critical AKS vulnerability allows privilege escalation to cluster admin via RBAC bypass. CVSS 10.0. Patch now.
CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited for Three Years Before Disclosure
UAT-8616 abused a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller and Manager since 2023, inserting rogue control-plane peers and escalating to root via a deliberate version-downgrade chain. Cisco disclosed in late February.