Privilege-Escalation
DirtyClone: Linux Kernel LPE via Cloned sk_buff Gives Any Local User Root (CVE-2026-43503)
JFrog releases a working exploit for DirtyClone, a Linux kernel socket-buffer cloning flaw that silently rewrites in-memory setuid binaries and grants root, with container escape potential on cloud and Kubernetes hosts.
Linux Kernel CVE-2026-46331: Pedit COW Traffic-Control Bug Delivers Root Shell, Ubuntu Still Unpatched
A weaponized PoC for CVE-2026-46331 (Pedit COW) corrupts the kernel page cache via act_pedit to drop a root shell; Ubuntu 18.04–26.04 remain unpatched.
LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root
An actively exploited symlink flaw in LiteSpeed's user-end cPanel plugin lets any tenant with FTP or web-shell access break out of CageFS and become root. CISA's federal patch deadline is today.
RoguePlanet Gets a CVE: Microsoft Confirms Patch in Progress for Defender SYSTEM Race Condition (CVE-2026-50656)
One week after a public PoC dropped during Patch Tuesday, Microsoft has assigned CVE-2026-50656 to RoguePlanet, a Defender Malware Protection Engine race condition that hands SYSTEM on fully patched Windows 10 and 11, and confirmed a fix is in flight. No patch yet.
Cisco Unified CM CVE-2026-20230: Public PoC Turns an SSRF Into Root
An unauthenticated SSRF in Cisco Unified Communications Manager (CVE-2026-20230) lets attackers write files to the OS and climb to root. PoC code is public, the 15-train fix is months out, and there's no workaround beyond disabling WebDialer.
Android Framework Zero-Day CVE-2025-48595: Silent Privilege Escalation Under Active Attack
CVE-2025-48595 is a high-severity integer overflow in the Android Framework that escalates privilege with no user interaction and no special permissions. Google confirms limited, targeted exploitation; CISA added it to KEV on June 2 with a June 5 federal deadline. Affects Android 14, 15, 16, and 16 QPR2.
DirtyDecrypt (CVE-2026-31635): Public PoC Roots Fedora, Arch, and openSUSE via the Kernel's RxGK Path
A released proof-of-concept weaponizes CVE-2026-31635, a missing copy-on-write guard in the Linux kernel's RxGK receive path, for local root on Fedora, Arch, and openSUSE Tumbleweed, and pod escape on affected worker nodes.
LiteSpeed cPanel Plugin CVE-2026-48172: Any User Can Run Scripts as Root
A CVSS 10.0 flaw in the LiteSpeed User-End cPanel Plugin lets any logged-in cPanel user execute scripts as root. It is being exploited in the wild; patch or uninstall now.
Two More Defender Zero-Days in the Wild: CVE-2026-41091 Link-Resolution Bug Lands SYSTEM, Added to CISA KEV
Microsoft confirms two Defender flaws, an LPE to SYSTEM and a DoS, are publicly disclosed and exploited in the wild. A third RCE ships in the same engine update. CISA gives federal agencies until June 3.
MiniPlasma: Public PoC Hands SYSTEM on Fully Patched Windows 11 via cldflt.sys
Chaotic Eclipse published a working PoC for MiniPlasma, a Cloud Filter driver LPE that abuses CfAbortHydration to forge .DEFAULT-hive registry keys: the same bug Microsoft was told about in 2020 and claimed to have fixed.
CloudNativePG CVE-2026-44477: Metrics Exporter Escalates Any DB User to Postgres Superuser and Host RCE
A residual session_user=postgres in CloudNativePG's metrics exporter lets any low-privileged database user RESET ROLE back to superuser and reach OS-level command execution via COPY TO PROGRAM. CVSS 9.4. Patched in 1.28.3 and 1.29.1.
YellowKey and GreenPlasma: Same Researcher Drops Two More Windows Zero-Days, BitLocker Bypass via WinRE USB
The anonymous researcher behind BlueHammer is back with YellowKey, a BitLocker bypass that drops a CMD shell on protected drives via crafted FsTx files in WinRE, plus GreenPlasma, a CTFMON privilege escalation. No CVE, no patch.
Copy Fail (CVE-2026-31431): A 732-Byte Python Script Roots Every Major Linux Distro Since 2017
A nine-year-old logic bug in the kernel's algif_aead crypto interface lets an unprivileged user plant four bytes anywhere in the page cache, including inside a setuid binary's cached pages. Root in seconds, no on-disk artifacts, breaks containers.
Entra Agent ID Administrator Role Could Hijack Any Service Principal (CVE-2026-35431)
A built-in Entra ID role meant to manage AI agents could be used to take ownership of any service principal in the tenant, including Global Administrator-equivalent ones, and authenticate as it. Microsoft patched cloud-side on April 9; Silverfort published technical details April 27.
PhantomRPC: Five Endpoint-Spoofing Paths to SYSTEM on Every Windows Build, No Patch Coming
Kaspersky disclosed PhantomRPC at Black Hat Asia 2026: an architectural flaw in rpcrt4.dll that lets a low-priv process register a rogue RPC endpoint and hijack SYSTEM-level callers. Microsoft declined to patch.
ASP.NET Core CVE-2026-40372: Signature-Bypass in DataProtection Forges Auth Cookies, Patching Alone Doesn't Close the Door
Microsoft's out-of-band patch fixes a CVSS 9.1 signature-verification bug in ASP.NET Core DataProtection that lets unauthenticated attackers forge cookies and decrypt protected payloads. Tokens minted during the exposure window stay valid after upgrade; you have to rotate the key ring.
Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline
CISA added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager (vManage) to the KEV catalog on April 20, 2026. Two of the three were confirmed exploited in the wild by Cisco PSIRT in March; together they let an attacker move from low-privilege API access to full vManage takeover.
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.
CVE-2026-31414: Linux Kernel Netfilter Conntrack Flaw Enables Container Escape Privilege Escalation
A use-after-free in Linux kernel netfilter connection tracking allows local privilege escalation from container workloads; patch your nodes now.
GPUBreach: GDDR6 Rowhammer Attack Achieves Root Shell, Bypasses IOMMU
University of Toronto researchers demonstrate full CPU privilege escalation from an unprivileged CUDA kernel via GDDR6 bit-flips, bypassing IOMMU; no patch exists yet.