Patch management

New CIFSwitch Vulnerability in Linux Enables Full Root Compromise

Key points :

The CIFSwitch vulnerability allows any local user without administrator privileges to gain full root access on Linux systems running cifs-utils 6.14 or later with CIFS enabled.
The vulnerability remained hidden in the Linux ecosystem since 2007 and was discovered using AI-based semantic graph analysis instead of traditional manual code review methods.
Security researchers confirmed successful exploitation on multiple Linux distributions, including Linux Mint, Kali Linux, Rocky Linux, AlmaLinux, CentOS Stream 9, and several SUSE Enterprise versions, with a public proof-of-concept (PoC) exploit now available.

CIFSwitch Vulnerability Details:

The newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, exposes a critical design flaw in the Linux kernel’s CIFS (Common Internet File System) client that has been latent since 2007.

The bug allows any low-privileged local user to elevate themselves to full root access by exploiting a missing validation check between the kernel CIFS subsystem and the userspace `cifs-utils` helper.

This vulnerability is especially concerning given that it is the fourth major Linux kernel privilege escalation requiring immediate action in just a matter of weeks, following recent flaws like “Copy Fail,” “Dirty Frag,” and “Fragnesia”. With a public Proof-of-Concept (PoC) already released, system administrators must act immediately to prevent unauthorized root access.

The root cause

The kernel lacks a `.vet_description` hook for the cifs_spnego_key_type. This omission means the kernel does not verify whether a request for a `cifs.spnego` key originated from the trusted CIFS subsystem or from a malicious user process.

An attacker can exploit this by calling `request_key()` or `add_key()` directly, forging the key description to include malicious parameters like `pid` and upcall_target.

How the Exploit Works

For exploitation requires a vulnerable kernel, a compatible cifs-utils version, and unprivileged user namespace creation. Many mainstream Linux distributions have been found vulnerable out-of-the-box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.

Fake Request Creation:
An attacker with basic local access creates a fake cifs.spnego request and sends it to the Linux kernel.
Root Privilege Abuse:
The kernel automatically launches the cifs.upcall helper tool with root privileges, trusting the request as legitimate.
- Namespace Hijacking:
  By abusing Linux namespace settings, the attacker tricks the root process into operating inside an attacker-controlled environment.
Malicious Code Execution:
The attacker places a fake nsswitch.conf file and a malicious shared library inside this environment. When the root process performs a system lookup, it unknowingly loads and executes the attacker’s malicious code as root.
Full Root Access:
The public proof-of-concept exploit ultimately adds a NOPASSWD: ALL entry to the sudoers configuration, allowing the attacker to gain unrestricted root access to the Linux system.

Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.

Recommendation on security patches

The kernel patch introduces a vet_description hook for the CIFS.Spnego key type to verify that descriptions are requested under the CIFS client’s internal spnego_cred.

This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure cifs-upcall does not blindly trust kernel-originated descriptions.

Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, and tightening request-key rules for cifs. spnego, and restricting unprivileged user namespaces.

Sources: cifs-utils – Cyber Web Spider Blog – News

Attackers May Exploit SQL Injection Vulnerability in Drupal’s Database

Key Highlights from Drupal Core SQL Injection Vulnerability: CVE-2026-9082

Severity: Highly Critical

CVSSv3: 6.5 : Medium

CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API
Can be exploited by unauthenticated attackers on sites using PostgreSQL.
No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.
Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.

Critical SQL injection Vulnerability in Drupal core Affects sites running PostgreSQL

As per Tenable, this vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations. No in-exploitation in the wild reported.

Threat Mitigation: Drupal Core SQL Injection Vulnerability

This means older versions of Drupal — specifically Drupal 8.9 and 9.5 — are no longer officially supported and will not receive normal security update packages anymore because they have reached end-of-life (EOL).

Drupal has still released special emergency “hotfix” files for:
- Drupal 9.5.11
- Drupal 8.9.20

These hotfixes help protect vulnerable websites from the reported security issue. The update also includes security fixes from third-party components used inside Drupal, including:

Symfony
Twig

Even if organizations are not using PostgreSQL databases, Drupal still recommends updating because other security vulnerabilities are also fixed in these releases.

Affected Environments by CVE-2026-9082

The vulnerability only affects certain versions of Drupal when the website uses a PostgreSQL database.

In simple terms:

Vulnerable versions:
- Drupal 8.9.0 to 11.3.9
Affected only if:
- The site uses PostgreSQL as its database backend

The issue exists in the PostgreSQL-specific code used by Drupal to process database queries.

Websites using: MySQL, MariaDB and SQLite are not affected by this particular vulnerability because they use different database handling code.

Additionally: Drupal 7 is completely unaffected by this issue.

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Drupal estimates that under 5% of installations run on PostgreSQL. Across the hundreds of thousands of public Drupal sites, that still leaves thousands of internet-reachable targets, concentrated in the segments where Drupal adoption is strongest.

Drupal Patches:

Drupal released fixes across all six supported branches on May 20: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, and 11.3.10. The security team also published exceptional patches for the end-of-life 8.9 and 9.5 branches, given the severity and the volume of legacy installations.

The advisory recommends upgrading to the patched release matching the current branch (11.3.x to 11.3.10, 11.2.x to 11.2.12, 11.1.x or 11.0.x to 11.1.10, 10.6.x to 10.6.9, 10.5.x to 10.5.10, 10.4.x or earlier to 10.4.10). Drupal 8 and 9 sites should treat the exceptional patches as a stopgap rather than a long-term position, because other unpatched issues remain in those branches.

Defenders should verify patch status directly with their hosting provider rather than assume any specific platform-level fix is in place.

CISA Adds CVE-2026-9082 in its KEV Catalogue

The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 22, 2026, indicating confirmed exploitation activity.

Federal agencies and organizations are required to remediate the issue by May 27, 2026, under Binding Operational Directive (BOD) 22-01.

Conclusion: Because of improper input validation, attackers can insert harmful SQL commands into input fields such a application. If unchecked or not sanitized on time, user input before sending it to the database, attackers may manipulate backend database operations potentially bypassing authentication controls. This may lead to accessing sensitive database information and modify or delete data.

If patching is not applicable or not matching with application, organizations should consider temporarily turning off affected services until mitigation measures are in place. The active exploitation of CVE-2026-9082 underscores the ongoing risk posed by SQL injection vulnerabilities in widely used platforms such as Drupal.

PinTheft Linux allows unprivileged local users to gain full root access; PoC Released

Overview: PinTheft vulnerability originates from improper memory reference handling inside the Linux kernel’s RDS zerocopy implementation

A newly disclosed Linux privilege escalation vulnerability named PinTheft allows local unprivileged users to gain full root access on vulnerable systems. Modern Linux systems use “zerocopy” operations to improve performance by avoiding unnecessary memory duplication during network transfers. In this case, failed RDS zerocopy operations improperly release memory references multiple times.

The flaw combines a long-standing issue in the Linux kernel’s RDS (Reliable Datagram Sockets) zerocopy functionality with io_uring to overwrite SUID-root binaries directly in memory and spawn a root shell.

Impact of PinTheft Vulnerability:

The issue primarily impacts systems where RDS modules are enabled and loadable, along with io_uring support. Researchers confirmed default exposure on Arch Linux, while several enterprise Linux distributions mitigate the risk by disabling or blocking RDS modules by default.

What makes PinTheft particularly dangerous is that the exploit modifies SUID-root binaries only in memory, leaving the original files on disk untouched.

PinTheft demonstrates how older kernel flaws can become highly exploitable when combined with newer Linux subsystems such as io_uring.

The vulnerability also highlights:

The increasing complexity of Linux kernel attack surfaces
Risks associated with performance-oriented kernel optimizations
The importance of minimizing unnecessary kernel modules in production environments

For enterprise security teams, systems allowing untrusted local workloads should be prioritized for immediate mitigation and monitoring.

The vulnerability impacts Linux kernels dating back to version 4.17, first released in 2018, highlighting how long-standing kernel flaws can remain dormant until newer features enable reliable exploitation techniques

Affected environments:

Researchers confirmed that:

Arch Linux systems were vulnerable by default
Some distributions ship RDS modules disabled or blacklisted
Certain enterprise Linux distributions are not affected because RDS is absent or io_uring is disabled by default

PoC Released

The release of a public proof-of-concept significantly increases operational risk for organizations running affected Linux environments.

Unlike remote vulnerabilities, PinTheft requires local access. However, once an attacker gains even limited user-level execution, the exploit provides a reliable path to full root compromise.

The vulnerability also highlights increasing complexity of Linux kernel attack surfaces and risks associated with performance-oriented kernel optimizations, importance of minimizing unnecessary kernel modules in production environments.

RakshaOne from Intrucept

RakshaOne can play a significant role in detecting and responding to the PinTheft Linux privilege escalation vulnerability. Since the exploit abuses kernel-level behavior and enables local users to gain root access while leaving minimal traces on disk, traditional security tools may struggle to identify the attack. RakshaOne helps security analysts and SOC teams gain centralized visibility across Linux servers, workloads, and enterprise infrastructure, allowing them to quickly understand the scope and context of suspicious activity.

By combining threat intelligence, behavioral analytics, and automated alert correlation, RakshaOne can detect abnormal privilege escalation attempts, suspicious SUID binary execution, unusual kernel activity, and unauthorized module loading associated with PinTheft exploitation.

The platform also simplifies incident response by automatically prioritizing high-risk alerts and correlating related events, helping organizations identify both known and unknown threats faster.

This becomes especially important for multi-tenant Linux environments, CI/CD runners, container hosts, and shared infrastructure where local privilege escalation vulnerabilities can rapidly lead to full system compromise.

References: PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released

Claude Code network sandbox; Now Attackers can Exfiltrate Data, Bypass Flaw

Claude Code’s Network Sandbox Flaw Enable Data Exfiltration

Security Vulnerabilities in NGINX Causing DoS in RCE

NGINX rewrite module, is used to redirect or modify web requests.

The NGINX vulnerability known as CVE-2026-42945, is a programming mistake in the software where it writes or reads more data in memory than it should, causing a heap buffer overflow and is 18 year old, where in certain rewrite rules are configured in a vulnerable way.

This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, missed by scanners and humans over the years.

The attack can be leveraged & Potential Impact

Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well.

Crash or restart the NGINX server remotely
Cause websites or applications to become unavailable
Launch Denial-of-Service (DoS) attacks

In worst case if a Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:

Attackers may be able to run malicious code on the server
This could potentially lead to full server compromise

Attackers require no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
Exploitation is already happening in real-world attacks
The vulnerable code has reportedly existed for nearly 18 years

Vulnerability	Details
CVE ID	CVE-2026-42945
Severity	High / Critical
Affected Product	NGINX OSS & NGINX Plus
Impact	DoS / Possible Remote Code Execution
Attack Requirement	Specially crafted web requests
Authentication Needed	No

Researchers also found additional medium-severity vulnerabilities affecting:

HTTP/3 QUIC module
HTTP/2 proxy mode
SSL module
SCGI and uWSGI modules
Charset handling module

These may cause:

Memory exhaustion
Data leakage
Spoofing attacks
Service instability

This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.

Immediate Patching Recommendation

Upgrade to the latest patched NGINX versions immediately.

Review and modify vulnerable rewrite rules.
Restrict unnecessary internet exposure of NGINX servers.
Monitor for unexpected NGINX crashes or restarts.
Ensure ASLR and other OS-level security protections remain enabled.

The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.

How GaarudNode Helps Secure Against This Vulnerability

GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.

Security Capability	How It Helps
Continuous OS & Infrastructure Vulnerability Scanning	Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads
Missing Patch Detection	Identifies systems missing critical NGINX security updates and tracks remediation status
Misconfiguration Assessment	Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw
CSPM (Cloud Security Posture Management)	Identifies internet-exposed NGINX instances and insecure cloud deployments
Network Security Visibility	Detects externally exposed web services and risky attack surfaces
Runtime Monitoring (Shift Right)	Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts
Risk Prioritization	Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation
Unified Risk Dashboard	Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks

Sources: NGINX: DoS vulnerability is being attacked | heise online

ZeroDay Vulnerability ‘MiniPlasma’ Grant’s Attackers SYSTEM privileges

A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.

The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.

The exploit reportedly abuses:
- Weak access validation
- Registry interactions
- Undocumented Windows APIs
- Logic flaws in the cloud synchronization subsystem

How enterprise will address the risk

Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.

The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).

The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.

The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.

Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .

Sources: Windows MiniPlasma Zero-Day Exposes SYSTEM Access Risk

Qualcomm Chipset Vulnerability Allows RCE

Multi-Component Qualcomm Vulnerabilities

SAP npm Packages Targeted with Malware ‘Supply Chain Risk’-Patch Now

Supply chain attack

Critical Vulnerability in cPanel & WHM; Patch Now

Critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers

Network Security in Litecoin Compromised by ZeroDay Bug

Litcoin network security compromised
A zero-day bug caused a DoS attack that disrupted major mining pools.
Unpatched Litecoin Nodes Created the Vulnerability, allowed an invalid MWEB transaction allowing them to peg out coins to third party DEX’s

A sophisticated zero-day bug triggered a chain of events that included a Denial of Service (DoS) attack on Litcoin a major mining pools and a specialized exploit of the MimbleWimble Extension Blocks (MWEB). The zero-day specifically targeted MWEB, Litecoin’s privacy feature which are complex in nature and that creates attack surfaces. The specific vulnerability has been patched in version 0.21.5.4,

How is Litecoin different from Bitcoin?

Litecoin is a 2011 fork of Bitcoin with faster block times (2.5 minutes vs. 10 minutes), a larger supply cap (84 million vs. 21 million), and the Scrypt mining algorithm instead of SHA-256. The biggest functional difference today is MWEB, which gives Litecoin optional transaction privacy that Bitcoin does not offer at the base layer.

Attack Module

The attack had two components. First, the attackers used a DoS scheme to take mining nodes running the updated code offline. Then, unprotected nodes formed an alternative chain that included invalid MWEB transactions.

What caused the zero day vulnerability?

The bug or flaw led to a denial-of-service assault that temporarily interrupted operations at several prominent mining pools. The event, which occurred over the weekend, exposed a narrow window of risk but was contained efficiently through coordinated technical measures.

At the core of the disruption were mining nodes that had not yet applied the most recent security patches. Litcon said now the bug has now been fully patched, and the network continues to operate normally. A new core version was released subsequently, including important security updates.

The zero-day attack succeeded because many Litecoin nodes ran outdated software that improperly validated MWEB transactions. This created a two-tier network in which different participants operated under distinct consensus rules.

Bitcoin and Litecoin have no mandatory update mechanism so mostly Nodes can run old software indefinitely. Attackers seized this opportunity and the exact vulnerability exploited in the attack.

Litecoin developers have fixed the issue and the zeroday incident exposes how dependent decentralized networks are on coordinated node updates and careful operator behavior. The network was recovered, but it did not emerge unscathed.

Team Litcoin confirmed the bug on their official X account and stated a patch has been fully deployed, with node operators urged to update immediately. No user funds were lost, but the reorg reversed transactions across those 13 blocks, a depth that qualifies as a serious network event by any measure.

Conclusion:

As per security experts the incident exposed a vulnerability in the update mechanism in Proof-of-Work (PoW) networks and there is a level of risk in its privacy layers as threat actors took advantage by channeling funds through external platforms.

At the same time causing a Denial of Service attack (DoS) on large mining pools. The incident proved how important it is for nodes and miners to stay up to date and patch timely.

Sources: Litecoin Network Security: Zero-Day Bug Fixed

Litecoin MWEB Exploit Explained | 13-Block Reorg and What It Means | 2026