{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kernel/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Amazon Linux 2023","Red Hat Enterprise Linux (RHEL 10.1)","SUSE 16","Ubuntu 24.04 LTS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"advisory","_cs_vendors":["Red Hat","SUSE","Ubuntu","AWS","Debian","Fedora"],"content_html":"\u003cp\u003eCVE-2026-31431, known as \u0026ldquo;Copy Fail,\u0026rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel\u0026rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAF_ALG Abuse:\u003c/strong\u003e The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Page Cache Corruption:\u003c/strong\u003e This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBoundary Breach:\u003c/strong\u003e The system\u0026rsquo;s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Container Escape:\u003c/strong\u003e The attacker can now use the root privileges gained to perform lateral movement or escape the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability\u0026rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T03:06:08Z","date_published":"2026-05-02T03:06:08Z","id":"/briefs/2026-05-copy-fail/","summary":"The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.","title":"CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-copy-fail/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2025-68741"},{"cvss":7.8,"id":"CVE-2025-38024"},{"cvss":7.8,"id":"CVE-2025-38180"},{"cvss":7.8,"id":"CVE-2026-23111"},{"cvss":7.1,"id":"CVE-2026-23204"}],"_cs_exploited":false,"_cs_products":["Red Hat CodeReady Linux Builder","Red Hat Enterprise Linux"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","kernel","redhat","execution","privilege-escalation","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eOn April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities in the Red Hat Linux kernel. These vulnerabilities, detailed in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313, can lead to significant security risks including arbitrary code execution, privilege escalation, and remote denial of service. The affected systems include various versions and architectures of Red Hat CodeReady Linux Builder and Red Hat Enterprise Linux. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access, control systems, or disrupt services, impacting the confidentiality, integrity, and availability of affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (via unconfirmed vector):\u003c/strong\u003e An attacker identifies a vulnerable Red Hat Linux system running an affected kernel version. While the exact exploit vector isn\u0026rsquo;t specified in the advisory, it involves a vulnerability in the kernel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Trigger:\u003c/strong\u003e The attacker triggers a specific kernel vulnerability, such as those identified as CVE-2026-23001 or CVE-2026-31402, by sending a crafted input to a vulnerable kernel component. The specific method depends on the nature of each CVE.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e Upon successful exploitation, the attacker achieves arbitrary code execution within the kernel context. This allows the attacker to run malicious code directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Leveraging the code execution capability, the attacker exploits another vulnerability (e.g., CVE-2025-68741) to escalate privileges to root or SYSTEM. This may involve exploiting race conditions, memory corruption bugs, or other privilege escalation flaws within the kernel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Control:\u003c/strong\u003e With elevated privileges, the attacker gains full control over the compromised system. They can now access sensitive data, modify system configurations, install backdoors, or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised system as a launching point to attack other systems on the network, potentially exploiting other vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence on the compromised system to maintain access even after reboots. This may involve installing rootkits, modifying system startup scripts, or creating rogue user accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service/Data Exfiltration/etc.:\u003c/strong\u003e Depending on their objectives, the attacker may use the compromised system to launch denial-of-service attacks against other targets, exfiltrate sensitive data, or cause other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these kernel vulnerabilities can lead to complete system compromise, allowing attackers to execute arbitrary code, escalate privileges, and cause denial of service. The wide range of affected Red Hat Enterprise Linux and CodeReady Linux Builder versions implies a potentially large number of vulnerable systems. This can result in significant data breaches, system downtime, financial losses, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches provided in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313 to remediate the vulnerabilities.\u003c/li\u003e\n\u003cli\u003ePrioritize patching systems based on their criticality and exposure to external networks.\u003c/li\u003e\n\u003cli\u003eMonitor systems for suspicious activity that may indicate exploitation attempts, focusing on unexpected kernel module loads or privilege escalations using process_creation logging.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious kernel module loading to identify potential rootkit installation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the deployed Sigma rules to determine the scope and impact of potential compromises.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-redhat-kernel-vulns/","summary":"Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.","title":"Multiple Vulnerabilities in Red Hat Linux Kernel","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-kernel-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-26179"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","kernel","double-free"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26179 is a critical security vulnerability residing within the Windows Kernel. This double-free vulnerability allows an attacker with local access to elevate their privileges. Successful exploitation grants the attacker higher-level permissions on the compromised system. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 7.8, indicating a high severity. The vulnerability lies within the core operating system components, making it a significant threat to Windows-based environments. Exploitation of this vulnerability requires an attacker to have valid local credentials on the target system. The vulnerability was published on 2026-04-14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial local access to a Windows system through legitimate credentials or by exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious program designed to trigger the double-free condition in the Windows Kernel.\u003c/li\u003e\n\u003cli\u003eThe malicious program interacts with a vulnerable kernel function, likely through a specific system call (Nt*).\u003c/li\u003e\n\u003cli\u003eThe vulnerable kernel function attempts to free the same memory region twice due to a logical error.\u003c/li\u003e\n\u003cli\u003eThe double-free corrupts the kernel\u0026rsquo;s memory management structures, such as the heap metadata.\u003c/li\u003e\n\u003cli\u003eThe memory corruption allows the attacker to overwrite critical kernel data structures, such as process tokens or privilege attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the process token of their own process, elevating their privileges to SYSTEM or another highly privileged account.\u003c/li\u003e\n\u003cli\u003eThe attacker now executes privileged commands and gains full control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26179 allows a local attacker to elevate privileges to SYSTEM, the highest level of privilege on a Windows system. This grants the attacker complete control over the compromised machine, allowing them to install software, modify data, create new accounts, and access sensitive information. A successful privilege escalation can lead to a complete compromise of the confidentiality, integrity, and availability of the system. This vulnerability affects all Windows systems where the patch has not been applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-26179 as soon as possible.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process creation events originating from user accounts, as this could be an indicator of exploit activity. Deploy the provided Sigma rule \u003ccode\u003eDetect Suspicious Process Token Modifications\u003c/code\u003e to identify potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process auditing and monitor for unusual system calls using tools like Sysmon to catch the initial exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRegularly review and enforce the principle of least privilege to limit the impact of successful local exploits.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Double Free Vulnerability Exploitation\u003c/code\u003e to identify exploitation of double free vulnerabilities by monitoring process creation and memory allocation patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-cve-2026-26179-privesc/","summary":"CVE-2026-26179 is a double free vulnerability in the Windows Kernel, allowing a locally authenticated attacker to elevate privileges on the system.","title":"CVE-2026-26179 Windows Kernel Double Free Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-26179-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["linux","kernel","vulnerability","workqueue"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026lsquo;Out-of-Cancel\u0026rsquo; vulnerability class, discovered and detailed in March 2026, highlights a category of security flaws residing within the workqueue cancellation APIs in the Linux kernel. This vulnerability arises when work items are improperly handled during cancellation, potentially leading to use-after-free conditions, race conditions, and other memory corruption issues. The initial report and analysis were published on March 23, 2026. While specific exploits are not detailed in the source material, the nature of kernel vulnerabilities makes them critical for defenders to address. The impact can range from denial of service to privilege escalation and potentially arbitrary code execution within the kernel context. This vulnerability class affects a broad range of Linux systems, making it a widespread concern.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user-space program triggers a specific kernel function that queues a work item to a workqueue.\u003c/li\u003e\n\u003cli\u003eThe work item is scheduled for execution, but before it begins, the user-space program requests cancellation of the work item via a workqueue cancellation API.\u003c/li\u003e\n\u003cli\u003eDue to a race condition or improper synchronization, the work item is canceled but not fully removed from the workqueue\u0026rsquo;s internal data structures.\u003c/li\u003e\n\u003cli\u003eThe kernel attempts to access the work item after it has been freed, resulting in a use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eAn attacker manipulates memory layout to place controlled data at the memory location of the freed work item.\u003c/li\u003e\n\u003cli\u003eThe kernel code now operates on the attacker-controlled data, leading to memory corruption or information leakage.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical kernel data structures, such as function pointers or security credentials.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to privilege escalation, allowing the attacker to execute arbitrary code with kernel-level privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe \u0026lsquo;Out-of-Cancel\u0026rsquo; vulnerability class can lead to severe consequences, including kernel crashes (denial of service), privilege escalation, and potentially arbitrary code execution within the kernel. A successful exploit could allow an attacker to gain complete control over the affected system. Due to the ubiquitous nature of the Linux kernel, a wide range of systems are potentially vulnerable, impacting servers, desktops, embedded systems, and mobile devices. While the exact number of vulnerable systems is unknown, the widespread use of affected kernel versions implies a significant potential impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor kernel logs for errors related to workqueue cancellations to detect potential exploitation attempts. Enable auditd to log kernel function calls related to workqueue management (audit.rules).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Potential Use-After-Free in Workqueue Cancellation\u003c/code\u003e to identify suspicious kernel events related to workqueue operations.\u003c/li\u003e\n\u003cli\u003eInvestigate any reported kernel panics or crashes, focusing on stack traces that involve workqueue-related functions.\u003c/li\u003e\n\u003cli\u003eStay informed about kernel patches and security advisories related to workqueue vulnerabilities and apply them promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T07:30:12Z","date_published":"2026-03-25T07:30:12Z","id":"/briefs/2026-03-out-of-cancel/","summary":"The 'Out-of-Cancel' vulnerability class stems from flaws in Linux workqueue cancellation APIs, potentially leading to exploitable conditions within the kernel.","title":"Out-of-Cancel Vulnerability Class in Linux Workqueue Cancellation APIs","url":"https://feed.craftedsignal.io/briefs/2026-03-out-of-cancel/"}],"language":"en","title":"CraftedSignal Threat Feed — Kernel","version":"https://jsonfeed.org/version/1.1"}