{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/red-hat/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Quarkus Vertx HTTP (\u003c 3.20.6.1)","Quarkus Vertx HTTP (\u003e= 3.21.0, \u003c 3.27.3.1)","Quarkus Vertx HTTP (\u003e= 3.30.0, \u003c 3.33.1.1)","Quarkus Vertx HTTP (\u003e= 3.34.0, \u003c 3.35.1.1)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability exists in Quarkus Vertx HTTP versions \u0026lt; 3.20.6.1, \u0026gt;= 3.21.0 and \u0026lt; 3.27.3.1, \u0026gt;= 3.30.0 and \u0026lt; 3.33.1.1, and \u0026gt;= 3.34.0 and \u0026lt; 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (\u003ccode\u003e;\u003c/code\u003e) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus\u0026rsquo;s security layer checks the raw URL path, while RESTEasy Reactive\u0026rsquo;s routing layer strips matrix parameters before matching endpoints. This means a request like \u003ccode\u003e/api/admin;anything\u003c/code\u003e can bypass authorization for \u003ccode\u003e/api/admin\u003c/code\u003e while still routing to the protected endpoint. This issue was discovered and verified by the GitHub Security Lab.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected endpoint, such as \u003ccode\u003e/api/admin\u003c/code\u003e, that requires authentication or specific privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as \u003ccode\u003e/api/admin;anything\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Quarkus Vertx HTTP server.\u003c/li\u003e\n\u003cli\u003eQuarkus\u0026rsquo;s security layer performs an authorization check on the raw URL path \u003ccode\u003e/api/admin;anything\u003c/code\u003e, which may not match the intended authorization rules for \u003ccode\u003e/api/admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRESTEasy Reactive\u0026rsquo;s routing layer strips the matrix parameters (\u003ccode\u003e;anything\u003c/code\u003e) from the URL, resulting in the endpoint \u003ccode\u003e/api/admin\u003c/code\u003e being matched.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the protected endpoint \u003ccode\u003e/api/admin\u003c/code\u003e, bypassing the intended authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Quarkus Vertx HTTP to a patched version (\u0026gt;= 3.20.6.1, \u0026gt;= 3.27.3.1, \u0026gt;= 3.33.1.1, \u0026gt;= 3.35.1.1) to remediate CVE-2026-39852.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Quarkus Authorization Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the \u003ccode\u003eMonitor Semicolons in URL Path\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:20:20Z","date_published":"2026-05-04T17:20:20Z","id":"/briefs/2026-05-quarkus-auth-bypass/","summary":"Quarkus Vertx HTTP versions \u003c 3.20.6.1, \u003e= 3.21.0 and \u003c 3.27.3.1, \u003e= 3.30.0 and \u003c 3.33.1.1, and \u003e= 3.34.0 and \u003c 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.","title":"Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters","url":"https://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6266"}],"_cs_exploited":false,"_cs_products":["AAP"],"_cs_severities":["high"],"_cs_tags":["cve-2026-6266","account-hijacking","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability, tracked as CVE-2026-6266, exists in the AAP gateway. Specifically, the user auto-link strategy introduced in AAP 2.6 automatically links external Identity Provider (IDP) identities to existing AAP user accounts based on email matching without verifying email ownership. This vulnerability enables a remote attacker to potentially hijack a victim\u0026rsquo;s account and gain unauthorized access to other accounts, including administrative accounts. The attacker achieves this by manipulating the email address provided by the IDP during the auto-linking process. This poses a significant risk to organizations using AAP for identity management, potentially leading to data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target user account within the AAP gateway.\u003c/li\u003e\n\u003cli\u003eAttacker creates an account on a configured external Identity Provider (IDP).\u003c/li\u003e\n\u003cli\u003eAttacker configures the IDP account with the same email address as the target user in the AAP gateway.\u003c/li\u003e\n\u003cli\u003eThe target user attempts to authenticate to the AAP gateway using the configured IDP.\u003c/li\u003e\n\u003cli\u003eThe AAP gateway, running version 2.6 or later, automatically links the attacker-controlled IDP identity to the existing AAP user account based on email matching, without verifying ownership.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates to the AAP gateway using the attacker-controlled IDP account, gaining access to the target user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eIf the hijacked account has administrative privileges, the attacker can escalate privileges and compromise the entire AAP gateway environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6266 can lead to unauthorized access to sensitive data and systems managed by the AAP gateway. This includes the potential compromise of administrative accounts, which could allow an attacker to gain full control over the AAP environment. The vulnerability impacts organizations using AAP 2.6 and later for identity management. The potential consequences include data breaches, service disruption, and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in Red Hat Security Advisory RHSA-2026:13508 to remediate CVE-2026-6266.\u003c/li\u003e\n\u003cli\u003eMonitor AAP gateway logs for successful authentications from unexpected IDPs to detect potential account hijacking attempts. Deploy a Sigma rule to detect this behavior.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all AAP accounts to mitigate the impact of successful account hijacking, even if the IDP is compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:16:35Z","date_published":"2026-05-04T14:16:35Z","id":"/briefs/2026-05-aap-account-hijacking/","summary":"CVE-2026-6266 allows a remote attacker to hijack user accounts in AAP gateway by manipulating the IDP-provided email during the user auto-linking process, potentially gaining unauthorized access, including administrative privileges.","title":"AAP Gateway Account Hijacking Vulnerability (CVE-2026-6266)","url":"https://feed.craftedsignal.io/briefs/2026-05-aap-account-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Amazon Linux 2023","Red Hat Enterprise Linux (RHEL 10.1)","SUSE 16","Ubuntu 24.04 LTS"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"advisory","_cs_vendors":["Red Hat","SUSE","Ubuntu","AWS","Debian","Fedora"],"content_html":"\u003cp\u003eCVE-2026-31431, known as \u0026ldquo;Copy Fail,\u0026rdquo; is a high-severity local privilege escalation vulnerability affecting the Linux kernel\u0026rsquo;s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eScript Execution:\u003c/strong\u003e The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAF_ALG Abuse:\u003c/strong\u003e The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Page Cache Corruption:\u003c/strong\u003e This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBoundary Breach:\u003c/strong\u003e The system\u0026rsquo;s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Container Escape:\u003c/strong\u003e The attacker can now use the root privileges gained to perform lateral movement or escape the container.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability\u0026rsquo;s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T03:06:08Z","date_published":"2026-05-02T03:06:08Z","id":"/briefs/2026-05-copy-fail/","summary":"The 'Copy Fail' vulnerability (CVE-2026-31431) in the Linux kernel allows a local attacker to escalate privileges to root, potentially leading to container breakout and lateral movement in cloud environments.","title":"CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-copy-fail/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33845"}],"_cs_exploited":false,"_cs_products":["GnuTLS"],"_cs_severities":["high"],"_cs_tags":["cve","denial-of-service","information-disclosure","gnutls"],"_cs_type":"advisory","_cs_vendors":["Red Hat","GnuTLS"],"content_html":"\u003cp\u003eCVE-2026-33845 describes a vulnerability in the GnuTLS library related to the parsing of DTLS handshake fragments. The vulnerability stems from improper handling of malformed fragments that have a zero length but a non-zero offset. This leads to an integer underflow during the reassembly process, which then triggers an out-of-bounds read. The vulnerability is remotely exploitable, meaning an attacker could potentially trigger it without needing local access. Successful exploitation can lead to information disclosure or a denial-of-service condition. The affected component is the GnuTLS library, which is used by various applications for secure communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious DTLS handshake fragment with a zero length and non-zero offset.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malformed DTLS handshake fragment to a vulnerable GnuTLS server.\u003c/li\u003e\n\u003cli\u003eThe GnuTLS library receives the fragment and begins the reassembly process.\u003c/li\u003e\n\u003cli\u003eThe integer underflow occurs when calculating the correct offset for the fragment reassembly.\u003c/li\u003e\n\u003cli\u003eThe integer underflow leads to an out-of-bounds memory read operation.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read allows the attacker to potentially read sensitive information from the server\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eAlternatively, the out-of-bounds read may cause the server to crash, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves either information disclosure or denial-of-service based on the server\u0026rsquo;s response to the out-of-bounds read.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33845 can lead to a denial-of-service condition, impacting the availability of services relying on the vulnerable GnuTLS library. The out-of-bounds read can also potentially expose sensitive information from the server\u0026rsquo;s memory, leading to data breaches. Given the widespread use of GnuTLS in various applications, a successful widespread attack could affect numerous organizations and users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches for GnuTLS provided by Red Hat or other vendors to address CVE-2026-33845.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for malformed DTLS handshake fragments with zero length and non-zero offset that may indicate exploitation attempts targeting CVE-2026-33845.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectGnuTLSDTLSMalformedFragment\u003c/code\u003e to identify suspicious network connections associated with the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:16:28Z","date_published":"2026-04-30T18:16:28Z","id":"/briefs/2026-04-gnutls-dtls-flaw/","summary":"A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read, potentially causing information disclosure or denial of service.","title":"GnuTLS DTLS Handshake Parsing Flaw (CVE-2026-33845)","url":"https://feed.craftedsignal.io/briefs/2026-04-gnutls-dtls-flaw/"},{"_cs_actors":["Theori"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-31431"}],"_cs_exploited":false,"_cs_products":["Linux kernel","Ubuntu 24.04 LTS","Amazon Linux 2023","RHEL 10.1","SUSE 16"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","linux","vulnerability"],"_cs_type":"threat","_cs_vendors":["Theori","Ubuntu","Amazon","Red Hat","SUSE","Linux"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability, \u0026ldquo;Copy Fail\u0026rdquo; (CVE-2026-31431), impacts Linux kernels released since 2017. Discovered by Theori\u0026rsquo;s AI-driven pentesting platform Xint Code, the vulnerability allows an unprivileged local attacker to gain root permissions. Theori reported the finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. A proof-of-concept exploit was published, demonstrating a 732-byte script that can root every Linux distribution shipped since 2017. This vulnerability stems from a logic bug in the Linux kernel\u0026rsquo;s authencesn cryptographic template. Theori demonstrated successful exploits on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged local attacker gains access to a vulnerable Linux system.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the \u003ccode\u003eAF_ALG\u003c/code\u003e socket-based interface to access Linux kernel crypto functions from user space.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003esplice()\u003c/code\u003e system call to perform a controlled 4-byte write in the page cache of a readable file, instead of a normal buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker targets a setuid-root binary file for modification.\u003c/li\u003e\n\u003cli\u003eThe 4-byte write alters the behavior of the setuid-root binary.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the modified setuid-root binary.\u003c/li\u003e\n\u003cli\u003eDue to the altered behavior, the binary grants the attacker elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root privileges on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the Copy Fail vulnerability (CVE-2026-31431) allows an unprivileged local attacker to gain root privileges on a vulnerable Linux system. Theori demonstrated and confirmed the exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16, highlighting the widespread impact. Multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS environments running user code are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available kernel patches for CVE-2026-31431 on affected Linux distributions, prioritizing multi-tenant environments (e.g., Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16).\u003c/li\u003e\n\u003cli\u003eAs an interim mitigation, disable the vulnerable crypto interface by blocking \u003ccode\u003eAF_ALG\u003c/code\u003e socket creation or disabling the \u003ccode\u003ealgif_aead\u003c/code\u003e module, as described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unusual processes after the modification of binaries in \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/var/tmp\u003c/code\u003e using the Sigma rule \u0026ldquo;Detect Suspicious Splice Usage for Privilege Escalation\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect algif_aead module removal\u0026rdquo; to detect attempts to disable the vulnerable module.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:54:47Z","date_published":"2026-04-30T13:54:47Z","id":"/briefs/2026-04-copy-fail/","summary":"A local privilege escalation vulnerability, dubbed 'Copy Fail' (CVE-2026-31431), affects Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions by exploiting a logic bug in the authencesn cryptographic template.","title":"Local Privilege Escalation Vulnerability 'Copy Fail' in Linux Kernel","url":"https://feed.craftedsignal.io/briefs/2026-04-copy-fail/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Fast Datapath"],"_cs_severities":["high"],"_cs_tags":["redhat","vulnerability","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eMultiple vulnerabilities exist within the Fast Datapath component of Red Hat Enterprise Linux (RHEL). These vulnerabilities can be exploited by a remote, anonymous attacker without requiring authentication. Successful exploitation could lead to a denial-of-service (DoS) condition, rendering affected systems unavailable, or the unauthorized disclosure of sensitive information. While the specific nature of the vulnerabilities is not detailed, the broad impact necessitates immediate attention from security teams responsible for RHEL environments utilizing Fast Datapath. Defenders should focus on identifying and mitigating potential exploitation attempts targeting this component.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable RHEL system running Fast Datapath exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network packet designed to exploit a memory corruption vulnerability within Fast Datapath.\u003c/li\u003e\n\u003cli\u003eThe malicious packet is sent to the target system over the network.\u003c/li\u003e\n\u003cli\u003eFast Datapath processes the packet, triggering a buffer overflow or other memory corruption error.\u003c/li\u003e\n\u003cli\u003eThe memory corruption causes the Fast Datapath process to crash, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003e(Alternative) The attacker exploits a separate vulnerability to read sensitive information from Fast Datapath\u0026rsquo;s memory.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the disclosed information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could result in a denial of service, disrupting critical services and impacting business operations. The disclosure of sensitive information could also lead to further compromise, including unauthorized access to systems or data. The number of affected systems will depend on the prevalence of Fast Datapath deployments within RHEL environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Network Traffic to Fast Datapath\u003c/code\u003e to identify potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eInvestigate and patch systems running Red Hat Enterprise Linux with Fast Datapath enabled as soon as patches are available from Red Hat.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalous patterns that may indicate attempts to exploit these vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T09:57:14Z","date_published":"2026-04-30T09:57:14Z","id":"/briefs/2026-05-redhat-fast-datapath-vulns/","summary":"A remote, anonymous attacker can exploit multiple vulnerabilities in Fast Datapath for Red Hat Enterprise Linux to perform a denial-of-service attack or disclose sensitive information.","title":"Multiple Vulnerabilities in Red Hat Enterprise Linux Fast Datapath","url":"https://feed.craftedsignal.io/briefs/2026-05-redhat-fast-datapath-vulns/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2025-68741"},{"cvss":7.8,"id":"CVE-2025-38024"},{"cvss":7.8,"id":"CVE-2025-38180"},{"cvss":7.8,"id":"CVE-2026-23111"},{"cvss":7.1,"id":"CVE-2026-23204"}],"_cs_exploited":false,"_cs_products":["Red Hat CodeReady Linux Builder","Red Hat Enterprise Linux"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","kernel","redhat","execution","privilege-escalation","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eOn April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities in the Red Hat Linux kernel. These vulnerabilities, detailed in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313, can lead to significant security risks including arbitrary code execution, privilege escalation, and remote denial of service. The affected systems include various versions and architectures of Red Hat CodeReady Linux Builder and Red Hat Enterprise Linux. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access, control systems, or disrupt services, impacting the confidentiality, integrity, and availability of affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (via unconfirmed vector):\u003c/strong\u003e An attacker identifies a vulnerable Red Hat Linux system running an affected kernel version. While the exact exploit vector isn\u0026rsquo;t specified in the advisory, it involves a vulnerability in the kernel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Trigger:\u003c/strong\u003e The attacker triggers a specific kernel vulnerability, such as those identified as CVE-2026-23001 or CVE-2026-31402, by sending a crafted input to a vulnerable kernel component. The specific method depends on the nature of each CVE.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e Upon successful exploitation, the attacker achieves arbitrary code execution within the kernel context. This allows the attacker to run malicious code directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Leveraging the code execution capability, the attacker exploits another vulnerability (e.g., CVE-2025-68741) to escalate privileges to root or SYSTEM. This may involve exploiting race conditions, memory corruption bugs, or other privilege escalation flaws within the kernel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Control:\u003c/strong\u003e With elevated privileges, the attacker gains full control over the compromised system. They can now access sensitive data, modify system configurations, install backdoors, or move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Optional):\u003c/strong\u003e The attacker uses the compromised system as a launching point to attack other systems on the network, potentially exploiting other vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Optional):\u003c/strong\u003e The attacker establishes persistence on the compromised system to maintain access even after reboots. This may involve installing rootkits, modifying system startup scripts, or creating rogue user accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service/Data Exfiltration/etc.:\u003c/strong\u003e Depending on their objectives, the attacker may use the compromised system to launch denial-of-service attacks against other targets, exfiltrate sensitive data, or cause other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these kernel vulnerabilities can lead to complete system compromise, allowing attackers to execute arbitrary code, escalate privileges, and cause denial of service. The wide range of affected Red Hat Enterprise Linux and CodeReady Linux Builder versions implies a potentially large number of vulnerable systems. This can result in significant data breaches, system downtime, financial losses, and reputational damage for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches provided in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313 to remediate the vulnerabilities.\u003c/li\u003e\n\u003cli\u003ePrioritize patching systems based on their criticality and exposure to external networks.\u003c/li\u003e\n\u003cli\u003eMonitor systems for suspicious activity that may indicate exploitation attempts, focusing on unexpected kernel module loads or privilege escalations using process_creation logging.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious kernel module loading to identify potential rootkit installation attempts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the deployed Sigma rules to determine the scope and impact of potential compromises.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-redhat-kernel-vulns/","summary":"Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.","title":"Multiple Vulnerabilities in Red Hat Linux Kernel","url":"https://feed.craftedsignal.io/briefs/2026-04-redhat-kernel-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Enterprise Linux"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","denial-of-service","linux"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been identified within the LibRaw component of Red Hat Enterprise Linux. These vulnerabilities, if successfully exploited, could allow an attacker to achieve arbitrary code execution or trigger a denial-of-service (DoS) condition on a vulnerable system. While the specific CVEs are not detailed in the advisory, the high-level threat remains significant, potentially impacting any system relying on the affected LibRaw library for processing raw image data. Defenders should prioritize patching and monitoring systems utilizing LibRaw to mitigate the risks. This advisory serves as an early warning in advance of any detailed technical release; specific exploit methods will become clearer as details emerge.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable version of LibRaw within a Red Hat Enterprise Linux system. This may involve scanning for specific LibRaw versions or identifying services reliant on the library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious raw image file designed to exploit a specific vulnerability in LibRaw\u0026rsquo;s parsing logic.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious file to the target system. This could involve uploading the file to a web server, emailing it as an attachment, or injecting it into a data stream processed by LibRaw.\u003c/li\u003e\n\u003cli\u003eThe vulnerable LibRaw library attempts to process the malicious image file.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (e.g., a buffer overflow or integer overflow), LibRaw crashes, leading to a denial-of-service. Alternatively, the attacker gains control of the program counter.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the LibRaw process, potentially gaining control over the entire system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the initial foothold to escalate privileges and move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is to disrupt services and/or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to arbitrary code execution, potentially granting an attacker full control over affected systems. This could result in data breaches, system compromise, and service disruption. A denial-of-service condition could also disrupt critical services reliant on the vulnerable systems. The number of affected systems depends on the prevalence of vulnerable LibRaw versions within Red Hat Enterprise Linux deployments. The specific impact will depend on the privileges of the compromised process and the system\u0026rsquo;s role within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for unexpected child processes spawned by applications utilizing LibRaw (see \u0026ldquo;Detect Suspicious Process Creation from LibRaw\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to LibRaw binaries (see \u0026ldquo;Detect LibRaw Binary Modification\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate and block any anomalous network connections originating from systems utilizing LibRaw.\u003c/li\u003e\n\u003cli\u003eConsult Red Hat security advisories for specific CVEs and patch information as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T09:54:06Z","date_published":"2026-04-29T09:54:06Z","id":"/briefs/2026-04-rhel-libraw-vulns/","summary":"Multiple vulnerabilities in Red Hat Enterprise Linux's LibRaw component allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.","title":"Red Hat Enterprise Linux LibRaw Multiple Vulnerabilities Allow Code Execution or DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-rhel-libraw-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6859"}],"_cs_exploited":false,"_cs_products":["InstructLab"],"_cs_severities":["critical"],"_cs_tags":["cve","code-execution","huggingface","instructlab"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eInstructLab contains a critical vulnerability (CVE-2026-6859) in its \u003ccode\u003elinux_train.py\u003c/code\u003e script. The script unconditionally sets \u003ccode\u003etrust_remote_code=True\u003c/code\u003e when interacting with the HuggingFace model hub. This design flaw allows a remote attacker to inject arbitrary Python code into the training process. The attacker only needs to convince a user to execute the \u003ccode\u003eilab train\u003c/code\u003e, \u003ccode\u003eilab download\u003c/code\u003e, or \u003ccode\u003eilab generate\u003c/code\u003e command while specifying a malicious model hosted on HuggingFace. Successful exploitation results in arbitrary code execution within the context of the InstructLab process, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious model on the HuggingFace Hub. This model contains embedded Python code designed for malicious purposes.\u003c/li\u003e\n\u003cli\u003eAttacker social engineers a user to execute \u003ccode\u003eilab train\u003c/code\u003e, \u003ccode\u003eilab download\u003c/code\u003e, or \u003ccode\u003eilab generate\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003eUser executes the command, specifying the attacker\u0026rsquo;s malicious model from the HuggingFace Hub.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elinux_train.py\u003c/code\u003e script, due to the hardcoded \u003ccode\u003etrust_remote_code=True\u003c/code\u003e, downloads the malicious model.\u003c/li\u003e\n\u003cli\u003eThe script loads the model, triggering the execution of the attacker\u0026rsquo;s embedded Python code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes within the InstructLab process, allowing for arbitrary actions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by modifying system files or creating new services.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the compromised system, potentially exfiltrating data or causing further damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary Python code on the target system. This can lead to complete system compromise, allowing the attacker to steal sensitive data, install malware, or disrupt operations. While the number of affected systems is currently unknown, any system running a vulnerable version of InstructLab and interacting with the HuggingFace Hub is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect suspicious process creation events related to InstructLab executing code from temporary directories or with unusual network activity.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of Python scripts with \u003ccode\u003etrust_remote_code=True\u003c/code\u003e within InstructLab\u0026rsquo;s processes using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict controls and validation for models downloaded from HuggingFace, even if \u003ccode\u003etrust_remote_code=True\u003c/code\u003e is required.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates for InstructLab to address CVE-2026-6859 as provided by Red Hat.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T14:17:07Z","date_published":"2026-04-22T14:17:07Z","id":"/briefs/2026-04-instructlab-code-execution/","summary":"InstructLab is vulnerable to arbitrary code execution because the `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace, allowing remote attackers to execute code by convincing a user to load a malicious model.","title":"InstructLab Arbitrary Code Execution via Malicious HuggingFace Model","url":"https://feed.craftedsignal.io/briefs/2026-04-instructlab-code-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Red Hat","version":"https://jsonfeed.org/version/1.1"}