Linux-Kernel on HackingPassion.com : root@HackingPassion.com-[~]

One Character in nftables Hands Any Linux User Root

Tue, 09 Jun 2026 14:54:56 +0200

One extra character in the Linux kernel hands a normal user root. A single ! that does not belong inside nftables, the firewall built into Debian and Ubuntu by default, flips a check the wrong way so a local user with no special rights can become root and break out of a container. It was patched months ago, and the working exploits are now public.

The flaw carries the name CVE-2026-23111. The kernel maintainers fixed it on the fifth of February, and for four months it stayed a quiet line in a changelog. What changed is that the people who cracked it started showing exactly how. Exodus Intelligence published a full technical walkthrough on the eighth of June, and they were not the first to get there. A team at FuzzingLabs had already rebuilt the exploit on their own back in April, while preparing for Pwn2Own Berlin, a hacking competition.

ssh-keysign-pwn Lets Any Linux User Steal SSH Keys and Password Hashes Without Root

Sat, 16 May 2026 11:50:16 +0200

ssh-keysign-pwn is a newly disclosed Linux kernel vulnerability that gives any unprivileged local user direct access to the SSH host private keys of a server and every password hash stored on the system. It was reported on May 14, 2026, and a working exploit was on GitHub within hours of the patch landing.

The bug lives in a piece of kernel code called __ptrace_may_access(). This is the security check the kernel runs every time one program wants to look inside another program: reading its memory, accessing its open files. The kernel runs this check and asks: is this target process marked as safe to inspect, and does the caller have the right to do this? If either answer is no, access is denied. That is how it is supposed to work.

Dirty Frag Gives Root Access on Every Major Linux Distribution

Fri, 08 May 2026 10:24:54 +0200

A new Linux zero-day called Dirty Frag gives any local user full root access on every major Linux distribution, and right now no distribution has a patched kernel available. The researcher planned to give distributions until May 12 to prepare. Someone leaked the exploit five days early, and it went public before a single distribution had a fix ready.

Hyunwoo Kim (@v4bel) found both vulnerabilities and quietly reported them to the Linux kernel security team at the end of April, including working exploits and patches. The plan was to give Linux distributions until May 12 to prepare fixes before anything went public. On May 7, he told the group of distribution maintainers about it and set that five-day hold in motion. That same day, someone else published the exploit online. The agreement was clear: if that happened, everything would go public immediately. Kim released the full details within hours. Two CVEs have since been assigned: CVE-2026-43284 for the IPsec variant, which now has a patch in the kernel mainline, and CVE-2026-43500 for the RxRPC variant, which has no patch anywhere yet. How the exploit got out early is still unknown. The patch for the IPsec bug had been sitting on a public kernel mailing list since April 30, so someone paying close attention to kernel development could have spotted it there. Or someone inside the distribution group leaked it. Nobody knows.

Copy Fail CVE-2026-31431: Nine Years of Root Access Hidden in the Linux Kernel

Thu, 30 Apr 2026 13:13:08 +0200

Since 2017, every major Linux distribution has been shipping a flaw that hands root access to any local user. The exploit is a 732-byte Python script that uses only what comes built into Python by default. It works on Ubuntu, Amazon Linux, RHEL, and SUSE without a single modification, leaves nothing on disk, and bypasses almost every file integrity monitoring tool in existence, because the file it corrupts is never actually written to.