SANS ISC: Linux process-name masquerading via prctl(PR_SET_NAME) and detection

JFrog Security Research published a full working-exploit walkthrough on 2026-06-25 for DirtyClone, the latest residual variant of the DirtyFrag family (JFrog Security Research, 2026-06-25). The flaw lives in __pskb_copy_fclone(), which fails to preserve the SKBFL_SHARED_FRAG safety flag when cloning a socket buffer; the cloned buffer, still referencing shared file-backed page-cache memory, is then passed through the XFRM/IPsec in-place decryption path, letting attacker-controlled bytes land in the cached image of a setuid binary such as /usr/bin/su (Red Hat, 2026-06-23). Earlier DirtyFrag fixes (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) do not close this code path; the fix is mainline commit 48f6a5356a33 (Linux v7.1-rc5, merged 2026-05-21), and most distributions had not yet shipped patched kernels at disclosure. The attack leaves no kernel-log or audit-trail artefacts.

A separate page-cache-corruption LPE, pedit COW, drew a public weaponised PoC (packet_edit_meme) within a day of CVE assignment on 2026-06-16 (Red Hat Product Security, 2026-06-19). The bug is a missing bounds check in tcf_pedit_act() in net/sched/act_pedit.c: the function computes the copy-on-write range once before iterating the key list, so writes from later typed keys (whose runtime header offsets are not accounted for) fall outside the private copy and into read-only file-backed page-cache memory — a partial COW. An unprivileged user with tc rule-write access (again, obtainable through user namespaces) overwrites the cached /bin/su to spawn a root shell (The Hacker News, 2026-06-26). Red Hat confirms RHEL 8/9/10, RHCOS (OpenShift) and RHOSP affected; the flaw is exposed since kernel v5.18 and fixed upstream in v7.1-rc7. Interim mitigation where tc pedit is unused: blacklist the act_pedit module, or set kernel.unprivileged_userns_clone=0.

A SANS Internet Storm Center diary (2026-06-24) documents how Linux malware masquerades its process name via prctl(PR_SET_NAME, …), which writes the 15-character comm field in /proc/<pid>/comm — letting a process running ./ps-masquerade appear in ps/top/pgrep as a kernel worker thread such as [kworker/0:1-events] (SANS ISC, 2026-06-24). The detection key is the divergence between /proc/<pid>/comm (mutable) and /proc/<pid>/cmdline (the original argv, which the kernel will not grow beyond its fixed allocation): a genuine kernel thread has an empty cmdline, so any process whose comm resembles [kworker/*]/[kthreadd] but whose cmdline is non-empty is a high-fidelity hunt artefact. The diary points to eBPF-based tooling (Kunai) that captures the real command line at exec time independently of later comm mutation, and cites Operation Highland (Velvet Ant, Sygnia) as a real-world user of the technique (T1036 Masquerading). Why it matters to us: This is a free, immediately deployable hunt for any Linux fleet — and a useful complement to today's § 5 deep dive, where the same audit-blindness of in-memory tampering recurs.

SANS ISC handler Xavier Mertens documented an active phishing campaign against customers of a major Belgian bank that encodes the destination address as an IPv4-mapped IPv6 literal — the [::ffff:…] bracketed form, where the dotted-decimal IPv4 address is rewritten as its hexadecimal IPv6 representation inside square brackets (SANS ISC, 2026-06-19). Modern browsers resolve the form correctly per RFC 4291 and render the phishing page normally, but two defensive layers fail on it: regex-based URL extractors in email gateways and proxies typically match the dotted-decimal IPv4 pattern (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and never see the hexadecimal IPv6 form as an address at all, and because no DNS record is involved, domain-reputation lookups return nothing to score. The technique is delivery-agnostic — any link-based vector (spearphishing link, HTML attachment, QR redirect) inherits the same inspection blind spot. The RFC-level notation is old; the operational novelty is its appearance as a live evasion in commodity banking phishing (T1598.003 Spearphishing Link; T1027 Obfuscated Files or Information). [SINGLE-SOURCE] — SANS ISC is the disclosing party (PD-5 national-CERT-equivalent carve-out); see § 7.

Why it matters to us: Swiss cantonal banks, PostFinance, and any organisation running URL-rewriting or reputation-based mail/web inspection should test their stack against a controlled [::ffff:<ipv4>]-style URL and confirm the extractor normalises IPv4-mapped IPv6 to its IPv4 form before the reputation lookup, not after. Hunting: update SIEM/proxy URL-extraction patterns to capture the \[::ffff:[0-9a-fA-F:]+\] shape, and treat bracketed-IPv6 URLs in inbound mail as high-suspicion regardless of reputation verdict.

The supply-chain-worm family the W23 weekly consolidated under the Miasma/IronWorm banner spent this week proliferating across ecosystems and operators. On 9 June a SANS ISC handler tracked TeamPCP open-sourcing its Mini Shai-Hulud framework, immediately spawning a "Phantom Gyp" derivative (SANS ISC; daily 06-09). On 10 June the lineage opened a PyPI front dubbed "Hades" — 37 malicious wheels across 19 packages (The Hacker News; daily 06-10).

The week's largest wave hit the Arch User Repository. "Atomic Arch" began with roughly 400 orphaned AUR packages adopted and re-pointed to a Rust credential-stealer plus eBPF rootkit (The Hacker News; Sonatype; daily 06-13); a second wave around 12 June expanded the count further (tracker estimates range from the 400+ in primary reporting to ~1,500) and swapped some PKGBUILD delivery from npm dependency injection to bun install js-digest — active operator iteration against detection. The npm delivery mechanism has been linked by SANS ISC and subsequent reporting to the broader Shai-Hulud supply-chain family. Official Arch core/extra repositories were not affected; only adopted AUR packages. For defenders the through-line is constant: install-time script execution is the kill chain, and npm/bun/AUR build steps need to be treated as untrusted code execution in CI/CD.

key: campaign:velvet-ant-operation-highland-2026. Sygnia's "Operation Highland" report, relayed in detail by The Hacker News on 12 June and deep-dived in the 06-13 daily, documents a China-nexus intrusion set that held covert access to an air-gapped network for nearly a decade (earliest traces ~2016) by subverting the Linux authentication stack: nine distinct backdoored pam_unix.so variants and credential-logging sshd/ssh binaries that suppress their own logging during operator sessions (The Hacker News; Sygnia — Operation Highland). The horizon framing the dailies could not give: this is the same tradecraft class as VerdantBamboo's edge-appliance persistence — long-dwell, identity/auth-layer implants on systems outside EDR coverage. The two together describe a sustained China-nexus investment in living below the endpoint-detection line. Defender watch-item: integrity-monitor PAM modules and sshd/ssh binaries against package checksums (rpm -V / dpkg --verify, AIDE/Tripwire), and treat air-gap as a latency control, not an isolation guarantee.

Microsoft's June 2026 Patch Tuesday addressed 198 CVEs (32 Critical), the largest in program history (Rapid7, 2026-06-09). The headline is CVE-2026-47291 in HTTP.sys (CWE-190 integer overflow into a CWE-122 heap write): an unauthenticated attacker sends a crafted request to any Windows service built on the HTTP Protocol Stack (IIS, WinRM, WMI-over-HTTP) to achieve RCE, rated "Exploitation More Likely" (Microsoft MSRC, 2026-06-09). Microsoft notes systems at the default MaxRequestBytes of 16384 bytes are not impacted — only deployments that raised it above ~65 KB are exposed, so resetting that registry value is a stopgap. Three publicly-disclosed (not-yet-exploited) zero-days also shipped: CVE-2026-49160 (HTTP.sys HTTP/2 compression-bomb DoS, the IIS analogue of the earlier nginx/Apache CVE-2026-49975, now mitigated with MaxHeadersCount), CVE-2026-50507 (BitLocker physical-access bypass), and CVE-2026-45586 (CTFMON EoP); the release also includes the DHCP Client RCE CVE-2026-44815 (CVSS 9.8, "Less Likely") and VSCode EoP CVE-2026-47281 (CVSS 9.6) (Tenable, 2026-06-09; SANS ISC, 2026-06-09). Prioritise the HTTP.sys patch on any Windows host exposing IIS/WinRM.

Exodus Intelligence released a full technical write-up and working exploit for CVE-2026-23111, a use-after-free in the Linux kernel nf_tables subsystem caused by a single misplaced ! operator in nft_map_catchall_activate() that inverts the genmask check and skips inactive catchall elements during the abort path (Exodus Intelligence, 2026-06-08). Exodus reports >99% reliability on idle Debian Bookworm/Trixie and Ubuntu 22.04/24.04 LTS, yielding unprivileged-local-user to root escalation and container escape (T1068, T1611) (The Hacker News, 2026-06-08). The flaw was patched upstream on 5 February 2026; distro packages are shipping the fix (Ubuntu Security, rated 7.8). No network-reachable path exists — exploitation requires local access or code execution inside a container, making this high-value post-exploitation tooling for shared compute (Kubernetes nodes, CI/CD runners, multi-tenant VMs).

Why it matters to us: With a reliable public exploit now available, the patch gap is the exposure. Apply vendor kernel updates containing the 5 February upstream fix; in container environments enforce seccomp and AppArmor/SELinux profiles that restrict nf_tables syscalls for untrusted workloads. Detection concepts: anomalous UID transitions to 0 from non-root parents (Linux audit execve/setuid records); unexpected privileged process spawns inside containers.

UPDATE (originally covered 2026-06-06): A SANS ISC handler diary tracking the TeamPCP supply-chain campaign through 7 June reports the operators have open-sourced their Mini Shai-Hulud framework on GitHub, triggering a second wave of derivative campaigns (SANS ISC, 2026-06-08). Beyond the previously-covered Miasma worm — which compromised npm packages including Red Hat's @redhat-cloud-services scope (Wiz, 2026-06-01) — the diary names a newly-tracked Phantom Gyp campaign that abuses node-gyp / binding.gyp install-time script execution in compromised npm packages; both inject malicious CI/CD hooks (SANS ISC, 2026-06-08).

The diary's load-bearing detection-engineering point: valid SLSA provenance attestations do not protect against supply-chain injection when the build environment itself is subverted from the inside. The recommended shift is from attestation-verification to build-pipeline integrity — monitor GitHub Actions runner process trees for unexpected outbound network from within a build, alert on actions/upload-artifact shipping signed-but-anomalous binaries, and cross-check published package checksums against CI logs via independent transparency ledgers (e.g. Sigstore Rekor). EU/Swiss public-sector teams running npm-based automation or Red Hat tooling should audit CI/CD pipeline definitions for unexpected workflow-step insertions.

SANS ISC handler Xavier Mertens documented a resurgence of an image-steganography delivery chain (SANS ISC, 2026-06-05). A >2 MB JavaScript file ("Remittance Advice.js"), distributed via a legitimate WeTransfer link and padded with do-nothing junk loops, hides functional code that: decodes a ROT13-obfuscated payload into an environment variable; fetches an MSI-installer background image (a JPEG) from a Cloudflare Workers (*.workers.dev) subdomain that carries the next stage via steganography (Base64 with A→# substitution to evade naive scanners, delimited by IN-/-in1); loads a decoded .NET DLL that is a trojanised fork of the open-source Microsoft.Win32.TaskScheduler library to establish Scheduled Task persistence at logon; then pulls a further payload from a Cloudflare R2 (*.r2.dev) bucket. The final payload was still under analysis at publication. The infrastructure choice — Cloudflare Workers + R2 — leans on Cloudflare's reputation to bypass category-based web filtering. This is a single-source SANS ISC diary [SINGLE-SOURCE]; the chain (not a specific actor) is the takeaway. Maps to T1027.003 (Steganography), T1059.007 (JavaScript), T1059.001 (PowerShell) and T1053.005 (Scheduled Task). Why it matters to us: Detection concepts: alert on wscript.exe/cscript.exe spawning PowerShell with environment-variable-expanded or Base64 payloads (Sysmon EID 1); flag first-seen *.workers.dev and *.r2.dev connections immediately following a WeTransfer download in proxy logs; hunt for scheduled tasks created by wscript/mshta parents; and EDR-rule on .NET assembly loads from a TaskScheduler-derived DLL outside the genuine Windows Task Scheduler path.

SANS ISC handler Xavier Mertens documented a fresh wave of phishing emails carrying SVG attachments whose embedded JavaScript is obfuscated with combined Base64 + XOR encoding and, on decode, redirects the victim via window.location.href to a credential-harvesting page (SANS ISC, 2026-06-02). The notable evasion is the use of <script type="application/ecmascript"> instead of the standard text/javascript — browsers execute both identically, but email-security and WAF products that pattern-match specifically on text/javascript can miss the non-standard declaration. Because SVGs open natively in Windows browsers, the redirect fires on file open with no extra click. [SINGLE-SOURCE] (SANS Internet Storm Center). Detection: flag email attachments of Content-Type: image/svg+xml that contain embedded <script> elements; treat the application/ecmascript/application/javascript MIME variants as equivalent to text/javascript in inspection rules; sandbox SVG attachments before delivery and watch newly-registered low-cost TLDs (the campaign used a .cfd domain) at the proxy.

SANS ISC handler Brad Duncan published a same-day forensic diary (2026-06-01) reconstructing an infection observed on 2026-05-27 that began with the SmartApeSG ClickFix campaign — fake browser-verification / "press Win+R" lures served from compromised pages — and ended in a full NetSupport Manager RAT deployment (SANS ISC, 2026-06-01). The ClickFix execution (T1204.001) drops a ZIP carrying an unnamed staging RAT that, per Duncan, has been beaconing a custom encoded — not TLS protocol over TCP/443 to its C2 since at least April 2026; that staging RAT then fetched the NetSupport payload as a ~17 MB Microsoft Cabinet (setup.cab). The install chain is processor.vbs (a 109-byte VBScript launcher in C:\ProgramData\, T1059.005) → token.bat (extracts the CAB into C:\ProgramData\UpdateInstaller\, sets persistence, then self-deletes all three dropper components, T1070.004) → NetSupport RAT C2 over port 443 (T1219 Remote Access Tools). Because NetSupport is legitimate commercial software, its presence and traffic blend with benign remote-support telemetry.

This is a single-source handler diary (HIGH-reliability source, single-day observation) and carries no independent corroboration of the identical chain in-window — treat the specifics as one analyst's forensic account. Detection concepts a SOC can apply without IOCs: browser process (chrome.exe/msedge.exe/firefox.exe) spawning wscript.exe/mshta.exe/cmd.exe (Sysmon EID 1 with browser parent-image); short-lived .vbs/.bat file-creates in C:\ProgramData\ (Sysmon EID 11); CAB expansion via expand.exe/wusa.exe from ProgramData; and registry Run-key persistence pointing at a non-standard NetSupport path (C:\ProgramData\UpdateInstaller\ rather than the legitimate C:\Program Files\NetSupport\). Where TLS inspection is in place, unencrypted payload on port 443 from a NetSupport process is anomalous.

Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27. CVE-2026-32996 (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component — an attacker with limited system access can elevate to enable arbitrary command execution, security-control disablement or lateral movement; reporter Alibaba via HackerOne. CVE-2026-32997 (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux) constrained to authenticated users with the Backup Administrator role; depending on the target path (cron, authorized_keys, library hijack), this is a stepping stone to RCE or persistence. Both affect all version-13 builds before fixed version 13.0.2.29. CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652 corroborates. No exploitation reported; Veeam notes patch-reverse-engineering risk after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments — patch the appliance and Windows agent fleet in tandem with backup-administrator least-privilege review.

CVE Summary Table

SANS ISC handler Manuel Humberto Santander Pelaez published a forensic walkthrough on 2026-05-27 reconstructing an Akira ransomware intrusion using only two log sources — SSLVPN syslog and Windows EVTX exports — joined by source IP and normalised time (SANS Internet Storm Center, 2026-05-27). [SINGLE-SOURCE] — high-reliability technical primary, but no independent corroboration of the specific kill chain. Initial access (T1078.001 / T1133): non-distributed brute force from a single hosting-provider IP against a single local SSLVPN account that had been deprovisioned in Active Directory but remained provisioned as a local firewall user with no MFA. Discovery: EID 4688 captures nltest.exe /dclist:, net.exe group "Domain Admins" /domain, net.exe group "Enterprise Admins" /domain, whoami.exe /all, and a renamed AdFind.exe variant, all parented explorer.exe → cmd.exe. Credential access (T1558.003 Kerberoasting): a cluster of EID 4769 RC4-encrypted TGS requests for multiple SPNs from a single workstation within a 90-second window. Lateral movement (T1021.001): EID 4624 Logon Type 10 chain from jump host to file server, domain controllers, backup server; EID 4672 special-logon privileges on DC. Defense evasion + impact: EID 1102 security-log clear; sc.exe / net stop of endpoint-protection services (System EID 7036); vssadmin delete shadows /all /quiet.

Why it matters to us: the diary is a forensic-primer for any SOC operating without full EDR coverage — the standard scenario in smaller public-sector entities and DACH commune networks. Concrete takeaways the SANS ISC author makes directly: reconcile local SSLVPN account directories against AD source-of-truth (deprovisioned-in-AD-but-retained-in-firewall is the recurring initial-access pathway in this class); alert on > 50 failed SSLVPN auths from a single source per hour; enable EID 4688 process auditing on every Windows host, set Security log size ≥ 1 GB; alert on RC4 TGS-REP (EID 4769 EncryptionType=0x17) for multiple SPNs from one workstation in a short window; EID 1102 security-log clear is incident-grade in every case; time-sync every host including the firewall to the same NTP source so perimeter-to-endpoint joins remain reliable.

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app via counterfeit "Download for Windows" pages, promoted through malicious search ads hosted on sites.google.com, ultimately dropping ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell; the infection chain also involves a JPEG image whose precise role the SANS ISC analyst could not characterise (no embedded data was identified in it), and ends in execution of the commodity infostealer ACR Stealer, which harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE] — reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item above — attackers monetising trust in AI tooling, here against ordinary employees searching for an AI client rather than developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring; hunt for powershell.exe spawned from browser-download or archive-extraction paths (Sysmon EID 1 / Windows 4688, especially with -nop/-w hidden/-enc), PowerShell reading image files as code, and outbound connections from powershell.exe to newly-registered domains.

UPDATE (originally covered 2026-05-21, consolidated weekly update): SANS ISC handler Kenneth Hartman documents three material escalations in the TeamPCP / Mini Shai-Hulud supply-chain campaign through 2026-05-24 (SANS Internet Storm Center, 2026-05-25). First, the complete TeamPCP framework was published to a public GitHub repository on/around 2026-05-22 — Datadog Security Labs' static analysis (reported by ISC) describes a modular TypeScript/Bun toolkit for credential harvesting, supply-chain poisoning and encrypted exfiltration whose README carries the strings "Love - TeamPCP" and "Change keys and C2 as needed" — and operational copycat forks appeared within hours, commoditising the kit and injecting attribution noise.

Second, an @antv npm wave pushed 639 malicious versions across 323 packages, including high-traffic libraries such as echarts-for-react (~1.1M weekly downloads) and size-sensor (~4.2M weekly downloads); 42 of the packages displayed forged Sigstore verification badges in the npm UI (The Hacker News, 2026-05-19). Read against the campaign's earlier abuse of genuine SLSA Build Level 3 attestations produced by hijacked pipelines, package provenance is now under attack from both directions at once — real attestations from compromised CI and fake badges rendered by the registry UI. Third, three versions of durabletask (1.4.1–1.4.3) on PyPI — Microsoft's official Azure Durable Functions SDK — were trojanised, and ISC reports the second-stage payload includes a Linux disk wiper (T1485), expanding the campaign's capability from credential theft to data destruction.

Defender takeaway: treat any echarts-for-react / size-sensor build pulled in the affected window as compromised; stop treating an npm Sigstore badge or a displayed SLSA attestation as an install-time safety signal — verify provenance out-of-band against a known-good pipeline. durabletask consumers should audit build-runner logs for unexpected outbound connections and destructive disk operations (Sysmon EID 11 for anomalous file-deletion patterns, EID 3 for unexpected node/python egress from CI workers). Pin exact versions and verify lockfile hashes. The open-sourcing means PBKDF2-salt and dead-drop-string lineage will now also fire on unrelated copycats — behavioural detection on the install-time execution chain is more durable than any static artefact.

Lumen's Black Lotus Labs and PwC Threat Intelligence disclosed on 2026-05-21 two purpose-built implants used by the China-aligned espionage cluster Calypso (also tracked as Red Lamassu, Bronze Medley — active since at least mid-2022 based on binary upload and victim telemetry) in a multi-year campaign against telecommunications providers (Lumen Black Lotus Labs, 2026-05-21 · PwC Threat Intelligence, 2026-05-21). Confirmed victims include a Middle East ISP, an Afghanistan ISP, and entities in Azerbaijan, the US, and Ukraine; European telecoms are within the actor's documented targeting pattern. Showboat is a modular ELF binary masquerading as a Linux kernel worker thread (kworker — T1036.005 Masquerade: Match Legitimate Name) providing remote shell (T1059.004), bidirectional file transfer, SOCKS5 proxy to internal network segments (T1090.001 Internal Proxy), and a hide command that fetches a rootkit payload from Pastebin at runtime (T1102.001 Dead Drop Resolver) — the C2 payload is exfiltrated base64-encoded inside PNG image fields to blend with web traffic (Lumen Black Lotus Labs, 2026-05-21). JFMBackdoor, the Windows counterpart, is delivered via DLL sideloading (T1574.002): a batch script drops a legitimate signed executable that loads the malicious DLL, providing remote shell, file operations, SOCKS5 proxy, and self-removal (PwC Threat Intelligence, 2026-05-21). C2 infrastructure clusters to Chengdu, Sichuan-geolocated IP ranges; X.509 certificate SAN/CN patterns link the victim set (Lumen Black Lotus Labs, 2026-05-21). Detection: hunt for kworker ELF processes whose parent is not kthreadd (PID 2) on Linux telecom servers (auditd EXECVE or Sysmon for Linux EID 1 parent-pid check); alert on unsigned DLLs loaded by vendor-signed executables (Sysmon EID 7: signed process, unsigned module); flag egress DNS queries or HTTP GET to pastebin.com from daemon-context processes.

Aaron Esau (V12 Security) disclosed PinTheft on 2026-05-19 via the oss-security mailing list — a Linux kernel local privilege escalation that chains an RDS (Reliable Datagram Sockets) zerocopy double-free with io_uring fixed-buffer reference manipulation to overwrite the page cache of a SUID-root binary and gain root (oss-security / V12 Security, 2026-05-19; BleepingComputer, 2026-05-20). The bug lives in rds_message_zcopy_from_user() in the RDS send path: a partial page fault mid-scatter causes the error path to drop already-pinned pages while leaving the scatterlist bookkeeping live, so cleanup drops the pages a second time. The exploit registers an anonymous memory page as an io_uring fixed buffer (FOLL_PIN bias of 1024 references), drains all references via 1024 deliberately-failing RDS sends, then reuses the stale io_uring page pointer to overwrite the page cache of a SUID-root binary and redirect execution to attacker shellcode. Prerequisites: RDS kernel module loaded, io_uring enabled, a readable SUID-root binary, x86_64. The RDS module is default-loaded only on Arch Linux — not on Ubuntu, Fedora, Debian, RHEL or SUSE — narrowing the primary defender population to Arch CI/CD runners, developer workstations and AUR-based servers, plus any environment that explicitly modprobe'd rds. Upstream kernel patch landed before disclosure; no CVE assigned at disclosure. Technique class: T1068 Exploitation for Privilege Escalation. Defender detection — auditd syscall events for rds_sendmsg / io_uring_* from unexpected binaries; Sysmon Linux EID 1 with process lineage showing a non-root process spawning a root shell without sudo/su. Hardening: modprobe.d blacklist rds if not in use; sysctl kernel.io_uring_disabled=2 for untrusted workloads; apply upstream kernel patch when distributed via the distro's normal update channel.

CVE-2026-31635 is a page-cache write due to a missing copy-on-write guard in rxgk_decrypt_skb() in net/rxrpc/rxgk_crypt.c — the RxGK (Kerberos-for-AFS) subsystem of the Linux kernel. Researchers at Zellic/V12 disclosed the issue on 2026-05-09; kernel maintainers traced the regression and noted it was a duplicate of a vulnerability quietly patched in mainline on 2026-04-25. A working PoC was published by V12 on 2026-05-19, prompting BleepingComputer and The Hacker News coverage (Hacker News carries the CVSS 7.5 score; the Moselwal technical write-up characterises the LPE class as in the 7.8–8.1 range without a settled NVD score at time of publication). Affected only where kernels are compiled with CONFIG_RXGK=y — that's Fedora, Arch Linux, and openSUSE Tumbleweed in standard configurations. Debian Stable, RHEL, and Ubuntu LTS build kernels without CONFIG_RXGK and are not affected. No in-the-wild exploitation reported.

DirtyDecrypt is assessed as a variant of the "Copy Fail" family (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300). Mitigation: apply the kernel patch from 2026-04-25 (or any linux-stable build derived from it); or temporarily blacklist the rxrpc module via /etc/modprobe.d/ — the latter breaks IPsec/AFS-VPN and is fragile. Verify with grep RXGK /boot/config-$(uname -r). Detection: Falco / Tetragon rules on unexpected rxrpc module load events; Sysmon-for-Linux EID 8 for UID changes from unprivileged processes; container runtime alerts for unexpected root spawning from container context. Relevant where rolling-release Linux distros host CI/CD runners, developer workstations, or research VMs in EU/CH public-sector environments.

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814 — chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

Disclosed 2026-05-15 with public PoC; mainline kernel patch landed 2026-05-14, distro propagation underway. LPE primitive against the xfrm ESP-in-TCP code path; trips IPsec VPN endpoints in particular. Mitigation modprobe -r esp4 esp6 (breaks IPsec). Distinct from Dirty Frag (different code paths) but conceptually adjacent — both abuse kernel xfrm assumptions (daily 2026-05-15).

CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path that provides NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research (whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family) published the technical writeup. A working proof-of-concept demonstrating escalation from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs). Exploitation requires local code execution on the target — there is no known remote exploitation path absent a prior foothold or a co-chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore primarily relevant as a post-compromise privilege-escalation primitive and as a jailbreak-class risk in shared compute environments: VPS and bare-metal hosting providers, university Linux clusters, multi-tenant cloud workloads running on shared kernels, and container environments where the kernel namespace boundary can be crossed. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15. Affected: Linux kernels shipping the xfrm ESP-in-TCP implementation across the 5.x and 6.x LTS series — consult your distribution's security bulletin for the exact affected package version range. Distributions shipping patches as of 2026-05-15 include upstream Linux and major vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot. Interim workaround: disable the xfrm_espintcp kernel module where IPsec ESP-over-TCP is not operationally required (modprobe -r esp6_offload esp4_offload where applicable); also consider restricting CAP_NET_ADMIN capability to reduce the xfrm attack surface in multi-tenant environments.

CVE Summary Table

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise; the daily 2026-05-09 UPDATE synthesised the operator-side selection logic as Copy Fail (algif_aead page-cache write) used on hosts where the module is available, Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where user namespaces are enabled without algif_aead. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic — no kernel-version offsets, no timing windows. A public 732-byte Python exploit exists; Go and Rust reimplementations have appeared in public code repositories; Kaspersky validated the container-to-host escape vector on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive). Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive via page-cache write primitives in both subsystems; researcher Hyunwoo Kim disclosed it 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke embargo. CVE-2026-43500 distro patches remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09). Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family — runtime detection lands on auditd execve of /usr/bin/su / /usr/bin/sudo / /usr/bin/passwd from anomalous parent processes, EDR process-ancestry rules for root from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation in container namespaces.

Mitigation hierarchy when patches are not yet deployable: kernel patches first (Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail); blacklist algif_aead via modprobe.d and update-initramfs -u; modprobe -r esp4 esp6 rxrpc for Dirty Frag (breaks IPsec VPNs and AFS); seccomp profiles blocking AF_ALG socket creation for containerised workloads; disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.

The official download page of JDownloader (German-developed AppWork GmbH, Java-based download manager popular across European user bases) was compromised between approximately 2026-05-06 and 2026-05-08; attackers exploited an unpatched access-control flaw in the site's CMS layer to replace Windows and Linux installer download links without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — triggering Windows SmartScreen warnings that helped some users detect the substitution. The substituted installers carry a Python-based remote-access payload; a more specific capability description has not been corroborated by a named research lab in available reporting. The JDownloader team confirmed and asked users to verify file hashes against the project's published SHA-256 manifest (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07 · daily 2026-05-10). Defender takeaway: audit developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link; hunt for unsigned / non-AppWork-signed JDownloader*.exe, unexpected Python interpreters in user-profile paths, and Python child processes spawned from JDownloader parent images.

The official download page of JDownloader, a German-developed (AppWork GmbH) Java-based download manager popular across European user bases, was compromised between approximately 2026-05-06 and 2026-05-08; attackers replaced the Windows and Linux installers with malicious counterparts (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07). The intrusion exploited an unpatched access-control flaw in the site's content-management layer, allowing unauthenticated modification of download-link targets without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — instead of the legitimate AppWork GmbH signature, triggering Windows SmartScreen warnings that helped some users detect the substitution before execution. The substituted installers are described in available reporting as carrying a Python-based remote-access payload; the precise capability description has not been corroborated by a named research lab in this run's window (see § 7). The JDownloader team confirmed the breach and have asked users to verify file hashes against the project's published SHA-256 manifest.

ATT&CK mapping: T1195.002 Supply Chain Compromise: Software Supply Chain, T1036.005 Match Legitimate Name (forged AppWork-adjacent publisher names), T1059.006 Python for the RAT runtime.

Defender takeaway: Audit endpoints — particularly developer / power-user / multimedia-engineering workstations across DACH — for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site. Hunt for unsigned or non-AppWork-signed JDownloader*.exe and unexpected Python interpreters in user-profile paths; alert on Python child processes spawned from JDownloader* parent images (Sysmon EID 1 + parent-image filter). Inventory installations are uncertain via Winget / Flatpak / Snap (those distributions were not poisoned in this window) — the trojanised path was specifically the project's web-hosted installer and "Alternative Installer" download links.

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive produces a stable root primitive without timing windows. Exploitation requires CAP_NET_ADMIN — available by default in Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions; restricted on RHEL 8/9 and some hardened configs. Public PoC was published alongside disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).

Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a fixes-available blog (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.

Detection: Sysmon EID 1 / auditd execve on setuid binaries called from anomalous parent processes; EDR process ancestry anomalies for processes spawning as root from a non-root user context; unexpected writes to /etc/passwd or /etc/shadow detected via auditctl -w /etc/passwd -p w.

UPDATE (originally covered 2026-05-06):

CISA added CVE-2026-31431 to KEV on 2026-05-06 with a federal remediation deadline of 2026-05-15 — six days from today. Organisations with unpatched Linux kernel deployments running the algif_aead module (present by default on most distributions unless FIPS mode is active) are approaching the federal deadline. Downstream distribution patches: Ubuntu 22.04/24.04 (linux-image 6.1.98-1ubuntu1); RHEL 8/9 (kernel-5.14.0-503.14.1); Debian 12 (pending as of 2026-05-09 06:00 UTC).

Material update: The Microsoft Security Blog post published on 2026-05-08 (same post covering "Dirty Frag") provides new detail on the "Copy Fail" cluster. Microsoft observes that threat actors are using CVE-2026-31431 and CVE-2026-43284/43500 (Dirty Frag) as complementary techniques in post-compromise Linux privilege escalation operations — deploying CVE-2026-31431 on hosts where the algif_aead module is available and rxrpc/esp* are not, and Dirty Frag on hosts where user namespaces are enabled without algif_aead. The same initial access vector (SSH-based credential stuffing with exposed management ports) is used across both chains. This operationalises the two LPE vulnerabilities as a "pair" covering different Linux deployment configurations.