Linux Privilege Escalation Walkthroughs: Identify Misconfigurations for Root Access

Agreed. Every privilege escalation an attacker runs leaves a trail. The skill is reading it. It's about enumeration, a small misconfiguration — a writable cron job, a loose sudo rule — and an attacker who understands why it works.

In the Linux kernel, the following vulnerability has been resolved: smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available The logic off managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already consumed a credit, but between receiving the incoming recv at the hardware and processing the completion in the 'recv_done' functions we likely have a window where we grant credits, which don't really exist. So we better have a decicated counter for the available credits, which will be incremented when we posted new recv buffers and drained when we grant the credits to the peer.

Fragnesia Made Public As Latest Linux Local Privilege Escalation Vulnerability: A new Linux local privilege escalation flaw called Fragnesia has been disclosed as a Dirty Frag-like vulnerability, allowing arbitrary byte writes into the kernel page cache of read-only files through a separate ESP/XFRM logic bug. Phoronix reports: Proof of concept code for Fragnesia is already out there. There is a two-line patch for addressing the issue within the Linux kernel's skbuff.c code. That patch hasn't yet been mainlined or picked up by any mainline kernel releases but presumably will be in short order for addressing this local privilege escalation issue. More details can be found here. Read more of this story at Slashdot.

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.

The Linux operating system is facing a significant challenge due to a wave of bugs generated by artificial intelligence. This situation has complicated the work of developers and system administrators, who must deal with unexpected failures that affect the stability and security of the environment. The automatic 📅 Fri, 22 May 2026 11:24:00 +0000 🔗Subscribe to the Membership: https://lnkd.in/eh_rNRyt

In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transport_finish NF_HOOK After async crypto completes, xfrm_input_resume() calls dev_put() immediately on re-entry before the skb reaches transport_finish. The skb->dev pointer is then used inside NF_HOOK and its okfn, which can race with device teardown. Remove the dev_put from the async resumption entry and instead drop the reference after the NF_HOOK call in transport_finish, using a saved device pointer since NF_HOOK may consume the skb. This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip the okfn. For non-transport exits (decaps, gro, drop) and secondary async return points, release the reference inline when async is set.

Major Linux distributions are issuing fixes for Fragnesia (CVE-2026-46300), a kernel privilege escalation that permits code execution with root privileges. This type of flaw can convert a low-privilege foothold into full system control, which is material to Incident Response triage and containment. Prioritise kernel updates, verify package integrity, and hunt for anomalous setuid binaries or unexpected capability changes across Linux estates. Red Team and Pen Test playbooks are being updated to assess exposure and safely demonstrate potential impact. https://lnkd.in/eps3YXNR #IncidentResponse #RedTeam #PenTesting #LinuxKernel #PrivilegeEscalation #CVE202646300

When legacy exposure, trust assumptions, or weak validation meet real-world infrastructure, the blast radius grows fast. The new local privilege escalation technique gives attackers a reliable path from a low privilege shell to root on many major Linux distributions, and public exploit code appeared before broad coordinated patch coverage was in place. That is why clear operational guidance matters as much as the headline itself.

Stay ahead of endpoint complexity with the latest OESIS Framework update. With improved application visibility, enhanced Linux support, and updates to patch and vulnerability handling, this month’s release helps you manage software risk with greater accuracy across environments. Read the full update. https://bit.ly/4dBDSIe

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free. Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.