Vulnerability intelligence

CVE-2020-17103 is an Elevation of Privilege vulnerability found in the Windows Cloud Files Mini Filter Driver (cldflt.sys). This flaw allows a locally authenticated attacker with low privileges to escalate their access to SYSTEM-level permissions on a vulnerable system. The vulnerability was initially disclosed and patched by Microsoft as part of their December 2020 Patch Tuesday release cycle. However, it has recently resurfaced in discussions among threat actors and in public exploitation guidance forums, leading to renewed attention on potential exploitation attempts against unpatched Windows environments.

CVE-2025-59057 describes a Cross-Site Scripting (XSS) vulnerability found within React Router's `meta()` and `<Meta>` APIs when operating in Framework Mode. This flaw specifically arises during the generation of `script:ld+json` tags. If untrusted user-supplied content is incorporated into this tag generation process, it can lead to the injection and execution of arbitrary JavaScript code during Server-Side Rendering (SSR). The vulnerability affects `@remix-run/react` versions 1.15.0 through 2.17.0 and `react-router` versions 7.0.0 through 7.8.2. Applications utilizing Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) are not impacted by this issue.

CVE-2026-46300, dubbed "Fragnesia," is a local privilege escalation (LPE) vulnerability found in the Linux kernel's XFRM ESP-in-TCP subsystem. This flaw allows an unprivileged local attacker to perform arbitrary byte writes into the kernel page cache of read-only files. The vulnerability arises from a logic error where `skb_try_coalesce()` fails to propagate the `SKBFL_SHARED_FRAG` marker, causing the kernel to lose track of externally backed fragments. This page-cache corruption can be exploited to modify the in-memory cached copies of read-only files, such as `/usr/bin/su`, enabling an unprivileged process to gain root privileges. Fragnesia is the third LPE vulnerability discovered by William Bowling of the V12 security team in the same general area of the Linux kernel (IPsec ESP / rxrpc), following "Copy Fail" and "Dirty Frag." A public proof-of-concept exploit for CVE-2026-46300 is available.

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

CVE-2026-31431, dubbed "Copy Fail," is a local privilege escalation (LPE) vulnerability found within the Linux kernel's cryptographic subsystem. Specifically, it stems from a logic flaw in the `algif_aead` module of the `AF_ALG` (userspace crypto API), which leads to improper memory handling during in-place operations. This flaw allows an unprivileged local user to perform a deterministic, controlled 4-byte write into the page cache of any readable file on the system, including setuid binaries. This vulnerability has been present in Linux kernels since 2017 and impacts a wide range of major distributions, including Red Hat, SUSE, Ubuntu, and Amazon Linux. Exploitation is described as reliable, not requiring race conditions or kernel-specific offsets, and can be achieved with a small Python script. The in-memory corruption means the file on disk remains unchanged, and typical on-disk checksums would not detect the modification.