cPanel is a very popular hosting framework that is often difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system); it is reliable, well documented, and affects all versions of cPanel except the latest patch. Well over a million hosts are exposed, and although cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel has provided a script you can use to detect whether compromise has already occurred, which can be found here.
Vulnerability intelligence
Trending now
CVEs trending on social media within the last 24 hours
1. CVE-2024-30085, published Jun 11, 2024. Severity: high 7.8.
CVE-2024-30085 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys), a kernel-level component that manages cloud file synchronization in Windows, particularly for services such as OneDrive. The flaw is a heap-based buffer overflow (CWE-122): the driver does not properly validate the size of user-supplied data before copying it into a fixed-size buffer while processing reparse points. A local attacker with low privileges can exploit it. By crafting a malicious application or script that interacts with the cldflt.sys driver, an attacker can trigger the overflow and corrupt kernel heap memory. Successful exploitation leads to privilege escalation, granting the attacker SYSTEM-level access and potentially full control over the affected machine.
2. CVE-2025-55182, published Dec 3, 2025. Severity: critical 10.0. Exploit known.
Tags: React, react2shell, npm, Cloud, Business logic, Supply chain, Server, OT
CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability found in React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability affects packages including `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution. Exploitation requires only a crafted HTTP request. Patches are available for React and Next.js. It is recommended to upgrade to patched React versions such as 19.0.1, 19.1.2, or 19.2.1, and to update frameworks like Next.js to their corresponding patched versions.
3. CVE-2025-33073, published Jun 10, 2025. Severity: high 8.8. Exploit known.
Tags: Windows SMB Client, Smb, Network, IoT, Port (135)
CVE-2025-33073 is an elevation of privilege vulnerability affecting the Windows Server Message Block (SMB) client. It stems from improper access control within Windows SMB, potentially allowing an authorized attacker to elevate privileges over a network. To exploit this vulnerability, an attacker could execute a specially crafted script. This script would coerce the victim machine to connect back to the attacker's system using SMB and authenticate, potentially resulting in the attacker gaining SYSTEM privileges.
Known exploited
Sourced from CISA's Known Exploited Vulnerability (KEV) catalog.
- CVE-2026-31431, published Apr 22, 2026. Severity: high 7.8. Exploit known.
CVE-2026-31431, dubbed "Copy Fail," is a local privilege escalation (LPE) vulnerability found within the Linux kernel's cryptographic subsystem. Specifically, it stems from a logic flaw in the `algif_aead` module of the `AF_ALG` (userspace crypto API), which leads to improper memory handling during in-place operations. This flaw allows an unprivileged local user to perform a deterministic, controlled 4-byte write into the page cache of any readable file on the system, including setuid binaries. This vulnerability has been present in Linux kernels since 2017 and impacts a wide range of major distributions, including Red Hat, SUSE, Ubuntu, and Amazon Linux. Exploitation is described as reliable, not requiring race conditions or kernel-specific offsets, and can be achieved with a small Python script. The in-memory corruption means the file on disk remains unchanged, and typical on-disk checksums would not detect the modification.
- CVE-2026-41940, published Apr 29, 2026. Severity: critical 9.3. Exploit known.
Tags: cPanel, WHM
CVE-2026-41940 is an authentication bypass vulnerability impacting cPanel & WHM and WP Squared products. This flaw allows unauthenticated remote attackers to bypass the login process and gain unauthorized administrative access to affected systems. The vulnerability stems from a Carriage Return Line Feed (CRLF) injection within the login and session loading mechanisms of cPanel & WHM, where an attacker can manipulate the `whostmgrsession` cookie to circumvent encryption. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, including its configurations, databases, and the websites it manages. Security firm watchTowr Labs has published a technical analysis and proof-of-concept exploit for this vulnerability, detailed in their blog post titled "The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)". The vulnerability affects cPanel and WHM versions after 11.40, with patches available in later versions.
- CVE-2026-32202, published Apr 14, 2026. Severity: medium 4.3. Exploit known.
Tags: Zero-day
CVE-2026-32202 is a protection mechanism failure vulnerability found in Windows Shell that allows an unauthorized attacker to perform spoofing over a network. This flaw enables attackers to bypass security controls designed to prevent spoofing attacks, potentially leading to information disclosure through deception of users or security controls. The vulnerability can be exploited by enticing a user to interact with malicious content over a network connection, often involving specially crafted Windows shortcut (LNK) files that leverage Universal Naming Convention (UNC) paths. This can lead to authentication coercion and credential theft, as the system may automatically authenticate to an attacker's server without direct user interaction. This vulnerability has been linked to an incomplete patch for a previous Windows Shell security bypass (CVE-2026-21510).
Insights
Our Security Team's most recent CVE analysis
- CVE-2026-41940. Severity: critical 9.3. Exploit known. Intruder Insights, updated Apr 30, 2026.
- CVE-2026-1340. Severity: critical 9.8. Exploit known. Intruder Insights, updated Jan 30, 2026.
This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check whether their instance has been compromised here, though it is still a work in progress.
Note that this is a temporary patch which will be removed by further version updates: if you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be released in the future and will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- CVE-2026-1281. Severity: critical 9.8. Exploit known. Intruder Insights, updated Jan 30, 2026.
This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check whether their instance has been compromised here, though it is still a work in progress.
Note that this is a temporary patch which will be removed by further version updates: if you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be released in the future and will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.