Vulnerability intelligence

CVE-2026-46300, dubbed "Fragnesia," is a local privilege escalation (LPE) vulnerability found in the Linux kernel's XFRM ESP-in-TCP subsystem. This flaw allows an unprivileged local attacker to perform arbitrary byte writes into the kernel page cache of read-only files. The vulnerability arises from a logic error where `skb_try_coalesce()` fails to propagate the `SKBFL_SHARED_FRAG` marker, causing the kernel to lose track of externally backed fragments. This page-cache corruption can be exploited to modify the in-memory cached copies of read-only files, such as `/usr/bin/su`, enabling an unprivileged process to gain root privileges. Fragnesia is the third LPE vulnerability discovered by William Bowling of the V12 security team in the same general area of the Linux kernel (IPsec ESP / rxrpc), following "Copy Fail" and "Dirty Frag." A public proof-of-concept exploit for CVE-2026-46300 is available.

CVE-2026-42945 is a heap buffer overflow vulnerability found in the `ngx_http_rewrite_module` of NGINX Plus and NGINX Open Source. This flaw occurs when a `rewrite` directive is immediately followed by another `rewrite`, `if`, or `set` directive, and an unnamed Perl-Compatible Regular Expression (PCRE) capture (such as `$1` or `$2`) is used within a replacement string that contains a question mark (`?`). An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests. This can lead to a heap buffer overflow in the NGINX worker process, causing it to restart. Additionally, on systems where Address Space Layout Randomization (ASLR) is disabled, this vulnerability could potentially allow for code execution.

CVE-2025-54957 is a buffer overflow vulnerability affecting Dolby Universal Decoder Core (UDC) versions 4.5 through 4.13. The flaw resides within the Dolby Digital Plus (DD+) decoder process and can be triggered by processing specially crafted, malformed DD+ bitstreams. Specifically, an integer overflow occurs during the length calculation when the `evo_priv.c` component parses "Evolution data" from the DD+ bitstream. This results in an undersized buffer being allocated, which then renders subsequent out-of-bounds checks ineffective and leads to an out-of-bounds write condition. Google Project Zero researchers discovered this vulnerability, highlighting its potential for zero-click exploitation on mobile devices, as audio attachments and voice messages are often decoded automatically.

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

CVE-2026-31431, dubbed "Copy Fail," is a local privilege escalation (LPE) vulnerability found within the Linux kernel's cryptographic subsystem. Specifically, it stems from a logic flaw in the `algif_aead` module of the `AF_ALG` (userspace crypto API), which leads to improper memory handling during in-place operations. This flaw allows an unprivileged local user to perform a deterministic, controlled 4-byte write into the page cache of any readable file on the system, including setuid binaries. This vulnerability has been present in Linux kernels since 2017 and impacts a wide range of major distributions, including Red Hat, SUSE, Ubuntu, and Amazon Linux. Exploitation is described as reliable, not requiring race conditions or kernel-specific offsets, and can be achieved with a small Python script. The in-memory corruption means the file on disk remains unchanged, and typical on-disk checksums would not detect the modification.