CyberHappenings


Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks

3 unique sources, 3 articles

Summary


A high-severity privilege escalation flaw in the Linux kernel, CVE-2024-1086, is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability lets an attacker with local access escalate privileges to root. The bug is a use-after-free in the kernel's netfilter nf_tables subsystem, which is why blocking that module is one of the mitigations. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat; the flaw was introduced in February 2014 and fixed in January 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and ordered federal agencies to secure their systems by June 20, 2024; on October 31, 2025, CISA confirmed that the flaw is being used in ransomware campaigns. Where patching is not immediately possible, mitigations include blocking the 'nf_tables' module from loading, restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module.

Separately, the Qualys Threat Research Unit disclosed nine confused deputy vulnerabilities, codenamed CrackArmor, in the Linux kernel's AppArmor module. Present since 2017 and affecting kernels from version 4.11 onward, they let an unprivileged local user manipulate AppArmor security profiles through kernel pseudo-files, and from there bypass kernel protections, escalate to root, and undermine container isolation guarantees. The flaws enable local privilege escalation, denial-of-service attacks, and container isolation bypass; they impact major distributions such as Ubuntu, Debian, and SUSE, and according to Qualys put over 12.6 million enterprise Linux systems at risk. Qualys has developed proof-of-concept exploits but has not released them publicly.
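The three CVE-2024-1086 mitigations listed above (and repeated in the October 2025 timeline entry) are easy to apply incompletely: a modprobe "blacklist" line does not stop the kernel from auto-loading nf_tables, and a modprobe.d rule does nothing for a module that is already loaded. The script below is an added example, not code from CyberHappenings, CISA, or the cited articles; it audits a host for each mitigation and reports which are actually in force. It assumes the standard file locations (/etc/modprobe.d, /proc/modules, /proc/sys/user/max_user_namespaces, and the Debian/Ubuntu-only /proc/sys/kernel/unprivileged_userns_clone). The function names and the optional ROOT argument, which points the checks at a staged filesystem tree such as a mounted image, are this example's own conventions.

```shell
#!/bin/sh
# Added example: audit a Linux host for the CVE-2024-1086 mitigations
# (nf_tables blocked, unprivileged user namespaces restricted, LKRG loaded).
# ROOT (default: live system) lets the same checks run against a staged
# filesystem tree. None of these checks is a substitute for patching.

# nf_tables blocked from loading via /etc/modprobe.d. A plain "blacklist"
# line only stops alias-based autoloading by udev; the kernel's
# request_module() still succeeds, so the robust form is
# "install nf_tables /bin/false".
nf_tables_blocked() {
  r=${1%/}
  grep -Eqs '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)([[:space:]]|$)' \
    "$r"/etc/modprobe.d/*.conf
}

# Is module $1 currently loaded? /proc/modules lines read "name size refcount ...".
module_loaded() {
  grep -qs "^$1 " "${2%/}/proc/modules"
}

# Unprivileged user namespaces restricted. The public exploit needs
# CAP_NET_ADMIN inside a user namespace to reach nf_tables, so either knob
# closes that path: user.max_user_namespaces=0 is the upstream sysctl (and
# breaks rootless containers); kernel.unprivileged_userns_clone=0 exists only
# on Debian/Ubuntu kernels.
userns_restricted() {
  r=${1%/}
  for f in "$r/proc/sys/user/max_user_namespaces" \
           "$r/proc/sys/kernel/unprivileged_userns_clone"; do
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ] && return 0
  done
  return 1
}

# Print findings; exit status 0 when at least one mitigation is in place.
audit_host() {
  r=${1%/}
  n=0
  if nf_tables_blocked "$r"; then
    echo "[+] nf_tables: load blocked in /etc/modprobe.d"; n=$((n + 1))
  else
    echo "[-] nf_tables: no 'install nf_tables /bin/false' rule"
  fi
  if module_loaded nf_tables "$r"; then
    echo "[!] nf_tables is loaded now; a modprobe.d block only applies after unload or reboot"
  fi
  if userns_restricted "$r"; then
    echo "[+] unprivileged user namespaces: restricted"; n=$((n + 1))
  else
    echo "[-] unprivileged user namespaces: allowed"
  fi
  if module_loaded lkrg "$r"; then
    echo "[+] LKRG: loaded"; n=$((n + 1))
  else
    echo "[-] LKRG: not loaded"
  fi
  echo "$n of 3 mitigations present"
  [ "$n" -gt 0 ]
}

# Usage: sh audit-cve-2024-1086.sh /          (live host)
#        sh audit-cve-2024-1086.sh /mnt/image  (staged tree)
if [ "$#" -gt 0 ]; then
  audit_host "$1"
fi
```

Run it as root so /etc/modprobe.d and the sysctl files are readable. A `[!]` line for nf_tables means the block rule will not protect the running kernel until the module is unloaded or the machine is rebooted, which is the case that most often gets missed.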

Timeline

  1. 13.03.2026 10:18 · 2 articles

    Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation and Bypass Container Isolation

    Cybersecurity researchers at Qualys disclosed nine confused deputy vulnerabilities in the Linux kernel's AppArmor module, codenamed CrackArmor. The flaws have existed since 2017, affect Linux kernels since version 4.11, and impact major distributions such as Ubuntu, Debian, and SUSE. They enable denial-of-service (DoS) attacks, local privilege escalation (LPE), and KASLR bypasses, letting unprivileged users bypass kernel protections, escalate to root, and undermine container isolation guarantees. The root cause is a confused deputy pattern: the AppArmor module acts with kernel privilege on requests that an unprivileged local user makes through kernel pseudo-files, so the user can manipulate AppArmor security profiles. Over 12.6 million enterprise Linux systems are affected. Qualys developed proof-of-concept exploits but has not publicly released them, to limit risk to unpatched systems.

  2. 31.10.2025 15:05 · 1 article

    CISA Confirms Exploitation of Linux Kernel Privilege Escalation Flaw in Ransomware Attacks

    CISA confirmed on October 31, 2025, that the high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. The flaw, disclosed in January 2024, allows a local attacker to escalate privileges to root on compromised devices. It affects multiple major Linux distributions and was introduced in February 2014. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and ordered federal agencies to secure their systems by June 20, 2024. Mitigations include blocking the 'nf_tables' kernel module from loading, restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module.


Similar Happenings

CVE-2026-21385 Exploited in Qualcomm Android Component

Google confirmed that CVE-2026-21385, a high-severity memory corruption vulnerability in Qualcomm's Graphics component (an integer overflow leading to a buffer over-read), is being exploited in the wild. The flaw was reported to Qualcomm by Google's Android Security team. Google's March 2026 update includes patches for 129 vulnerabilities, including critical flaws in the System, Framework, and Kernel components. The exploit is in limited, targeted use, and details of the exploitation method remain undisclosed. The vulnerability affects 235 Qualcomm chipsets and the Android devices that use the impacted component; patches are available in the March 2026 Android security bulletin.

Critical Linux Vulnerabilities Exploited in the Wild

CISA added two Linux vulnerabilities to its KEV catalog: a critical authentication bypass in GNU Inetutils (CVE-2026-24061) and an integer overflow in the Linux kernel (CVE-2018-14634). The GNU Inetutils flaw has been actively exploited, with reports of 60 exploitation attempts from 18 unique sources. The vulnerabilities affect various versions of Linux systems, with the Inetutils flaw opening the door to remote code execution and the kernel flaw to local privilege escalation.

CVE-2024-37079 in VMware vCenter Exploited in the Wild

CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Three vulnerabilities in the mcp-server-git, maintained by Anthropic, allow file access, deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks without direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

Cisco identified a critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, that was being exploited before a fix was available. A Chinese threat group, UAT-9686, has been exploiting it since at least late November 2025 to deploy backdoors and other malware. The vulnerability allows threat actors to execute arbitrary commands with root privileges and to deploy tools such as AquaShell, AquaTunnel, Chisel, and AquaPurge. Cisco has since released security updates and recommends securing and restricting access to vulnerable appliances. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Separately, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.