← All Posts

Linux Kernel Flaw Lets Unprivileged Users Access Root-Only Files, Execute Arbitrary Commands as Root

The Hot Take: Linux becoming a target with people migrating over to it for sure.

Qualys's Threat Research Unit (TRU) has discovered and published a logic flaw in Linux kernel "that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions." Friday their blog pointed out "The bug has resided in mainline Linux since November 2016 (v4.10-rc1)." "Upstream patches and distribution updates are already available." Working exploits are circulating publicly, and administrators should apply vendor kernel updates without delay. During ongoing research into Linux kernel privilege boundaries, TRU identified a narrow window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations even though its dumpable flag should have closed that path. By pairing this window with the pidfd_getfd() syscall (added in v5.6-rc1, January 2020), an attacker can capture open file descriptors and authenticated inter-process channels from a dying privileged process and re-use them under their own uid. The primitive is reliable and turns any local shell into a path to root or to sensitive credential material [including host private keys under /etc/ssh ] CVE-2026-46333 is local-only, but the impact is severe... Any unprivileged shell on a vulnerable host is enough to read /etc/shadow, exfiltrate SSH host private keys, or execute arbitrary commands as root through hijacked dbus connections to systemd. In practice, the distinction between an unprivileged foothold and full host compromise collapses: a phished developer account, a constrained CI runner, a low-privilege service account, or a shared multi-tenant host all become direct paths to root. With the vulnerable code shipping in mainline kernels since v4.10-rc1 (November 2016), the historical exposure spans nine years of enterprise fleets, cloud images, and container hosts. Qualys followed responsible disclosure throughout. Qualys reported the vulnerability privately to the upstream Linux kernel security contact on 2026-05-11. Over the following three days the kernel security team developed and reviewed the fix, CVE-2026-46333 was assigned, and the patch was committed publicly on 2026-05-14. We then engaged the linux-distros mailing list, the standard pre-disclosure channel for downstream coordination. A short time later, an independent exploit derived from the public kernel commit appeared.... Qualys is releasing the complete advisory today because the underlying technique is novel, the public picture is now incomplete and uneven, and independent researchers have already achieved local root and published exploit material. Doing so gives defenders, detection engineers, and downstream maintainers a single authoritative reference for the flaw, the race against do_exit(), the role of pidfd_getfd(), and the four exploitation case studies. Read more of this story at Slashdot.

Read the full article

Microsoft is killing SMS codes for Microsoft account sign-in, aggressively pushes passkeys on Windows 11

The Hot Take: SMS/TXT is going to cause some pain for sure.

For years, typing in a six-digit code sent to your phone has been the universal standard for verifying your identity online. But that era is officially coming to an end in the Windows ecosystem. In a statement to Windows Latest, Microsoft independently confirmed that it’ll stop sending SMS codes for personal accounts. Now, first spotted by Windows Latest, Microsoft has officially announced that it is pulling the plug on SMS codes for personal accounts. According to a support document quietly published earlier this year, the company is actively phasing out text messages as a method for both two-factor authentication and account recovery. While the tech giant subtly hinted at this shift in a previous security advisory earlier this year, stating it was “committed to advancing security standards,” the newly released documentation explicitly confirms the end of SMS verification. Moving forward, Microsoft is forcing a transition to passwordless alternatives, mandating the use of passkeys, authenticator apps, and verified secondary email addresses. Why Microsoft is abandoning SMS authentication Redmond’s decision to kill off SMS verification comes down to the undeniable fact that text messages are no longer a secure way to protect your digital identity. In their official advisory, Microsoft states that “SMS-based authentication is now a leading source of fraud.” “Microsoft is committed to advancing security standards, and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts,” Microsoft noted in an advisory spotted by Windows Latest. “Microsoft believes that the future of authentication is passwordless, secure, and user-friendly.” Text messages were never designed with modern cybersecurity in mind. They are transmitted in plain text across vulnerable cellular networks, making them highly susceptible to interception. Furthermore, hackers frequently use SIM-swap attacks, a tactic where a malicious actor tricks your mobile carrier into transferring your phone number to a device they control. Once the transfer is complete, the hacker instantly receives all of your SMS two-factor authentication codes, allowing them to easily hijack your accounts. To combat this, Microsoft believes the future of account security is entirely passwordless. The company is replacing SMS with passkeys, which are a modern, phishing-resistant security standard. Unlike traditional passwords or text codes that can be intercepted, passkeys use your device’s built-in biometric hardware. When you sign in using a passkey, you authenticate your identity using Windows Hello facial recognition, a fingerprint scanner, or a localized device PIN. This creates a cryptographic key pair where the private key never leaves your physical hardware, rendering remote phishing attacks virtually impossible. Depending on your setup, passkeys can be device-bound, meaning the private key never leaves the physical hardware (like your laptop’s TPM chip), or they can be synced across your devices via services like Apple iCloud Keychain or Google Password Manager. This cross-device compatibility ensures that if you lose your phone, your verified email and synced passkeys will still allow you to recover your account safely. The problem of a forced passwordless transition On paper, eliminating vulnerable SMS codes in favor of biometric passkeys is an objective win for global cybersecurity. In my daily workflow, the passwordless ecosystem is genuinely fantastic. I use Microsoft Edge, Microsoft Password Manager, and the Microsoft Authenticator app across all my devices. Thanks to the IR camera on my Lenovo laptop, Windows Hello face recognition makes logging into my personal Microsoft account a breeze. However, Microsoft’s forced transition may cause significant headaches for power users. As a Windows Insider, I constantly spin up, configure, and manage new virtual machines (VMs) to test software builds. When I attempt to log into my Microsoft account within these isolated, nested environments, the passkey experience falls apart. Biometric hardware won’t be available on a VM, for obvious reasons, and I do not have access to security keys either. When trying to log in with passkeys via PIN, I’m always shown an error. In these highly technical, edge-case scenarios, requesting an SMS code was the ultimate, foolproof fallback. It just worked. Passwords and SMS codes are ubiquitous. Typing in a six-digit text code is an instinctive, habitual behavior for billions of people. To successfully change a deeply ingrained habit, the replacement technology must be utterly flawless across every conceivable scenario. Microsoft could drop the forced Microsoft account sign-in during Windows 11 setup; now that’s one less place where you’ll need to sign in!. Either way, Microsoft will soon begin prompting all personal account holders with a “Sign in faster with your face, fingerprint, or PIN” screen, urging them to set up a passkey and verify a backup email address. While losing the convenience of SMS codes may be a bitter pill to swallow for some, it is a necessary step to secure Windows 11 against modern threats. The post Microsoft is killing SMS codes for Microsoft account sign-in, aggressively pushes passkeys on Windows 11 appeared first on Windows Latest

Read the full article

Open source malware sees a 21 percent increase

The Hot Take: As Linux gains market share just put a target on its back for compromise.

A new report from Sonatype identifies 21,764 malicious open source packages in the first quarter of the year, up 21 percent from the same period last year and bringing the total logged since 2017 to 1,346,867. The npm registry continues to be the target of most new malicious attacks, at 75 percent, seeing the equivalent of 46 malicious packages per day, with the quarter defined by credential theft, host reconnaissance, and staged payload delivery aimed at developer and CI/CD environments. Python package index PyPI saw 18 percent of total malware in Q1, with other registries significantly lower, suggesting that attackers… [Continue Reading]

Read the full article

New 'GeForge' and 'GDDRHammer' attacks can fully infiltrate your system through Nvidia's GPU memory — Rowhammer attacks in GPUs force bit flips in protected VRAM regions to gain read/write access

The Hot Take: More GPU security issues, #FUN.

Two new Rowhammer attacks for GPUs have been discovered that can cause bit flips in VRAM to gain arbitrary read/write access over it. These attacks target page files and the page directory that are otherwise protected from electrical disturbance by the driver. By "massaging" these data structures into vulnerable regions where a bit flip can occur, the attacker can access even the CPU memory.

Read the full article