Security researchers have discovered a new vulnerability in the Linux kernel which could allow malicious actors to run code with elevated privileges, exposing systems to risk of data theft, malware deployment, and even full device takeover.
The vulnerability is tracked as CVE-2026-46300, and was given a severity score of 7.8/10 (high). It’s nicknamed Fragnesia and is apparently in the same vulnerability class as Dirty Frag, another kernel bug that was disclosed recently.
Read more…
Source: TechRadar News
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers
October 24, 2024
Many software manufacturers and service providers deploy software and configuration updates as part of their service offerings. These updates may enhance features and/or address security vulnerabilities to provide benefits and security to customers. However, software and the systems that deploy software are highly complex and continually evolving, making it challenging to deploy secure updates. It is ...
- Command Injection and Local File Inclusion in Grafana: CVE-2024-9264
October 24, 2024
The SonicWall Capture Labs threat research team became aware of a critical vulnerability in Grafana, assessed its impact and developed mitigation measures. Grafana is a multi-platform open-source analytics and visualization solution that can produce charts, graphs and alerts according to the data. Identified as CVE-2024-9264, Grafana versions 11.0.x, 11.1.x and 11.2.x allows an attacker with ‘viewer’ ...
- The Crypto Game of Lazarus APT: Investors vs. Zero-days
October 23, 2024
On May 13, 2024, Kaspersky consumer-grade product Kaspersky Total Security detected a new Manuscrypt infection on the personal computer of a person living in Russia. Since Lazarus rarely attacks individuals, this piqued Kaspersky researchers interest and they decided to take a closer look. The researchers discovered that prior to the detection of Manuscrypt, Kaspersky technologies also ...
- VMWare vCenter Server CVE-2024-38812 DCERPC Vulnerability
October 23, 2024
CVE-2024-38812 is a critical heap-overflow vulnerability identified in VMware vCenter Server’s implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. This flaw allows a malicious actor with network access to the vCenter Server to send specially crafted packets, potentially leading to remote code execution (RCE). The vulnerability, classified under CWE-122 (Heap-based Buffer Overflow), arises when ...
- Code Injection in Spring Cloud: CVE-2024-37084
October 18, 2024
The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability. CVE-2024-37084 is a critical vulnerability affecting Spring Cloud Data Flow versions 2.11.0 through 2.11.3. A malicious user with access to the Skipper server API can exploit a flaw in the upload request process, ...
- New macOS vulnerability, “HM Surf”, could lead to unauthorized data access
October 17, 2024
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration ...