Linux “Copy Fail” local privilege escalation – CVE-2026-31431 (Medium, CVSS 7.8) — Kernel crypto subsystem flaw enables root on major distributions (Amazon Linux, RHEL, Ubuntu, etc.).

This is an interesting one, and it affects all Linux distributions going back 9 years, to 2017. The vulnerability was introduced with kernel 4.14 and affects every distribution kernel derived from the unfixed line. It originates from a 2017 in-place optimization introduced to algif_aead.c (commit 72548b093ee3). When a user splices a file into a pipe and feeds it into an AF_ALG socket, the AEAD input scatterlist holds direct references to the kernel’s physical page cache pages for that file, not copies. The vulnerability requires no race-winning, kernel-version-specific offsets, recompilation or compiled payloads: a single 732-byte Python script using only standard library modules achieves deterministic root on every tested distribution and architecture. The exploit targets the kernel’s page cache, the in-memory representation of files, by triggering a controlled 4-byte write into a page cache page belonging to any file readable by the attacker.

The vulnerability is fixed in the following kernel versions:

  • 7.0+
  • 6.19.12
  • 6.18.22
  • 6.12.85
  • 6.6.137
  • 6.1.170
  • 5.15.204
  • 5.10.254
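As an added helper, not part of the original post, the following Python script compares a `uname -r` style string against the fixed versions listed above. The branch table comes from that list; the status names are my own; and the important edge case is that distro kernels with backported fixes (RHEL, Ubuntu and similar) land in "unknown_branch", where the vendor advisory rather than an upstream version comparison decides.

```python
import platform
import re

# Upstream stable branches and the first patch level carrying the fix, taken from
# the list above; every 7.x release is fixed. 4.14 is where the flaw was introduced.
FIXED_VERSIONS = {
    (6, 19): 12, (6, 18): 22, (6, 12): 85, (6, 6): 137,
    (6, 1): 170, (5, 15): 204, (5, 10): 254,
}
INTRODUCED = (4, 14)


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` style string.

    Distro suffixes such as '-generic' or '.el9' are ignored and a missing
    patch level (e.g. '6.19') counts as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(release: str) -> str:
    """Classify a kernel as not_affected, fixed, vulnerable or unknown_branch.

    unknown_branch means the major.minor line is not in the upstream table.
    Distro kernels (e.g. RHEL 5.14.x, Ubuntu 6.8.x) backport fixes without
    bumping the upstream patch level, so for them the vendor advisory, not
    this comparison, is authoritative.
    """
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < INTRODUCED:
        return "not_affected"
    if major >= 7:
        return "fixed"
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:
        return "unknown_branch"
    return "fixed" if patch >= fixed_patch else "vulnerable"


if __name__ == "__main__":
    # Check the running kernel (assumes a Linux host).
    release = platform.release()
    print(f"{release}: {triage(release)}")
```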

Google Gemini Command Line Remote Code Execution vulnerability – No CVE identifier – Critical, CVSS 10.0. Patch immediately.

The vulnerability comes from the trust that Google placed in the startup execution of a tools.discoveryCommand present in the (.gemini/settings.json) configuration file. Attackers could supply harmful configuration files and run code with the same permissions as the Command Line Interface user. If the CLI is working with untrusted code, as is frequent in CI/CD environments, this is a severe concern.

Google fixed this in version 0.39.1, which requires users to explicitly trust the workspace. In automated environments the CLI must be configured to require explicit trust for folders. In today’s agentic AI workflows, avoid giving AI agents automatic and broad permissions to write to repositories or run shell commands in shared, non-disposable environments.

Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340) – Actively exploited

Given the recent security activity compromising Mobile Device Management products, this one has higher priority. CISA has also added CVE-2026-1281 to its Known Exploited Vulnerabilities Catalog. Palo Alto’s Unit 42 has a good write-up on this, which points to the Ivanti Security Advisory for the necessary patches and clarifies that the patch involves no downtime and no functionality impairment.

Most recent [April 15, 2026] update from Ivanti states: “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.”

Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122, CVE-2026-20128 and CVE-2026-21033): added to the CISA KEV on April 20, 2026

These vulnerabilities involve the incorrect usage of privileged APIs, password storage in a recoverable format and exposure of sensitive information to an unauthorized actor.

Patch bulletins:

Microsoft April 2026 Patch Tuesday: About 167 CVEs are patched this time around, including two zero-days:

  • SharePoint Server spoofing: CVE-2026-32201. Actively exploited.
  • Windows Defender “Blue Hammer”: CVE-2026-33825. Publicly disclosed with exploit code.

Oracle April 2026 Critical Patch Update: 8 new patches for database products [and third parties]

Android April 2026 Security Bulletin states: “The most severe of these issues is a critical security vulnerability in the Framework component that could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.”
