Vypr AI Brief · 2026-05-07 (generated May 7, 2026)

CISA Adds Actively Exploited Linux Kernel Flaw to KEV

CISA has added a critical Linux kernel privilege escalation vulnerability to its list of actively exploited flaws as researchers warn of widespread impact.

CISA has officially added CVE-2026-31431, a critical Linux kernel privilege escalation vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. Often referred to as "Copy Fail," this flaw stems from an issue in the `algif_aead` crypto interface where improper handling of out-of-place operations can be leveraged for local root access. Security researchers and industry analysts have highlighted the vulnerability's potential for reliable exploitation across major Linux distributions. Given its active exploitation in the wild, organizations should prioritize patching or applying vendor-supplied mitigations immediately to prevent unauthorized privilege escalation.

A series of critical vulnerabilities in Apache Polaris, tracked as CVE-2026-42809, CVE-2026-42810, CVE-2026-42811, and CVE-2026-42812, exposes the platform to significant storage credential and metadata manipulation risks. These flaws allow attackers to bypass intended access controls, potentially leading to unauthorized access to S3 or GCS buckets by exploiting how the system handles namespace names, table metadata, and temporary credential issuance. Because these issues involve the core security architecture of how Polaris manages delegated storage access, they represent a severe risk to data integrity and confidentiality. Administrators must review their Polaris configurations and apply updates to ensure that storage policies are correctly scoped and validated.

Unisys WebPerfect Image Suite is affected by two critical vulnerabilities, CVE-2026-39906 and CVE-2026-39907, which allow unauthenticated remote attackers to compromise systems via TCP port 1208. The first flaw involves a deprecated .NET Remoting channel that permits the leakage of NTLMv2 machine-account hashes, while the second allows for path traversal and file access through an unsanitized WCF SOAP endpoint. These vulnerabilities provide clear paths for both credential harvesting and unauthorized file system interaction. Given the ease of exploitation for unauthenticated actors, these services should be isolated from public network access until patches are applied.

Multiple critical vulnerabilities have been identified in legacy and enterprise software, including Eclipse Equinox OSGi (CVE-2023-54342, CVE-2023-54344), Kestra (CVE-2026-38428), and ERPNext (CVE-2026-38431). The Eclipse Equinox flaws allow unauthenticated remote code execution via the OSGi console, while Kestra and ERPNext are susceptible to SQL injection and server-side template injection, respectively. These vulnerabilities highlight the persistent risk posed by exposed management interfaces and improperly sanitized user inputs in web-based applications. Organizations should audit their environments for these specific versions and prioritize the remediation of any internet-facing instances.

A cluster of critical vulnerabilities continues to plague network appliances, specifically affecting the D-Link DI-8100 (CVE-2026-7853, CVE-2026-7854), Totolink A8000RU (CVE-2026-7823), and EFM ipTIME NAS1dual (CVE-2026-7834). These devices are vulnerable to buffer overflow and OS command injection flaws, typically triggered through manipulated CGI or HTTP parameters. Such flaws are frequently targeted by automated botnets looking to gain initial access to small office and home office (SOHO) networks. Users of these devices should check for firmware updates or, if no patch is available, restrict management access to trusted internal networks only.

Synthesized by Vypr AI