VYPR
AI Brief · 2026-05-10 · generated May 10, 2026

CISA Adds Linux and LiteLLM Flaws to KEV

CISA has added a critical Linux kernel privilege escalation and a LiteLLM SQL injection to its list of actively exploited vulnerabilities.

CISA has officially added the Linux kernel vulnerability CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalog. Often referred to as "Copy Fail," this flaw resides in the `algif_aead` cryptographic interface and allows for reliable local privilege escalation, granting attackers root access across major distributions. As The Hacker News reported, the vulnerability stems from a regression in how the kernel handles out-of-place operations. Security teams should prioritize patching, as The Register Security noted that attackers are actively leveraging this flaw to escalate privileges in the wild.

The LiteLLM proxy server is under active exploitation following the disclosure of a critical SQL injection vulnerability, CVE-2026-42208. The flaw exists in the proxy's API key verification process, where user-supplied input is improperly sanitized before being included in database queries. According to The Hacker News, exploitation began within 36 hours of the vulnerability's public disclosure. CISA has added this to the KEV catalog, and users are urged to update to version 1.83.7 or later to mitigate the risk of unauthorized access and potential credential theft.

Multiple critical command injection vulnerabilities have been identified in the Electerm terminal and SSH client, specifically CVE-2026-41501, CVE-2026-41500, and CVE-2026-43944. These flaws allow for arbitrary local code execution through various vectors, including crafted deep links, CLI arguments, and malicious shortcuts. The vulnerabilities impact versions prior to 3.3.8 and 3.8.15 respectively. Given the nature of the application as a multi-protocol client, successful exploitation could lead to full system compromise for users who interact with malicious configuration files or external links.

Critical sandbox breakout vulnerabilities have been disclosed for the Node.js VM2 library, identified as CVE-2026-24781 and CVE-2026-24118. Both vulnerabilities allow attackers to escape the restricted environment and execute arbitrary commands on the underlying host system, effectively bypassing the intended security boundaries of the sandbox. These issues affect all versions prior to 3.11.0. Organizations relying on VM2 for executing untrusted JavaScript code should immediately audit their dependencies and upgrade to the patched version to prevent host-level compromise.

Argo Workflows is facing two high-severity security issues, CVE-2026-42297 and CVE-2026-42295, affecting versions 4.0.0 through 4.0.4. The first involves a failure to validate inputs in the Sync Service's ConfigMap-backed provider, while the second involves the insecure logging of sensitive artifact repository credentials, such as S3 access keys, to workflow executor logs. These vulnerabilities expose organizations to potential lateral movement and credential harvesting within their Kubernetes environments. Users are advised to upgrade to version 4.0.5 or later to address these configuration and logging weaknesses.

Synthesized by Vypr AI