Fragnesia Linux LPE PoC Circulates
Fragnesia Linux kernel LPE has a public PoC, while critical ksmbd RCE flaws and actively exploited WordPress plugin bugs demand urgent patching.

The day's highest-signal story is CVE-2026-43500, a new Linux kernel privilege-escalation flaw dubbed Fragnesia (also reported under the name "DirtyDecrypt"), for which a public PoC is already circulating. It is a use-after-free in the kernel's rxrpc (AF_RXRPC) subsystem that lets an unprivileged local user escalate to root. As BleepingComputer reported, the bug stems from the earlier Dirty Frag patch and affects multiple distributions; The Register notes it also allows reading root-only files. Tenable and Help Net Security have published detailed FAQs. Fixes are in the mainline kernel, and distributions including Debian 13.5 (per Help Net Security) have begun shipping patched kernels. Given the public PoC and root-level impact, prioritize patching on any Linux server or workstation where untrusted users or code can run locally; because the flaw is local, a host does not need to be internet-exposed to be at risk. Where AF_RXRPC is not needed, preventing the rxrpc module from autoloading is a standard interim mitigation until the patched kernel is installed.
Two critical flaws in ksmbd, the Linux kernel's in-kernel SMB server, enable remote code execution and denial of service: a use-after-free (CVE-2026-31718) and an insufficient ACE-size check (CVE-2026-31712). CVE-2026-31718 is a use-after-free in __ksmbd_close_fd() reached through the durable-handle scavenger path when a session disconnects without a proper SMB2_LOGOFF; an attacker who can establish an SMB session can use it to corrupt kernel memory. CVE-2026-31712 is a missing minimum-ACE-size validation in smb_check_perm_dacl() that can lead to out-of-bounds reads when a DACL containing undersized ACEs is parsed. Both affect only the in-kernel ksmbd server, not the user-space Samba daemon (smbd); check whether the ksmbd module is actually loaded before assuming a host is unaffected, since ksmbd is enabled by default in several NAS-focused distributions. Patches are in the mainline kernel; administrators running ksmbd should update immediately, or unload the module until they can.
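The ACE-size problem behind CVE-2026-31712 is a generic parsing pitfall: every ACE carries its own size field, and a parser that trusts that field without a lower bound can read past the ACE (or, with AceSize == 0, never advance). The following is an added illustrative DACL walker in Python, not ksmbd's smb_check_perm_dacl() or any other kernel code; it uses the standard Windows ACL/ACE/SID wire layouts and builds its own constructed sample DACLs (the helper build_dacl and the size_override knob are invented for the demonstration).

```python
import struct

ACL_HDR = struct.Struct("<BBHHH")   # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HDR = struct.Struct("<BBH")     # AceType, AceFlags, AceSize
ACE_MIN_LEN = ACE_HDR.size + 4      # header + 4-byte access mask; the SID follows
SID_MIN_LEN = 8                     # Revision, SubAuthorityCount, 6-byte IdentifierAuthority


def parse_sid(sid: bytes) -> str:
    """Decode a binary SID to S-R-A-S... form, checking SubAuthorityCount against the bytes present."""
    if len(sid) < SID_MIN_LEN:
        raise ValueError("SID truncated")
    rev, count = sid[0], sid[1]
    if len(sid) < SID_MIN_LEN + 4 * count:
        raise ValueError("SubAuthorityCount exceeds SID bytes")
    auth = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", sid, 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def walk_dacl(buf: bytes) -> list:
    """Return [(ace_type, access_mask, sid_string), ...] or raise ValueError.
    Every length field is checked against its enclosing structure before being used."""
    if len(buf) < ACL_HDR.size:
        raise ValueError("ACL header truncated")
    _rev, _sbz1, acl_size, ace_count, _sbz2 = ACL_HDR.unpack_from(buf, 0)
    if acl_size < ACL_HDR.size or acl_size > len(buf):
        raise ValueError("AclSize outside buffer")
    aces = []
    off = ACL_HDR.size
    for _ in range(ace_count):
        if acl_size - off < ACE_HDR.size:
            raise ValueError("ACE header does not fit in ACL")
        ace_type, _flags, ace_size = ACE_HDR.unpack_from(buf, off)
        # The minimum-size check the advisory describes as missing. Without it an
        # AceSize smaller than the fixed fields makes the mask/SID reads run past
        # the ACE, and AceSize == 0 keeps `off` from ever advancing.
        if ace_size < ACE_MIN_LEN:
            raise ValueError(f"AceSize {ace_size} below minimum {ACE_MIN_LEN}")
        if ace_size > acl_size - off:
            raise ValueError("AceSize runs past end of ACL")
        mask = struct.unpack_from("<I", buf, off + ACE_HDR.size)[0]
        sid = buf[off + ACE_MIN_LEN: off + ace_size]
        aces.append((ace_type, mask, parse_sid(sid)))
        off += ace_size
    return aces


def dacl_is_valid(buf: bytes) -> bool:
    try:
        walk_dacl(buf)
        return True
    except ValueError:
        return False


def build_dacl(aces: list) -> bytes:
    """Constructed-sample builder (not a real API): packs (ace_type, mask, sid_bytes, size_override)
    tuples; size_override lets a test write a bogus AceSize while the body keeps its real length."""
    body = b""
    for ace_type, mask, sid, size_override in aces:
        size = ACE_MIN_LEN + len(sid) if size_override is None else size_override
        body += ACE_HDR.pack(ace_type, 0, size) + struct.pack("<I", mask) + sid
    return ACL_HDR.pack(2, 0, ACL_HDR.size + len(body), len(aces), 0) + body


EVERYONE = bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0)   # S-1-1-0, 12 bytes
GOOD_DACL = build_dacl([(0, 0x001F01FF, EVERYONE, None)])            # one ACCESS_ALLOWED ACE
ZERO_ACE_DACL = build_dacl([(0, 0x001F01FF, EVERYONE, 0)])           # AceSize == 0
OVERSIZED_ACE_DACL = build_dacl([(0, 0x001F01FF, EVERYONE, 0x40)])   # AceSize past AclSize

if __name__ == "__main__":
    print(walk_dacl(GOOD_DACL))
    for name, sample in (("zero", ZERO_ACE_DACL), ("oversized", OVERSIZED_ACE_DACL)):
        print(name, "accepted" if dacl_is_valid(sample) else "rejected")
```

The two rejected samples are exactly the inputs a parser without the lower bound mishandles: the zero-size ACE is read as a full ACE whose mask and SID bytes belong to whatever follows, and the oversized one pulls the SID from beyond the ACL.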
A critical arbitrary file upload vulnerability in the Peugeot Music WordPress plugin (CVE-2018-25335) allows unauthenticated attackers to upload malicious files, with active exploitation reported. The plugin's upload.php endpoint accepts POST requests without any authentication or file-type validation, enabling attackers to upload web shells and take over sites. The Hacker News and BleepingComputer both cover active exploitation campaigns. Separately, the AI Engine plugin (CVE-2026-8719, CVSS 8.8) has a privilege-escalation flaw in its MCP OAuth bearer-token authorization that lets attackers gain administrative access. Wordfence estimates over 200,000 sites are at risk from related WordPress plugin flaws. Site operators should audit their plugin inventories and apply any available updates.
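An unauthenticated plugin upload.php that accepts any POST leaves a characteristic pair of log entries: the POST to the handler, then a request for a .php file under wp-content/uploads from the same client, which WordPress itself never does. The following is an added detection example in Python over constructed access-log lines, not code from the plugin, from Wordfence or from either news source; the plugin slug "some-plugin" in the sample lines is a placeholder, and the timestamps and IPs are made up.

```python
import re
from collections import defaultdict

# Combined/common log format; only the fields the detection needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Any plugin-tree upload handler; the vulnerable POST carries no nonce or cookie
# check, so the request line is the only signal the server records.
UPLOAD_RE = re.compile(r'^/wp-content/plugins/[^/]+/.*upload\.php$')
# PHP requested from the uploads tree is the web-shell tell.
SHELL_RE = re.compile(r'^/wp-content/uploads/.*\.php$')


def parse(line: str):
    """Return a dict of log fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_then_shell(lines):
    """Return [(ip, upload_path, shell_path)] for each request to a .php file under
    wp-content/uploads made by a client that earlier POSTed to a plugin upload.php."""
    uploads = defaultdict(list)
    hits = []
    for line in lines:
        r = parse(line)
        if not r:
            continue
        path = r["path"].split("?", 1)[0]      # drop the query string before matching
        if r["method"] == "POST" and UPLOAD_RE.match(path):
            uploads[r["ip"]].append(path)
        elif SHELL_RE.match(path) and uploads.get(r["ip"]):
            hits.append((r["ip"], uploads[r["ip"]][-1], path))
    return hits


SAMPLE_LOG = [  # constructed sample traffic, not real logs; plugin slug is a placeholder
    '203.0.113.7 - - [10/May/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/May/2026:10:01:09 +0000] "POST /wp-content/plugins/some-plugin/upload.php HTTP/1.1" 200 41',
    '203.0.113.7 - - [10/May/2026:10:01:11 +0000] "GET /wp-content/uploads/2026/05/x.php?cmd=id HTTP/1.1" 200 77',
    '198.51.100.4 - - [10/May/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/05/logo.png HTTP/1.1" 200 9001',
    '198.51.100.4 - - [10/May/2026:10:02:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, upload, shell in find_upload_then_shell(SAMPLE_LOG):
        print(f"{ip}: POST {upload} then {shell}")
```

The second regex on its own is worth alerting on regardless of what preceded it: if the web server is configured to not execute PHP under wp-content/uploads (a common hardening step), such requests should return 403 or 404, and a 200 there means the hardening is missing.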
GitBucket 4.23.1 ships with a critical unauthenticated RCE (CVE-2018-25332, CVSS 9.8) that combines weak secret-token generation with an insecure file upload: an attacker brute-forces the weak secret token, then uploads a file that executes arbitrary commands on the server. GitBucket is a popular self-hosted Git server written in Scala, often used in CI/CD pipelines. There is no evidence of active exploitation yet, but the CVSS 9.8 score and the lack of any authentication requirement make this a high-priority patch for any organization running an exposed instance. No public PoC has been confirmed in today's sources, but the technical details are straightforward enough that weaponization is likely.
ACL Analytics versions 11.x through 13.0.0.579 contain a critical arbitrary code execution flaw (CVE-2018-25320, CVSS 9.8) via the EXECUTE function. Attackers can leverage bitsadmin to download and execute malicious PowerShell payloads. ACL Analytics is widely used in audit, finance, and compliance departments for data analysis. The attack vector is unauthenticated and requires no user interaction. Organizations using ACL Analytics should verify they are on version 13.0.0.580 or later. Given the product's deployment in sensitive financial-data environments, this warrants immediate attention.
Das U-Boot before 2026.04 is vulnerable to a FIT image signature-verification bypass (CVE-2026-46728, CVSS 8.2). The flaw occurs because the hashed-nodes property is omitted from the hash calculation, so the list of what the signature covers is itself unauthenticated, allowing an attacker to modify portions of a signed FIT image without invalidating the signature. U-Boot is the bootloader used in countless embedded Linux devices, routers, IoT hardware, and single-board computers. An attacker with physical access or the ability to intercept firmware updates could install a malicious boot image. Device manufacturers and embedded Linux distributors should update to U-Boot 2026.04 or later. Because the bootloader is typically flashed at manufacture and rarely updated in the field, the practical fix is a rebuilt U-Boot from the device vendor; until the bootloader itself is replaced, verified-boot deployments should treat signed FIT images as tamperable.
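The principle behind this class of bug is that metadata describing which parts of an image are covered by a signature must itself be under the signature. The following added Python model illustrates that principle and nothing more: it is not U-Boot's FIT format, its fit_image verification code, or the concrete attack path of CVE-2026-46728. It stands in a tiny dict for the image, a list named hashed-nodes for the covered nodes, and an HMAC with a constructed key in place of the vendor's RSA signature; the rename trick in tamper() is one way the model can be abused when the list is unhashed, and what a real image would need changed will differ.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # stands in for the vendor's private signing key


def digest(image: dict, cover_list: bool) -> bytes:
    """Hash the contents of the nodes named in image['hashed-nodes'].
    cover_list=False models the flaw: the list itself is left out of the hash."""
    h = hashlib.sha256()
    if cover_list:
        h.update(",".join(image["hashed-nodes"]).encode())
    for name in image["hashed-nodes"]:
        h.update(image["images"][name])
    return h.digest()


def sign(image: dict, cover_list: bool) -> dict:
    signed = dict(image)
    signed["signature"] = hmac.new(KEY, digest(image, cover_list), "sha256").digest()
    return signed


def verify(image: dict, cover_list: bool) -> bool:
    expected = hmac.new(KEY, digest(image, cover_list), "sha256").digest()
    return hmac.compare_digest(expected, image["signature"])


def boot_payload(image: dict) -> bytes:
    """What the loader would actually run: the node the configuration points at."""
    return image["images"][image["config"]["kernel"]]


def tamper(signed: dict) -> dict:
    """Attacker move in the model: keep the original kernel bytes under a new name that
    the (unhashed) hashed-nodes list now references, and put a modified kernel under the
    name the boot configuration loads. The signature is copied through untouched."""
    evil = dict(signed)
    evil["images"] = dict(signed["images"])
    evil["images"]["kernel-orig"] = signed["images"]["kernel"]
    evil["images"]["kernel"] = b"MODIFIED-KERNEL"
    evil["hashed-nodes"] = ["kernel-orig" if n == "kernel" else n for n in signed["hashed-nodes"]]
    return evil


ORIGINAL = {  # constructed sample image
    "images": {"kernel": b"GOOD-KERNEL", "fdt": b"GOOD-FDT"},
    "hashed-nodes": ["kernel", "fdt"],
    "config": {"kernel": "kernel", "fdt": "fdt"},
}


def demo(cover_list: bool):
    """Returns (original verifies, tampered verifies, bytes the tampered image would boot)."""
    signed = sign(ORIGINAL, cover_list)
    evil = tamper(signed)
    return verify(signed, cover_list), verify(evil, cover_list), boot_payload(evil)


if __name__ == "__main__":
    print("list not hashed:", demo(False))   # tampered image still verifies
    print("list hashed:    ", demo(True))    # tampered image is rejected
```

With the list excluded, the verifier recomputes exactly the bytes the attacker wants it to see and accepts the image, while the loader boots the modified node; including the list in the digest is the whole fix in this model.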