Patch Now: Linux Kernel Privilege Escalation; cPanel & WHM Authentication Bypass; Gemini CLI RCE

Theori has disclosed and published a proof-of-concept exploit for a high-severity flaw in the Linux kernel affecting most distributions of Linux released since 2017. CVE-2026-31431, CVSS score 7.8, allows an unprivileged local attacker to elevate privileges to root by using a ten-line Python script to "trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system," which could include modifying a setuid binary. Researcher Taeyang Lee discovered this vulnerability with assistance from Theori's Xint Code AI tool, while "studying how the Linux crypto subsystem interacts with page-cache-backed data." Theori disclosed the vulnerability to the Linux kernel security team on March 23, 2026, and patches were committed to the mainline kernel by April 1. However, Will Dormann, Senior Principal Vulnerability Analyst at Tharros Labs, has criticized the researchers for not coordinating with maintainers of major Linux distributions before disclosure, meaning the exploit was public before many distributions could address the flaw; several major distributions do not have patches available at the time of this writing. Users should consult their distribution's advisories to determine if they are affected, and apply kernel updates once available, "prioritizing Kubernetes nodes and CI/CD runners." CERT-EU offers temporary mitigation recommendations to take while awaiting a kernel patch: "Disable the algif_aead kernel module persistently on all affected systems" and "[block] AF_ALG socket creation via seccomp policies on all containerised workloads and pipelines, regardless of patch status."

Web hosting control panel provider cPanel has disclosed and issued patches for a critical flaw affecting all currently supported versions of cPanel and its WebHost Manager (WHM) administrative interface application. CVE-2026-41940, CVSS score 9.8, allows a remote unauthenticated attacker to gain access to the control panel by using carriage return line feed (CRLF) injection to bypass authentication in cPanel and WHM 11.40 and later. The flaw also affects WP Squared, a platform offering cPanel management of WordPress hosting. Watchtowr estimates that cPanel and WHM are in use for over 70 million domains; Rapid7's Shodan scan indicates about 1.5 million vulnerable cPanel instances are exposed to the internet. The flaw was added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) on April 30, with a mitigation deadline of May 3. Domain name registrar Namecheap responded by immediately "appl[ying] a firewall rule to block access to TCP ports 2083 and 2087," and has applied the fix to all servers as of 2:42 UTC on April 28. cPanel's advisory gives instructions to users to upgrade to fixed cPanel and WHM versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.136.0.5, and 11.134.0.20, and to WP Squared version 136.1.7. If updates cannot be applied, cPanel recommends mitigation by blocking ports 2083, 2087, 2095, and 2096 at the firewall, or by stopping cpsrvd and cpdavd. cPanel has also provided a detection script to check for indicators of compromise.

Google has patched a maximum-severity flaw in Gemini CLI and the run-gemini-cli GitHub action. Novee Security, who disclosed the issue to Google, states that the vulnerability allows a remote attacker to trigger command execution on the host system by planting a malicious configuration in a repository's workspace, taking advantage of Gemini CLI's automatic trust of the current workspace folder when running in headless mode. The agent would act on the file "without review, sandboxing, or human approval." A CVE has not yet been assigned at the time of this writing. Google's fix is to require explicit trust of folders before configuration files are processed, which means that pipelines including GitHub actions "will fail to load workspace-specific settings until they are updated to use explicit trust mechanisms." Users whose workflows run on trusted inputs should set GEMINI_TRUST_WORKSPACE to 'true', and users whose workflows run on untrusted inputs should review Google's guidance for hardening against malicious content and setting the environment variable. Gemini CLI versions 0.39.1 and 0.40.0-preview.3 include folder trust and tool allowlisting, and the run-gemini-cli GitHub Action will automatically run the latest version unless a workflow specifies an older version.

On Wednesday, April 29, 2026, SonicWall released firmware updates to address three vulnerabilities in SonicOS. CVE-2026-0204 is a high-severity improper access control vulnerability, CVE-2026-0205 is a medium-severity post-authentication path traversal vulnerability, and CVE-2026-0206 is a medium-severity post-authentication stack-based buffer overflow vulnerability. The flaws affect SonicWall's Gen6, Gen7, and Gen8 firewalls. If users are unable to apply the fixes immediately, SonicWall "strongly recommends that administrators fully disable HTTP/HTTPS-based firewall management and SSLVPN on all interfaces, and restrict management access to SSH only." SonicWall's security advisory credits the Advanced Research Team at CrowdStrike.

An open-source tool built by the NSA for mapping the network architecture of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems is vulnerable to information exposure, warns the US Cybersecurity and Infrastructure Security Agency (CISA). CVE-2026-6807, CVSS score 5.5, could allow an attacker to expose sensitive information by using crafted session data to trigger improper handling of XML input, due to insufficient hardening of the XML parsing process in GRASSMARLIN v3.2.1. This flaw will not be patched, because GRASSMARLIN reached end of life (EoL) status in 2017. CISA recommends users ensure control systems are not exposed to the internet; isolate control system networks and remote devices from business networks and protect them behind firewalls; use up-to-date VPNs for remote access, acknowledging that a VPN "is only as secure as the connected devices"; and follow best practices for defending ICS and protecting against social engineering. Rapid7 penetration tester Anna Quinn has published a proof-of-concept exploit and notes that the main vector of risk for exploitation is through phishing.

Microsoft has announced that it intends to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online later this year. Microsoft ended support for TLS 1.0 and 1.1 in 2020 and began blocking older versions of TLS in early 2023 while allowing users to opt in to continue their use. Starting in July 2026, Microsoft will begin to completely block legacy versions of TLS. Microsoft expects that the July deadline will affect only users who have opted in to using legacy endpoints. Affected users are urged to ensure that their email clients, applications, and libraries support TLS 1.2 or later and are not using legacy endpoints to connect to Exchange Online. For reference, TLS 1.0 and 1.1 were introduced in 1999 and 2006, respectively.

On Tuesday, April 28, Google and Mozilla both released updates for their flagship browsers to address a variety of security issues. Google Chrome 147 includes fixes for 30 flaws, including four critical use-after-free vulnerabilities. Firefox 150.0.1 includes fixes for four security issues, including three critical and high-severity memory safety bugs and a high-severity information disclosure vulnerability.

The US Federal Bureau of Investigation's (FBI's) Internet Crime Complaint Center (IC3) has published a PSA "to warn the public of cyber threat actors increasingly using sophisticated, cyber-enabled tactics to impersonate legitimate businesses to hijack freight, steal high-value shipments, and reroute deliveries, resulting in a surge of strategic cargo theft." Losses from cargo theft in the US and Canada last year were estimated to be nearly $725 million, a 60 percent increase over the figures for 2024. The threat actors start by compromising carrier brokers' load board accounts; a load board is an online marketplace where shippers can connect with carriers. Once threat actors have control of that account, they post fake loads online and respond to bidding carriers with malicious links that turn over control of the carriers' systems. They then bid on real loads and reroute them. The PSA includes a list of indicators of cyber-enabled cargo theft schemes as well as advice for shippers and carriers to protect their businesses.

Researchers at the US Department of Energy's Oak Ridge National Laboratory in Tennessee have developed a new device that can detect both spoofing and jamming of GPS satellite signals. While there are commercial tools available to detect and mitigate GPS jamming, doing the same for spoofing has proven more complex. "The ORNL technology detects location, time, and data spoofing. It is effective regardless of whether the attacker is faking all satellite signals or only a few, and regardless of movement. Its most distinctive feature is the ability to distinguish spoofing, even when fake and real signals are equally strong, a functionality no other known systems possess." The ORNL team's focus for this project is trucking: GPS spoofing has been used to make it appear that goods are on their expected route, while they have actually been rerouted by thieves. The ORNL team is now working on making the device more affordable.

Colorado legislators voted against a bill that would have dismantled parts of the state's right-to-repair law. That law, the Consumer Right to Repair Digital Electronic Equipment, was passed in 2024 and took effect in January 2026. The new bill would have exempted equipment designated as "critical infrastructure" from the right-to-repair protections. In early April, the bill passed a state Senate committee hearing unanimously and passed in the full state Senate on April 16. However, a lengthy hearing in the Colorado House’s State, Civic, Military, and Veterans Affairs Committee earlier this week resulted in the bill being voted down and indefinitely postponed. French law enforcement officials have detained a 15-year-old individual in connection with the cyberattack on France's National Agency for Secure Documents (ANTS), the country's agency that manages passports, driver's licenses, identification cards, and other secure documents. The suspect allegedly broke into ANTS systems, stole data, and tried to sell the data online.