A critical authentication bypass vulnerability in cPanel software has triggered widespread exploitation within 24 hours of disclosure, while two new Linux kernel vulnerabilities are already seeing active attacks. CVE-2026-41940, affecting cPanel, WebHost Manager, and WP Squared products, carries a CVSS score of 9.8 and allows attackers to gain administrative access to servers hosting millions of websites.
According to Dark Reading, KnownHost CEO Daniel Pearson confirmed the vulnerability had been exploited “at least for the last 30 days,” with attack attempts traced back to February 23. Internet scanning from Censys showed multiple threat actors began targeting the flaw within hours of the April 29 disclosure.
cPanel Zero-Day Exploitation Predates Disclosure
The cPanel vulnerability timeline reveals concerning pre-disclosure activity. WatchTowr Labs published a proof-of-concept exploit on April 29, describing the flaw as a “disaster” that enables complete server takeover. KnownHost flagged approximately 30 servers showing exploitation attempts, confirming the vulnerability operated as a zero-day for at least a month before public disclosure.
The authentication bypass affects all supported versions of cPanel’s web hosting control panel software. Once exploited, attackers gain administrative privileges over both the hosting infrastructure and individual websites. The rapid weaponization following disclosure demonstrates the high-value target these hosting platforms represent to threat actors.
Linux Kernel Vulnerabilities Enable Root Access
Two separate Linux kernel vulnerabilities are enabling privilege escalation attacks across major distributions. CVE-2026-31431, dubbed “Copy Fail,” has been added to CISA’s Known Exploited Vulnerabilities catalog after confirming active exploitation. The vulnerability affects the kernel’s authentication AEAD template and has lurked undetected since 2017.
Microsoft reported limited in-the-wild exploitation of Copy Fail, primarily involving proof-of-concept testing. However, the company warns the vulnerability has “broad applicability” with a working exploit publicly available. Successful exploitation leads to full root privilege escalation and can facilitate container breakouts in cloud environments.
A second Linux vulnerability chain called “Dirty Frag” combines CVE-2026-43284 and CVE-2026-43500 to achieve deterministic privilege escalation. SecurityWeek reported that researcher Hyunwoo Kim disclosed the vulnerability responsibly, but premature public disclosure forced the early release of technical details. Microsoft’s Defender has detected limited activity potentially indicating exploitation of either Dirty Frag or Copy Fail.
Android and AI Tool Vulnerabilities Patched
Google patched CVE-2026-0073, a critical remote code execution vulnerability in Android’s System component affecting the Android Debug Bridge daemon (adbd). According to SecurityWeek, the flaw allows attackers to execute code as the shell user without additional privileges or user interaction. No evidence suggests active exploitation of this Android vulnerability.
A separate critical vulnerability in Google’s Gemini CLI tool received a perfect CVSS score of 10.0. Pillar Security discovered the flaw could enable supply chain attacks through indirect prompt injection via GitHub issues. In “yolo mode,” the AI agent would ignore tool allowlists and execute any command, potentially allowing attackers to extract secrets and gain repository write access.
Exploitation Techniques and Attack Vectors
The Linux vulnerabilities demonstrate sophisticated attack chaining capabilities:
- Copy Fail modifies cache pages of setuid-root binaries in memory, leaving minimal forensic traces
- Dirty Frag requires no race conditions and maintains high success rates across attempts
- Both vulnerabilities can be chained with SSH access, malicious CI jobs, or container access
Cloud environments face particular risk due to the reliability and stealth characteristics of these exploits. The in-memory-only modifications make detection challenging for traditional security tools.
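One defender-side check that follows from the list above, added here as an illustration rather than code from the article or from any vendor it names: because the tampering lands in the page cache of setuid-root binaries, an ordinary read of the file returns the modified bytes, so re-hashing setuid binaries on a live host against a baseline taken from a trusted source (a package manager's manifest, or a digest recorded at install time and stored off-host) will show the change. The function names, the `owner_uid` parameter (so the self-test can run without root) and the temporary-directory sample in `demo()` are my own assumptions; on a real host you would point `find_setuid` at `/` and supply a baseline you trust.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file as it reads right now (i.e. through the page cache)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid(root, owner_uid=0):
    """Walk `root` and return regular files that have the setuid bit set and are
    owned by `owner_uid` (0 = root in production; the self-test uses the caller's uid)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = os.lstat(p)  # lstat so symlinks are not followed
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.append(p)
    return sorted(found)


def build_baseline(paths):
    """Record digests for the given binaries. In practice take this from a trusted
    source and keep it off the host; a baseline taken after compromise is worthless."""
    return {str(p): sha256_file(p) for p in paths}


def check_baseline(paths, baseline):
    """Compare current digests with the baseline.
    Returns {path: 'ok' | 'MODIFIED' | 'UNKNOWN'}; UNKNOWN means a setuid binary
    that was not in the baseline at all, which also deserves a look."""
    results = {}
    for p in paths:
        key = str(p)
        digest = sha256_file(p)
        if key not in baseline:
            results[key] = "UNKNOWN"
        elif baseline[key] != digest:
            results[key] = "MODIFIED"
        else:
            results[key] = "ok"
    return results


def demo():
    """Constructed sample: one fake setuid file in a temp dir, checked before and
    after its contents are changed. Returns the three result dicts."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "fake_su")
    with open(p, "wb") as f:
        f.write(b"original binary contents")
    os.chmod(p, 0o4755)  # setuid bit on a file we own
    paths = find_setuid(d, owner_uid=os.getuid())
    baseline = build_baseline(paths)
    before = check_baseline(paths, baseline)
    with open(p, "wb") as f:  # stands in for the tampered bytes a read would return
        f.write(b"tampered binary contents")
    after = check_baseline(paths, baseline)
    unknown = check_baseline(paths, {})
    return before, after, unknown


if __name__ == "__main__":
    for label, result in zip(("before", "after", "no baseline"), demo()):
        print(label, result)
```

Two caveats matter in practice: the article describes the modification as in-memory only, so the check has to run on the live host (a scan of the disk image after a reboot or cache eviction will not see it), and a host that is already root-compromised can lie to the scanner, so treat a clean result as one signal among several rather than proof of integrity.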
What This Means
This vulnerability cluster highlights the compressed timeline between disclosure and active exploitation in today’s threat landscape. The cPanel zero-day activity predating disclosure suggests sophisticated threat actors maintain extensive vulnerability research capabilities, potentially stockpiling exploits for high-value targets.
The Linux kernel vulnerabilities pose significant risks to cloud infrastructure, where privilege escalation can lead to multi-tenant compromise and lateral movement. Organizations running containerized workloads should prioritize patching, as these vulnerabilities can facilitate container escapes to host systems.
The rapid weaponization patterns observed across these vulnerabilities reinforce the need for automated patch management and continuous vulnerability monitoring. Security teams now have hours, not days, to respond to critical disclosures before exploitation begins.
FAQ
How quickly should organizations patch the cPanel vulnerability?
Immediate patching is critical, as CVE-2026-41940 was exploited as a zero-day for at least 30 days before disclosure and came under mass exploitation within 24 hours of the April 29 announcement.
Which Linux distributions are affected by Copy Fail and Dirty Frag?
Copy Fail (CVE-2026-31431) affects all Linux distributions since 2017, while Dirty Frag impacts major distributions through the xfrm-ESP and RxRPC kernel components. Both require local access but enable full root privilege escalation.
Are there indicators of compromise for these vulnerabilities?
Microsoft’s Defender has detected limited activity potentially indicating Linux vulnerability exploitation, including modifications to GLPI LDAP authentication files and reconnaissance activities. The in-memory nature of these exploits makes detection challenging through traditional methods.