ksmbd RCE, a Wazuh cluster takeover, and an OpenSSL use-after-free
Linux's in-kernel SMB server has a CVSS 9.8 buffer bug that looks like unauthenticated RCE. Wazuh cluster sync has a 9.0 path traversal to code execution. OpenSSL's DANE verification has a use-after-free (CVSS 8.1, EPSS near zero) worth watching but not panicking over.
Two 9.8s and a 9.0 landed today. None has known in-the-wild exploitation yet; don't let that make you comfortable. A buffer-size calculation bug in ksmbd (the in-kernel SMB3 server) is the headliner: unauthenticated, remote, and likely RCE on any host that exposes it to a network. Right behind it, an authenticated Wazuh cluster peer can chain a path traversal into full code execution on the other nodes of the cluster.
Today's CVEs
Sorted by urgency
CVE-2026-30893
NVD
An authenticated Wazuh cluster peer can exploit a path traversal in the cluster sync routine to write arbitrary files on other cluster nodes. Because the writable locations include Python modules that Wazuh loads, an overwrite there is effectively code execution in the Wazuh service context on every peer. If the cluster daemon runs with elevated privileges, that is full system compromise.
- Included because
- prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
- Affected estate
- Wazuh Manager nodes running versions 4.4.0 through 4.14.3 in a multi-node cluster configuration.
- How to check
- Run `/var/ossec/bin/wazuh-control info` on each manager node, or query the Wazuh API with `GET /manager/info`. Versions 4.4.0 through 4.14.3 are vulnerable. The advisory scopes this to multi-node clusters, so also confirm the node is actually in cluster mode: the `<cluster>` block in `/var/ossec/etc/ossec.conf` has `<disabled>no</disabled>` (Wazuh ships it as `yes`).
- Action
- Upgrade every cluster node to Wazuh 4.14.4 or later, master node first, then the workers. Peers authenticate to each other with the shared cluster `<key>`, so if you suspect a peer is already compromised, rotate that key across the cluster as part of the upgrade rather than leaving the old one in place.
- Urgency
- Patch immediately
- Why it matters
- A compromised or rogue cluster peer can achieve code execution on every other node in your Wazuh cluster, potentially with root-level access.
- Source
- Wazuh vendor advisory
Evidence trail
- NVD: View source
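The version and cluster-mode checks above, as an added example that is not Wazuh's own tooling. It classifies a version string against the advisory range (4.4.0 through 4.14.3) and reads cluster mode and node type out of an `ossec.conf`; the config excerpt it writes is constructed sample input. Two assumptions: `wazuh-control info` prints a `WAZUH_VERSION="v4.x.y"` line, and the cluster daemon's command line contains `wazuh-clusterd` (both labelled in the comments).

```sh
#!/bin/sh
# Added example, not Wazuh's own tooling: classify a manager against the
# CVE-2026-30893 range (4.4.0 through 4.14.3) and read cluster mode from ossec.conf.
# The ossec.conf written below is constructed sample input.

# Numeric dotted-version compare; prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing trailing fields count as 0, so 4.14 == 4.14.0. Fields must be numeric.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Advisory range: 4.4.0 <= version <= 4.14.3. A leading "v" (as wazuh-control
# prints it) is tolerated.
wazuh_affected() {
    v="${1#v}"
    if [ "$(vercmp "$v" 4.4.0)" -ge 0 ] && [ "$(vercmp "$v" 4.14.3)" -le 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Wazuh ships the <cluster> block with <disabled>yes</disabled>; only nodes set
# to "no" take part in the peer sync the traversal lives in. Prints the node
# type as well so you know whether you are looking at the master or a worker.
cluster_mode() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    block=$(sed -n '/<cluster>/,/<\/cluster>/p' "$1")
    disabled=$(printf '%s\n' "$block" \
        | sed -n 's/.*<disabled>[[:space:]]*\([A-Za-z]*\)[[:space:]]*<\/disabled>.*/\1/p' | head -n 1)
    ntype=$(printf '%s\n' "$block" \
        | sed -n 's/.*<node_type>[[:space:]]*\([A-Za-z]*\)[[:space:]]*<\/node_type>.*/\1/p' | head -n 1)
    case "$disabled" in
        [Nn][Oo]) echo "enabled:${ntype:-unknown}" ;;
        *)        echo disabled ;;
    esac
}

# Constructed sample config: a worker node with cluster mode switched on.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>worker-01</node_name>
    <node_type>worker</node_type>
    <key>0123456789abcdef0123456789abcdef</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>10.0.0.10</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
EOF
printf 'sample: version 4.14.3 is %s; cluster %s\n' \
    "$(wazuh_affected 4.14.3)" "$(cluster_mode "$SAMPLE_CONF")"

# Live check on this host; skipped where Wazuh is not installed.
# Assumes the WAZUH_VERSION="v..." line and the wazuh-clusterd command line.
if [ -x /var/ossec/bin/wazuh-control ]; then
    ver=$(/var/ossec/bin/wazuh-control info 2>/dev/null \
          | sed -n 's/^WAZUH_VERSION="*\([^"]*\)"*$/\1/p' || true)
    pid=$(pgrep -f wazuh-clusterd 2>/dev/null | head -n 1 || true)
    runas=$( [ -n "$pid" ] && ps -o user= -p "$pid" 2>/dev/null || echo "not running")
    printf 'this host: wazuh %s is %s; cluster %s; clusterd runs as %s\n' \
        "$ver" "$(wazuh_affected "$ver")" "$(cluster_mode /var/ossec/etc/ossec.conf)" "$runas"
fi
```

The last line of output is the one to act on: an `affected` version with `cluster enabled:` and a daemon running as root is the worst case the advisory describes. Run it on every manager, not just the master, since the traversal targets the receiving side of the sync.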
CVE-2026-31478
MSRC
A buffer-size calculation bug in ksmbd, the in-kernel SMB3 server, is reachable from the network. The CVSS 9.8 score implies unauthenticated remote exploitation, but the terse upstream commit message does not spell out the impact; a miscalculated buffer in kernel code is at minimum a remote denial of service and plausibly memory corruption. If ksmbd is loaded on any host that accepts SMB from a network you do not fully trust, treat it as a potential remote code execution path.
- Included because
- prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
- Affected estate
- Azure Linux 3.0 hosts on kernel 6.6.130.1-3 and CBL Mariner 2.0 hosts on kernel 5.15.202.1-1 with the ksmbd module loaded.
- How to check
- Run `uname -r` to confirm the kernel version and `lsmod | grep ksmbd` (or `grep '^ksmbd ' /proc/modules`) to see whether the module is loaded; `ss -ltn '( sport = :445 )'` shows whether anything is actually accepting SMB connections. A host where the module is absent right now is not necessarily safe: it can be loaded again by whatever loaded it before (the ksmbd service or a manual `modprobe`) until the kernel is patched.
- Action
- Update the kernel package and reboot. Until then, if in-kernel SMB serving is not required, stop the ksmbd service and unload the module with `modprobe -r ksmbd`; the unload refuses while the module is in use, so stop `ksmbd.mountd` and any active sessions first. Then add `install ksmbd /bin/false` (plus `blacklist ksmbd`) in a file under `/etc/modprobe.d/` so nothing can load it again before you reboot into the patched kernel.
- Urgency
- Patch within 24 hours
- Why it matters
- A CVSS 9.8 bug in a network-facing kernel module could let an attacker gain kernel-level access remotely without authentication.
- Source
- Microsoft Azure Linux / CBL Mariner advisory
Evidence trail
- NVD: View source
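The check-and-disable procedure above, as an added example that is not kernel or Azure Linux tooling. It classifies ksmbd from a `/proc/modules`-format listing (absent, loaded, or in use, which is the case where `modprobe -r` will fail), looks for a listener on TCP 445, and renders the `modprobe.d` rule; it only touches the system when run as root with `--apply`. The `/proc/modules` lines it writes are constructed sample input, and the `ksmbd` systemd unit name is an assumption about the ksmbd-tools package.

```sh
#!/bin/sh
# Added example, not kernel or Azure Linux tooling: decide whether this host can
# serve SMB through ksmbd right now, and render the modprobe rule that keeps the
# module out until the kernel is patched. Sample /proc/modules lines are constructed.

# Classify ksmbd from a /proc/modules-format file (default: the live one).
# Field layout per line: name size refcount deps state address.
# "in-use" (refcount > 0) means `modprobe -r ksmbd` will refuse to unload it
# until ksmbd.mountd and any active sessions are gone.
ksmbd_state() {
    f="${1:-/proc/modules}"
    line=$(grep '^ksmbd ' "$f" 2>/dev/null || true)
    if [ -z "$line" ]; then
        echo absent
        return 0
    fi
    set -- $line
    if [ "$3" -gt 0 ]; then echo in-use; else echo loaded; fi
}

# Is anything listening on TCP 445 on this host? Uses ss when present.
smb_port_open() {
    command -v ss >/dev/null 2>&1 || { echo unknown; return 0; }
    if ss -ltn 2>/dev/null | grep -q ':445[[:space:]]'; then echo yes; else echo no; fi
}

# modprobe.d rule. "blacklist" only stops alias-driven autoload; the "install"
# line makes every modprobe of ksmbd, explicit or implicit, run /bin/false instead.
ksmbd_modprobe_conf() {
    printf '%s\n' 'blacklist ksmbd' 'install ksmbd /bin/false'
}

# Apply on this host: stop the userspace daemon, unload, pin the rule.
# Unit name "ksmbd" is an assumption about the ksmbd-tools package.
disable_ksmbd() {
    [ "$(id -u)" -eq 0 ] || { echo "need root" >&2; return 1; }
    systemctl stop ksmbd 2>/dev/null || true
    modprobe -r ksmbd
    ksmbd_modprobe_conf > /etc/modprobe.d/disable-ksmbd.conf
    echo "ksmbd unloaded and pinned out; reboot into the patched kernel when ready"
}

# Constructed samples: loaded but idle, loaded with two users, and not loaded.
SAMPLE_LOADED=$(mktemp); SAMPLE_BUSY=$(mktemp); SAMPLE_CLEAN=$(mktemp)
trap 'rm -f "$SAMPLE_LOADED" "$SAMPLE_BUSY" "$SAMPLE_CLEAN"' EXIT
printf 'ksmbd 516096 0 - Live 0xffffffffc0a00000\nnf_tables 315392 12 - Live 0xffffffffc0900000\n' > "$SAMPLE_LOADED"
printf 'ksmbd 516096 2 - Live 0xffffffffc0a00000\n' > "$SAMPLE_BUSY"
printf 'nf_tables 315392 12 - Live 0xffffffffc0900000\n' > "$SAMPLE_CLEAN"
printf 'samples: %s / %s / %s\n' \
    "$(ksmbd_state "$SAMPLE_LOADED")" "$(ksmbd_state "$SAMPLE_BUSY")" "$(ksmbd_state "$SAMPLE_CLEAN")"

# Live check on this host.
printf 'this host: kernel %s, ksmbd %s, tcp/445 listening: %s\n' \
    "$(uname -r)" "$(ksmbd_state)" "$(smb_port_open)"
if [ "${1:-}" = --apply ]; then disable_ksmbd; fi
```

The distinction the script draws between `loaded` and `in-use` is the one that bites during an incident: an `in-use` module means clients are attached, and `modprobe -r` will simply fail until the service is stopped. The `install ksmbd /bin/false` line is what makes the mitigation stick across a service restart; `blacklist` on its own does not.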
CVE-2018-25318
NVD
Tenda FH303 and A300 routers on firmware V5.07.68_EN don't properly validate session cookies. An unauthenticated attacker who can reach the web interface can send a crafted request to the DNS settings endpoint and point every client's DNS at a server they control. No login required.
- Included because
- prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
- Affected estate
- Tenda FH303 and A300 routers running firmware version V5.07.68_EN.
- How to check
- Log into the router's web interface and check the firmware version on the status or system info page.
- Action
- Apply a firmware update if one is available; for hardware this old there may be none, in which case plan to replace the device. Meanwhile block access to the management interface and the /goform/AdvSetDns endpoint from the WAN and any untrusted segment. Note that a firewall rule only helps against attackers outside the LAN; any client already on the network can still reach the endpoint.
- Urgency
- Patch this week
- Why it matters
- An attacker who can reach the router's web interface can silently hijack DNS for every client on the network, enabling phishing and credential theft at scale.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2018-25317
NVD
Tenda W3002R, A302, and W309R routers on firmware V5.07.64_en have the same broken session validation as CVE-2018-25318. An unauthenticated attacker can forge an admin cookie and rewrite the router's DNS settings, redirecting all client traffic to attacker-controlled DNS servers.
- Included because
- prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
- Affected estate
- Tenda W3002R, A302, and W309R routers running firmware version V5.07.64_en.
- How to check
- Log into the router's web interface and verify the firmware version on the system info page.
- Action
- Apply a firmware update if one is available. Otherwise, restrict access to the management interface and consider replacing the device.
- Urgency
- Patch this week
- Why it matters
- Unauthenticated DNS hijacking gives an attacker control over name resolution for every device behind the router.
- Source
- NVD
Evidence trail
- NVD: View source
CVE-2026-28387
MSRC
A use-after-free exists in OpenSSL's DANE client verification code. A malicious server, or an attacker positioned to tamper with the TLS handshake, could trigger it against any client that has enabled DANE-based verification, causing a crash or potentially code execution. CVSS 8.1, no known exploitation, and the EPSS score is very low at 0.00032.
- Included because
- prioritization factors: exploitation, exposure, prevalence, patch quality, and blast radius
- Affected estate
- Azure Linux 3.0 hosts running OpenSSL 3.3.5-4, nodejs24 packages 24.13.0-3 through 24.14.1-2, or cloud-hypervisor 48.0.246-4.
- How to check
- Run `openssl version` and `tdnf list installed | grep -E 'openssl|nodejs24|cloud-hypervisor'` to identify installed versions.
- Action
- Run `tdnf update openssl nodejs24 cloud-hypervisor` to pull the patched packages, then restart every service that links libssl (or reboot). A running process keeps the old, now-deleted library mapped until it restarts, so the package update alone does not close the window.
- Urgency
- Patch this week
- Why it matters
- A use-after-free in a TLS library can mean crashes or remote code execution, but only code that actually enables DANE (OpenSSL's `SSL_CTX_dane_enable`/`SSL_dane_enable` path, or `openssl s_client -dane_tlsa_domain`) reaches this verification code; ordinary TLS clients that never request DANE validation are not on the vulnerable path. Inventory which of your services do DANE (mail transfer agents configured for it are the common case) and restart those first.
- Source
- Microsoft Azure Linux advisory
Evidence trail
- NVD: View source
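The "restart what still maps the old library" step above, as an added example that is not Azure Linux tooling. After `tdnf update openssl`, a process that has not restarted still maps the replaced `libssl.so.3`/`libcrypto.so.3`, and the kernel marks that mapping `(deleted)` in `/proc/PID/maps`; the script reports such processes. The maps excerpts it writes are constructed sample input, and the live scan only sees other users' processes when run as root.

```sh
#!/bin/sh
# Added example, not Azure Linux tooling: after the openssl package update, find
# processes that still map the old libssl/libcrypto. A replaced shared object
# shows up in /proc/PID/maps with a "(deleted)" suffix until the process restarts.
# The maps excerpts written below are constructed sample input.

# Read a /proc/PID/maps-format stream on stdin; print the basenames of OpenSSL
# shared objects whose on-disk file has been deleted, one per line, deduplicated.
stale_openssl_libs() {
    sed -nE 's#.*/(lib(ssl|crypto)\.so[^ ]*) \(deleted\)$#\1#p' | sort -u
}

# Summarise one maps file: "stale" if any OpenSSL object is deleted, else "fresh".
maps_status() {
    if [ -n "$(stale_openssl_libs < "$1")" ]; then echo stale; else echo fresh; fi
}

# Walk live processes and print "pid<TAB>comm<TAB>stale libs" for each offender.
# Unreadable maps (other users' processes, when not root) are skipped.
live_scan() {
    for m in /proc/[0-9]*/maps; do
        [ -r "$m" ] || continue
        libs=$(stale_openssl_libs < "$m" 2>/dev/null || true)
        [ -n "$libs" ] || continue
        pid=${m#/proc/}; pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$(cat /proc/"$pid"/comm 2>/dev/null || true)" \
            "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Constructed samples: a process started before the update (stale) and one
# started after it (fresh). The deleted libz line shows the filter ignores
# unrelated libraries.
SAMPLE_STALE=$(mktemp); SAMPLE_FRESH=$(mktemp)
trap 'rm -f "$SAMPLE_STALE" "$SAMPLE_FRESH"' EXIT
cat > "$SAMPLE_STALE" <<'EOF'
7f3a1c000000-7f3a1c1f0000 r-xp 00000000 08:01 40961   /usr/lib/libcrypto.so.3 (deleted)
7f3a1c200000-7f3a1c260000 r-xp 00000000 08:01 40970   /usr/lib/libssl.so.3 (deleted)
7f3a1c280000-7f3a1c290000 r-xp 00000000 08:01 40990   /usr/lib/libz.so.1 (deleted)
7f3a1c300000-7f3a1c320000 r-xp 00000000 08:01 1025    /usr/lib/libc.so.6
EOF
cat > "$SAMPLE_FRESH" <<'EOF'
7f3a1c000000-7f3a1c1f0000 r-xp 00000000 08:01 41200   /usr/lib/libcrypto.so.3
7f3a1c200000-7f3a1c260000 r-xp 00000000 08:01 41201   /usr/lib/libssl.so.3
7f3a1c300000-7f3a1c320000 r-xp 00000000 08:01 1025    /usr/lib/libc.so.6
EOF
printf 'samples: pre-update process is %s, post-update process is %s\n' \
    "$(maps_status "$SAMPLE_STALE")" "$(maps_status "$SAMPLE_FRESH")"

# Live scan of this host; prints nothing when no process holds a deleted OpenSSL.
live_scan
```

Run it as root straight after `tdnf update`; every pid it prints is a service that still executes the vulnerable code and needs a restart. An empty live scan is the state you want before you call the host patched. The same check works for any updated shared library by changing the name pattern in `stale_openssl_libs`.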