PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 11 · By PatchDay Alert

A 9.8 kernel-level RCE in Linux ksmbd and 4 more you should know about

Unauthenticated remote code execution in the Linux in-kernel SMB server (CVE-2026-31705, CVSS 9.8), plus an Axios DoS, a Norton Secure VPN privesc, an Amazon WorkSpaces local-to-SYSTEM bug, and a FRR routing daemon flaw on Azure Linux.

Patch now: 1 · Within 24h: 1 · This week: 3 · Exploited: 0

Tags: Axios · npm · Linux · Windows · macOS · Linux Kernel · ksmbd · Azure Linux · FRR · CBL Mariner · Norton Secure VPN · Microsoft Store

Heads up: a CVSS 9.8 unauthenticated RCE in Linux's in-kernel SMB server (ksmbd) tops today's list. Nothing is exploited in the wild yet, but kernel-level remote code execution with no auth required doesn't stay quiet for long. Four more round out the day, including local privesc bugs in Norton Secure VPN and Amazon WorkSpaces plus a Node.js DoS via Axios.


Today's CVEs

Sorted by urgency

02 · CVE-2026-31705 · Source: MSRC · CVSS 9.8 · EPSS 0.05% · Patch now · CRITICAL
Tags: Linux Kernel · ksmbd · Azure Linux · Linux

ksmbd, the in-kernel SMB3 server in Linux, has an out-of-bounds write in its extended-attribute handling (smb2_get_ea). An attacker who can reach the SMB service could get remote code execution at kernel level with no authentication. CVSS 9.8 says it all: if you expose ksmbd to any network, this is a top-priority fix.

Included because
unauthenticated; network-reachable; kernel-level RCE; CVSS 9.8
Affected estate
Azure Linux 3.0 hosts running kernel 6.6.134.1-2 or earlier with the ksmbd module loaded. Also affects upstream kernels with ksmbd enabled.
How to check
Run `uname -r` to check the kernel version, then `lsmod | grep ksmbd` to confirm whether the module is loaded.
Action
Update to the patched kernel package and reboot, or unload ksmbd immediately if it is not needed.
Urgency
Patch immediately
Why it matters
This is an unauthenticated remote kernel-level write, so exploitation gives full system control.
Source
NVD


03 · CVE-2026-37457 · Source: MSRC · CVSS 7.5 · EPSS 0.04% · Patch this week · HIGH
Tags: FRR · Azure Linux · CBL Mariner · Linux

A vulnerability in FRR (Free Range Routing) affects Azure Linux 3.0 and CBL Mariner 2.0 packages. Details are sparse, but the CVSS 7.5 score and the affected product (a network routing daemon) suggest a remotely triggerable crash or information leak. If you run FRR on these platforms, treat this as a network-facing risk until more detail lands.

Included because
network-facing service; CVSS 7.5; common routing daemon on Azure infrastructure
Affected estate
Azure Linux 3.0 running frr 10.5.0-2 and CBL Mariner 2.0 running frr 8.5.5-5.
How to check
Run `rpm -q frr` or `tdnf list installed frr` to confirm the installed version.
Action
Update frr via tdnf or your package manager to the patched release.
Urgency
Patch this week
Why it matters
FRR handles BGP, OSPF, and other routing protocols. A remotely exploitable bug in a routing daemon can disrupt your entire network fabric.
Source
NVD
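To make the "How to check" steps for the ksmbd and FRR entries above repeatable across a fleet, here is an added triage script (example code, not PatchDay's, Microsoft's or FRR's) that classifies a host against the kernel threshold and the frr package versions those two entries name. It assumes Azure Linux / CBL Mariner rpm-style version strings such as `6.6.134.1-2.azl3`; the comparison helper, the function names and the `--live` flag are my own.

```shell
#!/bin/sh
# Added triage helper for the ksmbd and FRR items in this digest; not PatchDay's code.
# Thresholds are the affected versions the digest states: kernel 6.6.134.1-2 with ksmbd
# loaded (CVE-2026-31705); frr 10.5.0-2 on Azure Linux 3.0 and 8.5.5-5 on CBL Mariner 2.0
# (CVE-2026-37457). The ".azl3" / ".cm2" rpm release suffixes are an assumption.
KSMBD_LAST_BAD="6.6.134.1-2"
FRR_BAD_AZL3="10.5.0-2"
FRR_BAD_MARINER2="8.5.5-5"

# version_le A B: exit 0 if A <= B. '-' becomes '.', the string is cut at the first
# non-version character (so "6.6.134.1-2.azl3" compares as 6.6.134.1.2), and fields are
# compared numerically; a missing field counts as 0.
version_le() {
    a=$(printf '%s' "$1" | tr '-' '.'); a=${a%%[!0-9.]*}
    b=$(printf '%s' "$2" | tr '-' '.'); b=${b%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0
}

# ksmbd_loaded LSMOD_TEXT: exit 0 if the given `lsmod` output lists the ksmbd module.
ksmbd_loaded() {
    printf '%s\n' "$1" | awk '$1 == "ksmbd" { found = 1 } END { exit !found }'
}

# ksmbd_exposure KERNEL_RELEASE LSMOD_TEXT: prints patch-now, patch-keep-unloaded or ok.
ksmbd_exposure() {
    if ! version_le "$1" "$KSMBD_LAST_BAD"; then echo ok
    elif ksmbd_loaded "$2"; then echo patch-now   # vulnerable kernel and the service is live
    else echo patch-keep-unloaded                 # vulnerable kernel, module not loaded
    fi
}

# frr_exposure PLATFORM FRR_VERSION: PLATFORM is azl3 or mariner2; prints affected, ok or unknown.
frr_exposure() {
    case "$1" in
        azl3)     bad="$FRR_BAD_AZL3" ;;
        mariner2) bad="$FRR_BAD_MARINER2" ;;
        *)        echo unknown; return 0 ;;
    esac
    if version_le "$2" "$bad"; then echo affected; else echo ok; fi
}

# Live check on a host:  sh triage.sh --live azl3   (or: --live mariner2)
if [ "$1" = "--live" ]; then
    echo "ksmbd: $(ksmbd_exposure "$(uname -r)" "$(lsmod)")"
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' frr 2>/dev/null) &&
        echo "frr $v: $(frr_exposure "${2:-azl3}" "$v")" || echo "frr: not installed"
fi
```

Without `--live` the script only defines the functions, so it can be sourced into a larger inventory script.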


04 · CVE-2025-58074 · Source: NVD · CVSS 8.8 · Patch this week · HIGH
Tags: Norton Secure VPN · Microsoft Store · Windows

During installation of Norton Secure VPN from the Microsoft Store, a low-privilege local user can swap out files in the install path. That lets them delete arbitrary files and escalate to higher privileges. This requires local access and the timing window of an active installation, so it's not remotely exploitable, but any shared workstation where Norton Secure VPN gets deployed is at risk.

Included because
local privilege escalation; CVSS 8.8; common endpoint VPN product
Affected estate
Windows endpoints with Norton Secure VPN installed or scheduled for installation via the Microsoft Store.
How to check
Check installed apps via Settings > Apps or query `Get-AppxPackage *Norton*` in PowerShell.
Action
Update Norton Secure VPN to the latest version. Pause rollout on multi-user machines until patched.
Urgency
Patch this week
Why it matters
A low-privilege user on a shared machine can escalate to full control by exploiting the install window.
Source
NVD


05 · CVE-2026-7791 · Source: NVD · CVSS 7.8 · Patch within 24h · HIGH
Tags: Amazon WorkSpaces · Skylight Workspace Config Service · Windows · Cloud

The Skylight Workspace Config Service in Amazon WorkSpaces for Windows has a flaw in its log rotation. A local non-admin user can plant arbitrary files in arbitrary locations, bypassing file system permissions, and escalate all the way to SYSTEM. You need local access, but no admin rights, so this is a real concern on any WorkSpaces desktop.

Included because
local privilege escalation to SYSTEM; no admin rights needed; CVSS 7.8; common VDI product
Affected estate
Amazon WorkSpaces for Windows desktops running Skylight Workspace Config Service versions before 2.6.2034.0.
How to check
Check the installed version of the Skylight Workspace Config Service in Programs and Features or by querying the service binary's file version.
Action
Push the updated WorkSpaces agent (2.6.2034.0+) through your WorkSpaces management console or update pipeline.
Urgency
Patch within 24 hours
Why it matters
Any non-admin user on a WorkSpaces desktop can escalate to SYSTEM, giving them full control of the virtual desktop and any data on it.
Source
NVD
