| Advisory | Severity | CVE | Version(s) | ||
|---|---|---|---|---|---|
| Copy Fail | Low | CVE-2026-31431 | 4.x | ||
We are aware of the high-profile ‘Copy Fail’ vulnerability (CVE-2026-31431), which impacts all Linux kernel versions since 2017. It is important to note that this vulnerability requires local access to a system to be exploited, something that would require an issue with the running micro-services or associated services to have been exposed and exploited in the first instance. The vast majority of our micro-services run with allowPrivilegeEscalation set to false, which further lowers the potential risk. However, given the volatile nature of cyber security, and to ensure we continue to meet high levels of security and transparency, we have made available a mitigation playbook which can be applied to a running VQCM instance. This will disable the vulnerable Linux kernel module, and will require a restart of the VQCM VM for the mitigation to take effect. If you have any questions about this CVE, please email security@vqcomms.com. To request access to the playbook, please email support@vqcomms.com. | |||||
| Dirty Frag | Low | CVE-2026-43284 and CVE-2026-43500 | 4.x | ||
We are aware of the high-profile ‘Dirty Frag’ exploit, which impacts all current Linux kernel versions. It is important to note that this exploit requires local access to a system, something that would require an issue with the running micro-services or associated services to have been exposed and exploited in the first instance. The impacted kernel modules are also not loaded by default within the VQCM VM, preventing exploitation without a privileged user first having loaded these modules. To ensure peace of mind for our customers and meet our high levels of security and transparency, we have made available a mitigation playbook which can be applied to a running VQCM instance. This will make sure the impacted modules are not loaded and prevent them from being loaded in the future. This should not impact the running VQCM instance at all and there should be no downtime. If you have any questions about this CVE, please email security@vqcomms.com. To request access to the playbook, please email support@vqcomms.com. | |||||
| PinTheft | Low | CVE-2026-46333 | 4.x | ||
We are aware of the recent CVE-2026-46333, which has a public exploit (‘PinTheft’) and impacts major Linux kernel versions, RHEL included. It is important to note that this exploit requires local access to a system, something that would require an issue with the running micro-services or associated services to have been exposed and exploited in the first instance. The impacted kernel modules are also not loaded by default within the VQCM VM, preventing exploitation without a privileged user first having loaded these modules. To ensure peace of mind for our customers and meet our high levels of security and transparency, we have made available a mitigation playbook which can be applied to a running VQCM instance. This will make sure the required changes are made to the kernel ptrace scope. If you have any questions about this CVE, please email security@vqcomms.com. To request access to the playbook, please email support@vqcomms.com. | |||||
| AspNetCore.DataProtection – Privilege Escalation | Informational | CVE-2026-40372 | 4.8.0 | ||
We are aware of the recent security advisories around CVE-2026-40372, which impacts the Microsoft.AspNetCore.DataProtection.* NuGet packages (10.0.0-10.0.6). This vulnerability allows for padding attacks against impacted systems. It is a non-trivial attack vector which requires network access to impacted systems for an extended period of time. We have carried out a review of our systems and found that this does not impact the VQCM instance, as we do not load or use any Microsoft.AspNetCore.DataProtection.* NuGet package at runtime. However, out of an abundance of caution and to ensure we continue to meet high levels of security and transparency, we have made available a patch playbook. This will replace the Identity Server image on the VQCM, which handles authentication and token generation for user sessions. Once the playbook has been run, users will need to shut down any open browser sessions to the VQCM instance and log back in. If you experience issues logging in, we suggest clearing your browser history and using a new private browsing session to avoid issues with session caching. | |||||