CVE Status & Mitigation

Overview

Swivel Secure appliances are built on an Enterprise Linux foundation (Oracle Linux). To preserve stability, the operating system vendor backports security fixes into the package versions it already ships rather than moving to new upstream releases.

This means a security fix is applied without changing the software's upstream version number; the fix is recorded in the package release number and in the corresponding Oracle Linux Security Advisory (ELSA). Automated vulnerability scanners that match solely on the upstream version number (e.g., Nessus, Qualys, Rapid7) therefore often report false positives against these appliances.

This document lists specific vulnerabilities that your scanner may flag, with evidence of mitigation or an explanation of why the appliance is not affected.

Note

If you identify a vulnerability on your appliance that is not listed here, please contact Swivel Secure Support for analysis.


Known False Positives & Mitigations

ssh-keysign-pwn — CVE-2026-46333

Relevant CVEs: CVE-2026-46333

Scanner Status: High (Local Privilege Escalation)

Appliance Status: Patched — upgrade to kernel-uek 5.15.0-320 or later (Oracle ELSA-2026-50280)

Description

CVE-2026-46333 is a Linux kernel local privilege escalation vulnerability published in May 2026. A race condition exists between exit_mm() and exit_files() in the kernel’s ptrace dumpability logic. When a privileged process exits, there is a brief window during which the dumpability check is skipped. An unprivileged local process can call pidfd_getfd(2) in this window and obtain a copy of a file descriptor from the exiting privileged process, potentially gaining access to sensitive resources.

The vulnerability cannot be triggered remotely. An active shell session on the appliance is required before any exploit attempt can be made.

Appliance Impact and Patch

AuthControl Sentry appliances running Oracle Linux 9 were affected on kernel-uek 5.15.0-303 (OL9.5) and 5.15.0-319 (OL9.7). Oracle released a patched kernel (5.15.0-320, advisory ELSA-2026-50280) on 2026-05-20. Swivel Secure verified the fix — the exploit no longer succeeds on kernel 5.15.0-320.

Two attack vectors were assessed:

  1. ssh-keysign vector — blocked on all appliance builds by default. The OpenSSH EnableSSHKeysign directive is not set (it defaults to no), and ssh-keysign itself exits unless that directive is enabled in the system ssh_config, so this path was never reachable even on vulnerable kernels.

  2. chage vector — chage, the password expiry utility, runs with elevated privileges and can be started on demand by any local user, which gives an attacker the exiting privileged process the race requires. This path was open on vulnerable kernels and is closed by the kernel patch.

Contextual Risk Assessment

AuthControl Sentry appliances expose a single administrative shell account. Exploitation would require an attacker who already held those admin credentials, and that access already confers full control of the system. The practical risk was therefore low, but the patch should still be applied.

Recommended Action

Apply the update via the System Update menu in the CMI. After updating and rebooting, verify that the patched kernel is running: from the CMI main menu select Version Information; the Kernel Version field should show 5.15.0-320 or later. The reboot is required because the update installs the new kernel alongside the running one, and until the appliance is rebooted the running kernel, and therefore Version Information, is still the old release.

If you experience any difficulty applying the update or confirming the kernel version, please raise a support ticket at supportdesk@swivelsecure.com.
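Verifying a backported fix comes down to two checks that are easy to get wrong with a naive string comparison or a bare grep: is the running kernel release at or above the release that carries the fix, and does the package changelog name the CVE. The script below is an added example, not Swivel Secure's own tooling or anything from this page. kernel_at_least compares the first four numeric fields of a release string, so a build such as 5.15.0-320.el9uek.x86_64 satisfies 5.15.0-320; changelog_has_cve matches a CVE identifier as a whole word in whatever changelog text it is given, which on an appliance with shell access would be the output of rpm -q --changelog kernel-uek. The changelog text embedded in the script is constructed for the demonstration, and the build strings used in the demo are likewise assumptions. It also illustrates the Overview's point that a backported fix shows up in the package release and changelog, not in the upstream version.

```sh
#!/bin/sh
# Added example, not part of the Swivel Secure page or its tooling.
# Two checks for a backported kernel fix: is the running release at or above
# the fixed release, and does the package changelog name the CVE.

# kernel_at_least REQUIRED RUNNING
# Compares the first four numeric fields (major.minor.patch-release) so that
# "5.15.0-320.el9uek.x86_64" satisfies "5.15.0-320"; trailing build and
# architecture text is ignored. Returns 0 (true) when RUNNING >= REQUIRED.
kernel_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= 4; i++) req[i] = $i + 0; next }
        NR == 2 { for (i = 1; i <= 4; i++) run[i] = $i + 0 }
        END {
            for (i = 1; i <= 4; i++) {
                if (run[i] > req[i]) exit 0
                if (run[i] < req[i]) exit 1
            }
            exit 0   # all four fields equal
        }'
}

# changelog_has_cve CVE-ID   (changelog text on stdin)
# Whole-word, case-insensitive match, so CVE-2026-4633 does not match
# CVE-2026-46333. On the appliance the input would come from:
#   rpm -q --changelog kernel-uek | changelog_has_cve CVE-2026-46333
changelog_has_cve() {
    grep -qiw -- "$1"
}

# Constructed sample changelog for the demo (not real Oracle changelog text).
SAMPLE_CHANGELOG='* Wed May 20 2026 Example Packager <packager@example.invalid> [5.15.0-320]
- kernel: fix for CVE-2026-46333 (ELSA-2026-50280)
- kernel: fix for CVE-2026-43284 (ELSA-2026-50261)'

# report_kernel REQUIRED RUNNING -> one line suitable for a fleet report
report_kernel() {
    if kernel_at_least "$1" "$2"; then
        echo "kernel $2: at or above $1"
    else
        echo "kernel $2: below $1, update required"
    fi
}

report_kernel 5.15.0-320 "$(uname -r)"
report_kernel 5.15.0-320 5.15.0-319.el9uek.x86_64   # constructed: a vulnerable build
if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_cve CVE-2026-46333; then
    echo "sample changelog names CVE-2026-46333"
fi
```

The numeric comparison is what makes the check robust: a lexical comparison would rank 5.15.0-99 above 5.15.0-320, and the architecture suffix would otherwise have to be stripped by hand.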

Note

Legacy CentOS 6 and CentOS 7 appliances (both EOL) run kernels in the 2.6.x to 3.10.x range, which predate the vulnerable code path entirely (pidfd_getfd(2) itself did not exist in those kernels). No action is required on those platforms for this CVE.


DirtyFrag — CVE-2026-43284 / CVE-2026-43500

Relevant CVEs: CVE-2026-43284, CVE-2026-43500

Scanner Status: High (Local Privilege Escalation)

Appliance Status: Not Affected / CVE-2026-43284 formally patched in 5.15.0-320 (ELSA-2026-50261)

Description

DirtyFrag is a pair of Linux kernel local privilege escalation vulnerabilities discovered in May 2026. CVE-2026-43284 affects the IPsec ESP subsystem (esp4/esp6 modules) and CVE-2026-43500 affects the RxRPC subsystem.

By exploiting how in-place decryption operates over pipe-backed pages via splice() or sendfile(), an unprivileged local user can obtain a write primitive into the kernel page cache and escalate privileges to root.

The vulnerability cannot be triggered remotely. An active shell session on the host machine as a non-root user is required before any exploit attempt can be made.

Why the Appliance is Not Affected

Current AuthControl Sentry appliances running Oracle Linux 9 are not affected for two independent reasons, either of which is sufficient to prevent exploitation:

  1. Kernel version is below the confirmed vulnerable range. Appliances currently ship with Oracle Unbreakable Enterprise Kernel R7 (5.15.0 branch). DirtyFrag has been confirmed exploitable on mainline kernel 6.12.0 and above; the UEK R7 branch predates the specific code paths targeted by the published proof-of-concept exploits. Oracle nonetheless shipped a fix for CVE-2026-43284 in kernel-uek 5.15.0-320 (ELSA-2026-50261), so an appliance on that release or later is covered regardless of how the vulnerable range is eventually defined.

  2. The vulnerable kernel modules are not loaded. The esp4, esp6, and rxrpc modules, which contain the vulnerable code, are not loaded on Swivel appliances. The appliance does not use IPsec or RxRPC, so nothing on it requests these modules. Note that "not loaded" is weaker than "not built": a module file that is present under /lib/modules and not blocked in /etc/modprobe.d can still be loaded on demand, and rxrpc in particular is autoloaded by the kernel when any process, privileged or not, creates an AF_RXRPC socket. Reason 1 does not depend on this; to rely on reason 2 on its own, confirm that the module files are absent for the running kernel or blocked with an install line in modprobe.d.

Contextual Risk Assessment

Even in the absence of the above mitigations, the practical risk to customers is low. DirtyFrag requires an unprivileged shell on the host as a starting point. AuthControl Sentry appliances do not expose general-purpose shell accounts to end users. Administrative SSH access is restricted to authorised personnel using username and password credentials, and that access already carries full system privileges, so privilege escalation via this route gains an attacker nothing. This part of the assessment assumes no other route to unprivileged code execution on the appliance (for example through an exposed service); a local privilege escalation bug is normally the second stage of such a chain, which is why the kernel-version and module facts above, rather than the account model, are what make the appliance not affected.

Verification

Customers can confirm their appliance is running an unaffected kernel via the CMI main menu by selecting Version Information. On current CMI releases this shows a Kernel Version field; on older CMI releases the equivalent field may be labelled OS Version.

A value beginning with 5.15 confirms the appliance is running UEK R7 and is outside the confirmed vulnerable kernel range. A release of 5.15.0-320 or later additionally carries Oracle's formal fix for CVE-2026-43284.

Note

Legacy CentOS 6 and CentOS 7 appliances (both EOL) run kernels in the 2.6.x to 3.10.x range, which also predate the vulnerable code paths and do not load the relevant modules. No patches will be issued for EOL platforms; the exploitability assessment is the same as above and no customer action is required on those platforms for this CVE.

Copy Fail – CVE-2026-31431

Relevant CVEs: CVE-2026-31431

Scanner Status: High (Local Privilege Escalation)

Appliance Status: Not Affected / Formally patched in 5.15.0-320 (ELSA-2026-50261)

Description

Copy Fail is a Linux kernel local privilege escalation vulnerability disclosed in April 2026. It is a logic bug in the authencesn cryptographic template, reached through the kernel's algif_aead module, the AEAD socket interface of the userspace crypto API (AF_ALG).

By exploiting the flaw, an unprivileged local user can trigger a deterministic 4-byte write into the page cache of any readable file on the system, including setuid binaries, and escalate privileges to root. Unlike many kernel exploits, Copy Fail does not require a race condition and can be triggered reliably. A proof-of-concept exploit of 732 bytes has been published that achieves root on a wide range of Linux distributions.

The vulnerability cannot be triggered remotely. An active shell session on the host machine as a non-root user is required before any exploit attempt can be made.

Why the Appliance is Not Affected

The algif_aead module, which provides the exploitable interface, is not present in the Oracle Unbreakable Enterprise Kernel R7 build shipped with AuthControl Sentry appliances. The module does not exist on disk and therefore cannot be loaded. Without it, the exploit has no entry point regardless of the running kernel version. The build option that produces algif_aead is CONFIG_CRYPTO_USER_API_AEAD: set to m it builds the module, set to y it builds the interface into the kernel image, and not set it removes the interface entirely, so checking that option in the running kernel's configuration, rather than only the absence of a .ko file, is the conclusive test.

Why Scanners May Flag This

Vulnerability scanners perform version-based CVE matching: they compare the installed kernel version against the known vulnerable range for the CVE and flag accordingly. Copy Fail affects kernels released since 2017, so any 5.15.x kernel will be flagged automatically.

However, scanners do not verify whether the specific vulnerable module is present in a given kernel build. Oracle’s UEK R7 kernel is not built with algif_aead included, meaning the attack surface does not exist on the appliance. This is a false positive and no remediation is required.

Contextual Risk Assessment

Even in the absence of the above, Copy Fail requires an unprivileged shell on the host as a starting point. AuthControl Sentry appliances do not expose general-purpose shell accounts to end users. Administrative SSH access is restricted to authorised personnel using username and password credentials, and that access already carries full system privileges, so privilege escalation via this route gains an attacker nothing. As with DirtyFrag, this reasoning assumes no other route to unprivileged code execution on the appliance; the absence of algif_aead is the controlling mitigation.

Verification

Customers can confirm their appliance kernel via the CMI main menu by selecting Version Information. On current CMI releases this shows a Kernel Version field; on older CMI releases the equivalent field may be labelled OS Version.

A value beginning with 5.15 confirms the appliance is running UEK R7, in which the algif_aead module is absent from the kernel build. Where shell access is available, the conclusive check is the build option CONFIG_CRYPTO_USER_API_AEAD in the running kernel's configuration file under /boot, which should read "is not set".
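The reasoning for DirtyFrag (the esp4, esp6 and rxrpc modules are not loaded) and for Copy Fail (algif_aead is not on disk) rests on different facts about a module, and the difference matters: a module that is merely unloaded can be pulled in on demand unless modprobe.d blocks it, while one with no file under /lib/modules cannot. The script below is an added example, not part of this page or of Swivel Secure's tooling. module_state classifies a module as loaded, blocked, on-disk or absent from an lsmod listing, a modules directory and a modprobe.d directory. All three inputs here are constructed fixtures in a temporary directory so that the demo runs anywhere; the real paths for an appliance are given in the trailing comment and are the standard Oracle Linux locations.

```sh
#!/bin/sh
# Added example, not part of the Swivel Secure page or its tooling.
# For each kernel module of interest, report whether it is loaded, present on
# disk but blocked by modprobe.d, present and loadable on demand, or absent
# from the installed kernel. The fixtures below are constructed so the demo
# runs anywhere; on an appliance pass the real paths (see the trailing comment).

# module_state NAME MODULES_DIR LSMOD_FILE MODPROBE_D
# Prints exactly one of: loaded | blocked | on-disk | absent
module_state() {
    name=$1; moddir=$2; lsmod_file=$3; modprobe_d=$4

    # lsmod output: a header line, then the module name in column 1
    if awk -v m="$name" 'NR > 1 && $1 == m { f = 1 } END { exit !f }' "$lsmod_file"; then
        echo loaded; return 0
    fi
    # Module file anywhere under the modules tree (.ko, .ko.xz, .ko.zst, ...)
    if find "$moddir" -type f -name "$name.ko*" 2>/dev/null | grep -q .; then
        # "install NAME /bin/false" stops loading by name and by alias;
        # "blacklist NAME" stops alias-based autoload only (e.g. socket()
        # requesting net-pf-33 for rxrpc), not an explicit modprobe.
        if grep -Eqs "^[[:space:]]*(install[[:space:]]+$name[[:space:]]+/bin/(false|true)|blacklist[[:space:]]+$name)([[:space:]]|\$)" "$modprobe_d"/*.conf; then
            echo blocked; return 0
        fi
        echo on-disk; return 0
    fi
    # No loadable file. Code built in with =y would not appear here, so pair
    # this with the kernel config option (e.g. CONFIG_CRYPTO_USER_API_AEAD).
    echo absent
}

# audit_modules MODULES_DIR LSMOD_FILE MODPROBE_D NAME... -> one line per module
audit_modules() {
    d=$1; l=$2; p=$3; shift 3
    for m in "$@"; do
        printf '%-12s %s\n' "$m" "$(module_state "$m" "$d" "$l" "$p")"
    done
}

# ---- constructed fixtures (not appliance data) ----
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/modules/kernel/net/ipv4" "$FIX/modules/kernel/net/ipv6" \
         "$FIX/modules/kernel/net/rxrpc" "$FIX/modprobe.d"
: > "$FIX/modules/kernel/net/ipv4/esp4.ko.xz"     # on disk and loaded (see lsmod below)
: > "$FIX/modules/kernel/net/ipv6/esp6.ko.xz"     # on disk, not loaded, not blocked
: > "$FIX/modules/kernel/net/rxrpc/rxrpc.ko.xz"   # on disk, blocked by modprobe.d
printf 'install rxrpc /bin/false\n' > "$FIX/modprobe.d/hardening.conf"
printf 'Module                  Size  Used by\nesp4                   28672  0\nxfrm_algo              16384  1 esp4\n' > "$FIX/lsmod.txt"
# algif_aead: no file and no lsmod entry -> absent

audit_modules "$FIX/modules" "$FIX/lsmod.txt" "$FIX/modprobe.d" algif_aead esp4 esp6 rxrpc

# On an appliance with shell access the real inputs would be:
#   lsmod > /tmp/lsmod.txt
#   audit_modules "/lib/modules/$(uname -r)" /tmp/lsmod.txt /etc/modprobe.d algif_aead esp4 esp6 rxrpc
```

"absent" means no loadable file exists for the running kernel; it says nothing about code built into the kernel image with =y, so for algif_aead the option CONFIG_CRYPTO_USER_API_AEAD in the running kernel's config under /boot remains the conclusive check.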

Note

Legacy CentOS 6 and CentOS 7 appliances (both EOL) also do not have the algif_aead module present on disk. The exploitability assessment is the same as above and no customer action is required on those platforms.

ELSA-2025-20114: NetworkManager Dispatcher Permissions

Relevant CVEs: CVE-2025-20114 (and related)

Scanner Status: Critical / High

Appliance Status: Safe / Mitigated

Description

A vulnerability exists in NetworkManager where /etc/NetworkManager/dispatcher.d may be shipped with incorrect permissions (world-writable, mode 777). Scripts in that directory are executed as root by nm-dispatcher on network events, so write access to it by unprivileged users is a potential local privilege escalation path.

Why this is a False Positive

Vulnerability scanners flag this based on the installed RPM version of NetworkManager (e.g., versions prior to 1.48.10-5.0.3). Swivel Secure appliances, however, enforce the correct permissions on the directory via configuration management regardless of the RPM version installed, so the condition the CVE describes is not present.

Verification of Mitigation

You can verify the appliance is secure by checking the directory permissions. Access the appliance command line and run:

ls -ld /etc/NetworkManager/dispatcher.d

Expected Output:

drwxr-xr-x. 2 root root 4096 Dec 9 10:00 /etc/NetworkManager/dispatcher.d

The mode field must read drwxr-xr-x (755) and the directory must be owned by root. If the mode shows drwxrwxrwx (777), please contact support immediately. The trailing dot after the mode indicates an SELinux security context and is expected.
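Reading ls -ld output by eye does not scale across a fleet, and it misses the scripts inside the directory, which is where a tampered appliance would actually show. The script below is an added example, not part of this page or of Swivel Secure's tooling. It extracts the mode field the way ls -ld prints it, flags any group- or world-write bit on the directory or its scripts, and returns a non-zero status so it can drive monitoring. The good and bad directories it audits are constructed in a temporary location for the demonstration; on an appliance audit_dispatcher is run with no argument and defaults to /etc/NetworkManager/dispatcher.d.

```sh
#!/bin/sh
# Added example, not part of the Swivel Secure page or its tooling.
# Audit the NetworkManager dispatcher directory as a scripted check rather
# than by reading ls -ld. nm-dispatcher runs these scripts as root on network
# events, so a group- or world-writable directory or script is a potential
# local root-escalation path. Fixture directories below are constructed.

# perm_string PATH -> the 10-character mode field of ls -ld, e.g. drwxr-xr-x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others PATH -> 0 (true) if the group-write or other-write bit is set
writable_by_others() {
    case "$(perm_string "$1")" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_dispatcher [DIR] -> prints BAD/OK lines; returns 0 only if nothing is wrong
audit_dispatcher() {
    dir=${1:-/etc/NetworkManager/dispatcher.d}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    if writable_by_others "$dir"; then
        echo "BAD  $(perm_string "$dir") $dir  (expected drwxr-xr-x, owner root)"
        rc=1
    fi
    # NetworkManager refuses to run scripts that are not owned by root or are
    # writable by group/others, but their presence still indicates tampering.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if writable_by_others "$f"; then
            echo "BAD  $(perm_string "$f") $f"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK   $(perm_string "$dir") $dir"
    fi
    return "$rc"
}

# ---- constructed fixtures for the demo (not appliance paths) ----
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/good" "$FIX/bad" "$FIX/badscript"
chmod 755 "$FIX/good" "$FIX/badscript"
chmod 777 "$FIX/bad"                                # the condition the advisory describes
printf '#!/bin/sh\nexit 0\n' > "$FIX/good/10-example";      chmod 755 "$FIX/good/10-example"
printf '#!/bin/sh\nexit 0\n' > "$FIX/badscript/20-example"; chmod 777 "$FIX/badscript/20-example"

audit_dispatcher "$FIX/good"
audit_dispatcher "$FIX/bad"
audit_dispatcher "$FIX/badscript"
# On an appliance: audit_dispatcher   (defaults to /etc/NetworkManager/dispatcher.d)
```

The check deliberately tests the group-write bit as well as the other-write bit: 775 is not the 777 the advisory describes, but it is still not the 755 the appliance is supposed to enforce.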

CVE-2024-38541: Kernel ‘of_modalias’ Buffer Overflow

Relevant CVEs: CVE-2024-38541

Scanner Status: High / Medium

Appliance Status: Not Affected

Description

A buffer overflow vulnerability exists in the Linux kernel’s of_modalias() function. This function is part of the Device Tree (Open Firmware) subsystem, used primarily by embedded architectures (like ARM) to describe hardware components.

Why this is a False Positive

Swivel Secure appliances on x86_64 hardware use ACPI for hardware discovery, not Device Trees. The Device Tree subsystem is controlled by the kernel configuration option CONFIG_OF.

On this appliance the option is disabled at compile time, so the vulnerable code is not present in the kernel image and cannot be executed. The appliance is therefore not affected by this vulnerability.

Verification

You can confirm the vulnerable subsystem is not present by checking the running kernel's build configuration. Match the exact symbol rather than grepping for CONFIG_OF alone, which would also match unrelated options such as CONFIG_OF_IRQ:

grep -E '^(# )?CONFIG_OF(=| is not set)' "/boot/config-$(uname -r)"

Expected Output

# CONFIG_OF is not set

This line confirms the Device Tree subsystem was excluded at compile time. CONFIG_OF=y would mean it is compiled in. No output at all means the config file for the running kernel is missing or the pattern did not match, not that the option is off, so treat that result as inconclusive rather than as a pass.
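The grep above is the right idea, but two details bite in practice: a pattern of CONFIG_OF alone also matches CONFIG_OF_IRQ and every other CONFIG_OF_ option, and "no output" cannot distinguish an option that is off from a config file that is missing. The script below is an added example, not part of this page or of Swivel Secure's tooling. kconfig_state parses a /boot/config-* style file and reports y, m, n (explicitly not set), absent or unreadable for an exact symbol, which serves this of_modalias check and the Copy Fail one (CONFIG_CRYPTO_USER_API_AEAD is the option that builds algif_aead). The config fragment it reads is constructed for the demonstration and is deliberately inconsistent (CONFIG_OF_IRQ=y alongside CONFIG_OF not set) to show the false match; it is not a real UEK configuration.

```sh
#!/bin/sh
# Added example, not part of the Swivel Secure page or its tooling.
# Read the state of kernel config symbols from a /boot/config-* style file.
# A bare "grep CONFIG_OF" also matches CONFIG_OF_IRQ, CONFIG_OF_GPIO and so on,
# and "no output" is ambiguous (missing file or mistyped symbol). This
# distinguishes y / m / n ("is not set") / absent / unreadable.

# kconfig_state SYMBOL FILE -> prints y, m, n, a quoted string value, absent, or unreadable
kconfig_state() {
    sym=$1; file=$2
    if [ ! -r "$file" ]; then
        echo unreadable
        return 2
    fi
    awk -v s="$sym" '
        $0 == ("# " s " is not set") { st = "n"; exit }
        index($0, s "=") == 1        { st = substr($0, length(s) + 2); exit }
        END { print (st == "" ? "absent" : st) }
    ' "$file"
}

# check_symbols FILE SYMBOL... -> one "SYMBOL state" line per symbol
check_symbols() {
    file=$1; shift
    for s in "$@"; do
        printf '%-30s %s\n' "$s" "$(kconfig_state "$s" "$file")"
    done
}

# Constructed sample in kernel .config format (not a real UEK configuration).
# CONFIG_OF_IRQ=y is included only to show the false match a bare grep gives.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_LOCALVERSION="-example"
CONFIG_ACPI=y
# CONFIG_OF is not set
CONFIG_OF_IRQ=y
# CONFIG_CRYPTO_USER_API_AEAD is not set
CONFIG_CRYPTO_USER_API_HASH=m
CONFIG_INET_ESP=m
EOF

# Options behind the advisories on this page: CONFIG_OF (of_modalias),
# CONFIG_CRYPTO_USER_API_AEAD (algif_aead), CONFIG_INET_ESP / CONFIG_INET6_ESP
# (esp4 / esp6), CONFIG_AF_RXRPC (rxrpc).
check_symbols "$SAMPLE_CONFIG" CONFIG_OF CONFIG_CRYPTO_USER_API_AEAD CONFIG_INET_ESP CONFIG_INET6_ESP CONFIG_AF_RXRPC

# On an appliance:
#   check_symbols "/boot/config-$(uname -r)" CONFIG_OF CONFIG_CRYPTO_USER_API_AEAD
```

A result of "absent" for a symbol that the kernel version should know about usually means the symbol name is wrong or the option is hidden by an unmet dependency, and is worth a second look before it is recorded as "not affected".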