What's New
Module 9 — Privilege Escalation (Kernel CVEs & Sudo Vectors)
A new ninth check category has been added to vulnScan.sh covering local privilege escalation (LPE) paths.
Kernel CVE Checks
| CVE | Name | Summary | Fixed In |
|---|---|---|---|
| CVE-2022-27666 | ESP Heap Overflow | Heap buffer overflow in IPsec esp4/esp6 — local LPE | kernel ≥ 5.16.15 |
| CVE-2026-31431 | Copy Fail | algif_aead page-cache write → overwrite setuid binaries | 6.18.22 / 6.19.12 / 7.0+ |
| CVE-2026-43284 | Dirty Frag ESP | Memory corruption in IPsec ESP fragmentation path | Per-LTS branch (5.10.255, 5.15.205, 6.1.171, 6.6.138, 6.12.87, 6.18.28, 7.0.5+) |
| CVE-2026-43500 | Dirty Frag rxrpc | Same class of bug in AF_RXRPC subsystem | 6.18.29+ / 7.0.6+ |
Each CVE check escalates WARN → FAIL when the relevant kernel module is actively loaded, and appends a verification note for RHEL-family kernels.
Sudo Auditing
- NOPASSWD detection — FAIL if any uncommented NOPASSWD entry exists in sudoers
- gtfobins scan — WARN for 20 binaries (vim, python, find, perl, bash, etc.) that allow shell escape when invoked via sudo
- Missing defaults — WARN if `env_reset` or `secure_path` is absent
Linux File Capabilities
- FAIL for `cap_setuid` / `cap_sys_admin` on any binary
- WARN for `cap_dac_override`, `cap_dac_read_search`, `cap_net_raw`, `cap_net_bind_service`
- Gracefully skipped if `getcap` is not installed
Other Changes
- Added `version_lt()` semver comparison helper (uses GNU `sort -V`)
- All prior module headers renumbered `1/8`–`8/8` → `1/9`–`8/9`
- CLAUDE.md and README.md updated to reflect 9 categories
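An added example (not vulnScan.sh's own code) showing how a `sort -V` based `version_lt()` and the WARN → FAIL grading rule from the Kernel CVE Checks section fit together, including the per-LTS-branch fix list used for the Dirty Frag entries. Function names, the argument layout and the module-loaded flag are assumptions; the fix list is taken from the table above.

```shell
#!/usr/bin/env bash
# Added example, not code from vulnScan.sh. Models a version_lt() helper on
# GNU sort -V plus a kernel-CVE grader that understands per-LTS-branch fixes.
# The module-loaded state is an argument rather than read from lsmod so it
# runs offline; assumed names, not the project's API.

# version_lt A B -> true when A sorts strictly before B under sort -V
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Reduce a uname -r string such as "5.15.0-91-generic" to "5.15.0"
kernel_base_version() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# Print the fix version whose major.minor branch matches RUNNING; FIXES is a
# space-separated list such as "5.10.255 5.15.205 6.1.171". Returns 1 when
# the running kernel's branch is not enumerated.
fix_for_branch() {
  local running_mm fix
  running_mm=$(printf '%s\n' "$1" | cut -d. -f1,2)
  for fix in $2; do
    if [ "$(printf '%s\n' "$fix" | cut -d. -f1,2)" = "$running_mm" ]; then
      echo "$fix"; return 0
    fi
  done
  return 1
}

# check_kernel_cve UNAME_R "FIXES" MODULE_LOADED(0|1) -> PASS | WARN | FAIL
# Below the branch fix is WARN, escalated to FAIL when the module is loaded.
# An unlisted branch is PASS only if newer than every listed fix ("7.0.5+"),
# otherwise WARN so it gets reviewed rather than silently passed.
check_kernel_cve() {
  local running fix highest
  running=$(kernel_base_version "$1")
  if ! fix=$(fix_for_branch "$running" "$2"); then
    highest=$(printf '%s\n' $2 | sort -V | tail -n1)
    if version_lt "$running" "$highest"; then echo WARN; else echo PASS; fi
    return 0
  fi
  if ! version_lt "$running" "$fix"; then
    echo PASS
  elif [ "$3" -eq 1 ]; then
    echo FAIL
  else
    echo WARN
  fi
}
```

Call it as `check_kernel_cve "$(uname -r)" "5.10.255 5.15.205 6.1.171 6.6.138 6.12.87 6.18.28 7.0.5" "$loaded"` with `loaded` set from `lsmod` in the real script.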