In February 2026, Linux distributions including Debian, Red Hat, OpenSUSE, and Ubuntu addressed more than 3080 vulnerabilities in their security advisories, of which more than 381 were newly disclosed during the month. Hotfixes and patches were released for the critical issues among them, affecting Linux systems worldwide.
These vulnerabilities span severity levels and impact categories from information disclosure and privilege escalation to remote code execution. HiveForce Labs has identified 10 of them as severe: each is either actively exploited in the wild or shows a high potential for successful exploitation, and each needs immediate attention from security teams and system administrators.
The vulnerabilities addressed in February 2026 support adversary tactics aligned with Initial Access, Execution, Persistence, Discovery, Resource Development, and Privilege Escalation. Two of the identified vulnerabilities were already under active exploitation as zero-days, which significantly raises organizational risk and calls for accelerated patch management and exposure reduction across Linux infrastructure. Organizations should upgrade affected systems to the patched versions and apply the compensating controls described below.
Linux Ecosystem Security Overhaul
The February 2026 Linux security cycle addressed critical vulnerabilities across multiple distributions and associated products: more than 3080 vulnerabilities in total, with over 381 flaws newly identified and remediated. They span high-impact categories including information disclosure, privilege escalation, and remote code execution. Of these, HiveForce Labs highlighted 10 critical vulnerabilities that are either actively exploited in the wild or assessed as highly likely to be weaponized in the near term.
Collectively, these vulnerabilities enable adversary tactics aligned with Initial Access, Execution, and Privilege Escalation. Two of them are already under active exploitation as zero-days, significantly elevating organizational risk and underscoring the need for accelerated Linux patch management and exposure reduction.
CVE-2026-24061: GNU InetUtils Authentication Bypass
CVE-2026-24061 affects the telnetd service in GNU InetUtils through version 2.7 and is a zero-day actively exploited in the wild. telnetd hands the client-supplied USER environment variable to login(1) without sanitizing it, so a remote client that sets USER to "-f root" has the value interpreted as login's -f option, which skips password authentication and yields an unauthenticated root shell on any Linux host exposing the service. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation.
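Telnet carries client environment variables in the NEW-ENVIRON option (RFC 1572), which is the channel the USER value described above travels over. The following is an added example, not GNU InetUtils code: a small parser for the client's NEW-ENVIRON suboption plus a check that flags a USER value login(1) would read as an option. The two sample byte strings are constructed for the example rather than captured from real traffic, and the detector's only assumption is the RFC 854/1572 encoding.

```python
# Added example (not GNU InetUtils code): parse the telnet NEW-ENVIRON
# suboption a client sends and flag a USER value that login(1) would read
# as an option, the "-f root" pattern of CVE-2026-24061.
# Protocol constants are from RFC 854 (IAC/SB/SE) and RFC 1572 (NEW-ENVIRON).
# The sample byte strings at the bottom are constructed, not captured.

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 39
IS = 0                        # client -> server: "here are my variables"
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def parse_new_environ(stream: bytes) -> dict:
    """Collect {name: value} from every IAC SB NEW-ENVIRON IS ... IAC SE
    suboption in a client-to-server byte stream; other telnet traffic is
    skipped. Names sent without a VALUE are recorded as None."""
    env, pos = {}, 0
    header = bytes([IAC, SB, NEW_ENVIRON, IS])
    while True:
        start = stream.find(header, pos)
        if start == -1:
            return env
        end = stream.find(bytes([IAC, SE]), start + len(header))
        if end == -1:
            return env            # truncated suboption: nothing more to parse
        env.update(_decode_pairs(stream[start + len(header):end]))
        pos = end + 2


def _decode_pairs(body: bytes) -> dict:
    """Split the body on VAR/USERVAR/VALUE markers, honouring ESC (the next
    byte is literal). IAC IAC doubling inside the body is not un-escaped."""
    tokens, marker, buf = [], None, bytearray()
    i = 0
    while i < len(body):
        b = body[i]
        if b == ESC and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR, VALUE):
            if marker is not None:
                tokens.append((marker, bytes(buf)))
            marker, buf = b, bytearray()
        else:
            buf.append(b)
        i += 1
    if marker is not None:
        tokens.append((marker, bytes(buf)))

    pairs, pending = {}, None
    for m, text in tokens:
        s = text.decode("latin-1")
        if m in (VAR, USERVAR):
            if pending is not None:
                pairs[pending] = None        # name with no VALUE following it
            pending = s
        elif pending is not None:            # VALUE attached to the open name
            pairs[pending] = s
            pending = None
    if pending is not None:
        pairs[pending] = None
    return pairs


def suspicious_user(env: dict) -> bool:
    """True when USER would be parsed as an option, or split into several
    arguments, by login(1): a leading '-' or embedded whitespace."""
    user = env.get("USER")
    if not user:
        return False
    return user.startswith("-") or any(c.isspace() for c in user)


def _envelope(*pairs) -> bytes:
    """Build a NEW-ENVIRON IS suboption from (name, value) byte pairs.
    Constructed sample data only."""
    body = b"".join(bytes([VAR]) + n + bytes([VALUE]) + v for n, v in pairs)
    return bytes([IAC, SB, NEW_ENVIRON, IS]) + body + bytes([IAC, SE])


BENIGN = _envelope((b"USER", b"alice"), (b"TERM", b"xterm"))
MALICIOUS = _envelope((b"USER", b"-f root"))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        env = parse_new_environ(sample)
        print(label, env, "FLAG" if suspicious_user(env) else "ok")
```

Run over the client side of a TCP/23 capture, the check gives a concrete exploitation indicator to hunt for while Telnet is still being decommissioned; a USER value beginning with "-" has no legitimate use.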
CVE-2026-2441: Google Chrome Use-After-Free Vulnerability
CVE-2026-2441 is a use-after-free in the CSS component of Google Chrome before version 145.0.7632.75 on Windows/macOS and before version 144.0.7559.75 on Linux. A crafted HTML page triggers the memory corruption in the Chromium rendering engine, letting a remote attacker execute arbitrary code inside the renderer sandbox. Google has confirmed exploitation in the wild, so Chrome on Linux should be updated immediately.
CVE-2007-4559: Python Directory Traversal Vulnerability
CVE-2007-4559, disclosed in 2007, keeps resurfacing because Python is present on nearly every Linux system. tarfile.extract() and tarfile.extractall() follow '..' sequences embedded in member names, so a crafted TAR archive can write files outside the destination directory and overwrite any file the extracting user can write. It carries a CVSS v3.1 score of 9.8 (Critical). Python 3.12 added extraction filters (PEP 706, also backported to the 3.8 through 3.11 maintenance releases): passing filter="data" to extractall() refuses such members, and Python 3.14 makes that filter the default. Code that calls extractall() without a filter on older interpreters, or with filter="fully_trusted", keeps the original behaviour, which is why the risk is repeatedly reintroduced wherever secure extraction is not enforced.
CVE-2023-51385: OpenSSH Command Injection Vulnerability
CVE-2023-51385 is a command injection vulnerability in the OpenSSH client. When a ProxyCommand directive expands %h or %r, ssh substituted the hostname or username into the command string and handed it to the shell without checking for shell metacharacters such as backticks, so an attacker who controls the hostname (the disclosure's example was a crafted git submodule URL) could run arbitrary commands on the client. OpenSSH 9.6 fixed it by refusing hostnames and usernames that contain shell metacharacters or begin with '-'. Public proof-of-concept exploits were released shortly after disclosure, raising the likelihood of real-world exploitation.
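Two things a practitioner wants here: the same vetting OpenSSH 9.6 applies, usable in any tool that builds ssh command lines from hostnames it did not choose, and a way to audit ssh_config files for ProxyCommand entries (the check also appears under the persistence guidance later on this page). The following is an added example, not OpenSSH code: hostname_is_safe() re-implements the 9.6 denylist, and proxycommand_findings() is a heuristic audit whose indicator list is this example's own. The hostnames and the config text are constructed samples.

```python
# Added example, not OpenSSH code. hostname_is_safe() re-implements the
# denylist OpenSSH 9.6 introduced in response to CVE-2023-51385 (reject a
# leading '-', shell metacharacters, whitespace and control characters);
# proxycommand_findings() is a heuristic audit of ssh_config text. The
# hostnames and the config below are constructed samples.
import re

SHELL_META = set("'`\"$\\;&<>|(){}")


def hostname_is_safe(host: str) -> bool:
    """Anything the shell could interpret is refused outright rather than
    escaped, because the name ends up inside 'sh -c'."""
    if not host or host.startswith("-"):
        return False
    for c in host:
        if c in SHELL_META or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F:
            return False
    return True


def ssh_argv(host: str, proxy: str = "ssh -W %h:%p jump.example") -> list:
    """Command line for ssh with a ProxyCommand that expands %h. Only a
    vetted host gets through; the list form keeps our own invocation
    shell-free, but ssh still runs the ProxyCommand via sh -c, which is
    where an unchecked %h was substituted on clients older than 9.6."""
    if not hostname_is_safe(host):
        raise ValueError(f"unsafe hostname rejected: {host!r}")
    return ["ssh", "-o", f"ProxyCommand={proxy}", host]


# Tokens that rarely belong in a legitimate proxy helper; a hit is a lead,
# not a verdict (this list is the example's own, not an OpenSSH feature).
INDICATORS = ("base64", "/dev/tcp", "curl ", "wget ", "| sh", "|sh", "sh -c")


def proxycommand_findings(config_text: str) -> list:
    """(host_pattern, command, reasons) for every ProxyCommand directive.
    Reasons: '%h/%r substitution' (an untrusted name reaches the shell on
    pre-9.6 clients) and 'suspicious token: ...' for INDICATORS hits.
    Handles the whitespace-separated 'Key value' form of ssh_config."""
    findings, host = [], "*"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            host = val
        elif key == "proxycommand":
            reasons = []
            if re.search(r"%[hr]", val):
                reasons.append("%h/%r substitution")
            reasons += [f"suspicious token: {t!r}" for t in INDICATORS if t in val]
            findings.append((host, val, reasons))
    return findings


SAMPLE_CONFIG = """\
# constructed sample ssh_config, not a real one
Host bastion
    HostName bastion.example.net
    ProxyCommand ssh -W %h:%p jump.example.net

Host *.corp.example
    ProxyCommand nc -X connect -x proxy.corp.example:8080 %h %p

Host *
    ProxyCommand sh -c "echo aGk= | base64 -d >/tmp/.x; nc %h %p"
"""

if __name__ == "__main__":
    for host in ("db01.example.net", "`id`.example.net", "-oProxyCommand=id"):
        print(f"{host!r:28} safe={hostname_is_safe(host)}")
    for host, cmd, reasons in proxycommand_findings(SAMPLE_CONFIG):
        print(f"Host {host}: {cmd}\n    {reasons or 'no findings'}")
```

The first two entries in the sample config are ordinary jump-host and proxy setups and are reported only because they expand %h; the third, a catch-all Host * entry that decodes and drops a file before proxying, is the shape of an attacker-planted entry. Run the audit against /etc/ssh/ssh_config and every user's ~/.ssh/config.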
CVE-2025-14009: NLTK Arbitrary Code Execution Vulnerability
CVE-2025-14009 affects the NLTK downloader in all versions of the nltk package, which is commonly deployed on Linux systems. Its _unzip_iter function calls zipfile.extractall() without validating member paths, so a malicious ZIP archive fed to the downloader can place files outside the intended directory, a path to arbitrary code execution on the host. Several Linux distributions have yet to ship a patched package, leaving dependent systems exposed, particularly in data science and research environments where NLTK is widely used.
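Both CVE-2007-4559 and the NLTK issue come down to extracting archive members without vetting where they will land. The following is an added example, not tarfile/zipfile API or NLTK code: one check that works for TAR and ZIP, refusing the whole archive if any member (or tar link target) resolves outside the destination, and a safe_extractall() that only writes after the check passes. The sample archives are built in memory for the demonstration; the helper names are this example's own.

```python
# Added example, not tarfile/zipfile API or NLTK code: vet every member of a
# TAR or ZIP archive against the destination directory before anything is
# written. The same check covers CVE-2007-4559 (tarfile.extractall() following
# '..' in member names) and the unvalidated zipfile.extractall() call
# described for NLTK's downloader. The sample archives are built in memory.
import io
import os
import tarfile
import tempfile
import zipfile


def _contained(dest: str, relpath: str) -> bool:
    """True if dest/relpath resolves to a location inside dest. realpath()
    collapses '..' and follows any symlink already present under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, target]) == root


def unsafe_members(archive: bytes, dest: str) -> list:
    """Names of members that would escape dest: absolute names, '..'
    traversal, and tar links whose target escapes."""
    bad, buf = [], io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for zi in zf.infolist():
                if os.path.isabs(zi.filename) or not _contained(dest, zi.filename):
                    bad.append(zi.filename)
        return bad
    buf.seek(0)
    with tarfile.open(fileobj=buf) as tf:
        for m in tf.getmembers():
            if os.path.isabs(m.name) or not _contained(dest, m.name):
                bad.append(m.name)
            elif m.issym() and not _contained(dest, os.path.join(os.path.dirname(m.name), m.linkname)):
                bad.append(m.name)       # symlink target is relative to the link's directory
            elif m.islnk() and not _contained(dest, m.linkname):
                bad.append(m.name)       # hard link target is relative to the archive root
    return bad


def safe_extractall(archive: bytes, dest: str) -> list:
    """Refuse the whole archive if any member is unsafe, so nothing at all is
    written for a hostile archive; otherwise extract and return the names."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing archive, members escape {dest!r}: {bad}")
    buf = io.BytesIO(archive)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            zf.extractall(dest)
            return zf.namelist()
    buf.seek(0)
    # Second line of defence where available: PEP 706 extraction filters
    # (Python 3.12+, backported to 3.8.17 / 3.9.17 / 3.10.12 / 3.11.4).
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=buf) as tf:
        tf.extractall(dest, **kwargs)
        return [m.name for m in tf.getmembers()]


def build_tar(entries) -> bytes:
    """In-memory tar from (name, content) pairs; constructed sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_zip(entries) -> bytes:
    """In-memory zip from (name, content) pairs; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


GOOD_TAR = build_tar([("pkg/README", b"hello\n")])
EVIL_TAR = build_tar([("pkg/README", b"hello\n"), ("../../escape.sh", b"#!/bin/sh\n")])
EVIL_ZIP = build_zip([("data/ok.txt", b"ok"), ("../../../etc/cron.d/job", b"* * * * * root true\n")])


def demo() -> dict:
    """Run the samples against a scratch directory; returns what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["good"] = safe_extractall(GOOD_TAR, d)
        out["readme_present"] = os.path.isfile(os.path.join(d, "pkg", "README"))
        for label, sample in (("evil_tar", EVIL_TAR), ("evil_zip", EVIL_ZIP)):
            try:
                safe_extractall(sample, d)
                out[label] = "EXTRACTED"
            except ValueError:
                out[label] = unsafe_members(sample, d)
        out["only_good_written"] = sorted(os.listdir(d)) == ["pkg"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One caveat on the ZIP side: zipfile's own extract() has silently stripped leading slashes and '..' components since Python 2.7.4/3.3.1, so a hostile ZIP name is rewritten rather than followed. This example rejects the archive instead, because a rewritten path still lands a file the ingestion pipeline never asked for, and because a library (such as the NLTK downloader) may post-process members by the name recorded in the archive.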
CVE-2025-65791: ZoneMinder Command Injection Vulnerability
CVE-2025-65791 affects ZoneMinder v1.36.34, where unsanitized user input is passed directly to exec() in web/views/image.php, resulting in command injection and a direct path to remote code execution on the host. Some Linux distributions are still pending patches, extending the exposure window for organizations running ZoneMinder.
CVE-2025-69872: DiskCache Unsafe Pickle Deserialization
CVE-2025-69872 concerns DiskCache (python-diskcache) through version 5.6.3, which uses Python's pickle module as its default serializer. pickle calls whatever callable a pickle stream names during loading, so an attacker who can write to the cache directory can plant a serialized object that executes arbitrary code the moment the application reads that entry back. The precondition is write access to the cache directory by another principal, which makes shared, group-writable, or world-writable cache locations the exposure to look for. Patch availability for this vulnerability remains inconsistent across distributions.
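The following is an added example, not DiskCache code, showing the mechanism and two stdlib-only mitigations that also apply to the general "no pickle in production" guidance later on this page: a payload that names a callable through __reduce__, a pickletools walk that lists which globals a blob would import without executing it, a restricted Unpickler that refuses everything outside a short allow-list, and a check that the cache directory is private to the current user. The payload is constructed here and is never passed to a plain pickle.loads().

```python
# Added example, not DiskCache code: why a pickle-backed cache directory that
# another principal can write to is a code-execution primitive
# (CVE-2025-69872), and two stdlib-only mitigations: a restricted Unpickler
# and a permission check on the cache directory. The hostile payload is
# constructed here and inspected, never loaded by plain pickle.loads().
import io
import os
import pickle
import pickletools
import stat
import tempfile


class Evil:
    """__reduce__ lets a pickle name any callable plus its arguments; a plain
    pickle.loads() would call os.system() with this string."""
    def __reduce__(self):
        return (os.system, ("echo pwned > /tmp/owned",))


EVIL_BLOB = pickle.dumps(Evil())                        # constructed payload
SAFE_BLOB = pickle.dumps({"user": "alice", "roles": {"ops", "dev"}, "hits": [1, 2]})


def referenced_globals(blob: bytes) -> list:
    """(module, name) pairs the pickle would import, found by walking opcodes
    with pickletools instead of executing anything. Naive about memo
    references (BINGET) to a previously saved module/name string."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(blob):
        if op.name == "GLOBAL":                         # protocol <= 3: "module name"
            mod, name = arg.split(" ", 1)
            found.append((mod, name))
        elif op.name == "STACK_GLOBAL":                 # protocol 4+: two preceding strings
            found.append((strings[-2], strings[-1]))
        if isinstance(arg, str):
            strings.append(arg)
    return found


# Only plain data containers may be rebuilt from a cache entry.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytearray"),
                ("datetime", "datetime"), ("decimal", "Decimal")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def cache_dir_is_private(path: str) -> bool:
    """The precondition of the attack is another writer in the cache
    directory: require that we own it and nobody else can write to it."""
    st = os.stat(path)
    return st.st_uid == os.getuid() and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    out = {"evil_references": referenced_globals(EVIL_BLOB),
           "safe_roundtrip": restricted_loads(SAFE_BLOB)}
    try:
        restricted_loads(EVIL_BLOB)
        out["evil_blocked"] = False
    except pickle.UnpicklingError:
        out["evil_blocked"] = True
    out["payload_never_ran"] = not os.path.exists("/tmp/owned")
    with tempfile.TemporaryDirectory() as d:            # created mode 0o700
        out["private_ok"] = cache_dir_is_private(d)
        os.chmod(d, 0o777)
        out["world_writable_ok"] = cache_dir_is_private(d)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A restricted unpickler limits the damage of a tampered entry but does not remove the trust problem; the cleaner fix is a serializer that cannot name code at all. DiskCache's documentation describes a JSON-based Disk class (JSONDisk) as an alternative to the default pickle-based one, and JSON is the right default for any cache whose directory is not exclusively owned by the process writing it.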
CVE-2025-15467: OpenSSL Stack Buffer Overflow Vulnerability
CVE-2025-15467 is a stack buffer overflow in OpenSSL. It can be triggered over the network and may lead to code execution, so affected OpenSSL packages should be updated as soon as the distributions ship fixes, and any application that bundles its own OpenSSL build should be rebuilt.
CVE-2026-27475: SPIP Insecure Deserialization Vulnerability
CVE-2026-27475 is an insecure deserialization vulnerability in the SPIP content management system. It can be triggered over the network and leads to code execution on the web server, making it a significant threat to Linux servers running SPIP.
CVE-2025-40778: BIND 9 Cache Poisoning Vulnerability
CVE-2025-40778 affects BIND 9 resolvers, which accepted unsolicited resource records in responses and cached them. An attacker who can get such records into a response can poison the cache and redirect clients to attacker-controlled servers.
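The defence against unsolicited records is the bailiwick rule: a resolver caches nothing from a response whose owner name is not at or below the zone the answering server is authoritative for. The following is an added example, not BIND code, that applies that rule to a toy record model; the response is constructed, and real resolvers additionally check that answer records match the question asked, which this example omits.

```python
# Added example, not BIND code: the bailiwick rule a resolver applies to a
# response before caching anything. Records whose owner name is not at or
# below the zone the responding server is authoritative for are unsolicited
# and must be dropped; accepting them is the cache-poisoning avenue behind
# CVE-2025-40778. The record model and the sample response are constructed.
from collections import namedtuple

# section is one of answer / authority / additional
RR = namedtuple("RR", "section owner rtype rdata")


def _canon(name: str) -> str:
    """Lower-case, strip the trailing dot; the root zone becomes ''."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """owner is zone itself or a descendant of it. The '.' prefix stops
    'notexample.com' from matching 'example.com'; root ('' or '.') is a
    parent of everything."""
    o, z = _canon(owner), _canon(zone)
    return z == "" or o == z or o.endswith("." + z)


def filter_response(records, bailiwick: str):
    """Split a response into (accepted, rejected) by the bailiwick rule,
    applied to every section. Nothing in 'rejected' may enter the cache."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.owner, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed response from a server authoritative for example.com,
# answering a query for www.example.com A.
RESPONSE = [
    RR("answer", "www.example.com.", "A", "192.0.2.10"),
    RR("authority", "example.com.", "NS", "ns1.example.com."),
    RR("additional", "ns1.example.com.", "A", "192.0.2.53"),
    # Unsolicited records an attacker would like the resolver to cache:
    RR("additional", "login.bank.example.", "A", "203.0.113.7"),
    RR("additional", "notexample.com.", "A", "203.0.113.8"),
    RR("additional", "EXAMPLE.com.evil.test.", "A", "203.0.113.9"),
]

if __name__ == "__main__":
    ok, dropped = filter_response(RESPONSE, "example.com")
    for rr in ok:
        print("cache  ", rr.section, rr.owner, rr.rtype, rr.rdata)
    for rr in dropped:
        print("DROP   ", rr.section, rr.owner, rr.rtype, rr.rdata)
```

The three dropped records show the cases that matter: a record for an unrelated zone, a name that merely ends with the zone's label string, and a name that embeds the zone as a prefix. Only exact-suffix matching on label boundaries, after case folding, keeps all three out.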
Eliminate High-Risk Legacy Services
Decommission Telnet immediately and replace it with hardened SSH configurations. Block inbound Telnet (TCP/23) at perimeter firewalls and internal segmentation gateways. Where GNU InetUtils must remain installed, enforce a secure configuration baseline for it across all distributions.
Aggressive Patch and Version Governance
Automate patch orchestration across Debian, Red Hat, OpenSUSE, and Ubuntu. Track third-party components separately from distribution packages, including Python modules, NLTK, DiskCache, ZoneMinder, and OpenSSH clients. Enforce browser version compliance so that vulnerable Chrome builds cannot remain in use.
Restrict Privilege and Execution Surfaces
Apply least privilege to services and applications. Disable direct root login wherever possible. Restrict write permissions on cache directories and system-critical paths so that deserialization flaws such as the DiskCache one cannot be reached by an unprivileged writer.
Archive and File Handling Governance
Do not automatically extract untrusted TAR/ZIP archives. Validate content and sandbox file-ingestion workflows. Verify checksums and signatures of downloaded packages before installing them.
Harden Development and Application Security Practices
Prohibit unsafe deserialization, including Python pickle, in production contexts. Replace bare extractall() calls with extraction logic that validates and sanitizes member paths. Validate and sanitize all user-controlled input before it reaches exec() or any other shell context. Enforce these guardrails with SAST/DAST and dependency scanning.
Immediate Containment
Isolate affected systems from the network. Disable compromised accounts and rotate credentials. Remove exposed Telnet services immediately.
Credential and Key Hygiene
Rotate SSH keys across affected infrastructure. Reset passwords for potentially impacted users. Revoke API tokens and service credentials of compromised applications.
Persistence and Lateral Movement Checks
Look for newly created administrative users. Identify scheduled tasks, cron jobs, or system services added after the suspected compromise. Audit SSH client configurations for unexpected ProxyCommand entries. Monitor for unusual east-west traffic between hosts.
References
https://lore.kernel.org/linux-cve-announce/
https://github.com/leonov-av/linux-patch-wednesday
https://www.debian.org/security/#DSAS
https://lists.ubuntu.com/archives/ubuntu-security-announce/
https://access.redhat.com/security/security-updates/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/