
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Thursday, June 4, 2026  ·  hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
High — RCE, Public Exploit Chain · Cloud+DevOps · Dev
An autonomous AI tool found a two-year-old RCE hiding in Redis — CVE-2026-23479 puts the cloud’s most common datastore at risk
The flaw is a use-after-free in Redis’s client-unblock path that an authenticated user can turn into remote code execution; Redis patched it May 5, but most cloud instances run without a password, where the default account already holds every privilege the exploit needs.

CVE-2026-23479 is notable for who found it: Xint Code, an autonomous AI tool built by Theori to hunt bugs in large codebases, surfaced a flaw that sat in every stable Redis branch for over two years. NVD rates it 8.8. The bug is a use-after-free in unblockClientOnKey(): when a key event wakes a blocked command, Redis re-runs the command, frees the client structure, then keeps using the freed pointer — a chain an authenticated user can drive to remote code execution. The Hacker News → Redis Advisory →

Exploitation needs an authenticated session, which sounds limiting until you look at how Redis is deployed. Wiz finds it in a large majority of cloud environments, most running with no password at all, where the default user already holds every privilege the exploit requires. Redis reports no evidence of exploitation, but it published the full technical chain on May 5, so the window is open. NVD →

→ Key Takeaway
An AI tool surfaced a critical Redis RCE that evaded human review for two years, and the full exploit chain is now public — the patch landed May 5, but the exposure is the large fleet of passwordless cloud Redis instances that have not updated. Because the default account carries every privilege the chain needs, a passwordless instance is effectively unauthenticated against this exploit. Action: Ask your platform and cloud teams to inventory every Redis instance, confirm each is on a patched release and requires authentication, and verify none are reachable from the public internet.
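The action item above reduces to two facts per instance: does an unauthenticated PING get through, and what does INFO report as redis_version. The following script is an added example, not code from the newsletter or from Redis: it classifies an instance from those two raw RESP replies. It assumes you have already captured them (with redis-cli or a socket) and that you fill the patched-version floor per release series from the Redis advisory, since the newsletter gives the patch date but not the fixed version numbers; the floor table and sample replies below are constructed placeholders.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple


class RedisPosture(NamedTuple):
    requires_auth: bool
    version: Optional[str]
    patched: Optional[bool]  # None when the version or its series floor is unknown
    verdict: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.2.4' -> (7, 2, 4); stops at the first non-numeric component ('7.2.4-rc1' -> (7, 2, 4))."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def redis_version_from_info(info_reply: str) -> Optional[str]:
    """Pull redis_version out of a raw INFO reply (RESP bulk string framing is ignored)."""
    m = re.search(r"^redis_version:([^\r\n]+)", info_reply, re.M)
    return m.group(1).strip() if m else None


def classify(ping_reply: str, info_reply: str, patched_floor: Dict[str, str]) -> RedisPosture:
    # Redis answers any command from an unauthenticated client with -NOAUTH when
    # requirepass or ACLs are configured; a bare +PONG means the default user is open.
    requires_auth = ping_reply.startswith("-NOAUTH")
    version = redis_version_from_info(info_reply)
    patched = None
    if version:
        v = parse_version(version)
        series = ".".join(str(x) for x in v[:2])
        if series in patched_floor:
            patched = v >= parse_version(patched_floor[series])
    if not requires_auth:
        if patched is True:
            verdict = "medium: patched but passwordless; default user holds every privilege, enable auth"
        elif patched is False:
            verdict = "critical: passwordless and unpatched"
        else:
            verdict = "high: passwordless, version not in floor table; treat as unpatched"
    else:
        if patched is False:
            verdict = "high: auth required but unpatched; any authenticated user can reach the bug"
        elif patched is None:
            verdict = "verify: auth required, version unknown; re-run INFO with credentials"
        else:
            verdict = "ok: auth required and patched"
    return RedisPosture(requires_auth, version, patched, verdict)


# Placeholder floor: replace each value with the first fixed release for that
# series from the Redis advisory. "7.2.999" is deliberately not a real version.
PATCHED_FLOOR_PLACEHOLDER: Dict[str, str] = {"7.2": "7.2.999"}

# Constructed sample replies (not captured from a real host).
PING_OPEN = "+PONG\r\n"
PING_AUTH = "-NOAUTH Authentication required.\r\n"
INFO_OPEN = "$54\r\n# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n\r\n"

if __name__ == "__main__":
    for label, ping, info in (("open", PING_OPEN, INFO_OPEN), ("auth", PING_AUTH, PING_AUTH)):
        print(label, classify(ping, info, PATCHED_FLOOR_PLACEHOLDER))
```

Run it against the replies from each instance in your inventory; anything that comes back "critical" or "high" is the passwordless fleet the takeaway describes, regardless of whether the host is internet-reachable.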
Quick Hits
01
A Leftover Debug Flag Let Any Android App Steal Microsoft 365 Tokens From Word, Excel, and Copilot

Researchers at Enclave detailed FlagLeft, a flaw in six Microsoft 365 Android apps where a debug flag left enabled in a shared SDK disabled the verification on Microsoft’s FOCI token-sharing system. Any other app on the same device could then silently request and receive long-lived Microsoft tokens — no prompt, no consent — granting access to the user’s email, files, and calendar. Microsoft assigned four CVEs (CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, and CVE-2026-42832, CVSS up to 7.7) and shipped fixes; update Word, Excel, PowerPoint, Microsoft 365 Copilot, Loop, and OneNote from Google Play, and treat any device that ran the older builds as a token-exposure risk. The Hacker News → SecurityWeek →

High — Patch Available · Enterprise · IT Ops
CVE Watch
CVE-2022-0492 (Linux Kernel cgroups): A 2022 Container-Escape Flaw Added to CISA KEV After In-the-Wild Exploitation

CVE-2022-0492 is a privilege-escalation flaw in the Linux kernel’s cgroups v1 release_agent feature: because the kernel does not properly check permissions on the cgroup_release_agent_write path, a local user with the right capabilities can run code as root on the host and break out of a container. CISA added it to the Known Exploited Vulnerabilities catalogue on June 2, 2026, confirming active exploitation, though no public reporting yet details the in-the-wild method or actor. The kernel fix has shipped since 2022 — for example 5.16.6, plus the backported 5.15.20, 5.10.97, and 5.4.177 — so the systems still at risk are legacy, embedded, or container hosts running unpatched cgroups v1 kernels. Apply a patched kernel, prefer cgroups v2, and drop CAP_SYS_ADMIN from containers that do not need it. NVD → Bleeping Computer →

Vendor: Linux Kernel  ·  CVE: CVE-2022-0492  ·  CVSS: 7.8 (NVD CVSS 3.1)  ·  Attack Vector: Local (privilege escalation / container escape, cgroups v1)  ·  Affected: Linux kernel through 5.16.5 using cgroups v1  ·  Fix: Patched kernels (5.16.6, 5.15.20, 5.10.97, 5.4.177, and others)  ·  Status: Active exploitation confirmed (CISA KEV, June 2, 2026); in-the-wild method not publicly reported
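The three conditions the item names (an unpatched cgroups v1 kernel, a v1 hierarchy mounted, CAP_SYS_ADMIN held) can be checked from a host or from inside a container. The script below is an added example, not code from the newsletter or the kernel project: it compares the kernel release against the fix versions listed above (5.16.6, 5.15.20, 5.10.97, 5.4.177), looks for cgroup v1 mounts in /proc/mounts, and tests the CAP_SYS_ADMIN bit in the CapEff mask from /proc/self/status. Treating 5.17 and later as unaffected follows from the "through 5.16.5" range in the item; distribution kernels that backport the fix under other version numbers come back as "unknown" and need a vendor check. The sample /proc contents are constructed.

```python
import re
from typing import Dict, Tuple

# First fixed release in each stable series, as listed in the CVE Watch item.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 16): (5, 16, 6),
    (5, 15): (5, 15, 20),
    (5, 10): (5, 10, 97),
    (5, 4): (5, 4, 177),
}
CAP_SYS_ADMIN_BIT = 21  # bit index of CAP_SYS_ADMIN in the capability mask (linux/capability.h)


def parse_kernel(release: str) -> Tuple[int, int, int]:
    """'5.10.96-generic' -> (5, 10, 96); the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_status(release: str) -> str:
    v = parse_kernel(release)
    if v >= (5, 17, 0):
        return "not affected"  # the item lists kernels through 5.16.5 as affected
    series = v[:2]
    if series not in FIXED_IN:
        return "unknown"  # other series: rely on vendor backport notes
    return "patched" if v >= FIXED_IN[series] else "vulnerable"


def cgroup_v1_mounted(mounts_text: str) -> bool:
    """True if any /proc/mounts line is a cgroup v1 mount (fstype 'cgroup', not 'cgroup2')."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            return True
    return False


def has_cap_sys_admin(status_text: str) -> bool:
    """Read CapEff from /proc/<pid>/status text and test the CAP_SYS_ADMIN bit."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        return False
    return bool((int(m.group(1), 16) >> CAP_SYS_ADMIN_BIT) & 1)


def assess(release: str, mounts_text: str, status_text: str) -> dict:
    """Combine the three checks into one verdict for this host or container context."""
    ks = kernel_status(release)
    v1 = cgroup_v1_mounted(mounts_text)
    admin = has_cap_sys_admin(status_text)
    if ks in ("patched", "not affected"):
        verdict = "ok: kernel carries the fix"
    elif not v1:
        verdict = "reduced: no cgroups v1 mount visible; still patch"
    elif not admin:
        verdict = "reduced: CAP_SYS_ADMIN not held here; still patch"
    else:
        verdict = "exposed: unpatched kernel, cgroups v1 mounted, CAP_SYS_ADMIN held"
    return {"kernel": ks, "cgroup_v1": v1, "cap_sys_admin": admin, "verdict": verdict}


# Constructed sample /proc contents (not captured from a real host).
SAMPLE_MOUNTS_V1 = "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0\n"
SAMPLE_MOUNTS_V2 = "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_STATUS_FULL = "Name:\tbash\nCapEff:\t000001ffffffffff\n"      # full capability set
SAMPLE_STATUS_DROPPED = "Name:\tbash\nCapEff:\t00000000a80425fb\n"   # mask without bit 21

if __name__ == "__main__":
    import platform
    try:
        with open("/proc/mounts") as f:
            mounts = f.read()
        with open("/proc/self/status") as f:
            status = f.read()
        print(assess(platform.release(), mounts, status))
    except OSError:  # non-Linux host: show the constructed samples instead
        print(assess("5.10.96-generic", SAMPLE_MOUNTS_V1, SAMPLE_STATUS_FULL))
```

Inside a container the script reports what that container's process can see and hold, which is the view that matters for the escape; on the host it tells you whether a v1 hierarchy is still mounted at all, which is the cue to move to cgroups v2.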
Compliance Tip of the Day
NIST CSF 2.0 — GV.RM-02 — Govern: Risk Management Strategy
Does Your Risk Tolerance Actually Permit Passwordless Cloud Data Stores?

NIST CSF 2.0 GV.RM-02 requires that “Risk appetite and risk tolerance statements are established, communicated, and maintained” — and the Redis exposure is a risk-tolerance question, not only a patching one: a fleet of internet-reachable, passwordless data stores is a posture an organization either tolerates or does not. Writing that tolerance down forces the decision into the open, where a board can see it and a platform team can enforce it. Action: Confirm your risk tolerance statement explicitly addresses unauthenticated, internet-reachable data and cache services, and have your cloud team produce a list of any that breach it. NIST CSF 2.0 reference: csf.tools/gv-rm-02 →

On Our Radar

UEFI Secure Boot KEK certificate expiry — June 24, 2026 (20 days): Microsoft’s Corporation KEK CA 2011 expires June 24; the UEFI CA 2011 follows June 27; the Windows Production PCA 2011 expires October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
