Cisco SD-WAN: CVE-2026-20182 Added to KEV

On May 14, 2026, CISA officially added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog. This critical authentication bypass flaw affects Cisco Catalyst SD-WAN Controllers and Managers.

  • CVSS Score: 10.0 (Critical)

  • The Flaw: A logic error in the peering authentication mechanism during the control connection handshake.

  • Impact: A remote, unauthenticated attacker can bypass authentication to gain administrative privileges (though technically non-root). This allows access to NETCONF, giving the attacker full control to manipulate network configurations across the entire SD-WAN fabric.

  • Active Exploitation: A sophisticated threat actor, tracked as UAT-8616, has been observed exploiting this as a zero-day. They often use this access to inject SSH keys for persistence or perform software downgrades to trigger older, unpatched vulnerabilities (like CVE-2022-20775) to escalate to root.

  • Deadline: CISA has set a strict remediation deadline of May 17, 2026, for federal agencies.


Linux Kernel: The “Fragnesia” Vulnerability

While Cisco dealt with edge security, a new Linux kernel threat dubbed Fragnesia (CVE-2026-46300) was disclosed on May 13, 2026. It is the third major Local Privilege Escalation (LPE) bug identified in the kernel within a two-week window, following “Copy Fail” and “Dirty Frag.”

Technical Breakdown

Fragnesia resides in the kernel’s XFRM ESP-in-TCP subsystem. It is a logic bug that allows an unprivileged local user to achieve a “deterministic page-cache corruption primitive.”

  1. The Trigger: An attacker uses splice() to move file-backed data into a TCP stream.

  2. The Flaw: By switching the socket to espintcp mode, a bug in skb_try_coalesce() causes the kernel to treat read-only file pages as ciphertext.

  3. The Exploit: The kernel decrypts this “ciphertext” in place, allowing the attacker to write arbitrary bytes directly into the memory (page cache) of sensitive files like /usr/bin/su.

  4. The Result: The attacker overwrites the cached version of su with a payload that grants a root shell. Because only the memory cache is changed and not the disk, traditional file integrity checkers (like AIDE or Tripwire) may not detect it.

Comparison of Recent Linux LPEs

Vulnerability   CVE ID           Primary Mechanism                     Key Characteristic
Copy Fail       CVE-2026-43200   Improper handling of copy_from_user   Exploits memory management flaws.
Dirty Frag      CVE-2026-43284   XFRM ESP Page-Cache Write             Requires specific race conditions.
Fragnesia       CVE-2026-46300   XFRM ESP-in-TCP Logic Bug             Deterministic; no race condition required.

Mitigations and Market Activity

  • Immediate Action: For those unable to patch Linux kernels immediately, the recommended mitigation is to disable and blacklist the esp4, esp6, and rxrpc modules.

  • Cybercrime Activity: Parallel to these disclosures, a threat actor named “berz0k” has been seen on forums selling a separate zero-day Linux LPE for $170,000. While that exploit is reportedly TOCTOU-based (Time-of-Check Time-of-Use), it highlights the high demand and high stakes for stable Linux root exploits in the current threat environment.
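As an added example that is not part of the original article, the following POSIX shell script applies the module mitigation above (a modprobe.d drop-in for esp4, esp6 and rxrpc) and reports whether any of those modules are already resident, since a blacklist only stops future loads. The function names, the drop-in path and the sample /proc/modules lines are this example's own assumptions.

```shell
# Added example, not from the original article: block the esp4, esp6 and
# rxrpc modules the mitigation names, and report any that are already
# loaded (a blacklist only prevents future loads; a resident module stays
# until it is removed or the host reboots). Function names and the
# drop-in path are this example's own choices.
BLOCKED_MODULES="esp4 esp6 rxrpc"

# Emit modprobe.d content. "blacklist" stops alias-based autoloading;
# "install ... /bin/false" also defeats an explicit modprobe of the name.
blocked_modules_conf() {
  for m in $BLOCKED_MODULES; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done
}

# Write the drop-in. $1 overrides the destination; the default path needs root.
# Caveat: esp4/esp6 carry IPsec ESP, so a host that terminates IPsec loses it.
write_blocked_modules_conf() {
  dest="${1:-/etc/modprobe.d/block-esp-rxrpc.conf}"
  blocked_modules_conf > "$dest"
}

# Read /proc/modules text on stdin (first field is the module name) and
# print the blocked modules that are currently loaded, one per line.
loaded_blocked_modules() {
  awk -v list="$BLOCKED_MODULES" '
    BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
    ($1 in w) { print $1 }'
}

# Constructed /proc/modules sample (not captured from a real host).
SAMPLE_PROC_MODULES='esp4 24576 0 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
rxrpc 724992 0 - Live 0xffffffffc0900000
ext4 876544 1 - Live 0xffffffffc0500000'

# Demonstration against the constructed sample; on a real host pipe the
# live file in instead:  loaded_blocked_modules < /proc/modules
echo "--- drop-in content ---"
blocked_modules_conf
echo "--- blocked modules loaded in sample ---"
printf '%s\n' "$SAMPLE_PROC_MODULES" | loaded_blocked_modules
```

Any module the check reports must still be unloaded (or the host rebooted) after the drop-in is written, because modprobe.d settings do not affect modules that are already in memory.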
