Security Digest – July 9

We patched a few things on our servers this week — including three serious Linux kernel bugs and a cPanel fix. Here’s the quick version of what happened and why it mattered.

The Kernel Bugs

GhostLock (CVE-2026-43499) — Disclosed July 7, this one let any local process jump straight to root by exploiting a flaw in how the kernel handles futex locks. Working exploit code was public within hours, and researchers say it got a root shell in about 5 seconds. On a shared server, that’s scary — it means a single hacked WordPress plugin could turn into a fully owned box.

Januscape (CVE-2026-53359) — A 16-year-old bug in KVM (the tech behind virtual machines) that let a VM “escape” and mess with the host it’s running on. If you run anything virtualized, this is the kind of bug that breaks the wall between tenants — which is the whole point of virtualization.

Bad Epoll (CVE-2026-46242) — Disclosed July 1, this is a race-condition bug in epoll, the thing basically every web server (nginx, Apache, Node, you name it) uses to juggle connections. Any local user could exploit it to become root. Can’t be turned off, so patching was the only real fix.

All three are now patched across our infrastructure.

The cPanel Fix

We also updated cPanel & WHM to build 11.134.0.44, which patches a File Manager bug (cPanel’s writeup here). Basically, File Manager was letting users follow symlinks to files they shouldn’t be able to see — stuff they’d be blocked from over SSH, sometimes including other users’ home directories depending on permissions. That’s fixed now.

As always, please do not hesitate to reach out if you have any questions or concerns.

Leave a Reply