Two critical security issues related to hosting and servers.

ukwebhosting wrote:

Hi,

Over the last few days there have been 2 critical security issues around hosting and Linux.

The first is one for cPanel & WHM and is rated 9.8 Critical as it allows unauthenticated root-level access to the control panel.

If you run or have hosting on a cPanel server, check with your host that they have updated to a patched version of the cPanel tier they are running.

The second affects every mainstream version of Linux since 2017!

It can be exploited fairly easily to gain root access to an affected server.

Again, if you run a Linux server or have hosting on one, you should check with your provider if they have mitigated against this exploit (there are some fixes coming online but mainly mitigations at this point).

Both pretty serious and I am sure most hosts have it under control/in hand, but by the law of averages some will not, so better to be safe than sorry!

Paul

ctrlbrk wrote:

Thanks @ukwebhosting.

Trying to read into this:

> By chaining an AF_ALG socket operation with splice(), an unprivileged local user can perform a controlled 4-byte write to an arbitrary page-cache-backed page, targeting a setuid binary such as /usr/bin/su to obtain a root shell [1].

"Unprivileged local user": doesn't this mean that someone would have to gain access to the server first, to be able to then attempt the exploit?

ukwebhosting wrote:

> Thanks @ukwebhosting.
>
> Trying to read into this:
>
> "Unprivileged local user": doesn't this mean that someone would have to gain access to the server first, to be able to then attempt the exploit?

Hi

Yes it does indeed.

A good example would be an exploited WordPress site or any of the others etc., or simply a bad actor purchasing a hosting package to gain that access.

But once they have that access it is relatively easy to exploit and elevate to a privileged user.

Thanks

Paul

ukwebhosting wrote:

> Just so I'm clear, the examples you mentioned here would apply to a shared hosting instance?
>
> By that I mean, these examples would not apply to, say, a VPS scenario, would they?

The WHM/cPanel one applies if you're running cPanel/WHM on any server, including a VPS.

For this you do not need to get access to the server first; there are some nuances etc., however it is broken down here https://labs.watchtowr.com/the-inte...nel-whm-authentication-bypass-cve-2026-41940/

And if you have a VPS and it runs cPanel/WHM then you absolutely can be exploited if not updated to a patched version; the only difference is a shared hosting server would just be running many more sites, so it's all down to the amount of damage.

For the second Linux kernel issue, you would need access to a Linux server first, but as mentioned that could be by an exploited WordPress site or any of the others etc., or simply a bad actor purchasing a hosting package to gain that access.

This one also applies to a VPS.

And that is a relatively easy exploit once you have that.

Are you running Linux? And what flavour?

Thanks

Paul

ctrlbrk wrote:

> For the second Linux kernel issue then you would need access to a Linux server first but as mentioned that could be by an exploited Wordpress site or any of the others etc or simply a bad actor purchasing a hosting package to gain that access.
>
> This one also applies to a VPS
>
> And that is a relatively easy exploit once you have that.
>
> Are you running Linux? and what flavour?

Yes, I do have a Debian VPS.

I do understand your exploited WordPress site example, but I struggle to understand the bad actor purchasing a hosting package: they would still need to gain local access to the server first, wouldn't they? And how would that be accomplished?

Thanks.

ukwebhosting wrote:

> Yes, I do have a debian VPS.
>
> I do understand your exploited Wordpress site example, but I struggle to understand the bad actor purchasing a hosting package - they would still need to gain local access to the server first wouldn't they? And how would that be accomplished?
>
> Thanks.

This probably explains it best https://copy.fail/

However, briefly, it just needs a normal unprivileged user like every hosting account would receive, for example, hence the bad actor vector if you like.

Thanks

Paul

fisicx (Moderator) wrote:

How does a compromised WP site give you root access to the server?

I can sort of see how they could gain access to the cPanel of that site but not the server root.

ukwebhosting wrote:

> How does a compromised WP site give you root access to the server?
>
> I can sort of see how they could gain access to the cPanel of that site but not the server root.

It's less at that point related to WordPress, as that is just a way to upload a shell script, for example, or any manner of other bits and pieces.

After that WordPress is irrelevant; it's just an open window into the files etc., so to speak.

Which then allows the exploit to be used, which gives you root access.

A proof of concept is here https://copy.fail/

It could be WordPress, Zen Cart, Joomla etc. etc.; basically usually one that has not been kept up to date and something they are using has an active vulnerability.

Thanks

Paul