CVE Status & Mitigation
Overview
Swivel Secure appliances are built on an Enterprise Linux foundation (Oracle Linux). To ensure stability, our operating system vendor utilizes backporting for security patches.
This means security fixes are applied to the existing software version without changing its upstream version number; only the package release field moves. Consequently, automated vulnerability scanners that rely solely on version-number comparison (e.g., Nessus, Qualys, Rapid7) often report false positives: the scanner sees the old version string, not the backported fix.
This document lists specific vulnerabilities that may flag on your scanners, providing evidence of mitigation or explanation of why the appliance is not affected.
Note
If you identify a vulnerability on your appliance that is not listed here, please contact Swivel Secure Support for analysis.
Known False Positives & Mitigations
DirtyFrag — CVE-2026-43284 / CVE-2026-43500
Relevant CVEs: CVE-2026-43284, CVE-2026-43500
Scanner Status: High (Local Privilege Escalation)
Appliance Status: Not Affected (current release)
Description
DirtyFrag is a pair of Linux kernel local privilege escalation vulnerabilities discovered in May 2026. CVE-2026-43284 affects the IPsec ESP subsystem (esp4/esp6 modules) and CVE-2026-43500 affects the RxRPC subsystem.
By exploiting how in-place decryption operates over pipe-backed pages via splice() or sendfile(), an unprivileged local user can obtain a write primitive into the kernel page cache and escalate privileges to root.
The vulnerability cannot be triggered remotely. An active shell session on the host machine as a non-root user is required before any exploit attempt can be made.
Why the Appliance is Not Affected
Current AuthControl Sentry appliances running Oracle Linux 9 are not affected for two independent reasons, either of which is sufficient to prevent exploitation:
1. The kernel is below the confirmed vulnerable range. Appliances currently ship with Oracle Unbreakable Enterprise Kernel R7 (the 5.15.0 branch). DirtyFrag has been confirmed exploitable on mainline kernel 6.12.0 and above, and the UEK R7 branch predates the specific code paths targeted by the published proof-of-concept exploits.
2. The vulnerable kernel modules are not loaded. The esp4, esp6 and rxrpc modules, which contain the vulnerable code, are not loaded on Swivel appliances. The appliance uses neither IPsec nor RxRPC, so nothing activates these modules at runtime.
Of the two, the second is the stronger guarantee, since a version-range argument holds only for the affected range as published at the time of writing. Note that "not loaded" is a weaker property than "not present": a module that exists on disk can be loaded on demand the first time something asks for it (opening an AF_RXRPC socket, for example, makes the kernel request the rxrpc module), so a complete check confirms that the modules are absent from the module directory or blocked in the modprobe configuration, not merely that lsmod does not list them.
Contextual Risk Assessment
Even without the mitigations above, the practical risk to customers is low. DirtyFrag needs an unprivileged shell on the host as its starting point, and AuthControl Sentry appliances do not expose general-purpose shell accounts to end users. Administrative SSH access is restricted to authorised personnel using username and password credentials, and that level of access already carries full system privileges, so a privilege-escalation exploit via this route gains an attacker nothing they would not already have.
Verification
Customers can confirm their appliance is running an unaffected kernel via the CMI main menu by selecting Version Information. On current CMI releases this shows a Kernel Version field; on older CMI releases the equivalent field may be labelled OS Version.
A value beginning with 5.15 confirms the appliance is running UEK R7 and is outside the confirmed vulnerable kernel range.
Note
Legacy CentOS 6 and CentOS 7 appliances (both EOL) run kernel versions in the 2.6.x–3.10.x range, which also predate the vulnerable code paths and do not load the relevant modules. No patches will be issued for EOL platforms; the exploitability assessment is the same as above and no customer action is required on those platforms either.
Copy Fail – CVE-2026-31431
Relevant CVEs: CVE-2026-31431
Scanner Status: High (Local Privilege Escalation)
Appliance Status: Not Affected
Description
Copy Fail is a Linux kernel local privilege escalation vulnerability disclosed in April 2026. It is a logic bug in the authencesn cryptographic template (the AEAD construction used for ESP with extended sequence numbers), reached from user space through the kernel's algif_aead module, the AEAD socket interface of the userspace crypto API (AF_ALG).
By exploiting the flaw, an unprivileged local user can trigger a deterministic 4-byte write into the page cache of any readable file on the system, including setuid binaries, and escalate privileges to root. Unlike many kernel exploits, Copy Fail does not depend on winning a race condition and can be triggered reliably. A 732-byte proof-of-concept exploit has been published that achieves root on a wide range of Linux distributions.
The vulnerability cannot be triggered remotely. An active shell session on the host machine as a non-root user is required before any exploit attempt can be made.
Why the Appliance is Not Affected
The algif_aead module, which provides the exploitable interface, is not part of the Oracle Unbreakable Enterprise Kernel R7 build shipped with AuthControl Sentry appliances. The kernel option that produces algif_aead is CONFIG_CRYPTO_USER_API_AEAD; it is not enabled in this build, so the module exists neither as a loadable file on disk nor as code built into the kernel image, and it cannot be loaded. Without it the exploit has no entry point, regardless of the running kernel version.
Why Scanners May Flag This
Vulnerability scanners perform version-based CVE matching: they compare the installed kernel version against the known vulnerable range for the CVE and flag accordingly. Copy Fail affects kernels released since 2017, so any 5.15.x kernel is flagged automatically.
Scanners do not, however, verify whether the vulnerable module is present in a given kernel build. Oracle's UEK R7 kernel is built without algif_aead, so the attack surface does not exist on the appliance. This is a false positive and no remediation is required; because the match is purely version-based, the finding will keep appearing on scans, so record it as an accepted false positive rather than expecting it to clear on its own.
Contextual Risk Assessment
Even without the above, Copy Fail needs an unprivileged shell on the host as its starting point, and AuthControl Sentry appliances do not expose general-purpose shell accounts to end users. Administrative SSH access is restricted to authorised personnel using username and password credentials, and that level of access already carries full system privileges, so a privilege-escalation exploit via this route gains an attacker nothing they would not already have.
Verification
Customers can confirm their appliance kernel via the CMI main menu by selecting Version Information. On current CMI releases this shows a Kernel Version field; on older CMI releases the equivalent field may be labelled OS Version.
A value beginning with 5.15 confirms the appliance is running UEK R7, in which the algif_aead module is absent from the kernel build. The CMI check confirms the kernel branch only; to confirm the module's absence directly, check from the command line that no algif_aead module file exists under the running kernel's module directory and that the kernel build configuration shows CONFIG_CRYPTO_USER_API_AEAD (the option that builds algif_aead) as not set. The second check matters because a missing module file on its own does not distinguish a module that was never built from one compiled into the kernel image.
Note
Legacy CentOS 6 and CentOS 7 appliances (both EOL) also do not have the algif_aead module present on disk. The exploitability assessment is the same as above and no customer action is required on those platforms.
ELSA-2025-20114: NetworkManager Dispatcher Permissions
Relevant CVEs: CVE-2025-20114 (and related)
Scanner Status: Critical / High
Appliance Status: Safe / Mitigated
Description
A vulnerability exists in NetworkManager where the dispatcher directory (/etc/NetworkManager/dispatcher.d) may be created with world-writable permissions (777). NetworkManager executes the scripts in that directory as root when network events occur, so any local user able to write to it could place a script that runs with root privileges.
Why this is a False Positive
Vulnerability scanners flag this finding based on the installed RPM version of NetworkManager (e.g., versions prior to 1.48.10-5.0.3). Swivel Secure appliances, however, enforce the correct permissions on the dispatcher directory through configuration management, regardless of which RPM version is installed. The vulnerable condition is the writable directory, not the package version, so restricting access to the directory removes the risk. The scanner will keep reporting the finding until the package version is updated; treat it as mitigated.
Verification of Mitigation
You can verify the appliance is secure by checking the directory permissions. Access the appliance command line and run:
ls -ld /etc/NetworkManager/dispatcher.d
Expected Output:
drwxr-xr-x. 2 root root 4096 Dec 9 10:00 /etc/NetworkManager/dispatcher.d
The mode must be drwxr-xr-x (755) and the directory must be owned by root:root. If the output shows drwxrwxrwx (777), or any other write permission for group or other, contact support immediately. Since NetworkManager runs the scripts in this directory as root, it is also worth confirming that no script inside it is writable by anyone other than root.
CVE-2024-38541: Kernel ‘of_modalias’ Buffer Overflow
Relevant CVEs: CVE-2024-38541
Scanner Status: High / Medium
Appliance Status: Not Affected
Description
A buffer overflow vulnerability exists in the Linux kernel’s of_modalias() function. This function is part of the Device Tree (Open Firmware) subsystem, used primarily by embedded architectures (like ARM) to describe hardware components.
Why this is a False Positive
Swivel Secure appliances on x86_64 hardware use ACPI for hardware discovery, not Device Trees. The Device Tree subsystem, including of_modalias(), is compiled only when the kernel configuration option CONFIG_OF is enabled.
On this appliance, that option is disabled at build time, so the vulnerable code is not present in the kernel binary at all and cannot be executed. The appliance is therefore not affected by this vulnerability.
Verification
You can confirm that the vulnerable subsystem is not present by checking the running kernel's build configuration (the -w flag keeps grep from matching the unrelated CONFIG_OF_* options):
grep -w CONFIG_OF /boot/config-$(uname -r)
Expected Output
# CONFIG_OF is not set
This line (or no output at all, if the option is absent from the configuration) confirms that the Device Tree subsystem, and with it of_modalias(), is compiled out of the kernel. CONFIG_OF is a build-time option rather than a loadable module, so there is nothing to load or unload. If the command prints CONFIG_OF=y instead, the code is present and you should contact Swivel Secure Support.
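As an added example (editor-supplied, not Swivel Secure's own tooling), the script below turns the manual checks from the DirtyFrag, Copy Fail, NetworkManager and of_modalias sections above into one report. It goes slightly beyond the page: rather than only asking whether a module is loaded, it classifies each of esp4, esp6, rxrpc and algif_aead as absent, blocked by modprobe configuration, loadable, loaded, or built into the kernel image; it reads CONFIG_OF and CONFIG_CRYPTO_USER_API_AEAD from the build configuration with an anchored pattern instead of a substring grep; and it checks the dispatcher directory and the scripts inside it for write access. The 6.12.0 threshold is the one stated above for DirtyFrag. The paths (/proc/modules, /lib/modules/$(uname -r), /boot/config-$(uname -r), /etc/modprobe.d, /etc/NetworkManager/dispatcher.d) are the standard Linux locations and are assumed, not taken from the appliance documentation.

```shell
#!/bin/sh
# Editor-added verification script for the checks on this page. Not Swivel
# Secure's own tooling. Helpers take their inputs as arguments so they can be
# run against copies of the files; run_live applies them to the assumed
# standard paths under /proc, /lib/modules, /boot and /etc.

# version_lt A B: true when dotted version A is numerically older than B.
# A release suffix such as "-3.el9uek.x86_64" is ignored.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# module_loaded NAME FILE: NAME is listed in a /proc/modules-format FILE.
module_loaded() { grep -q "^$1 " "$2" 2>/dev/null; }

# module_builtin NAME MODDIR: NAME is compiled into the kernel image
# (listed in MODDIR/modules.builtin); lsmod never shows these.
module_builtin() { grep -q "/$1"'\.ko$' "$2/modules.builtin" 2>/dev/null; }

# module_on_disk NAME MODDIR: a loadable NAME.ko (possibly compressed) exists.
module_on_disk() { find "$2" -name "$1.ko*" 2>/dev/null | grep -q .; }

# module_blocked NAME DIR: a modprobe.d file blacklists NAME (which stops
# alias-based autoloading) or maps it to /bin/false or /bin/true.
module_blocked() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+'"$1"'|install[[:space:]]+'"$1"'[[:space:]]+/bin/(false|true))([[:space:]]|$)' "$2"/*.conf
}

# module_status NAME MODDIR MODULES_FILE MODPROBE_DIR prints one of builtin,
# loaded, absent, blocked or loadable. Only absent (and, against an
# unprivileged attacker, blocked) removes the entry point: a module that is
# merely not loaded is fetched on demand, e.g. by opening an AF_RXRPC socket.
module_status() {
    if module_builtin "$1" "$2"; then echo builtin
    elif module_loaded "$1" "$3"; then echo loaded
    elif ! module_on_disk "$1" "$2"; then echo absent
    elif module_blocked "$1" "$4"; then echo blocked
    else echo loadable
    fi
}

# config_state CONFIG_FILE SYMBOL prints y, m, unset or absent. Anchoring the
# pattern keeps SYMBOL from matching SYMBOL_OTHER, as a bare grep would.
config_state() {
    line=$(grep -E "^(# )?$2( |=)" "$1" 2>/dev/null | head -n 1)
    case $line in
        "$2=y")            echo y ;;
        "$2=m")            echo m ;;
        "# $2 is not set") echo unset ;;
        *)                 echo absent ;;
    esac
}

# dir_perms_ok MODE OWNER GROUP: the dispatcher directory must be 755 root:root.
dir_perms_ok() {
    m=$(printf '%s\n' "$1" | sed 's/^0*//')
    [ "$m" = 755 ] && [ "$2" = root ] && [ "$3" = root ]
}

# run_live: apply the helpers to the running system and print a report.
run_live() {
    krel=$(uname -r); moddir=/lib/modules/$krel; cfg=/boot/config-$krel
    echo "kernel $krel"
    if version_lt "$krel" 6.12.0; then echo "  below 6.12.0 (stated DirtyFrag range): yes"
    else echo "  below 6.12.0 (stated DirtyFrag range): NO"; fi
    echo "  kernel.modules_disabled=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo '?')"
    for m in esp4 esp6 rxrpc algif_aead; do
        printf '  module %-11s %s\n' "$m" "$(module_status "$m" "$moddir" /proc/modules /etc/modprobe.d)"
    done
    printf '  CONFIG_OF=%s CONFIG_CRYPTO_USER_API_AEAD=%s\n' \
        "$(config_state "$cfg" CONFIG_OF)" "$(config_state "$cfg" CONFIG_CRYPTO_USER_API_AEAD)"
    d=/etc/NetworkManager/dispatcher.d
    if [ -d "$d" ]; then
        set -- $(stat -c '%a %U %G' "$d")
        if dir_perms_ok "$1" "$2" "$3"; then echo "  $d $1 $2:$3 ok"
        else echo "  $d $1 $2:$3 WRONG: contact support"; fi
        # Scripts here run as root: flag any that group or others can write.
        find "$d" -type f -perm /022 2>/dev/null | sed 's/^/  writable by non-root: /'
    fi
}

run_live
```

Run it as root on the appliance. Because every helper takes its inputs as arguments, the same functions can be pointed at copies of /proc/modules, the module directory and the kernel config taken from an appliance for offline review. A module reported as loadable or builtin, CONFIG_OF or CONFIG_CRYPTO_USER_API_AEAD reported as y or m, or a dispatcher directory not reported ok means the reasoning on this page does not hold for that system, and the scanner finding should go to support rather than be closed as a false positive.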