2021-07-21

Two independent teams of cybersecurity researchers have discovered separate privilege escalation vulnerabilities in the latest versions of Windows 10/11 and Linux.

According to reports, the Windows bug impacts recent builds of Windows 10 (build 1809 and newer) and the preview of Windows 11, while the Linux vulnerability was successfully exploited by researchers on machines running Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation.

Both flaws can be exploited by malicious users to switch from non-administrative local users to the fully-privileged admin/root user on the respective operating system.

According to BleepingComputer, the Windows vulnerability, tracked as CVE-2021-36934, exploits the misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files.

Exploiting the bug enables non-administrative users to read these sensitive registry data stores, and use their contents to gain elevated privileges.
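A defender can check a host for the ACL condition described above. The following audit script is an added example, not code from the article or from the researchers. It assumes the hives are at their standard location under `%windir%\System32\config`, that it is run from an elevated PowerShell prompt, and that the three well-known SIDs listed are the non-administrative principals of interest.

```powershell
# Added example: audit the ACLs of the SAM, SYSTEM and SECURITY hive files.
# Assumption: hives live in the standard %windir%\System32\config directory.
$hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Well-known SIDs of groups that contain standard (non-administrative) users.
# SIDs are used instead of names so the check works on localized systems.
$lowPrivSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($path in $hives) {
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of ${path}: $($_.Exception.Message)"
        continue
    }
    # Include both explicit and inherited entries, resolved to SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      ($ace.FileSystemRights -band $readData)
        if ($grantsRead -and $lowPrivSids.ContainsKey($sid)) {
            [pscustomobject]@{
                File      = $path
                Principal = $lowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Non-administrative principals can read registry hive files:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No read access for standard-user groups found on the hive files.'
}
```

Any row in the output means a standard-user group holds read access to that hive file, which is the misconfiguration the article describes.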

On the other hand, the Linux vulnerability, tracked as CVE-2021-33909, is dubbed Sequoia because of its deep roots in the Linux file system layer.

In a blog post, Bharat Jogi, Sr. Manager, Vulnerabilities and Signatures, Qualys, who discovered the vulnerability, writes that any unprivileged local attacker can exploit the bug by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB.

Qualys has also put up a video demonstrating their proof of concept that successfully exploits the vulnerability to grant root user privileges to an unprivileged user on the vulnerable host.

