
CVE-2026-3021: GitHub Actions RCE & Linux Kernel LPE — Critical Detection and Hardening Guide

Security Arsenal Team
May 4, 2026
7 min read

This week the threat landscape shifted from opportunistic breaches to persistent occupation: attackers are not just knocking on doors, they are moving in. The weekly recap highlights a troubling trend: critical infrastructure is being reached through trusted mechanisms rather than exposed services. The two most pressing items are a critical code execution flaw in GitHub Actions self-hosted runners (CVE-2026-3021) and a high-severity Linux kernel local privilege escalation (LPE) in the nf_tables firewall subsystem (CVE-2026-4150).

For SOC analysts and defenders the implication is clear. CI/CD pipelines are no longer just build mechanisms; they are an attack surface with the runner host's privileges and the pipeline's secrets behind them. The Linux servers hosting your workloads are exposed to kernel-level escalation that bypasses containerization and discretionary access controls. Simple web shells have not gone away (the LPE chain below starts with one), but the concern now is that a malicious commit or a kernel exploit turns that foothold into silent root.

This post provides a technical breakdown of these specific threats, actionable detection logic (Sigma, KQL, VQL), and immediate remediation steps.

Technical Analysis

1. GitHub Actions Critical Code Execution (CVE-2026-3021)

Affected Product: GitHub Enterprise Server and GitHub Actions (self-hosted runners)
CVE: CVE-2026-3021
CVSS Score: 9.8 (Critical)

The Vulnerability: A flaw in how the self-hosted runner processes workflow artifacts and symlinks allows file operations that should be confined to the job workspace (the runner's _work directory) to be redirected to arbitrary paths on the runner host. A workflow job already executes attacker-supplied commands on a self-hosted runner by design; what makes this critical is that the redirected write lands outside the workspace with the privileges of the runner service account, so write access to a repository becomes a compromise of the build host itself.

Attack Chain:

  1. Initial Access: The attacker pushes a malicious commit (often disguised as a dependency update or a typosquatted package) to a public repository, or to a private one whose credentials they have obtained.
  2. Execution: The push triggers the workflow, which is dispatched to a self-hosted runner.
  3. Exploitation: A step creates a symlink inside the workspace that points outside it, then performs a file write through that link; the write overwrites a system binary or configuration on the runner host (e.g., dropping a crontab entry or modifying sshd_config).
  4. Persistence: The attacker now holds the permissions of the runner service account (often root or Administrator on self-hosted runners) and has a persistent foothold in the build environment that later jobs, and the secrets they receive, will run through.

Exploitation Status: Confirmed active exploitation in the wild targeting supply chain vendors.
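The symlink step in the chain above is the generic "write through a path the attacker controls" bug, and it is worth seeing concretely. The following is an added illustration, not GitHub's runner code and not the CVE-2026-3021 exploit: a deliberately vulnerable artifact writer that follows a planted symlink out of a temporary stand-in for the job workspace, next to a writer that opens every path component relative to the workspace descriptor with O_NOFOLLOW so a symlink at any level fails instead of being followed. The directory names, the crontab-style payload and the write_artifact_* helpers are constructed for the demo.

```python
"""Added example: workspace escape through a symlinked directory, beside a writer that refuses to follow symlinks."""
import errno
import os
import shutil
import tempfile


def write_artifact_unsafe(workspace, rel_path, data):
    """Vulnerable pattern: join and write. The kernel resolves every component, so a symlink
    planted inside the workspace redirects the write anywhere the runner user can write."""
    dest = os.path.join(workspace, rel_path)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def _open_dir_nofollow(name, dir_fd):
    """Open directory `name` relative to dir_fd without following a symlink; create it if missing.
    A second open after mkdir means a symlink raced in between is still rejected (ELOOP)."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    for attempt in range(2):
        try:
            return os.open(name, flags, dir_fd=dir_fd)
        except FileNotFoundError:
            if attempt:
                raise
            try:
                os.mkdir(name, 0o755, dir_fd=dir_fd)
            except FileExistsError:
                pass  # something appeared concurrently; the retry decides whether it is a real directory
        except OSError as e:
            if e.errno in (errno.ELOOP, errno.ENOTDIR):
                raise PermissionError(f"symlink or non-directory in path: {name}") from e
            raise


def write_artifact_safe(workspace, rel_path, data):
    """Hardened pattern: reject absolute paths and '..', then walk the path one component at a
    time from the workspace fd with O_NOFOLLOW. Checking os.path.realpath() up front would
    leave a check-then-use race; the per-component open does not."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or rel_path.startswith("/") or ".." in parts:
        raise PermissionError(f"refusing traversal: {rel_path!r}")
    dir_fd = os.open(workspace, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            next_fd = _open_dir_nofollow(comp, dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        try:
            fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644, dir_fd=dir_fd)
        except OSError as e:
            if e.errno == errno.ELOOP:
                raise PermissionError(f"refusing to write through symlink: {parts[-1]}") from e
            raise
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    finally:
        os.close(dir_fd)


def demo():
    """Constructed scenario: a symlink inside the job workspace points at a directory that
    stands in for /etc/cron.d on the runner host. Returns (escaped, blocked, honest_ok)."""
    host_dir = tempfile.mkdtemp(prefix="host-cron.d-")       # stand-in for a host system path
    workspace = tempfile.mkdtemp(prefix="runner-_work-")     # stand-in for the runner's _work
    try:
        # attacker-controlled step plants the link; a later step "just writes an artifact"
        os.symlink(host_dir, os.path.join(workspace, "artifacts"))
        payload = b"* * * * * root /tmp/x\n"  # constructed crontab-style payload

        write_artifact_unsafe(workspace, "artifacts/update", payload)
        escaped = os.path.isfile(os.path.join(host_dir, "update"))  # True: write landed outside

        try:
            write_artifact_safe(workspace, "artifacts/update2", payload)
            blocked = False
        except PermissionError:
            blocked = True  # True: the symlinked component was refused

        # the hardened writer still serves an honest relative path, creating directories as needed
        write_artifact_safe(workspace, "dist/build/app.tar", b"tar")
        honest_ok = os.path.isfile(os.path.join(workspace, "dist", "build", "app.tar"))
        return escaped, blocked, honest_ok
    finally:
        shutil.rmtree(workspace)
        shutil.rmtree(host_dir)


if __name__ == "__main__":
    print(demo())
```

On Linux 5.6+ the same guarantee is available in one call through openat2() with RESOLVE_BENEATH; the component walk above is the portable equivalent and is what a runner or artifact extractor should do whenever a path comes from workflow content. Note that the unsafe variant's makedirs() "succeeds" precisely because the symlink resolves to an existing directory, which is why existence checks alone never catch this class of bug.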

2. Linux Kernel Local Privilege Escalation (CVE-2026-4150)

Affected Platform: Linux Kernel (versions 5.10 through 6.8)
CVE: CVE-2026-4150
CVSS Score: 7.8 (High)

The Vulnerability: A use-after-free was discovered in the Netfilter nf_tables subsystem, the kernel's firewall rule engine. A local, low-privileged user who can reach the nf_tables netlink interface can trigger the memory corruption and turn it into kernel code execution. Reaching that interface requires CAP_NET_ADMIN, which on most distributions an unprivileged user can obtain simply by creating a user namespace (unshare -Urn), so restricting unprivileged user namespaces is the practical interim control while patches roll out.

Attack Chain:

  1. Access: The attacker gains an unprivileged foothold via a web shell, SQL injection or compromised (non-root) credentials.
  2. Escalation: The attacker runs a compiled exploit binary that drives the nf_tables flaw, typically from inside an unprivileged user namespace to obtain the required CAP_NET_ADMIN.
  3. Kernel Exploit: The use-after-free is turned into kernel memory read/write, which is used to neutralize LSM enforcement (SELinux/AppArmor) and rewrite the current process credentials to root.
  4. Occupation: With root, the attacker loads a kernel rootkit to hide processes, files and network connections; this module load is the step the detections below target.

Exploitation Status: Public proof-of-concept (PoC) code available; widespread scanning for vulnerable kernels observed.

Detection & Response

The following detection rules focus on exploitation of these two vectors. For the GitHub flaw, we look for suspicious process lineage under the runner worker: shells and file utilities spawned by Runner.Worker whose command lines never reference the job workspace. For the kernel flaw, the exploit itself produces few process-creation artifacts, so we look for the follow-on activity instead: kernel module loads from world-writable temporary paths and root-level file modifications originating from low-privilege contexts.

SIGMA Rules

YAML
---
title: Potential GitHub Actions Runner Symlink Attack
id: 8c4d2e10-9a1f-4b2c-8e3d-1f5a6b7c8d9e
status: experimental
description: Detects shells and file utilities spawned by the GitHub Actions runner worker whose command line does not reference the job workspace, a pattern consistent with symlink attacks escaping the workspace.
references:
  - https://securitylab.github.com/research/github-actions-bypass/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/Runner.Worker'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/cp'
      - '/mv'
  filter_legit:
    CommandLine|contains:
      - '/actions/'
      - '/__files/'
      - '/_work/'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate build scripts that modify system configuration
  - Steps that reach the workspace only through relative paths or environment variables
level: high
---
title: Linux Netfilter Kernel Exploit Indicators
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects kernel module loads from world-writable temporary directories, the post-escalation step (rootkit install) that follows CVE-2026-4150 Netfilter exploitation. The account is not constrained; root is the expected context after a successful LPE.
references:
  - https://kernel.org
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.persistence
  - attack.t1547.006
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/insmod'
      - '/modprobe'
    CommandLine|contains:
      - '/tmp/'
      - '/dev/shm/'
      - '/var/tmp/'
  filter_legit:
    CommandLine|contains: '/lib/modules/'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate admin driver testing or out-of-tree module builds staged in /tmp
level: critical
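To make the selection and filter semantics of the two rules above concrete, here is an added example (not part of the original post and not a Sigma backend) that implements the same logic in plain Python and runs it over a handful of constructed process-creation events: a legitimate workspace step, the crontab write from the attack chain, a step inside GitHub's own action cache, the same copy outside the runner, a rootkit load from /dev/shm and a normal modprobe. The ProcEvent fields, paths and PIDs are invented for the demo; the matching mirrors the rules' endswith/contains semantics and the KQL hunt's workspace filters.

```python
"""Added example: the two Sigma rules above evaluated in Python over constructed process events."""
from dataclasses import dataclass

# Sigma selection/filter literals from the rules above
RUNNER_PARENT = "/Runner.Worker"
SHELL_AND_FILE_TOOLS = ("/bash", "/sh", "/cp", "/mv")
WORKSPACE_MARKERS = ("/actions/", "/__files/", "/_work/")
MODULE_LOADERS = ("/insmod", "/modprobe")
TEMP_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class ProcEvent:
    """One process_creation event with the fields the rules read (names follow Sigma)."""
    pid: int
    parent_image: str
    image: str
    command_line: str
    user: str


def runner_symlink_escape(ev: ProcEvent) -> bool:
    """Rule 1: shell or file tool spawned by Runner.Worker whose command line never mentions the workspace."""
    selection = ev.parent_image.endswith(RUNNER_PARENT) and ev.image.endswith(SHELL_AND_FILE_TOOLS)
    filter_legit = any(marker in ev.command_line for marker in WORKSPACE_MARKERS)
    return selection and not filter_legit


def temp_module_load(ev: ProcEvent) -> bool:
    """Rule 2: insmod/modprobe given a path in a world-writable temp directory, outside /lib/modules."""
    selection = ev.image.endswith(MODULE_LOADERS) and any(p in ev.command_line for p in TEMP_PATHS)
    filter_legit = "/lib/modules/" in ev.command_line
    return selection and not filter_legit


RULES = {
    "Potential GitHub Actions Runner Symlink Attack": runner_symlink_escape,
    "Linux Netfilter Kernel Exploit Indicators": temp_module_load,
}


def evaluate(events):
    """Return {rule title: [pids of matching events]} for every rule."""
    hits = {title: [] for title in RULES}
    for ev in events:
        for title, rule in RULES.items():
            if rule(ev):
                hits[title].append(ev.pid)
    return hits


# Constructed sample telemetry (hypothetical paths and PIDs, not real data)
SAMPLE_EVENTS = [
    # legitimate build step: bash running a script under the job workspace -> filtered
    ProcEvent(4101, "/opt/actions-runner/bin/Runner.Worker", "/usr/bin/bash",
              "bash -e /opt/actions-runner/_work/_temp/abc.sh", "runner"),
    # the attack chain's crontab write: cp into a system path, no workspace reference -> hit
    ProcEvent(4102, "/opt/actions-runner/bin/Runner.Worker", "/usr/bin/cp",
              "cp artifact/cron /etc/cron.d/update", "runner"),
    # mv inside the runner's action cache -> filtered by both /actions/ and /_work/
    ProcEvent(4103, "/opt/actions-runner/bin/Runner.Worker", "/usr/bin/mv",
              "mv /opt/actions-runner/_work/_actions/actions/checkout/v4/dist ./dist", "runner"),
    # same copy but parented by sudo, not the runner -> out of scope for rule 1
    ProcEvent(4104, "/usr/bin/sudo", "/usr/bin/cp", "cp artifact/cron /etc/cron.d/update", "root"),
    # post-escalation rootkit load from /dev/shm -> hit regardless of the (root) account
    ProcEvent(5201, "/usr/bin/bash", "/usr/sbin/insmod", "insmod /dev/shm/.x/nfhide.ko", "root"),
    # ordinary module load from the installed kernel tree -> no temp path, no hit
    ProcEvent(5202, "/usr/bin/bash", "/usr/sbin/modprobe",
              "modprobe -v /lib/modules/6.9.1/kernel/net/netfilter/nf_tables.ko", "root"),
]


if __name__ == "__main__":
    for title, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{title}: {pids}")
```

Two caveats this makes visible: the workspace filter is a substring test on the command line, so an attacker who knows the rule can suppress it by mentioning /_work/ anywhere in the command (pair the rule with file-integrity monitoring on /etc and cron paths rather than relying on it alone), and rule 2 keys on the loader's arguments, so a module copied under /lib/modules before loading or loaded via init_module() from a custom binary is not seen; the VQL glob for .ko files in temp paths below covers part of that gap.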

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt 1: suspicious GitHub Runner activity escaping the workspace
// DeviceProcessEvents is the Defender for Endpoint table: the created process is FileName,
// its parent is InitiatingProcessFileName. Adjust if you ingest Linux auditd via Syslog instead.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has "Runner.Worker"
| where FileName in~ ("bash", "sh", "cp", "mv", "chmod", "chown")
| where not(ProcessCommandLine has "/actions/" or ProcessCommandLine has "runner/_work/")
| extend AlertContext = "Potential GitHub Actions Symlink Attack"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, AlertContext

// Hunt 2: kernel module loads from world-writable paths (post-escalation rootkit install)
// Run as a separate query. DeviceProcessEvents carries no OS column, so the Linux
// restriction comes from DeviceInfo.OSPlatform via a join on DeviceId.
DeviceProcessEvents
| where Timestamp > ago(3d)
| join kind=inner (DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId) on DeviceId
| where FileName in~ ("insmod", "modprobe", "kmod")
| where ProcessCommandLine has_any ("/tmp/", "/var/tmp/", "/dev/shm/")
| where ProcessCommandLine !has "/lib/modules/" // exclude the installed module tree
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessId
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for GitHub Runner workspace escape attempts
-- pslist() exposes Ppid but no Parent field, so collect the runner worker PIDs first,
-- then list their direct children whose command line does not touch the workspace.
LET runner_pids = SELECT Pid AS RunnerPid FROM pslist() WHERE Name =~ "Runner.Worker"

SELECT * FROM foreach(
  row=runner_pids,
  query={
    SELECT Pid, Ppid, Name, CommandLine, Exe, Username
    FROM pslist()
    WHERE Ppid = RunnerPid
      AND Name =~ "^(bash|sh|cp|mv|chmod|chown)$"
      AND NOT CommandLine =~ "/actions/"
      AND NOT CommandLine =~ "/runner/_work/"
  })

-- Hunt for kernel module files dropped in world-writable locations (LPE follow-on)
-- glob() returns OSPath (FullPath on older releases) and Mtime; now() is a Unix epoch integer.
SELECT OSPath, Name, Size, Mtime
FROM glob(globs=["/tmp/**/*.ko", "/var/tmp/**/*.ko", "/dev/shm/**/*.ko"])
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation check for CVE-2026-4150 (Linux kernel nf_tables UAF) and self-hosted GitHub Runner hardening.
# Version matching is triage only: distributions backport fixes without changing the upstream
# version string, so confirm against your vendor advisory (RHSA/USN) before closing a finding.

echo "[+] Checking kernel version for CVE-2026-4150 (affected range: 5.10 through 6.8)..."
CURRENT_KERNEL=$(uname -r)
KERNEL_MAJOR=${CURRENT_KERNEL%%.*}       # "6" from "6.8.0-31-generic"
KERNEL_REST=${CURRENT_KERNEL#*.}         # "8.0-31-generic"
KERNEL_MINOR=${KERNEL_REST%%[!0-9]*}     # "8"

if { [ "$KERNEL_MAJOR" -eq 5 ] && [ "$KERNEL_MINOR" -ge 10 ]; } || \
   { [ "$KERNEL_MAJOR" -eq 6 ] && [ "$KERNEL_MINOR" -le 8 ]; }; then
    echo "[!] WARNING: Kernel $CURRENT_KERNEL is in the affected range for CVE-2026-4150."
    echo "[!] Action Required: update to kernel 6.9+ or your vendor's patched kernel, then reboot."
    echo "[!] Checking for available kernel updates..."
    if command -v dnf >/dev/null 2>&1; then
        dnf check-update kernel
    elif command -v yum >/dev/null 2>&1; then
        yum check-update kernel
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get -s upgrade 2>/dev/null | grep '^Inst linux-image' || echo "[+] No pending kernel package in apt."
    fi
else
    echo "[+] Kernel version $CURRENT_KERNEL is outside the affected range (still verify vendor backports)."
fi

echo "[+] Auditing self-hosted GitHub Runners..."
# First worker process found; comm is truncated to 15 characters and "Runner.Worker" fits
RUNNER_USER=$(ps -eo user:32= -o comm= | awk '$2 ~ /Runner\.Worker/ {print $1; exit}')
if [ -n "$RUNNER_USER" ]; then
    echo "[!] Detected GitHub Runner worker running as user: $RUNNER_USER"
    if [ "$RUNNER_USER" = "root" ]; then
        echo "[!] CRITICAL: runner runs as root; any workspace escape is a full host compromise."
        echo "[!] Re-register the runner under a dedicated unprivileged user (principle of least privilege)."
    fi
    echo "[+] Checking workspace permissions..."
    # Heuristic: the runner's _work directory should be owned by the runner user and not world-writable
    WORKSPACE=$(find / -maxdepth 4 -type d -name _work -path '*runner*' 2>/dev/null | head -n 1)
    if [ -n "$WORKSPACE" ]; then
        echo "[+] $WORKSPACE owner/mode: $(stat -c '%U:%G %A' "$WORKSPACE")"
    else
        echo "[+] No _work directory found within 4 levels of /; check the runner's install path manually."
    fi
else
    echo "[+] No local GitHub Runner processes detected."
fi

echo "[+] Checking nf_tables exposure (read-only, no changes made)..."
if lsmod | grep -q '^nf_tables'; then
    echo "[!] nf_tables is loaded. If this host firewalls with nftables/firewalld it cannot be unloaded; patch instead."
else
    echo "[+] nf_tables is not loaded."
fi
# nf_tables exploits typically reach the subsystem via an unprivileged user namespace (CAP_NET_ADMIN inside it).
# user.max_user_namespaces = 0 closes that path for non-root users; kernel.modules_disabled = 1 blocks the
# rootkit-load step until reboot. Both are reported here, not set: test the impact before changing them.
echo "[+] user.max_user_namespaces = $(sysctl -n user.max_user_namespaces 2>/dev/null || echo n/a)"
echo "[+] kernel.modules_disabled  = $(sysctl -n kernel.modules_disabled 2>/dev/null || echo n/a)"

echo "[+] Remediation check complete."

Remediation

1. Patch GitHub Actions (CVE-2026-3021)

  • Immediate Action: Upgrade GitHub Enterprise Server to the latest version (2026.05.2+) and confirm self-hosted runners are on the current runner release.
  • Runner Hardening: Run self-hosted runners as a dedicated unprivileged user, never root or Administrator, and isolate each job in a rootless container or a VM. Prefer ephemeral runners (one job per instance, destroyed afterwards) so a foothold on the runner does not survive the job.
  • Workflow Audit: Audit repository workflows for steps that create symlinks or write outside the job workspace. In workflows that run untrusted code, set persist-credentials: false on actions/checkout so a compromised job cannot reuse the checkout token.
  • Reference: GitHub Security Advisory

2. Patch Linux Kernel (CVE-2026-4150)

  • Immediate Action: Update all Linux endpoints to kernel version 6.9 or apply the distribution-specific patches (e.g., RHEL-2026:1542, Ubuntu USN-6789-1), then reboot; an installed but not yet booted kernel leaves the host exploitable.
  • Mitigation (if patching is delayed): Remove the unprivileged route to the nf_tables netlink interface by disabling unprivileged user namespaces (sysctl -w user.max_user_namespaces=0), which keeps CAP_NET_ADMIN and CAP_NET_RAW with root; this breaks rootless containers and some sandboxes, so test before deploying. Unloading the module (sudo modprobe -r nf_tables) is only an option on hosts that do not firewall with nftables, firewalld or recent ufw, fails while a ruleset or dependent module is loaded, and does not persist across reboots unless the module is also blacklisted.
  • Verification: Run uname -r after the reboot to confirm the running kernel, and compare it against the vendor advisory rather than the upstream 5.10 to 6.8 range alone, since distributions backport fixes without changing the upstream version string.

3. AI-Powered Social Engineering Defense

  • Policy: Require out-of-band verification (a call to a known number or an in-person check) for any request involving credential transfer or a financial transaction, even when the message appears to come from a known internal contact; generative models reproduce an individual's writing style well enough that style is no longer a trust signal.
  • Technical: Enforce SPF, DKIM and DMARC with an enforcing policy (p=quarantine or p=reject once alignment is verified) so spoofed internal senders are rejected, and where the email gateway offers a machine-generated-content score, enable it as one weak signal among others rather than a verdict.

4. Android Spying Tool ("Lorec" Variant)

  • Detection: Use Mobile Device Management (MDM) to flag applications that hold REQUEST_INSTALL_PACKAGES and also request accessibility services; sideloading combined with screen-reading access is a common spyware pattern.
  • Remediation: For spyware that has obtained kernel privileges, uninstalling the app is not sufficient; a factory reset is the only reliable removal method, and every credential used from the device should be rotated afterwards.
