A proof-of-concept exploit named PinTheft has been published for a Linux kernel local privilege escalation, leveraging an RDS zerocopy double-free flaw to gain root access under specific kernel configurations. The PoC demonstrates a novel way to steal references via io_uring and overwrite in-memory pages, underscoring ongoing Linux kernel security challenges. Admins should apply the latest patches or blacklist the vulnerable modules to mitigate the risk.
Linus Torvalds says AI tools are reshaping Linux development by increasing commits and lowering entry barriers, but they also create social and security strains in open source. He introduced AI security disclosure guidelines, argued that AI won’t replace human programmers, and stressed that open source remains essential to managing complexity. The discussion also highlights burnout risks for maintainers from a flood of AI bug reports and the need to understand the end result of AI-generated code, not just prompts.
Qualys disclosed CVE-2026-46333, a nine-year-old Linux kernel privilege-escalation flaw in __ptrace_may_access() that can let an unprivileged local user read /etc/shadow, access SSH private keys, and execute commands as root on Debian, Fedora, and Ubuntu; a PoC is available, patches have been released, and mitigations include updating the kernel or setting kernel.yama.ptrace_scope=2 and rotating host keys.
A public proof‑of‑concept exploit for the DirtyDecrypt (DirtyCBC) Linux kernel local privilege escalation (CVE-2026-31635) has been released. It exploits a missing copy-on-write guard in rxgk_decrypt_skb() within the RxGK subsystem, enabling a local unprivileged user to overwrite privileged memory (including /etc/shadow, sudoers, and SUID binaries) and gain root. The upstream patch was merged on April 25, 2026, and affected kernels require RXGK to be enabled (CONFIG_RXGK=y/m). Rolling‑release distributions with unpatched kernels (e.g., Fedora Rawhide, Arch before patch, openSUSE Tumbleweed) are at risk, while distros that ship RXGK disabled (e.g., some Debian/RHEL/Ubuntu builds) are less affected. In containers and Kubernetes environments, the flaw can lead to container escapes and host compromise. Mitigations include upgrading the kernel package and rebooting; as a temporary workaround, blacklisting rxrpc, esp4, and esp6 can be used at the expense of IPsec/AFS functionality. Kubernetes operators should rebuild worker images with patched kernels and enforce strict pod security settings.
A newly released PoC for CVE-2026-31635, aka DirtyDecrypt, enables local privilege escalation in the Linux kernel by exploiting a missing copy-on-write guard in rxgk_decrypt_skb. The flaw affects systems with CONFIG_RXGK (e.g., Fedora, Arch, openSUSE) and can write to privileged memory or the kernel page cache, with potential container escape paths. It’s linked to the Dirty Frag/Copy Fail family of flaws, and mitigations being discussed include a kernel runtime killswitch and Rocky Linux’s opt-in security repository to push urgent fixes before upstream patches.
A publicly released PoC demonstrates PinTheft, a Linux local privilege escalation in the RDS zerocopy path that can yield root on Arch Linux by pinning user pages and stealing FOLL_PIN references through io_uring fixed buffers; exploitation requires the RDS module to be loaded (default on Arch among common distros), io_uring enabled, a readable SUID-root binary, and x86_64 support, which limits its practical attack surface. Users should patch with the latest kernel, and as a mitigation can unload the RDS modules and disable them via modprobe.d (install rds /bin/false and install rds_tcp /bin/false) until patches are deployed.
A patched Linux kernel flaw in the rxgk module, known as DirtyDecrypt/DirtyCBC, now has a proof-of-concept exploit that can grant root access on affected systems. The vulnerability aligns with CVE-2026-31635 and requires CONFIG_RXGK; it mainly affects distros tracking upstream kernels (e.g., Fedora, Arch, openSUSE). V12 Security reported the flaw, and patches are available, though a temporary mitigation involving disabling specific modules could disrupt IPsec VPNs and AFS. This comes amid broader activity around root-privilege flaws, with CISA warning about Copy Fail being exploited in the wild.
The Linux kernel has faced severe CVEs (Copy Fail and Dirty Frag) that enable privilege escalation. NVIDIA engineer Sasha Levin proposed an in-kernel “kill switch” that would intercept calls to affected functions and return a safe value, allowing systems to keep running until patches arrive. Proponents say this could buy time without rebooting; critics warn it would patch the kernel in memory, may require reboots to clear, could create new attack surfaces, and raises concerns about AI-generated patches and how it compares to existing livepatch approaches.
In response to the ssh-keysign-pwn vulnerability that allowed unprivileged users to read root-owned files, Linux released the 7.0.8 stable kernel and updated several LTS kernels (6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, 5.10.256), incorporating Linus Torvalds’ patch that makes ptrace get_dumpable() logic “slightly saner,” to mitigate the issue across supported releases.
A Linux kernel information-disclosure flaw, CVE-2026-46333 dubbed ssh-keysign-pwn, lets unprivileged users read sensitive files such as SSH host keys and the shadow password file by abusing the ptrace check logic and the ssh-keysign helper. Patches have been released across multiple stable branches, but many distros haven’t rolled them out yet. Workarounds include tightening Yama ptrace restrictions or disabling host-based SSH authentication, though both can disrupt admin workflows. Users should update to patched kernels (e.g., 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, 5.10.256) as soon as feasible; this is the fourth major Linux kernel flaw reported in recent weeks.
A new Linux kernel local privilege escalation called Fragnesia (CVE-2026-46300) targets the XFRM ESP-in-TCP subsystem to corrupt the kernel page cache and convert unprivileged users into root. A PoC has been released, advisories have been issued by major distros, and patches are available. Users should patch promptly or apply Dirty Frag mitigations (e.g., disable esp4/esp6 and harden containers) while monitoring for escalation attempts. A threat actor, berz0k, is advertising a zero-day LPE exploit for sale on cybercrime forums.
Fragnesia has been disclosed as a new Linux kernel local privilege escalation vulnerability, mirroring the Dirty Frag issue. It stems from a logic bug in the ESP/XFRM code that allows arbitrary writes into the kernel page cache of read-only files. A two-line patch in skbuff.c exists to fix it, but it has not yet been merged into mainline or included in mainline releases; more details are available on the oss-security list.
Security researchers disclosed Fragnesia, a local privilege-escalation vulnerability in the Linux kernel (Dirty Frag family) that lets an unprivileged user escalate to root by abusing ESP-in-TCP ULP handling and corrupting the kernel page cache, effectively enabling an in-memory overwrite of /usr/bin/su to spawn a root shell without altering on-disk binaries. The flaw affects virtually all kernels affected by Dirty Frag up to May 13, 2026; upstream patches exist, but unpatched systems remain at risk. Mitigations include unloading/disabling the affected ESP modules (esp4, esp6, rxrpc) via a dirtyfrag.conf and flushing caches or rebooting to drop the modified page cache. A public PoC on GitHub lowers the barrier to exploitation, so applying the patch promptly is critical.
Security researchers have disclosed Dirty Frag, a new unpatched Linux kernel local privilege escalation that chains two bugs—xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write—to grant root on most distributions (e.g., Ubuntu 24.04.4, RHEL 10.1, Fedora 44). There is no CVE yet, and a working PoC exists; exploits are being weaponized in the wild. Patches are not yet available, so admins are advised to block esp4, esp6, and rxrpc modules until fixes arrive. The flaw sits in in-place decryption paths for paged fragments in esp4/esp6/rxrpc, allowing plaintext access and privilege escalation even if other mitigations like algif_aead are in use.
As the Linux kernel accumulates more file-systems (about 69 in the mainline as of now), VFS maintainers are publishing formal guidelines for upstreaming new ones. The draft documentation stresses using the modern VFS interface, providing necessary user-space utilities and fsck tools, robust testing, and active maintainer commitment, while encouraging developers to extend existing file-systems or use FUSE for niche use-cases. Unmaintained or non-conforming file-systems may be deprecated and removed; the patch guiding these rules is queued in VFS.git under vfs-7.2.misc ahead of the Linux 7.2 merge window.