One week after the Copy Fail vulnerability, a new Linux local privilege escalation bug has been made public. This time around there are no patches or CVEs yet for this "Dirty Frag" vulnerability as the embargo was broken early and thus the security researcher went ahead and published earlier than anticipated.
Linux Security News Archives
An out-of-bounds access within the Linux kernel has existed in mainline for the past three years that could be exploited by an unprivileged user submitting a specially crafted certificate to the kernel.
The AppArmor security module for the Linux kernel, which most notably is backed by Canonical for Ubuntu, has some small improvements and fixes for Linux 7.0.
Adding to the exciting features for the big Linux 7.0 kernel release is support for ML-DSA, the Module-Lattice-Based Digital Signature Algorithm, a quantum-resistant signature scheme.
CVE-2026-0915 was published on Friday as a security issue with the GNU C Library "glibc" for code introduced 30 years ago. The latest Glibc Git code is now patched for this issue introduced in 1996.
After a security researcher and his team proposed a new Linux Security Module (LSM) three years ago and it was not accepted into the mainline kernel, he raised the issue of the lack of review/action with Linus Torvalds and the mailing lists. In particular, he sought more guidance on how new LSMs should be introduced and raised the possibility of taking the issue to the Linux Foundation Technical Advisory Board (TAB).
Linux's Integrity Policy Enforcement "IPE" module is gaining a useful addition with the in-development Linux 6.19 kernel.
Merged yesterday to the Linux 6.19 Git codebase was the "core/uaccess" pull that introduces new scoped user-mode access with auto-cleanup functionality. This can reduce the number of speculation barriers encountered when needing to access user-mode memory and thereby avoid some of the performance penalties incurred by speculation barriers.
New code likely to be submitted for the upcoming Linux 6.19 kernel would introduce ML-DSA/Dilithium post-quantum cryptography to be initially used for dealing with kernel module signing.
A big patch series was posted today for the Linux kernel that would allow enabling/disabling CPU security mitigations at run-time rather than the current handling that can only be managed at boot-time via various Linux kernel command-line arguments. Thus due to changing security needs, differing workloads mandating different CPU security concerns and the like, this proposed feature would allow Spectre, Meltdown, and other CPU security mitigations to all be toggled at run-time.
Introduced last year in Linux 6.10 was TPM bus encryption and integrity protection for Trusted Platform Module 2 (TPM2) handling. The intent was better TPM security after a prior security demonstration showed TPM key recovery from Microsoft Windows BitLocker as well as TPM sniffing attacks. Shortly after being merged it was limited to just an x86_64 default, where it had been tested the most at the time. Now, more than one year later, this feature is being disabled by default in the mainline Linux kernel.
Made public and mitigated within the mainline Linux kernel last month was the VMSCAPE vulnerability affecting both AMD and Intel CPUs. Now merged for the in-development Linux 6.18 kernel is the addition of VMSCAPE to the recently-introduced Attack Vector Controls functionality.
Earlier this month the VMSCAPE CPU security vulnerability was made public, affecting both AMD and Intel processors. VMSCAPE can lead to leaking information from a user-space hypervisor via speculative side channels. An Intel engineer today posted a new set of patches for helping to reduce the mitigation costs of VMSCAPE protections on modern Intel processors.
The Linux kernel was just patched moments ago for a new CPU security vulnerability... VMSCAPE. VMSCAPE affects both Intel and AMD processors.
One of the new exciting security features with Linux 6.17 is Attack Vector Controls as a means of more easily managing CPU security mitigations depending upon the system/server use-case. It drastically simplifies CPU security mitigation management by only activating the mitigations relevant to the intended use. With the Linux 6.17-rc2 kernel due out later today, Attack Vector Controls refines its logic around the Speculative Return Stack Overflow (SRSO) mitigation.
Several years ago Google engineers began exploring address space isolation for the Linux kernel and ultimately proposed Linux ASI for better dealing with CPU speculative execution attacks. While the hope was that it would better cope with the ever-growing list of CPU speculative execution vulnerabilities, the effort was initially thwarted by I/O throughput seeing a 70% performance hit. That level of performance cost was unsustainable. But now that I/O overhead has been reduced to just 13%.
Canonical engineer John Johansen sent out the AppArmor pull request today for the Linux 6.17 merge window that is heavy on changes for this Linux kernel security module.
The Attack Vector Controls work is now in Linux 6.17, bringing the new tuning knobs worked on by AMD engineer David Kaplan to make it more straightforward for Linux server administrators and power users to select the CPU security mitigations relevant to their system(s) and intended workloads.
The AMD engineering led work on Attack Vector Controls for the Linux kernel could be mainlined with the upcoming Linux 6.17 kernel with the remaining patches now being queued within a TIP branch.
Merged back in late 2023 for Linux 6.7 was a cross-vendor solution for confidential computing attestation reports with the Linux Trusted Security Manager (TSM). In the succeeding kernel releases there weren't any further TSM updates issued but now for Linux 6.16 there finally is renewed work on this confidential computing code.
It was just yesterday that Training Solo was made public as a new speculative execution CPU vulnerability affecting some Intel and Arm CPUs... Today another one is now public for Intel processors: Branch Privilege Injection.
The VUSec security researchers are at it again... The embargo is now lifted on another set of security vulnerabilities affecting Intel processors as well as Arm core designs. This new vulnerability is dubbed Training Solo.
Going back to last year an AMD engineer has been pursuing "Attack Vector Controls" to rethink CPU security mitigation handling. Attack Vector Controls aims to make it easier to manage CPU security mitigation settings by focusing on the class/scope of vulnerabilities rather than managing the mitigations at an individual level. It's looking like the initial Attack Vector Controls code will be ready for mainlining in the upcoming Linux 6.16 cycle, but stopping short of the complete implementation.
Merged today was this week's batch of x86 fixes ahead of the Linux 6.15-rc2 release on Sunday. Notable with these x86 fixes are landing several patches to fix and clean-up the Spectre Return Stack Buffer "RSB" mitigation handling as well as introducing a new document to clarify the overall state and current mitigations.
In addition to all of the memory management "MM" changes merged for the Linux 6.15 kernel, a secondary round of MM updates was submitted and subsequently merged for this next kernel version. Interesting here is using the recent mseal system call to seal system mappings.
While there is a lot of exciting new x86_64 CPU features coming with Linux 6.15, there is also some of the not so fun changes too: namely the "x86/bugs" pull request to bring the latest CPU security mitigation work to the mainline kernel.
The EROFS open-source, read-only Linux file-system is set to be extended with the upcoming Linux 6.15 kernel cycle to support massive amounts of data for AI model training.
FineIBT-BHI as a means of tougher kernel defenses for fending off Branch History Injection (BHI) looks like it will be ready for upstreaming in next month's Linux 6.15 merge window.
A "request for comments" patch series sent out on Monday is working on Spectre mitigations for BPF programs using speculation barriers.
FineIBT is a Linux kernel initiative led by Intel engineers that aimed to combine the best of Intel Control-flow Enforcement Technology (CET) and Control Flow Integrity. FineIBT was merged in 2022 for the Linux 6.2 kernel as an alternative control flow integrity implementation. Some FineIBT weaknesses were previously addressed but now the implementation has been determined to be "critically flawed" at least until next-generation Intel processors appear with FRED.
Intel Linux engineer Peter Zijlstra has updated his set of patches implementing FineIBT-BHI mitigations for toughening up the FineIBT kernel protections previously introduced. This FineIBT-BHI code depends upon newly-merged code for the LLVM Clang compiler as part of the compiler defenses.
The Landlock Linux security module that was added to the mainline Linux kernel four years ago for unprivileged application sandboxing and similar access controls has a rather weird update for the in-development Linux 6.14 kernel: Landlock can now deal with "weird files".
Last year an AMD engineer proposed the notion of "Attack Vector Controls" for the Linux kernel to re-think how CPU security mitigation handling is done, making it easier for system administrators/users to toggle the mitigations they are or are not concerned about.
Google engineers and others have been talking about Address Space Isolation "ASI" for the Linux kernel to better deal with speculative execution attacks and other CPU vulnerabilities. Last summer there were some new "request for comments" patches working on Linux Address Space Isolation and today a second iteration of those RFC patches was published. They are now out for review but they are unlikely to see much use: the I/O throughput as measured by FIO takes a 70% hit.
While most users frown upon the increasing number of CPU security mitigations in part due to the additional overhead commonly introduced, a new Linux kernel patch by a Google engineer would allow users/developers to opt-in to forcing CPU bugs and their mitigations even if the system in use isn't known to be vulnerable.
Linux 6.10 introduced TPM bus encryption and integrity protection for enhancing the Trusted Platform Module support to protect against interposers from compromising them with TPM sniffing attacks. There is now a new option being added to opt-out of this protection due to a discovered performance bottleneck.
Enterprise security firm Edera today is announcing OpenPaX, which they promoted in their advance press notice as a "new open-source alternative to GrSecurity." GrSecurity is the firm focused on providing out-of-tree Linux kernel patches in the name of security enhancements. OpenPaX is an open-source, publicly available kernel patch for mitigating common memory safety errors and other system hardening.
There's been much speculation since this morning over a reported "severe" unauthenticated remote code execution (RCE) flaw affecting Linux systems that carries a CVSS 9.9.9 score... The embargo has now lifted with the details on this nasty issue.
Landlock as the Linux security module for unprivileged access control handling is adding new controls around Unix socket handling with the Linux 6.12 kernel.
Not to be confused with the proposal a few days ago by an AMD engineer for Attack Vector Controls for broader control over CPU security mitigation handling, the in-development Linux 6.12 kernel is adding new Kconfig options to allow for more build-time control over what CPU security mitigation code is compiled for the kernel.
Merged as part of the Linux Security Modules (LSM) updates for the Linux 6.12 kernel is the new Integrity Policy Enforcement (IPE) module that has been years in the making. Integrity Policy Enforcement is an alternative to access controls.
David Kaplan, who is a Senior Fellow at AMD focused on security technologies, has published an initial set of Linux kernel patches for "Attack Vector Controls" in rethinking the CPU security mitigation handling. The proposed Attack Vector Controls make it easier to manage which security mitigations are enabled/disabled based upon the intent of the system, rather than having to be knowledgeable about individual CPU security vulnerabilities and the various tuning knobs.
The Linux 6.12 kernel cycle later this year is expected to see a number of new Kconfig options introduced for greater build-time control over what CPU speculative execution security mitigations are included as part of the kernel build.
Merged back in 2021 for Linux 5.13 was Landlock as a means of unprivileged application sandboxing. The Landlock Linux security module has continued to be improved since, but it turns out there's been a big hole within this security module since its introduction... The possibility for apps to drop restrictions on themselves.
Kees Cook submitted all of the hardening updates this week for the Linux 6.11 merge window in beefing up the kernel's defenses against various attack vectors and vulnerabilities.
The "x86/bugs" code has been merged for the Linux 6.11 kernel that is just three patches this go around but includes a new Spectre BHI mitigation option.
Linux engineer Christian Brauner at Microsoft sent out his various pull requests for areas of the kernel he oversees ahead of the Linux 6.11 merge window. One of the more interesting pull requests from Brauner this cycle are the "vfs procfs" updates that now allow restricting access to the /proc/[pid]/mem files of processes.
While there were plans of adding getrandom() in the vDSO with the upcoming Linux 6.11 merge window to speed up user-space random number generation access, Linus Torvalds is unconvinced by the work and intends to reject any pull request with it for Linux 6.11.
In the making for the past two years by developer Jason Donenfeld (of WireGuard fame) is adding getrandom() to the vDSO in the name of better performance. In some tests this has yielded as much as a ~15x speed-up for user-space obtaining cryptographically secure random numbers. It's looking like for the upcoming Linux 6.11 merge window, this work will finally be merged.
UC San Diego researchers have gone public with Indirector, high-precision branch target injection attacks on the indirect branch predictor. The UCSD security researchers found Indirector impacting recent Intel Alder Lake and Raptor Lake processors. Intel believes though that no further mitigations are required.
338 Linux Security news articles published on Phoronix.
