Daniel Baumann - Posts tagged debian-security

Debian: Linux Vulnerability Mitigation (PinTheft)

2026-05-20T14:27:32+00:00

Following the series of various Linux exploits of the last three weeks, the bug of today is PinTheft [CVE-2026-43494] which is local root privilege escalations.

The vulnerability can be mitigated by unloading and blocking rds modules, linux-vulnerability-mitigation as of 20260519-1 (uploaded to sid, trixie-fastforward-backports and people.debian.org/~daniel) does that automatically for you.

Updates:

default Debian kernels (bullseye, bookworm, trixie, and testing/unstable, experimental) are not directly affected because autoloading of the rds modules is disabled by rds-Disable-auto-loading-as-mitigation-against-local.patch

Added references to CVE-2026-43494

Debian: Linux Vulnerability Mitigation (ssh-keysign-pwn)

2026-05-15T00:14:39+00:00

After the Linux local root privilege escalations of the last two weeks, the bug of today is ssh-keysign-pwn [CVE-2026-46333] which allows to read root-owned files as an unprivileged user.

Exploiting the vulnerability doesn’t require to load any specific modules like the bugs from the last weeks, this one needs to be fixed by rebooting the system into an updated kernel.

I’ve cherry-picked the upstream commit to fix it in trixie-fastforward-backports (linux 7 backports for trixie), confirmed that the exploits don’t work anymore, and submitted a merge request for sid.

Updates:

linux-vulnerability-mitigation 20260515-1 contains a partial mitigation for ssh-keysign-pwn (this makes all exploits known so far to stop working, however, there’s definitely more needed), thanks to Salvatore Bonaccorso (carnil): echo 2 > /proc/sys/kernel/yama/ptrace_scope

linux-vulnerability-mitigation is uploaded to sid - until it is available on deb.debian.org, use people.debian.org/~daniel

linux 7.0.7-1 is uploaded to trixie-fastforward-backports as 7.0.7-1~ffwd13+u1, replacing the previously cherry-picked 7.0.4-1~ffwd13+u2 upload

Added references to CVE-2026-46333

Debian: Linux Vulnerability Mitigation (Dirty Frag)

2026-05-08T03:19:10+00:00

After Copy Fail [CVE-2026-31431] from last week, the new Linux local root privilege escalations of today are Dirty Frag (Part 1) aka Copy Fail 2 [CVE-2026-43284] and Dirty Frag (Part 2) [CVE-2026-43500].

For those who can not update to linux >= 7.0.4-1 that was uploaded to sid and contains the needed fixes (backports for trixie are available in trixie-fastforward-backports), or are waiting for backports and updates to older Debian releases, or can’t reboot on short notice, mitigations might be needed.

Given the current trend, it seems we will see more of these bugs in the future. Therefore, I’ve uploaded a new package linux-vulnerability-mitigation to sid containing the mitigation for both Copy Fail and Dirty Frag (with debconf multiselect).

It can also be downloaded from here:

Tracker: https://tracker.debian.org/pkg/linux-vulnerability-mitigation

Deb: https://deb.debian.org/debian/pool/main/l/linux-vulnerability-mitigation

Git: https://forgejo.debian.net/linux/linux-vulnerability-mitigation

Man: https://manpages.debian.org/linux-vulnerability-mitigation/linux-vulnerability-mitigation.7.en.html

The package is architecture independent, has no dependencies, and can be installed on any version of Debian or Debian derivative.

Updates:

Added references to Dirty Frag Part 2 [CVE-2026-43500]

Updated links to linux-vulnerability-mitigation now that it passed the NEW queue