<![CDATA[Another day, another #Linux security vulnerability!]]>Another day, another security vulnerability!

Dirty Frag: https://github.com/V4bel/dirtyfrag

For my fellow users, here is the mitigation I applied to my systems: https://github.com/stapelberg/nix/commit/05e40d77799a8d68dc019b316cb824904a53361c

]]>https://board.circlewithadot.net/topic/ec74f821-1cfa-4b91-bc54-200c197b7ba8/another-day-another-linux-security-vulnerabilityRSS for NodeThu, 14 May 2026 20:51:06 GMTFri, 08 May 2026 08:40:48 GMT60<![CDATA[Reply to Another day, another #Linux security vulnerability! on Fri, 08 May 2026 12:15:23 GMT]]>@zekjur I do the module block with the install rule; but I think the most elegant is what Debian sysadmin team does: https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/blob/production/modules/debian_org/templates/rc.local.erb?ref_type=heads

/etc/rc.local (which runs at boot if systemd/init hooks it, do check that):
sleep 60
echo 1 > /proc/sys/kernel/modules_disabled

Thus after the first minute of boot, disable any further module loading.
Works on kernels and for modules that one does not use. Thus Debian is fine, RHEL is not for this class of bugs.

(and one can 0 it if need to load a mod)

]]>https://board.circlewithadot.net/post/https://secluded.ch/users/jeroen/statuses/116538902001472322https://board.circlewithadot.net/post/https://secluded.ch/users/jeroen/statuses/116538902001472322Fri, 08 May 2026 12:15:23 GMT<![CDATA[Reply to Another day, another #Linux security vulnerability! on Fri, 08 May 2026 08:42:21 GMT]]>Now, the exploit did not work as-is on the NixOS 25.11 system I tested, so maybe the exploit code needs more adjustment (buys us more time) or does not work on NixOS for some reason.

But better safe than sorry! So just mitigate proactively.

]]>https://board.circlewithadot.net/post/https://mas.to/users/zekjur/statuses/116538064354697554https://board.circlewithadot.net/post/https://mas.to/users/zekjur/statuses/116538064354697554Fri, 08 May 2026 08:42:21 GMT