Kernel Privilege Escalation Has One Linux Maintainer Considering a ‘Kill Switch’
Back-to-back kernel vulnerabilities in Linux have defenders scrambling to apply defenses in an age of fast turnaround times for hackers to exploit nascent flaws.
“Dirty Frag” and “Copy Fail” kernel privilege escalation vulnerabilities became public knowledge within two weeks of one another (see: ‘Dirty Frag’ Offers Root on Linux Distros).
Microsoft said in a Friday blog that it has found limited in-the-wild activity related to either one of the vulnerabilities.
One Linux maintainer is floating the possibility of integrating a “kill switch” feature that would allow admins to temporarily shut down vulnerable kernel functions while patches are developed.
“For many customers, the price of ‘this socket family stops working for the day’ is way smaller than the price of running a known vulnerable kernel until the fix lands,” Linux stable kernel co-maintainer and Nvidia engineer Sasha Levin wrote in an email.
The proposal isn’t official and is only meant to buy time between kernel vulnerability discoveries and patch releases.
“As we have seen with the discovery of ‘Dirty Frag’ fresh on the heels of ‘Copy Fail,’ AI-assisted vulnerability discovery is quickly accelerating the identification of new vulnerabilities, a trend that’s only going to continue as these models continue to become more powerful,” said Scott Caveza, senior staff research engineer at Tenable.
Defenders in production environments are cautious about the collateral damage of emergency kernel patching.
“Applying kernel updates and rebooting across enterprise systems requires planning, downtime and risk assessments, leaving system administrators on edge for the ‘what if’ scenarios: what happens if this patch causes unrelated performance issues?” Caveza said.
“Dirty Frag” affects Linux distributions including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed and Fedora. It chains two vulnerabilities together: one affects modules that provide support for storage for EFI boot loaders and is tracked as CVE-2026-43284.
The other affects the RxRPC networking subsystem and was assigned CVE-2026-43500 on Monday.
“A low-privileged local attacker can abuse zero-copy/splice mechanisms to corrupt privileged files such as /usr/bin/su or /etc/passwd and obtain root privileges, making the issue part of the same broader bug class as Dirty Pipe and Copy Fail,” said Red Hat.






