NHacker Next
  • new
  • past
  • show
  • ask
  • show
  • jobs
  • submit
Fragnesia Made Public as Latest Linux Local Privilege Escalation Vulnerability (phoronix.com)
22 points by mikece 2 hours ago | 10 comments
bestouff 1 hours ago [-]
Lots of privilege escalations these days. But are there that many multiuser Linux systems nowadays ? I'm under the impression the whole landscape is either servers or single-user desktops (and ofc Android phones).
dathinab 8 minutes ago [-]
> many multiuser Linux systems nowadays

not relevant IMHO

we don't live anymore in a time where you can trust that local apps do not misbehave, and in such a context LPE is pretty bad even in a single user system

just thing about all the supply chain problems of recent times

zahlman 52 minutes ago [-]
I impersonate multiple users on my machine for organizational reasons.

LPEs also potentially make user-level malware into system-level malware, which is only marginally more impactful for a single person on a desktop, but considerably harder to clean up. (It also broadens the range of what such malware could exfiltrate from me.)

INTPenis 1 hours ago [-]
The idea is that you can exploit a service hosted on Linux to run these.
nubinetwork 43 minutes ago [-]
At what point do we all start rolling our own microkernels? This is kind of getting silly now... 4 now in the past month?
craftkiller 33 minutes ago [-]
I hate that the Qubes OS people were right.
itintheory 1 hours ago [-]
Sounds like this one is in the same kernel modules as dirtyfrag, so the existing mitigations (if in place) are sufficient.
chasil 39 minutes ago [-]
RedHat's mitigation is this:

  $ cat /etc/modprobe.d/dirtyfrag.conf
  install esp4 /bin/false
  install esp6 /bin/false
  install rxrpc /bin/false
Are those correct for this exploit?

https://access.redhat.com/security/vulnerabilities/RHSB-2026...

itintheory 20 minutes ago [-]
Yep, that's the advice from AWS for the previous set of vulnerabilities:

https://aws.amazon.com/security/security-bulletins/2026-027-...

That one also includes disabling user namespaces. Could be problematic if they're in use.

LawnGnome 25 minutes ago [-]
I don't know, but the problem with blocking esp4 and esp6 is that IPsec stops working, as I understand it.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact
Rendered at 18:03:34 GMT+0000 (Coordinated Universal Time) with Vercel.