May 2026 - Security - AlmaLinux List Archives

Security roundup: Copy Fail, Dirty Frag, NGINX Rift, Fragnesia, and ssh-keysign-pwn
by Jonathan Wright 15 May '26

15 May '26

Howdy folks, The last two weeks have been unusual, to put it mildly. Five separate high-severity disclosures that affect AlmaLinux have been announced since 2026-05-01: four local-root kernel flaws and one unauthenticated nginx RCE/DoS. If you have lost track of the running tally, you're not alone. Our build servers want a break. Here is where each one stands as of today, where we still need help, and a brief word on what to expect going forward. At a glance: Copy Fail (CVE-2026-31431) <https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/>: in production Dirty Frag (CVE-2026-43284, CVE-2026-43500) <https://almalinux.org/blog/2026-05-07-dirty-frag/>: in production NGINX Rift (CVE-2026-42945) <https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/>: in production Fragnesia (CVE-2026-46300) <https://almalinux.org/blog/2026-05-13-fragnesia-cve-2026-46300/>: testing, please verify ssh-keysign-pwn (CVE-2026-46333) <https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/>: testing, please verify To the community: thank you. The volume of testing reports we received on these rounds is the reason they moved from testing to production as quickly as they did. The Copy Fail rollout in particular was the highest-engagement community call for testing we have ever run. We do not take that lightly. Two patches are still sitting in the testing repository and need community verification before we can move them to production: Fragnesia (CVE-2026-46300) <https://almalinux.org/blog/2026-05-13-fragnesia-cve-2026-46300/> test builds in almalinux-testing were refreshed on 2026-05-14 with additional upstream patches. ssh-keysign-pwn (CVE-2026-46333) <https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/> is a __ptrace_may_access() logic bug that lets an unprivileged user lift open file descriptors out of a dying privileged process and read root-owned files like /etc/shadow and SSH host keys. Public exploits are already out. The ssh-keysign-pwn build also carries the Fragnesia patches, so installing it gets you both fixes in a single reboot. See the blog post <https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/> for testing instructions. A quick note on the pace. We are aware that "another week, another root" is becoming an actual schedule rather than a joke. Four local-root kernel disclosures in fifteen days is, statistically speaking, a lot. Here is what is not changing: 1. We will keep shipping ahead of upstream when the severity warrants it. ALESCo has approved every one of these fast-track rollouts so far, and that bar has not moved. If a critical fix is sitting upstream and our users are exposed, we will build it. 2. We will keep our patches strictly compatible. Every kernel and every nginx package we have shipped during this run uses the upstream fix backported and adapted to the AlmaLinux branch, with the same NVR scheme, the same module ABI, and the same repository layout you would expect from a normal Red Hat security update. Drop-in compatibility is the contract, and we are not breaking it to ship faster. 3. We will keep asking you to test. Community verification is what lets us move from testing to production with confidence. The reason these patches have rolled out cleanly so far is that you have been there to catch the things we cannot reproduce in our lab. Stay informed: Blog: https://almalinux.org/blog/ Mattermost: https://chat.almalinux.org/ Announce: https://lists.almalinux.org/mailman3/lists/announce.lists.almalinux.org/ Security: https://lists.almalinux.org/mailman3/lists/security.lists.almalinux.org/ -- Jonathan Wright AlmaLinux OS Foundation Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>

1 0

Fragnesia (CVE-2026-46300) patched kernels available in AlmaLinux testing
by Jonathan Wright 13 May '26

13 May '26

Hi everyone, Here we go again. A third local-root flaw in the Linux kernel has been disclosed today in the same code area as Copy Fail and Dirty Frag. The bug, named "Fragnesia" by researcher William Bowling of the V12 security team, is tracked as CVE-2026-46300, and a working proof-of-concept is already public. Fragnesia is a logic flaw in the core socket-buffer code (skb_try_coalesce loses the SKBFL_SHARED_FRAG marker) that the XFRM ESP-in-TCP receive path then turns into in-place AES-GCM decryption over page-cache pages an unprivileged user controls. The end result is arbitrary byte writes into read-only files such as /usr/bin/su, i.e. immediate local root. All supported AlmaLinux releases (8, 9, 10) are affected through esp4 / esp6, which ship in the standard kernel package. AlmaLinux 9 and 10 are additionally affected through rxrpc, but only on systems that have installed the kernel-modules-partner package from the Devel repository. AlmaLinux 8 does not build rxrpc. The AlmaLinux core team has built patched kernels using the upstream skbuff fix, ahead of any Red Hat update, with ALESCo approval. They are available in the almalinux-testing repository today and will move to production once the community has helped verify them. AlmaLinux 8: kernel-4.18.0-553.124.2.el8_10 AlmaLinux 9: kernel-5.14.0-611.54.4.el9_7 AlmaLinux 10: kernel-6.12.0-124.56.2.el10_1 A dedicated Kitten 10 build will follow shortly. If you run AlmaLinux anywhere untrusted users can get a shell (multi-tenant hosts, container build farms, CI runners, shared developer boxes), please install the patched kernel from testing and help us verify it, or apply the one-line modprobe blacklist mitigation in the blog post. The same mitigation already used for Dirty Frag (esp4 / esp6 / rxrpc) also blocks Fragnesia, so if you applied that one you are already covered. Full write-up, install steps, NVRs, and the mitigation command: https://almalinux.org/blog/2026-05-13-fragnesia-cve-2026-46300/ References: NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46300 Red Hat: https://access.redhat.com/security/cve/CVE-2026-46300 PoC: https://github.com/v12-security/pocs/tree/main/fragnesia Please report any problems with the patched kernel in https://chat.almalinux.org or on https://bugs.almalinux.org so we can get this into the production repositories quickly. -- Jonathan Wright AlmaLinux OS Foundation Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>

1 0

CVE-2026-43284 "Dirty Frag" still present in raspberry pi kernel
by hambingen＠protonmail.com 09 May '26

09 May '26

Dear AlmaLinux community, the recently disclosed "Dirty Frag" exploit that was thankfully patched by the AlmaLinux team with impressive speed in the main kernels is still present in the `raspberrypi2-kernel4` package that is shipped with AlmaLinux for Raspberry Pi (https://repo.almalinux.org/almalinux/10/raspberrypi/images/) It can however easily be fixed as the upstream commit (https://github.com/raspberrypi/linux/commit/b54edf1e9a3fd3491bdcb82a21f8d21…) cleanly applies against the AlmaLinux raspberry pi kernel sources. I have quickly created a fedora copr repo (https://copr.fedorainfracloud.org/coprs/hambingen/raspberry-pi_kernel/) with the patched kernel for an example of how to secure your system. Please consider patching this CVE in the raspberry pi kernel (if this is not already in the works). Yours, Hambingen

1 0

Call for testing — patched kernels for Copy Fail (CVE-2026-31431)
by Jonathan Wright 01 May '26

01 May '26

Hello AlmaLinux Users, A few days ago Xint Code disclosed Copy Fail (CVE-2026-31431), a Linux kernel logic flaw in the crypto subsystem (algif_aead chained through AF_ALG and splice()). It lets any unprivileged local user escalate to root with a 732-byte exploit that the researchers report is 100% reliable across every mainstream Linux distribution built since 2017. Every supported AlmaLinux release is affected. Red Hat has not yet shipped a kernel update, so our core team has built patched kernels for AlmaLinux 8, 9, 10, and Kitten 10 using the upstream fix. ALESCo approved shipping ahead of upstream — the patched kernels are in the testing repository today, and they'll move to production once the community has helped us verify them. If you can spare a test box — especially anything multi-tenant, a container host, or a CI runner where untrusted users get a shell — we'd love your help testing. Full instructions, kernel versions, and feedback channels are on the blog: https://almalinux.org/blog/2026-05-01-cve-2026-31431-copy-fail/ -- Jonathan Wright AlmaLinux OS Foundation Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>

1 1