π¬ Open Source & Linux Weekly - W20_2026
Third kernel root exploit in 14 days, spawned by its own fix. 170+ packages hit by self-propagating supply chain worm. Germany funds KDE with 1.28M EUR.
A kernel security patch introduced a root exploit worse than the one it fixed. A supply chain worm carried valid Supply Chain Levels for Software Artifacts (SLSA) provenance while stealing credentials from 170+ packages. Germany paid 1.28 million EUR for a desktop environment that most enterprises refuse to deploy.
Trust Boundaries Broke Twice in Seven Days...
A security patch introduced a vulnerability worse than the one it fixed. A supply chain worm carried a valid digital passport. And both happened in the same week.
Welcome back!
Here's the roadmap. First, the page cache. The shared memory layer that every process on every Linux machine trusts without question. A researcher found a vulnerability inside the patch for the previous vulnerability. He built a working exploit that hands you root. Three times in fourteen days, same assumption, same failure.
Second, a supply chain worm that compromised 42 packages in six minutes, then jumped to 170 more. It carried a valid provenance certificate. The provenance system built to verify package authenticity looked at the worm and said, "legitimate."
Third, Daniel Stenberg's manifesto, "Don't Trust, Verify." He's the creator of curl. He wrote it in March. It went viral again, the same week, 170 packages proved why verification matters.
Four stable kernel releases in seven days. That pace hasn't happened since Spectre and Meltdown in 2018. Greg Kroah-Hartman ships Linux stable releases. He pushed emergency patches at a speed the kernel community hasn't seen in eight years.
Federal agencies in the US hit their patching deadline with four root-access bugs stacked on the same rotation window. Four. Same window. That has never happened before.
All four bugs share one ancestor. The page cache.
Think of the page cache like a shared water pipe in a building. Every floor drinks from it. The rule is: you only read from the pipe, you never inject anything back. The performance of the whole system depends on that one-way flow.
But what happens when someone figures out they can inject their own liquid into the pipe? And what happens when sealing that injection point cracks open a new one, right next to the one you just patched?
A researcher named William Bowling at V12 Security did something unusual. He didn't scan old code looking for new bugs. He audited the patch. The fix itself.
He read the code that fixed the previous vulnerability, called Dirty Frag. And he asked a question most researchers never ask. What if the fix is the bug?
He was right.
The Dirty Frag fix patched one code path but never audited skb_try_coalesce, a neighboring function that also handles the same memory fragments. That function drops the SKBFL_SHARED_FRAG marker when merging buffers. Without that marker, the kernel skips copy-on-write and decrypts directly into shared page-cache pages. Anyone with local access can overwrite read-only system files.
That is Fragnesia. The third root escalation from the same trust boundary in fourteen days, and each one was born from the patch that closed the last.
Same week... Different layer. Same structural flaw.
A threat group called TeamPCP published 84 malicious versions across 42 packages in six minutes. I just want to underline here: six minutes, start to finish.
The worm jumped. From those 42 packages to Mistral AI, UiPath, and OpenSearch. Over 170 packages total across two registries, where developers download code they trust. If you've ever run a package install command, you've used these registries. Your CI pipeline uses them. Your production servers use them.
It stole cloud credentials. Authentication keys. Docker secrets. And it deployed a persistent backdoor that can wipe developer home directories on command.
This is happening frequently nowadays, right? You are hearing the TeamPCP name more than your wife's. But there is a catch:
The worm carried valid provenance certificates. The digital certificate that's supposed to prove software came from a legitimate source passed the attack without flinching. The certificate system gave the worm a green light.
The attack carried a valid passport.
Same week...
A fake model impersonating OpenAI hit number one on Hugging Face. 244,000 downloads in 18 hours. Delivered malware to every machine that ran it. Model registries are the new package registries. Same trust model. Same attack surface.
Daniel Stenberg wrote, "Don't Trust, Verify." He created curl, the tool running on ten billion devices. His argument: the default posture of trusting well-known components is dead.
He wrote it in March. It resurfaced this week because 170 packages proved exactly why.
An 18-year-old memory corruption bug in NGINX turned out to be remotely exploitable. The whole time. One of the most deployed web servers on the planet, and the maintainers never checked whether this specific pattern-matching path could be reached from the outside. It could. The whole time.
See the pattern?
The page cache has trusted performance optimizations for years. No one questioned them. Provenance attestation was supposed to verify supply chains. No one stress-tested it against the attack itself. Hugging Face trusted popularity signals. NGINX trusted its own pattern-matching rules. All collapsed in the same week.
We keep building new infrastructure on old trust assumptions that were never validated.
The missing column here is trust boundary integrity.
Now, switch to optimism...
Germany's Sovereign Tech Fund dropped 1.28 million euros on KDE over two years. It is operational funding for a desktop environment that German and French government offices run in production. Thirty thousand employees in one German state alone. The government decided that depending on software maintained by volunteers and hoping for the best is a national security risk. So they funded it like infrastructure. Because it is.
π€ If you need me, I'll explain to my manager why our next patch cycle requires a patch cycle for the patch cycle while TeamPCP ships more reliably than most startups I have seen.
Have a great week!
π§ Linux
Fragnesia: The Patch That Broke the Fix, Then Gave Everyone Root
William Bowling of V12 Security published Fragnesia (CVE-2026-46300) on May 13 with a working proof-of-concept that overwrites /usr/bin/su through the page cache and hands you root. The vulnerability lives in the kernel's Transform (XFRM) ESP-in-TCP subsystem. When a TCP socket transitions into espintcp Upper Layer Protocol (ULP) mode after data has already been spliced from a file into the receive queue, the kernel treats queued file pages as ESP ciphertext and decrypts them in place. The critical part: Fragnesia was an unintended side effect of the Dirty Frag fix itself. The upstream patch explicitly cites the Dirty Frag fix commit (f4c50a4034e6) as one of two commits it "fixes." Organizations that applied only the Dirty Frag patches without module blacklists remain vulnerable. Kernel 7.0.7 shipped May 14 with the complete fix.
Four Stable Kernels in Seven Days: The Densest Patch Run Since Spectre
Greg Kroah-Hartman released stable kernels 7.0.7, 6.18.30, and 6.12.88 on May 14, completing the Fragnesia fix. Combined with 7.0.4 through 7.0.6 (May 7-11), that is four stable releases in seven days, addressing CopyFail backports, Dirty Frag ESP, Dirty Frag RxRPC, and Fragnesia. Fedora 44, Ubuntu 26.04, Arch, and openSUSE Tumbleweed shipped updated packages within 48 hours. Four privilege-escalation patches inside a single change window has no precedent outside Spectre/Meltdown.
Linux 7.1-rc3: Torvalds Confirms Patch Volume Is "The New Normal"
Linus Torvalds released Linux 7.1-rc3 on May 10, with networking consuming one third of the diff. His exact words: "that wasn't a fluke brought on by a .0 release, it simply seems to be the new normal." The release includes Intel Auto Counter Reload for Xeon Diamond Rapids, Apple Mac USB-C networking support, AlphaTheta/Pioneer DJ drivers, and security patches across Bluetooth and GPU drivers. Final 7.1 release expected June 7 or 14. No fix for the Graviton4 PostgreSQL regression in rc3.
CopyFail Federal Deadline Passes as Active Exploitation Continues
The CISA Binding Operational Directive 22-01 deadline for CVE-2026-31431 (CopyFail) passed on May 15. Every federal civilian executive branch agency was required to have patched or mitigated the nine-year-old privilege-escalation vulnerability. Active exploitation confirmed against U.S. think tanks, European manufacturing companies, and cloud service providers. Federal agencies faced patching four page-cache CVEs inside a single rotation window. That has never happened before.
KDE Plasma 6.7 Beta Ships With Union CSS Theming Engine
KDE released Plasma 6.7 Beta on May 14 with the first public tech preview of Union, a CSS-based style and theming engine. Union uses a three-layer architecture: an input layer reading style descriptions, an intermediate library producing an abstract data model, and an output layer translating that model into rendering commands for QtQuick and QtWidgets. Also in this release: Plasma Big Screen revival for TV PCs, per-screen virtual desktops, HDR improvements, better CPU rendering performance, NVIDIA driver fixes, and Intel overlay plane support. Stable release targets June 16.
Ubuntu 25.10 to 26.04 LTS Upgrade Path Opens
Canonical opened the upgrade path from Ubuntu 25.10 to Ubuntu 26.04 LTS on May 14. Users on 25.10 can now run do-release-upgrade. Ubuntu 24.04 LTS users wait for 26.04.1 in summer 2026. The LTS ships kernel 7.0, GNOME 50, Python 3.14, PHP 8.5, Java 25, TPM-backed full-disk encryption, post-quantum cryptography in OpenSSL, and Wayland-only GNOME. The PostgreSQL Graviton4 regression carries forward for affected workloads on kernel 7.0.
Fedora 42 Reaches End of Life
Fedora 42 reached end of life on May 13. No security updates, no bug fixes. Users must upgrade to Fedora 43 or 44. Combined with openSUSE Leap 15.6 EOL on April 30, two major distribution branches ended support within two weeks.
Subnautica 2 Runs Day-One on Linux at 60+ FPS via Proton 11
Steam's most-wishlisted game entered Early Access on May 14 and runs out of the box on desktop Linux through Proton 11 Beta. On Fedora KDE 44 at 2560x1440 High settings with TSR Quality, it holds above 60 FPS. Steam Deck verified at 30 FPS with a minor workaround on first boot. The developers confirmed they test with Proton. A major AAA early-access title running day-one without configuration. That is exactly the kind of week Linux gaming needed.
OpenZFS 2.4.2 Ships With Linux 7.0 Kernel Support
OpenZFS 2.4.2 released on May 12 with Linux 7.0 kernel support (up from 6.19 in the prior release), maintaining backwards compatibility to Linux 4.18. The release includes storage reliability fixes for rare checksum errors after rebuilds, dRAID checksum issues with degraded disks, and data corruption after clearing a disk in dRAID setups. Also in: initramfs improvements, POSIX_FADV_DONTNEED support, and early Linux 7.1 fixes.
Arm Submits 128-Bit Page Table Entry Patches for Linux
Arm submitted RFC patches enabling FEAT_D128 (128-bit page table entries) for Armv9.3 and later processors. Each table contains 256 sixteen-byte descriptors resolving 8 bits of input address per level, requiring 5 table lookups for full resolution. The feature supports larger physical and virtual address memory ranges. Current limitations: no KVM, no KASAN. RFC-stage work targeting future silicon, not current hardware. But it defines the memory architecture next-generation Arm servers will need.
Intel Wants LPMD Power Management in the Kernel Source Tree
Intel engineers submitted patches to move their Low Power Mode Daemon into the kernel source tree, arguing it would "increase its effectiveness through maintaining higher quality standards and better community cooperation." LPMD helps hybrid laptop and desktop CPUs deliver better power efficiency under Linux. Same model as Turbostat, which already lives in the kernel tree. Intel wants LPMD as official kernel infrastructure rather than a standalone userspace tool.
Linux Gems
DirtyFrag-Detector: Quick Patch Status for the Dirty Frag Vulnerability Pair
Detection script that checks whether your running kernel is patched against CVE-2026-43284 and CVE-2026-43500. Runs non-destructive checks and reports mitigation status. The module blacklist it recommends (esp4, esp6, rxrpc) also mitigates Fragnesia (CVE-2026-46300). If you manage multi-host Linux deployments and need a quick inventory across the Dirty Frag family, this saves hours of manual verification.
𧩠Open Source
Mini Shai-Hulud Worm Hits TanStack, Mistral AI, and 170+ Packages
TeamPCP published 84 malicious versions across 42 @tanstack/* npm packages between 19:20 and 19:26 UTC on May 11 by chaining pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning, and OIDC token memory extraction from the runner process. The attack self-propagated to Mistral AI, UiPath, OpenSearch, Guardrails AI, and over 170 packages total across npm and PyPI. TanStack React Router serves 12.7 million weekly downloads. The malware steals AWS, GCP, Kubernetes, and HashiCorp Vault credentials, exfiltrates SSH keys and Docker secrets, and deploys a persistent daemon that can wipe developer home directories. First documented attack carrying valid SLSA provenance attestations.
Sovereign Tech Fund Awards KDE 1.28 Million EUR
Germany's Sovereign Tech Fund announced 1,285,200 EUR over 2026-2027 for KDE. The funding targets Plasma desktop improvements, KDE Linux QA infrastructure, data backup and restore, network shares, and Personal Information Management (PIM) integration with Flatpak delivery. Largest single public-funder grant to a desktop environment project. KDE Plasma is the chosen desktop for Germany's Schleswig-Holstein government migration (30,000 employees), and France's broader national Linux migration plan cites the Gendarmerie Nationale's 103,000-workstation Ubuntu deployment as a governance model. The funding targets exactly the infrastructure gaps those deployments surface. Operational funding, not a research grant.
NGINX Rift: 18-Year-Old Heap Overflow Enables Unauthenticated RCE
Security researchers disclosed NGINX Rift (CVE-2026-42945, CVSS 9.2) on May 13: a critical heap buffer overflow in NGINX's rewrite module present since version 0.6.27 (approximately 2008). The vulnerability triggers when unnamed Perl Compatible Regular Expressions (PCRE) captures ($1, $2) combine with question marks in replacement strings. A single crafted HTTP request overflows the heap, crashing the worker (DoS loop) or executing code when Address Space Layout Randomization (ASLR) is bypassed. Remotely exploitable without authentication on any internet-facing NGINX reverse proxy using affected rewrite patterns. Patched in 1.30.1 and 1.31.0.
Bleeding Llama: Ollama Memory Leak Exposes 300,000 Servers
CVE-2026-7482 (CVSS 9.1) lets unauthenticated attackers extract full process memory of Ollama servers using three API calls. The out-of-bounds read in the GGUF model loader accepts an attacker-supplied file with tensor offsets exceeding actual length, causing the server to read past the allocated heap buffer. Leaked memory includes environment variables, API keys, system prompts, and conversation data. The /api/create endpoint has no authentication in upstream distribution. Patched in Ollama 0.17.1, but over 300,000 servers remain exposed globally. The gap between patch availability and patch adoption will define the blast radius.
Fake OpenAI Model Hits #1 on Hugging Face With 244K Downloads, Delivers Infostealer
A malicious Hugging Face repository impersonating OpenAI's Privacy Filter model hit #1 trending with 244,000 downloads and 667 likes in under 18 hours. The payload: a 1.07 MB Rust-based executable that defeats debuggers, detects VMs, disables Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), then harvests Discord tokens, crypto wallets, FileZilla configs, and browser data from Chromium and Gecko engines. Six repositories under the same account, all uploaded April 24, point to a coordinated campaign targeting ML platforms.
Exim "Dead.Letter" RCE: One of the Highest-Caliber Bugs Ever Found in Exim
CVE-2026-45185 (CVSS 9.8) is a use-after-free in Exim's Binary Data (BDAT) message body parsing when TLS is handled by GnuTLS. A client sends TLS close_notify before body transfer completes, then sends a final byte in cleartext on the same TCP connection, causing Exim to write into freed memory. Affects versions 4.97 through 4.99.2 with GnuTLS. No credentials needed, no special configuration required. XBOW called it "one of the highest-caliber bugs" they have found in Exim. Patched in 4.99.3.
Daniel Stenberg: "Don't Trust, Verify" for Software Supply Chains
Daniel Stenberg argued in March that the industry's default posture of trusting well-known components is finished. curl provides signed release artifacts and a verification page so independent users can confirm releases match the git repository. He lists scenarios: malicious contributor, breached committer, extorted team member, hacked distribution server. Even a small number of independent verifiers provides real defense. The argument gained fresh coverage the same week TanStack's worm carried valid SLSA provenance. "Verify" stopped being philosophical and became operational overnight.
Open Source Summit North America Opens May 18 in Minneapolis
The Linux Foundation's flagship event runs May 18-20 with co-located Linux Security Summit, OpenSSF Community Day, and Embedded Linux Conference. CopyFail/Dirty Frag/Fragnesia will dominate the security track. The Sustaining Package Registries Working Group may hold its first public session. Speaker rosters from AWS, Google, IBM, Intel, Microsoft, Netflix, OpenAI, and Sony.
Open Source Gems
SDL3 Adds Native 2026 Steam Controller Support Without Requiring Steam Client
A pull request merged into SDL3 on May 14 adds native support for the 2026 Steam Controller's touchpads, capacitive stick touch, grip sense detection, and pressure sensitivity. All functional outside the Steam client. For Linux developers using emulators, RetroArch, or non-Steam games, this removes the Steam ecosystem dependency from the $99 controller entirely.
π Spotlight
William Bowling - V12 Security / Fragnesia (CVE-2026-46300)
William Bowling, working with V12 Security, discovered and disclosed Fragnesia on May 13, with a patch available the same day. His disclosure included a working proof of concept and a clear technical write-up identifying the root cause of skb_try_coalesce()'s failure to propagate the SKBFL_SHARED_FRAG marker. What makes this discovery stand apart is the methodology. Bowling found a vulnerability created by the patch for a previous vulnerability. He audited the Dirty Frag fix commit itself, found that ownership flag propagation was incomplete in adjacent code paths, and built an exploit proving the gap was reachable. V12 Security attributes part of the discovery process to agentic AI-assisted security tooling.
That approach (auditing fixes rather than scanning original code) is undervalued in security research. Most researchers look for new bugs in old code. Bowling looked for new bugs in new patches. The result accelerated the kernel team's understanding that the page-cache trust boundary needs systematic remediation, not point fixes. Three root-escalation disclosures in 14 days, all in the same vulnerability class, and the researcher who found the third did so by reading the patch for the second.