| Linux Vulnerability Mitigation(7) | Miscellaneous Information Manual | Linux Vulnerability Mitigation(7) |
Name
Linux Vulnerability Mitigation - Mitigation for some Linux kernel security vulnerabilities
Description
Several local privilege escalation bugs have recently been found in the Linux kernel.
CVE-2026-31431: Copy Fail
Copy Fail (<https://copy.fail/>) is a vulnerability in the Linux kernel that allows unauthorized privilege escalation. It was publicly disclosed by security firm Theori on 29 April 2026 and is fixed as of Linux version 7.0.5 (Debian: 7.0.4-1).
CVE-2026-43284/CVE-2026-43500: Dirty Frag
Dirty Frag (<https://github.com/V4bel/dirtyfrag>) is a vulnerability in the Linux kernel that allows unauthorized privilege escalation. It was publicly disclosed by Hyunwoo Kim on 7 May 2026 and is fixed as of Linux version 7.0.6.
CVE-2026-46300: Fragnesia
Fragnesia (<https://github.com/v12-security/pocs/tree/main/fragnesia>) is a vulnerability in the Linux kernel that allows unauthorized privilege escalation. It was publicly disclosed by William Bowling on 13 May 2026 and is fixed as of Linux version 7.0.7.
CVE-2026-46333: ssh-keysign-pwn
ssh-keysign-pwn (<https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn>) is a vulnerability in the Linux kernel that allows an unprivileged user to read root-owned files. It was publicly disclosed by security firm Qualys on 15 May 2026 and is fixed as of Linux version 7.0.8 (Debian: 7.0.7-1).
CVE-2026-43494: PinTheft
PinTheft (<https://github.com/v12-security/pocs/tree/main/pintheft>) is a vulnerability in the Linux kernel that allows unauthorized privilege escalation. It was publicly disclosed by Aaron Esau on 19 May 2026 and is fixed as of Linux version 7.1-rc4.
Interactive usage
The linux-vulnerability-mitigation package applies mitigations based on the admin's selection via debconf:
sudo dpkg-reconfigure linux-vulnerability-mitigation
The debconf dialog lets the admin choose the mode, which determines which mitigations are run:
If 'manual' is selected, the list of all available mitigations (multiselect) is shown.
Non-interactive usage
The linux-vulnerability-mitigation package can be preseeded with debconf, e.g.:
TMPFILE="$(mktemp)"
cat > "${TMPFILE}" << EOF
linux-vulnerability-mitigation linux-vulnerability-mitigation/mode select auto
EOF
cat "${TMPFILE}" | debconf-set-selections
dpkg-reconfigure -fnoninteractive -pcritical linux-vulnerability-mitigation
rm -f "${TMPFILE}"
When choosing 'manual', individual mitigations can be specified by their CVE number, e.g.:
TMPFILE="$(mktemp)"
cat > "${TMPFILE}" << EOF
linux-vulnerability-mitigation linux-vulnerability-mitigation/mode select manual
linux-vulnerability-mitigation linux-vulnerability-mitigation/mitigations multiselect CVE-2026-31431, CVE-2026-43284, CVE-2026-43500
EOF
cat "${TMPFILE}" | debconf-set-selections
dpkg-reconfigure -fnoninteractive -pcritical linux-vulnerability-mitigation
rm -f "${TMPFILE}"
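As an added example (not part of the linux-vulnerability-mitigation package), the shell functions below compare an upstream kernel version with the fixed versions listed in the Description and print a 'manual' preseed for the CVEs that version predates. The function names are hypothetical, and the example assumes every CVE on this page is offered as a multiselect choice; distribution kernels that backport fixes under a lower version (such as Debian 7.0.4-1 for Copy Fail) are over-reported.

```shell
#!/bin/sh
# Added example. CVE -> first fixed upstream version, copied from this page.
FIXED='CVE-2026-31431 7.0.5
CVE-2026-43284 7.0.6
CVE-2026-43500 7.0.6
CVE-2026-46300 7.0.7
CVE-2026-46333 7.0.8
CVE-2026-43494 7.1-rc4'

# ver_key VERSION: print an integer that orders upstream kernel versions,
# e.g. "7.0.5", "7.1-rc4" or a uname -r value such as "7.0.6-amd64".
ver_key() {
    v=$1
    rc=999                              # a final release sorts after its -rcN
    case $v in
        *-rc[0-9]*) rc=${v##*-rc}; rc=${rc%%[!0-9]*}; v=${v%%-rc*} ;;
    esac
    v=${v%%[!0-9.]*}                    # drop suffixes such as "-amd64"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo $(( ${1:-0} * 100000000 + ${2:-0} * 1000000 + ${3:-0} * 1000 + rc ))
}

# unfixed_cves [VERSION]: print "CVE, CVE, ..." for every entry whose fixed
# version is newer than VERSION (default: the running kernel). Heuristic only:
# it knows nothing about distribution or stable-branch backports.
unfixed_cves() {
    cur=$(ver_key "${1:-$(uname -r)}")
    out=
    while read -r cve fixed; do
        if [ "$cur" -lt "$(ver_key "$fixed")" ]; then
            out="${out:+$out, }$cve"
        fi
    done <<EOF
$FIXED
EOF
    echo "$out"
}

# preseed [VERSION]: print debconf selections in the format shown on this page,
# or nothing when VERSION already contains every listed fix.
preseed() {
    list=$(unfixed_cves "$1")
    [ -n "$list" ] || return 0
    p=linux-vulnerability-mitigation
    printf '%s %s/mode select manual\n' "$p" "$p"
    printf '%s %s/mitigations multiselect %s\n' "$p" "$p" "$list"
}
```

Review the output of `preseed` before passing it to debconf-set-selections; called without an argument it uses `uname -r`.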
Authors
linux-vulnerability-mitigation was written by Daniel Baumann <daniel@debian.org>.
| linux-vulnerability-mitigation | Linux |