bestouff 2 hours ago [-]
Lots of privilege escalations these days. But are there that many multiuser Linux systems nowadays? I'm under the impression the whole landscape is either servers or single-user desktops (and ofc Android phones).
dathinab 1 hours ago [-]
> many multiuser Linux systems nowadays
not relevant IMHO
we don't live anymore in a time where you can trust that local apps do not misbehave, and in such a context LPE is pretty bad even in a single user system
just think about all the supply chain problems of recent times
riedel 37 minutes ago [-]
Many university HPC clusters are run multiuser. At least login nodes.
zahlman 2 hours ago [-]
I impersonate multiple users on my machine for organizational reasons.
LPEs also potentially make user-level malware into system-level malware, which is only marginally more impactful for a single person on a desktop, but considerably harder to clean up. (It also broadens the range of what such malware could exfiltrate from me.)
INTPenis 2 hours ago [-]
The idea is that you can exploit a service hosted on Linux to run these.
nubinetwork 2 hours ago [-]
At what point do we all start rolling our own microkernels? This is kind of getting silly now... 4 now in the past month?
craftkiller 2 hours ago [-]
I hate that the Qubes OS people were right.
itintheory 2 hours ago [-]
Sounds like this one is in the same kernel modules as dirtyfrag, so the existing mitigations (if in place) are sufficient.
https://access.redhat.com/security/vulnerabilities/RHSB-2026...
https://aws.amazon.com/security/security-bulletins/2026-027-...
That one also includes disabling user namespaces. Could be problematic if they're in use.