On Thursday, April 30th, 2026 at 7:13 AM, Russell Senior <[email protected]> wrote:
>
>
> On 4/30/26 06:42, Ted Mittelstaedt wrote:
> > Note that Ubuntu 26.04 was released on the 23rd of April, and it's NOT
> > vulnerable. I suspect that there is a connection here and that the 26.04
> > release date was
> > advanced.
>
> I don't think the Ubuntu 26.04 release schedule was advanced. The
> release date is consistent with past releases, see here:
>
> https://documentation.ubuntu.com/project/release-team/list-of-releases/
>
> The reason it isn't vulnerable is that the fix got into v7.0 and (I'm
> not sure of the Ubuntu policy, but guessing) because v7.0 was released
> before Ubuntu 26.04 was released, they went with it.
>
> The thing that kind of surprises me is that the major distributions
> didn't have the fix in by the disclosure day. ArchLinux was also not
> vulnerable, if you update reasonably regularly, because they stay pretty
> close to upstream stable kernels and so had the fix as a matter of
> course. Debian and Ubuntu (and Fedora?) seem to have been caught a bit
> flat-footed.
>
> The thing I haven't seen reported yet is: "are non-x86/ architectures
> also affected?" You would guess so, since this was apparently a logical
> error, but the published python script exploit doesn't work on them to
> test, and I haven't seen anyone say. An exploit tuned for ARM might.
>
> --
> Russell Senior
> [email protected]
>

The PoC script makes assumptions about system configuration that result in it failing on certain distributions. The algif_aead kernel module needs to be loaded and su needs to be readable by non-root users (-rwsr-xr-x). The Python script is pretty simple, so chances are some systems are not as directly vulnerable.

It's still serious, since the exploit involves poisoning the page cache of a binary in order to trick users into running malicious code. Privilege escalation is a side effect of the exploit implementation, not the exploit itself. A more direct PoC demonstrating the bug on an arbitrary binary would be much better IMO.

-Ben
