Fwiw, I just tried the Python exploit on Asahi Linux, which is based on
Fedora 42 at the moment, and it didn't drop me to a root shell, but
/usr/bin/su doesn't seem to work "normally". Fedora is weird.
--
Russell Senior
[email protected]
On 4/30/26 7:13 AM, Russell Senior wrote:
On 4/30/26 06:42, Ted Mittelstaedt wrote:
Note that Ubuntu 26.04 was released on the 23rd of April, and it's NOT
vulnerable. I suspect that there is a connection here and that the
26.04 release date was advanced.
I don't think the Ubuntu 26.04 release schedule was advanced. The
release date is consistent with past releases, see here:
https://documentation.ubuntu.com/project/release-team/list-of-releases/
The reason it isn't vulnerable is that the fix got into v7.0 and (I'm
not sure of the Ubuntu policy, but guessing) because v7.0 was released
before Ubuntu 26.04 was released, they went with it.
The thing that kind of surprises me is that the major distributions
didn't have the fix in by the disclosure day. Arch Linux was also not
vulnerable if you update reasonably regularly, because they stay
pretty close to upstream stable kernels and so had the fix as a matter
of course. Debian and Ubuntu (and Fedora?) seem to have been caught a
bit flat-footed.
The thing I haven't seen reported yet is: "are non-x86 architectures
also affected?" You would guess so, since this was apparently a
logical error, but the published Python script exploit doesn't work on
them to test, and I haven't seen anyone say. An exploit tuned for ARM
might.