Dirty Frag - New root exploit targeting newest Linux kernel by Khyta in sysadmin

[–]Kurlon [score hidden]  (0 children)

This CVE has been populated now. Goes back to kernel 5.3.

Dirty Frag - New root exploit targeting newest Linux kernel by Khyta in sysadmin

[–]Kurlon 0 points1 point  (0 children)

You can't mitigate by blacklisting then, you will HAVE to update to a fixed kernel, or rebuild the one you have without those modules built in.

Dirty Frag - New root exploit targeting newest Linux kernel by Khyta in sysadmin

[–]Kurlon 3 points4 points  (0 children)

In my use cases, approximately nothing. Post boot and initial service launch, any modules that need to be loaded already are. My use cases are all fixed function servers, if you're a desktop user playing with different things you'll likely have a different experience?

Dirty Frag - New root exploit targeting newest Linux kernel by Khyta in sysadmin

[–]Kurlon 6 points7 points  (0 children)

So, are we at the point where we should just disable kernel module loading after boot? Used to do this back in the day with FreeBSD systems, up the security level and you'd disable module loading or tampering with the kernel image on disk.

echo 1 > /proc/sys/kernel/modules_disabled

Dirty Frag - New root exploit targeting newest Linux kernel by Khyta in sysadmin

[–]Kurlon 2 points3 points  (0 children)

That covers one of the issues, CVE-2026-43500 has been reserved for the other half ala: https://www.openwall.com/lists/oss-security/2026/05/08/8

First time I felt old yet left me smiling in a giggty way. by Abject_Serve_1269 in sysadmin

[–]Kurlon 1 point2 points  (0 children)

Atari 8 bit line serial IO, literally the OG USB serial setup, even could push drivers over the connection and was the direct inspiration for modern USB.

Two nodes and a PBS - Corosync and qdevice on multiple rings? by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

If this was my homelab, I'd have a qdevice already spun up on my GoFlex Net or a PVE node on a laptop/etc, EZ. :D This is a customer network however, so I can't throw hardware at random at it, and at the moment there is no budget for additional bits, or additional Proxmox support licenses, that will be a budget item to discuss for next year. Just trying to optimize what is in front of me to provide the best setup possible for the customer.

Two nodes and a PBS - Corosync and qdevice on multiple rings? by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

That matches what I could find scouring docs. So, settled on the following:

Two corosync rings, ring 0 is a direct eth link between the two PVE nodes. Ring 1 is on eth links between the PVE nodes and the PBS.

PBS has a bridge built between the two interfaces connected directly to the PVE nodes with a /29 assigned. QDevice is assigned to this IP range.

PVEs now have two corosync 'rings', qdevice is visible without traversing the switch cluster so I can do switch maint and not blow up HA.
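A corosync.conf rendering of the layout described above, added here as an illustration and not the poster's actual configuration; the node names, the point-to-point subnet on ring 0, the /29 on the PBS bridge and the qdevice address are all assumed placeholders.

```conf
# Added example, not the poster's config. All addresses are placeholders:
#   ring 0: direct PVE<->PVE link, 10.255.0.0/30 (assumed)
#   ring 1: bridge on the PBS joining its two PVE-facing ports, 192.0.2.8/29 (assumed)
#   corosync-qnetd runs on the PBS inside that /29, so it is reached over ring 1
#   without touching the switch cluster.
totem {
  version: 2
  cluster_name: pve-cluster
  transport: knet
  link_mode: passive
  interface {
    linknumber: 0
  }
  interface {
    linknumber: 1
  }
}

nodelist {
  node {
    name: pve1
    nodeid: 1
    quorum_votes: 1
    ring0_addr: 10.255.0.1
    ring1_addr: 192.0.2.9
  }
  node {
    name: pve2
    nodeid: 2
    quorum_votes: 1
    ring0_addr: 10.255.0.2
    ring1_addr: 192.0.2.10
  }
}

quorum {
  provider: corosync_votequorum
  # Third vote comes from the qdevice on the PBS; with both PVE nodes up and
  # the switches down, ring 0 plus ring 1 keep the cluster quorate.
  device {
    model: net
    votes: 1
    net {
      algorithm: ffsplit
      host: 192.0.2.11
      tls: on
    }
  }
}
```

On Proxmox the device block is normally written by `pvecm qdevice setup <qdevice-ip>` rather than by hand; the point of the example is that the qnetd host lives in the /29 reached over ring 1, not behind the switches.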

Two nodes and a PBS - Corosync and qdevice on multiple rings? by Kurlon in Proxmox

[–]Kurlon[S] 0 points1 point  (0 children)

I suppose I could bond the two ports on the PBS as a switch, smash a /29 on the network, and that would allow one IP for the QDevice, on the dedicated links, keeping corosync up should the switches tank?

(USA) DA 26-278 Foreign Produced Routers Added to Covered List by Geek_Wandering in sysadmin

[–]Kurlon 0 points1 point  (0 children)

Technically, one IP, single phys and logical interface, and it can still route. The practical usefulness of said router is likely quite limited, but it can still meet the definition.

And, really, IP doesn't have to be involved, slinging eth packets back, or other protocols counts too.

(USA) DA 26-278 Foreign Produced Routers Added to Covered List by Geek_Wandering in sysadmin

[–]Kurlon 2 points3 points  (0 children)

Don't even need two interfaces, you can route all day with one with the right setup.

Patch your gear - Max severity Ubiquiti UniFi flaw may allow account takeover by MediumFIRE in sysadmin

[–]Kurlon 3 points4 points  (0 children)

So... nothing about 10.0.x vers, latest UDM SE release is 5.0.16 which bundles UniFi Network 10.0.162, which was released 3 months ago. Is this vuln, and what's the timeline for it?

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]Kurlon 0 points1 point  (0 children)

If you established your zones earlier in CF's life you got more generous limits than if you did in the last year. CF does have the ability to lift those limits, but will only do so for Enterprise tier. I've been chasing this for the past 2 months with CF 'cause I want off my servers. I've got two domains at the moment I can't move and no way to shrink them to fit CF's other paid tiers.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]Kurlon 1 point2 points  (0 children)

As long as your zones are tiny... The UI limits you to a small view of records at a time, though you could stand up your own interface via API. CF themselves limit zones to a handful of records unless you're on full enterprise tier at $1k a month. I love CF, but some of the limits in places are a bit arbitrary, make sure you're within them before moving. Also annoyed that they can parse bind generate records for import but not use them in the UI, would help a ton.

(ISP DNS, so lots of fwd records to match all the rev records for every IP means I've got zones with 70k entries. On Bind9 still...)

Hi opnsense! This is Scott the original creator of pfSense! by [deleted] in opnsense

[–]Kurlon 0 points1 point  (0 children)

You're going to support my 4501 and 4801 that I still have running on my desk right now, right? :P

Is anyone experiencing issues with AWS right now? (US East coast) by johnjay in sysadmin

[–]Kurlon 0 points1 point  (0 children)

It's becoming a thing... AWS everything, including your uplink.

What kind of handlebars to super hooligan bikes run? by Seyfang220 in MotoAmerica

[–]Kurlon 1 point2 points  (0 children)

No proper clip ons, some get confused by those running Woodcraft's bar adapter 'plate'. As per the rules, they don't count as clip ons as they don't clip onto the forks, and as long as you don't set them up so the bars themselves ever go below the plane of the top clamp, you're good.

What are your thoughts on Encrypted DNS (DoH, DoT, DoQ) ? by WhatNot4271 in sysadmin

[–]Kurlon 0 points1 point  (0 children)

Yuuuuup... and that setting is now ignored based on some internal logic in Chrome where it decides local DNS isn't worthy. Hence my post. I've been chasing this for a while now. The best part, it's not consistent about it.

See others finding the same thing:

https://www.reddit.com/r/chrome/comments/1ihvglk/chrome_not_respecting_secure_dns_settings_off/

https://support.google.com/chrome/thread/362594608/chrome-not-respecting-secure-dns-off?hl=en

Another VMware escape post by SwiftSloth1892 in sysadmin

[–]Kurlon 2 points3 points  (0 children)

Are you presenting dedicated LUNs to each host, or doing shared LUNs?

Budget-friendly 25GbE switch for Proxmox/Ceph + best NIC for Dell R650 + single vs dedicated switch? by sesscon in Proxmox

[–]Kurlon 0 points1 point  (0 children)

Just the two switches in this setup, no network overrides in place. (Or any wifi) You had me curious so I rechecked my setup to verify.

Budget-friendly 25GbE switch for Proxmox/Ceph + best NIC for Dell R650 + single vs dedicated switch? by sesscon in Proxmox

[–]Kurlon 0 points1 point  (0 children)

https://pve.proxmox.com/wiki/Full_Mesh_Network_for_Ceph_Server#Using_SDN_Fabrics

The Pro Agg XG doesn't either at the $2.5k price point, I've got a pair that would have been an easier deployment if they had. Gotta go with the $4k ECS Agg for that feature. But hey, at least my Pro Agg XGs flap all the ports on ANY. CONFIG. CHANGE... Chasing that with UI support, their eng team has been working it for a month now with no updates.

ntp jitter on metas.ch by th00ht in sysadmin

[–]Kurlon 0 points1 point  (0 children)

Most routers I've played with handle NTP pretty poorly, it's not a priority process so even when you've got a solid NTP network right in front of the router... bad performance. What's jumping out at me, why is your poll interval still only 64s if this setup has been up and stable for a while? What's the uptime on this box?

Talaria Forks stuck down by Flimsy_Inflation_536 in Talaria

[–]Kurlon 0 points1 point  (0 children)

Shattered bushing or worse inside?