GitHub - 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.


@cadey god, kill me

I’m trying to find mitigations somewhere or if it’s just kernel update time (again)

@tyler it's kernel update time once patches percolate out
@cadey y’all got any of those precedented times we could have for a bit because I’m tired, boss

@tyler @cadey

I sure hope there's a finite set of severe vulnerabilities.

@cadey @tyler read right to left
@brettowe @cadey it’s turtles putting up under_construction.gif pages all the way down
@tyler Setting sysctl kernel.yama.ptrace_scope=2 (or 3) seems to work. [EDIT: This is insufficient; see thread.]
@jrenken dang dude you’re the GOAT, thank you for this, first mitigation I’ve seen
@tyler Unfortunate update: A Gentoo dev, who knows better than me, says the vuln is not exclusive to ptrace. So, my sysctl workaround only breaks that one public proof-of-concept exploit, not others. https://www.openwall.com/lists/oss-security/2026/05/15/3
oss-security - Re: Logic bug in the Linux kernel's __ptrace_may_access() function

@jrenken @tyler @thesamesam has been like awake for a week straight finding fixes for these I swear

@jrenken @tyler A different post in that oss-security thread backs the claim that setting yama.ptrace_scope=[23] is sufficient (for now): https://www.openwall.com/lists/oss-security/2026/05/15/10

@cadey

oss-security - Re: Logic bug in the Linux kernel's __ptrace_may_access() function

@jrenken @tyler @cadey There's also an update by the Gentoo dev in https://www.openwall.com/lists/oss-security/2026/05/15/11, saying "What I got mixed up with was that in Gentoo, for some reasons I won't bore readers with, =2 and =3 aren't an option yet [..]", so that's currently a Gentoo-specific limitation.
oss-security - Re: Logic bug in the Linux kernel's __ptrace_may_access() function

@jrenken @tyler does this require the system to have the Yama LSM enabled? Is that common?
@e_nomem @tyler Yes. I think so: it seems to be enabled by default in Debian & Ubuntu. But it turns out this isn't a sufficient workaround; see thread.
@jrenken @tyler better than nothing until the patches are out 🤷‍♂️
Chapter 4. Common kernel-related tasks

@e_nomem @tyler And by "just" I mean "just now," not "simply." 😭
@jrenken @tyler The debian kernel images with the patches are up
@cadey 
"Reported by Qualys, fixed by Linus 2026-05-14. Jann Horn flagged the FD-theft shape in October 2020. Six years"
@cadey My dedicated "SSH off button" is looking tasty
@babble_endanger @cadey Luckily it's not that bad. They need access to your machine before they can own it.

@cadey

Is responsible disclosure just not a thing any more, or what? Why is every f**king thing a 0-day all of a sudden?

Edit: Apparently it's because commits are being monitored by LLMs and rapidly turned into working exploits, so all #Linux vulnerabilities are 0-days from now on. Wonderful. https://lobste.rs/s/wskhre

#security

ssh-keysign-pwn: Read root-owned files as an unprivileged user


@argv_minus_one @cadey ‘Responsible disclosure’ was a brief attempt at language engineering by Microsoft which was largely abandoned 15-20 years ago.

Turns out that finger-pointing during a crisis is almost never helpful or appreciated.

@argv_minus_one @cadey Next step is to say humans can't keep up so they need to let AI in. Create your own demand

@maryjane

Nah, the vulnerability only became known when the patch was committed. Fixing the bug isn't the problem. Distributing the fix is the problem, and I don't see how AI can help with that.

@cadey

@argv_minus_one @maryjane @cadey let the AI on the system so it can install the fix in the minute it gets released.

⚠️ Don't do that! ⚠️
But it seems like there could be someone pushing this idea.

@argv_minus_one

Well, to be nice in that case, let the thingy run loose on dev branches to check PRs before they're merged...

Likely some issues in implementing it, depending on projects' workflows etc. But if you actually want to use it to improve security, then use it to catch stuff before merge.

@cadey

@cadey Does anyone better at LKML-reading than me know why the patches from Jann Horn weren't merged? Just never got fully reviewed or something?
[RFC PATCH resend 0/6] mm and ptrace: Track dumpability until task is freed - Jann Horn

@cadey

"Ah shit, here we go again…"

#linux #lpe #0day

@cadey
Why is it ALWAYS on a Friday morning?
@cadey how bad is it? I see nothing in tech news :/
@cadey Nice, no hits on Ubuntu 18.04.6 .
@cadey maybe they fired the person at the NSA in charge of keeping track of backdoors, so they release them one at a time