Sebastian Schinzel

1.3K Followers
491 Following
508 Posts
Husband, dad, mountain biker, professor of computer security at FH Münster and department lead @fraunhofersit. Private account.
Me: https://sebastian-schinzel.de/
FH Münster: https://www.fh-muenster.de/de/eti/ueber-uns/personen/schinzel/

Greg Kroah-Hartman: "If you look there are thousands of unfixed CVEs in the older LTS kernels right now, and if distros or users that rely on those older branches wish to see those resolved, they need to provide working backports to us to apply, as our first attempt did not work (which is why they are unfixed in those branches.)"

Really asking for a "Pray tell us", given that nobody actually bothered disclosing the problem to downstreams and that the commit message was hiding it.

Either way, apparently the great LLM-backed patch backporting process that #NVidia is so proud of doesn't really work. Upstream doesn't really care about #LTS branches, and they should be considered insecure by default.

https://lore.kernel.org/stable/2026050114-supernova-angler-2de1@gregkh/

#Gentoo #Linux #CopyFail #security

Re: copy.fail and backport to LTS 6.12 and earlier (was: Linux 7.0.3) - Greg Kroah-Hartman

"In addition to fixing the 271 bugs identified by Claude Mythos Preview in the 150 release, we've shipped more of these fixes in 149.0.2, 150.0.1, and 150.0.2. We also continue to find bugs with other means internally, and, similar to other projects, we've seen a significant uptick in external reports in the last few months."

https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

Our faculty uses Mattermost heavily and many lecturers use it as the primary communication channel with students. Now Mattermost changes its licensing policy and it looks like we’ll have to switch to Teams.

Any alternatives for a self-hosted simple chat app? No need for end-to-end encryption, keeping chat history complete and intact is important.

So yes, your AI can find vulnerabilities.

But can it also GENERATE NAMES, LOGOS, AND WEB SITES for it??

*check mate*

Have you ever wondered what happens with the LaTeX sources that you submit to arXiv?

In joint work with Jan, Johannes, David, and Joscha, we had a look at exactly that! Shout out to Johannes for taming 2.7 Million arXiv submissions. Jan will present the paper of our assessment of "hidden" information in arXiv source files at the IEEE Symposium on Security and Privacy 2026 (May 19, Session 3, Track 3), the leading venue for cybersecurity research (acceptance rate ~12.7%).

Our analysis highlights the prevalence of dangling files (unnecessary to create the final PDF), sensitive information in metadata (e.g., GPS locations), and a lot of irrelevant content in the form of LaTeX comments that reveals passwords, access tokens, credit card numbers, author conversations, profanity, and many more insights that were likely intended to remain private.

Many authors are unfortunately unaware that source files for arXiv submissions are in fact publicly accessible. Your submission may also be affected given that 88% feature some kind of unique details and 18% even simultaneously expose unique dangling files, unique metadata, and unique comments.

Since existing sanitization tools all have blindspots, we propose ALC-NG. It utilizes pdflatex's recorder option and a tree-sitter grammar to improve the cleaning reliability, providing a tool that helps combat "hidden" information in new arXiv submissions (or elsewhere).

Paper: https://arxiv.org/abs/2604.20927
Executive Summary: https://arxiv.comsys.rwth-aachen.de/
ALC-NG: https://github.com/COMSYS/ALC-NG/
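As an added illustration of the dangling-file check described in the post (example code written for this page, not ALC-NG's own code): `pdflatex -recorder` writes a `.fls` file with one `PWD`, `INPUT` or `OUTPUT` record per line, and any file in the upload directory that no `INPUT` record names is a candidate for removal. The `.fls` content and directory listing below are constructed; the comment stripper is a simplified regex stand-in for the tree-sitter grammar ALC-NG uses.

```python
"""Flag dangling files and strip comments before uploading LaTeX sources."""
import os
import re
from pathlib import PurePosixPath

# Constructed sample of the .fls file that `pdflatex -recorder paper.tex` writes.
SAMPLE_FLS = """\
PWD /home/alice/paper
INPUT /usr/share/texlive/texmf-dist/tex/latex/base/article.cls
INPUT paper.tex
INPUT ./sections/intro.tex
INPUT figures/arch.pdf
INPUT paper.bbl
OUTPUT paper.log
OUTPUT paper.pdf
"""

# Constructed listing of the directory the author is about to upload.
SAMPLE_SUBMISSION = [
    "paper.tex", "sections/intro.tex", "sections/old_draft.tex",
    "figures/arch.pdf", "figures/arch.pdf.bak", "notes/reviewer_reply.txt",
    "paper.bbl", "paper.bib",  # .bib is read by bibtex, not pdflatex, so it never shows up as INPUT
]


def referenced_inputs(fls_text: str) -> set:
    """Return the submission-relative paths that pdflatex actually read (INPUT records)."""
    pwd, inputs = None, set()
    for line in fls_text.splitlines():
        kind, _, path = line.partition(" ")
        if kind == "PWD":
            pwd = path
        elif kind == "INPUT":
            if os.path.isabs(path):
                if pwd is None or not path.startswith(pwd + "/"):
                    continue  # file from the TeX distribution, not part of the upload
                path = path[len(pwd) + 1:]
            inputs.add(str(PurePosixPath(path)))  # normalises "./sections/intro.tex"
    return inputs


def dangling_files(fls_text: str, submission_files) -> list:
    """Files in the upload that no INPUT record references: not needed for the PDF."""
    used = referenced_inputs(fls_text)
    return sorted(f for f in submission_files if str(PurePosixPath(f)) not in used)


def strip_comments(tex: str) -> str:
    """Drop '%' comments but keep an escaped '\\%'. Simplified stand-in: it does not
    understand verbatim environments or a '%' after an escaped backslash."""
    return re.sub(r"(?<!\\)%.*", "", tex)
```

Run `dangling_files(SAMPLE_FLS, SAMPLE_SUBMISSION)` on the constructed data and the old draft, the backup figure, the reviewer notes and the `.bib` are reported; `strip_comments` is then applied to each remaining `.tex` file.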

Patent pending
A life without a #Fahrrad (bicycle) is possible, but pointless.
Because we don’t collect user data, what we know about these attacks comes from the victims of phishing. And from what victims have told us, the attacks followed a broad pattern: after tricking people into revealing their Signal credentials, attackers then used those credentials to take over their account and also frequently changed the associated phone number. 4/

A response to recent reporting in Germany, in service of clarity and accountability:

First, it’s important to be precise when it comes to critical infrastructure like Signal. Signal was not “hacked” — in that our encryption, infrastructure, and the integrity of the app’s code was not compromised. 1/

Hey speakers!

If you have some interesting app security story to share, consider submitting to the German OWASP Day CfP.

Nice community event run by fine volunteer people. This year, the OWASP Day is in Karlsruhe on September 24th. https://god.owasp.de/2026/en/cfp.html

German OWASP Day 2026