Critical Kernel Vulnerabilities: New Stable Releases Address Long-Standing Security Flaw

In a significant update for Linux system administrators and users, Greg Kroah-Hartman has announced the release of seven new stable kernel versions. These updates primarily address a critical security vulnerability designated as CVE-2026-46333, which was originally reported by the Qualys Security Advisory team. Interestingly, a patch for this flaw had been proposed as early as 2020 by security researcher Jann Horn, but it was only recently incorporated into these long-term stable branches. With a proof-of-concept exploit already published, the urgency for upgrading cannot be overstated. Below, we answer key questions about these releases and the vulnerability they fix.

What are the newly released stable kernel versions?

Greg Kroah-Hartman has officially released seven new stable Linux kernels: 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256. These versions cover a wide range of the kernel’s long-term support (LTS) branches, from the latest 7.0.x series all the way back to the 5.10.x branch. Each of these kernels includes critical security patches aimed at mitigating a specific vulnerability. Users are strongly encouraged to update their systems to the corresponding new version as soon as possible, especially those running earlier releases within these series. The updates ensure that systems remain protected against known exploits and continue to receive stability improvements.

Source: lwn.net

What vulnerability do these patches address?

The primary security fix in these new kernels is for CVE-2026-46333, a vulnerability reported by the Qualys Security Advisory team. The announcement does not describe the nature of the flaw, but it is serious enough to warrant immediate patching across multiple kernel branches. Although Qualys made the formal report, a patch had already been proposed by Jann Horn as far back as 2020; it was not merged into the mainline or stable kernels until now. The existence of a published proof-of-concept exploit means that attackers may already have the tools to target unpatched systems, making this update a top priority for anyone concerned about system security.

Who reported the vulnerability and who proposed the patch?

The vulnerability CVE-2026-46333 was reported by the Qualys Security Advisory team, a well-known group specializing in vulnerability research and responsible disclosure. However, the patch that eventually made its way into these stable kernels was originally proposed back in 2020 by Jann Horn, a security researcher at Google. Horn's patch was submitted years ago but was not applied at the time; the announcement does not give a reason, and plausible causes include architectural concerns, testing delays, or lower prioritization. The delayed inclusion underscores a common challenge in kernel development: security fixes can take time to be reviewed and integrated, even when the underlying issue is known. Nonetheless, the community has now acted to protect users by backporting the fix to multiple active LTS branches.

Is there a published proof-of-concept exploit for this vulnerability?

Yes, a proof-of-concept (PoC) exploit for CVE-2026-46333 has already been published. The announcement notes that an exploit exists, although it does not specify the source or the complexity of the code. The fact that a PoC is publicly available elevates the risk level significantly, as it lowers the barrier for attackers to create working exploits or adapt the PoC for malicious purposes. System administrators should interpret this as a clear signal that unpatched systems are vulnerable to at least one form of attack. Given that multiple kernel branches—from 5.10.x to 7.0.x—are affected, the scope of potential impact is broad. Immediate upgrading to the listed stable versions is the only reliable way to eliminate the risk from this particular flaw.

Do these kernel releases include fixes for other bugs as well?

In addition to addressing CVE-2026-46333, several of the new stable kernels include additional patches for other bugs. The announcement states that “some of the kernels have additional patches for other bugs” but does not provide a detailed list. This is typical for stable kernel releases, which regularly roll in minor fixes and improvements alongside security updates. For example, version 7.0.8 may include driver updates, performance enhancements, or corrections for non-security issues that were accumulated after the previous release in that series. Users who upgrade will therefore benefit not only from the critical security fix but also from general stability improvements. It is always recommended to read the individual kernel change logs (available on the Linux kernel mailing list) for a comprehensive list of changes.

What is the recommended course of action for Linux users?

The clear message from the kernel maintainers is: all users should upgrade to the appropriate new stable version. This means updating to 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, or 5.10.256 depending on which branch your system currently runs. For users on older branches not listed (e.g., 4.x series), it may be time to consider moving to a supported kernel version. The upgrade process varies by distribution—Debian/Ubuntu users can use apt, Red Hat/Fedora users use dnf, and others may need to compile manually. Given that an exploit PoC is publicly available, delaying the update could expose systems to real-world attacks. Always test kernel upgrades in a staging environment before deploying to production if possible.
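To turn the list of fixed versions into a check an administrator can run on each host, here is an added shell example; it is not part of the announcement or of the kernel project. The seven version numbers are the ones listed above; the function names and the `--self` flag are my own. It classifies a kernel version string (as printed by `uname -r`) as patched, vulnerable, or on a branch this announcement does not cover, and ignores distribution suffixes such as `-generic`.

```shell
#!/bin/sh
# Added example: compare a kernel version with the fixed stable release on
# its branch. The fixed versions below are the seven from the announcement.
FIXED_VERSIONS="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# branch_of 6.6.120 -> 6.6
branch_of() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+)(\..*)?$/\1/'
}

# patch_of 6.6.120 -> 120 ; a bare "6.6" counts as patch level 0
patch_of() {
    p=$(printf '%s\n' "$1" | sed -E 's/^[0-9]+\.[0-9]+\.?([0-9]*).*$/\1/')
    printf '%s\n' "${p:-0}"
}

# fixed_for 6.6 -> 6.6.139 ; returns 1 (prints nothing) for an unlisted branch
fixed_for() {
    for v in $FIXED_VERSIONS; do
        [ "$(branch_of "$v")" = "$1" ] && { printf '%s\n' "$v"; return 0; }
    done
    return 1
}

# kernel_status VERSION prints one of:
#   patched    - at or above the fixed release on its branch
#   vulnerable - same branch, below the fixed release
#   unlisted   - branch not covered by this announcement (e.g. 4.19.x)
kernel_status() {
    # Strip distribution suffixes: "6.6.120-generic" -> "6.6.120"
    ver=$(printf '%s\n' "$1" | sed -E 's/[-+].*$//')
    br=$(branch_of "$ver")
    fixed=$(fixed_for "$br") || { printf 'unlisted\n'; return 0; }
    if [ "$(patch_of "$ver")" -ge "$(patch_of "$fixed")" ]; then
        printf 'patched\n'
    else
        printf 'vulnerable\n'
    fi
}

# Stand-alone use: "sh kcheck.sh --self" reports on the running kernel.
if [ "${1:-}" = "--self" ]; then
    printf '%s: %s\n' "$(uname -r)" "$(kernel_status "$(uname -r)")"
fi
```

The comparison is only meaningful for the upstream version number; distributions that backport fixes without bumping the version (as Red Hat and Debian often do) need to be checked against the vendor's own advisory instead.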

Why was a patch proposed in 2020 only applied now?

The delay between Jann Horn's patch proposal in 2020 and its inclusion in stable kernels in 2025 (the CVE number's 2026 prefix suggests a later year, so the announcement's timeline is not fully consistent) highlights the complexities of kernel development. Patches may be deferred for several reasons: they might require extensive review, could break existing functionality, or may need coordination with other ongoing changes. Additionally, the vulnerability may not have been considered critical enough at the time to bypass normal queues. However, once a proof-of-concept exploit was published and the Qualys team formally reported it with a CVE assignment, the priority changed dramatically. The kernel maintainers quickly backported the fix to all active stable branches to protect users. This situation serves as a reminder that even well-known fixes can take time to land, but community vigilance eventually pays off.
