LWN.net

A large set of stable kernel updates

corbet — Sat, 23 May 2026 13:55:30 +0000

The 7.0.10, 6.18.33, 6.12.91, 6.6.141, 6.1.174, 5.15.208, and 5.10.257 stable kernel updates have all been released. The first four are huge (the 7.0.10 review version had 1,146 commits) while 6.1.174, 5.15.208, and 5.10.257 are small updates for the "Fragnesia" vulnerability.

[$] Custom page-cache policies with BPF

corbet — Fri, 22 May 2026 14:37:10 +0000

The kernel's page cache is charged with maintaining pages (or, more correctly, folios) containing copies of data from files in the filesystem; its performance has a big effect on the performance of the system as a whole. One of the key decisions the kernel must make is when to evict folios from the page cache. At the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Tal Zussman ran a memory-management-track session on how the page cache could be better customized for specific workloads. It will not be much of a spoiler to say that it involves BPF.

[$] Toward better handling of major page faults

corbet — Fri, 22 May 2026 13:50:29 +0000

A major page fault occurs when a process attempts to access a page that is not currently present in RAM; satisfying such faults usually involves I/O, and can thus take some time. When many threads sharing an address space are generating page faults, the result can be significant lock contention while that I/O takes place. During the memory-management track at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Barry Song led a session to try, yet again, to find an enduring solution to this problem.

Security updates for Friday

corbet — Fri, 22 May 2026 13:07:35 +0000

Security updates have been issued by AlmaLinux (firefox), Debian (chromium, nss, openvpn, and thunderbird), Fedora (cockpit, kernel, and linux-firmware), Oracle (gdk-pixbuf2, kernel, and libsndfile), SUSE (container-suseconnect, cpp-httplib, dnsmasq, firefox, glibc, GraphicsMagick, java-1_8_0-openj9, kernel, mozjs115, php8, python-urllib3, rekor, rootlesskit, rsync, tiff, ucode-intel, util-linux, and xz), and Ubuntu (bind9, bubblewrap, libarchive, linux-intel-iot-realtime, postgresql-14, postgresql-16, postgresql-17, postgresql-18, and xdg-desktop-portal).

Vulnerabilities in various GTK-based PDF readers

corbet — Thu, 21 May 2026 21:05:20 +0000

Michael Catanzaro has disclosed a command-injection vulnerability affecting a number of GTK-based PDF readers; exploits included:

They contain a script for building malicious polyglot PDFs that are simultaneously both valid PDF files and also valid ELF binaries. When the user opens the PDF in the PDF viewer and clicks on a malicious link embedded in the PDF, the PDF abuses the command injection vulnerability to load itself as a GTK module using the `--gtk-module` command line flag. It can then execute arbitrary code via its library constructor. That flag was removed in GTK 4, which is why the vulnerability is much less serious for Papers than it is for Evince, Atril, and Xreader.

[$] BPF support in GCC 16 and beyond

daroc — Thu, 21 May 2026 14:52:28 +0000

José Marchesi and the GCC-BPF developers opened the BPF track at the 2026 Linux Storage, Filesystem, Memory-management, and BPF Summit with a 90-minute summary of what has changed for GCC's BPF support in the past year. This kind of session has become something of a tradition. There were similar updates in 2025 and 2024. This time around, GCC seems to be closing in on feature parity with the LLVM toolchain — as the slides detail.

OpenBSD 7.9 released

corbet — Thu, 21 May 2026 14:27:38 +0000

The OpenBSD 7.9 release is out, right on schedule. There is the usual long list of new features, including improved architecture support, CPU scheduling on heterogeneous systems, the ability to hibernate a suspended system after a configurable delay, socket splicing, a __pledge_open() system call giving special access to the C library, and much more. See the announcement and the full changelog for details.

[$] Support for private memory nodes

corbet — Thu, 21 May 2026 13:22:05 +0000

Gregory Price started his session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit by saying that, in current kernels, if a NUMA node has memory, the assumption is that anybody can make use of it. He is trying to implement the opposite policy — to make some memory off-limits for all processes except those designed specifically to use it. The session was used to present his goals and to discuss how they might be implemented.

Security updates for Thursday

corbet — Thu, 21 May 2026 13:19:13 +0000

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and libsndfile), Debian (bind9, evince, firefox-esr, openjpeg2, pdns, and rsync), Fedora (erlang-cowlib, evince, expat, firefox, kernel, mingw-expat, mysql8.0, mysql8.4, nss, opencryptoki, pgadmin4, proftpd, python-django5, python-django6, python-dotenv, rsync, rust-nu, rustup, and strongswan), Oracle (nginx, nginx:1.24, ruby, ruby:3.3, and squid), Slackware (bind and rsync), SUSE (buildah, distribution, distribution-registry, docker, firefox-esr, helm, libpainter0, libsdb2_4_2, postgresql-jdbc, runc, and vim), and Ubuntu (gnutls28, gst-plugins-good1.0, jq, linux-nvidia, linux-nvidia-lowlatency, openvpn, rsync, and unbound).

[$] LWN.net Weekly Edition for May 21, 2026

corbet — Thu, 21 May 2026 02:27:57 +0000

Inside this week's LWN.net Weekly Edition:

Front: OpenSUSE site age restrictions; Lots of LSFMM+BPF coverage; The tenth OpenPGP email summit.
Briefs: Firefox 151.0; pgBackRest funding; RIP Peter G. Neumann; Quotes; ...
Announcements: Newsletters, conferences, security updates, patches, and more.

[$] What is to be done about MGLRU?

corbet — Wed, 20 May 2026 13:14:51 +0000

"Reclaim" is the task of finding memory that can be taken away from its current user and put to better uses within the system; it is a core part of the memory-management picture. The addition of the multi-generational LRU (MGLRU) was meant to provide a better reclaim implementation than the "traditional LRU" that preceded it, but MGLRU has complicated the situation instead. No fewer than three memory-management-track sessions at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit were focused on MGLRU, with an eye toward integrating it more fully, improving its performance, and addressing some problems encountered with Android systems.

Security updates for Wednesday

corbet — Wed, 20 May 2026 13:04:17 +0000

Security updates have been issued by AlmaLinux (kernel, libpng, nginx, nginx:1.24, ruby, and ruby:3.3), Debian (gnutls28 and linux-6.1), Fedora (dnsmasq, kernel, keylime-agent-rust, perl-Net-CIDR-Lite, python-pysam, python-urllib3, rust-cargo-vendor-filterer, rust-ingredients, rust-oo7-cli, rust-rpki, rust-sevctl, and rust-tealdeer), Mageia (bind), Oracle (bind, giflib, gimp:2.8, kernel, libpng, rsync, ruby, and vim), Slackware (haveged and mozilla), SUSE (cockpit, dnsmasq, erlang26, freeipmi, git-bug, glibc, GraphicsMagick, haveged, ImageMagick, iproute2, kernel, openssh, perl-CryptX, perl-HTTP-Tiny, postgresql14, postgresql15, postgresql16, python-Pillow, rsync, tiff, and traefik), and Ubuntu (Highlight.js, linux, linux-aws, linux-aws-5.15, linux-aws-fips, linux-fips, linux-gcp, linux-gcp-fips, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-fips, linux-fips, linux-gcp-4.15, linux-gcp-fips, linux-kvm, linux-oracle, linux, linux-aws, linux-aws-fips, linux-gcp, linux-gcp-fips, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux, linux-aws, linux-hwe-6.17, linux-oem-6.17, linux-oracle, linux-raspi, linux-realtime, linux-realtime-6.17, and smarty3).

[$] The tenth OpenPGP email summit

jzb — Wed, 20 May 2026 11:00:15 +0000

The OpenPGP Email Summit is an annual meeting for those who work on encrypted email and related topics. The tenth installment of this meeting took place in March 2026 and the minutes have now been published. As usual, a wide range of topics were discussed. Highlights included support for post-quantum cryptography (PQC) with multiple actors planning rollouts within this year, a promising new approach for making email signatures ubiquitous with the plan of making OpenPGP signed email a default, a new draft that brings reliable deletion (or "forward secrecy") features to OpenPGP, as well as a plan for transferring ownership of the OpenPGP.org domain.

Firefox 151.0 released

corbet — Tue, 19 May 2026 16:10:38 +0000

Version 151.0 of the Firefox browser has been released. Significant changes include the ability to clear and restart a private-browsing session, better fingerprinting protection, control over the apparent location when using the Firefox VPN, and more.

[$] openSUSE "terms of site" raise complaints about age restrictions

jzb — Tue, 19 May 2026 15:27:08 +0000

Many people in the Linux community began using the operating system—and contributing to open source—at a tender age, often well before their 16th birthday. Thus, a recent change in openSUSE's terms of site (ToS) that required users of the project's web site to be "at least 16 years of age or the age of majority" in their jurisdiction has raised objections. The terms have since been modified, though users must still have parental approval to create accounts if they are younger than 16.