zo0@programming.dev
on 01 May 2026 08:58
They released the vulnerability without disclosing it to the vendors first? Am I understanding this right?
poinck@lemmy.world
on 01 May 2026 09:54
It got me wondering as well. Normally I find out afterwards that my system has already been patched for a couple of days.
borari@lemmy.dbzer0.com
on 01 May 2026 10:14
No, they disclosed it to the Linux kernel security team, a patch was committed to mainline, then this was disclosed publicly. copy.fail/#timeline
They don’t have to coordinate disclosure with every distribution vendor, but dropping a public PoC exploit script 28 days after the patch was committed to mainline kind of seems like a dick move to me.
semperverus@lemmy.world
on 01 May 2026 20:37
It technically follows the industry standard rules (and companies who have been exploited have 30 days to disclose breaches in the U.S. so there’s probably similar “best practice” stuff with these kinds of disclosures)
WhatAmLemmy@lemmy.world
on 01 May 2026 23:36
It’s technically still a dick move unless it’s seen in the wild and distros are dragging their heels.
Sometimes it’s best to use logic instead of best practices.
corsicanguppy@lemmy.ca
on 01 May 2026 09:34
Do the sysctl mod and you’re good until the patch comes out. Such hype.
www.cve.org/CVERecord?id=CVE-2026-31431