The most severe Linux threat to surface in years catches the world flat-footed (arstechnica.com)
from schnurrito@discuss.tchncs.de to cybersecurity@infosec.pub on 01 May 06:03
https://discuss.tchncs.de/post/59441066

#cybersecurity


vk6flab@lemmy.radio on 01 May 06:26

www.cve.org/CVERecord?id=CVE-2026-31431

zo0@programming.dev on 01 May 08:58

They released the vulnerability without disclosing it to the vendors first? Am I understanding this right?

poinck@lemmy.world on 01 May 09:54

It got me wondering as well. Normally I find out afterwards that my system was already patched a couple of days earlier.

borari@lemmy.dbzer0.com on 01 May 10:14

No, they disclosed it to the Linux kernel security team, a patch was committed to mainline, then this was disclosed publicly. copy.fail/#timeline

They don’t have to coordinate disclosure with every distribution vendor, but dropping a public PoC exploit script 28 days after the patch was committed to mainline kind of seems like a dick move to me.

semperverus@lemmy.world on 01 May 20:37

It technically follows the industry standard rules (and companies who have been exploited have 30 days to disclose breaches in the U.S., so there’s probably similar “best practice” stuff with these kinds of disclosures).

WhatAmLemmy@lemmy.world on 01 May 23:36

It’s technically still a dick move unless it’s seen in the wild and distros are dragging their heels.

Sometimes it’s best to use logic instead of best practices.

corsicanguppy@lemmy.ca on 01 May 09:34

Do the sysctl mod and you’re good until the patch comes out. Such hype.