ARCH LINUX KERNEL PATCHES CLOSE PRIVILEGE ESCALATION WINDOW
By RepoJournal · Filed · About Arch Linux
Two kernel releases landed overnight with the same critical fix: a new sysctl that disables unprivileged namespace cloning, closing a known local privilege escalation vector.
Arch Linux kernel v7.1.2-arch1 [1] and v7.0.14-arch1 [2] both ship identical security patches addressing unprivileged CLONE_NEWUSER abuse and a udmabuf scatterlist corruption issue. The namespace isolation fix is the one that matters: it adds a sysctl knob to disable user namespace creation for unprivileged processes, a hardening measure against container escape and privilege escalation techniques. This is the kind of defensive patch that won't make headlines until someone publishes an exploit.
The udmabuf fix [1] [2] prevents kernel memory corruption in GPU buffer handling, less critical but worth having.
On the packages front, git-repair moved from staging to stable [3] [4], while the Haskell ecosystem continues its steady rebuild cycle with updates to pandoc-lua-marshal [5], hslua-module-zip [6], and hslua-module-path [7] all queued in staging.
Action items
- Pull kernel v7.1.2-arch1 or v7.0.14-arch1 on your next reboot (archlinux/linux) [plan]
- Review your sysctl configuration if you rely on unprivileged namespaces (archlinux/linux) [monitor]
- Sync git-repair from stable repositories (archlinux/svntogit-extra) [plan]
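
The sysctl review from the action items, as an added example that is not code from Arch Linux or from this page. It assumes the knob is `kernel.unprivileged_userns_clone` (0 refuses unprivileged CLONE_NEWUSER, 1 allows it), a name the page does not give; the function names and the optional ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Arch Linux project. Assumption: the knob is
# kernel.unprivileged_userns_clone (0 = unprivileged CLONE_NEWUSER refused,
# 1 = allowed); the page itself does not name it.

# configured_userns_clone [ROOT]
# Print the value the sysctl.d fragments under ROOT apply at boot, or "unset".
# Ordering per sysctl.d(5): fragments are sorted by file name across all
# directories, later assignments win, and a file name in /etc shadows the
# same name in /run and /usr/lib.
configured_userns_clone() {
    root="${1:-}"
    value="unset"
    names=$(for d in etc run usr/lib; do
                if [ -d "$root/$d/sysctl.d" ]; then ls "$root/$d/sysctl.d"; fi
            done | grep '\.conf$' | LC_ALL=C sort -u)
    while IFS= read -r n; do
        for d in etc run usr/lib; do
            f="$root/$d/sysctl.d/$n"
            if [ -f "$f" ]; then
                # Accept "key = value", "/" as key separator and the "-" prefix.
                v=$(sed -n 's|^[[:space:]]*-\{0,1\}kernel[./]unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$|\1|p' "$f" | tail -n 1)
                if [ -n "$v" ]; then value="$v"; fi
                break   # lower-priority copies of this file name are shadowed
            fi
        done
    done <<EOF
$names
EOF
    printf '%s\n' "$value"
}

# runtime_userns_clone [ROOT]
# Print the live value from procfs, or "absent" if the kernel lacks the knob.
runtime_userns_clone() {
    f="${1:-}/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$f" ]; then cat "$f"; else echo "absent"; fi
}

# userns_audit [ROOT]
# Show both views so drift between boot configuration and live state is visible.
userns_audit() {
    echo "configured=$(configured_userns_clone "${1:-}") runtime=$(runtime_userns_clone "${1:-}")"
}

userns_audit "${1:-}"
```

A `configured` value that differs from `runtime` means something changed the setting after boot, or a fragment has not been applied yet.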
References
- [1] Arch Linux kernel v7.1.2-arch1 (archlinux/linux)
- [2] Arch Linux kernel v7.0.14-arch1 (archlinux/linux)
- [3] update git-repair to 1.20230814-230 in extra-staging-x86_64 (archlinux/state)
- [4] move git-repair from extra-staging-x86_64 to extra-x86_64 (archlinux/state)
- [5] update haskell-pandoc-lua-marshal to 0.3.0-55 in extra-staging-x86_64 (archlinux/state)
- [6] update haskell-hslua-module-zip to 1.1.3-91 in extra-staging-x86_64 (archlinux/state)
- [7] update haskell-hslua-module-path to 1.1.1-161 in extra-staging-x86_64 (archlinux/state)
FAQ
- What changed in Arch Linux on June 28, 2026?
  - Two kernel releases landed overnight with the same critical fix: a new sysctl that disables unprivileged namespace cloning, closing a known local privilege escalation vector.
- What should Arch Linux teams do about it?
  - Pull kernel v7.1.2-arch1 or v7.0.14-arch1 on your next reboot
  - Review your sysctl configuration if you rely on unprivileged namespaces
  - Sync git-repair from stable repositories
- Which Arch Linux repositories shipped on June 28, 2026?
  - archlinux/linux, archlinux/state