RepoJournal
Arch Linux

@archlinux

The Arch Linux org — the rolling distro and the developers who run it

ARCH LINUX KERNEL PATCHES CLOSE PRIVILEGE ESCALATION WINDOW

By RepoJournal · Filed · About Arch Linux

Two kernel releases landed overnight with the same critical fix: a new sysctl that disables unprivileged namespace cloning, closing a known local privilege escalation vector.

Arch Linux kernel v7.1.2-arch1 [1] and v7.0.14-arch1 [2] ship identical security patches addressing unprivileged CLONE_NEWUSER abuse and a udmabuf scatterlist corruption issue. The namespace isolation fix is the one that matters: it adds a sysctl knob to disable user namespace creation for unprivileged processes, a hardening measure against container escape and privilege escalation techniques. This is the kind of defensive patch that won't make headlines until someone publishes an exploit. The udmabuf fix [1] [2] prevents kernel memory corruption in GPU buffer handling; it is less critical but worth having.

On the packages front, git-repair moved from staging to stable [3] [4], while the Haskell ecosystem continues its steady rebuild cycle with updates to pandoc-lua-marshal [5], hslua-module-zip [6], and hslua-module-path [7] all queued in staging.
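
For reviewing a host against the sysctl knob described above, the following added example (not code from this page or from the Arch project) compares the running kernel's setting with what the sysctl.d drop-ins in /etc, /run and /usr/lib would apply at boot. The page does not name the knob; the script assumes it is `kernel.unprivileged_userns_clone`, and the `ROOT` argument is a hypothetical prefix used only so the check can be exercised on a constructed directory tree.

```sh
#!/bin/sh
# Added example, not project code. Assumption: the knob is
# kernel.unprivileged_userns_clone (0 = unprivileged CLONE_NEWUSER refused).
RE='s/^[[:space:]]*-\{0,1\}kernel[./]unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p'

# configured_value ROOT: value the sysctl.d drop-ins would apply, or "unset".
# Files apply in basename order, later assignments win, and a file in /etc
# masks a same-named file in /run or /usr/lib.
configured_value() {
    root=$1 val=unset
    names=$(for d in etc run usr/lib; do
                ls "$root/$d/sysctl.d" 2>/dev/null || :
            done | grep '\.conf$' | LC_ALL=C sort -u)
    for n in $names; do
        for d in etc run usr/lib; do
            f="$root/$d/sysctl.d/$n"
            [ -e "$f" ] || continue
            v=$(sed -n "$RE" "$f" | tail -n 1)   # last assignment in the file
            [ -n "$v" ] && val=$v
            break                                # higher-priority dir masks the rest
        done
    done
    printf '%s\n' "$val"
}

# runtime_value ROOT: value in the running kernel, "absent" if it has no such knob.
runtime_value() {
    p="$1/proc/sys/kernel/unprivileged_userns_clone"
    if [ -r "$p" ]; then cat "$p"; else echo absent; fi
}

# audit ROOT: one-word verdict comparing running state with persistent config.
audit() {
    c=$(configured_value "$1") r=$(runtime_value "$1")
    case "$r:$c" in
        absent:*) echo no-knob ;;
        0:0)      echo hardened ;;
        0:*)      echo hardened-not-persistent ;;
        *:0)      echo configured-not-applied ;;
        *)        echo unprivileged-userns-allowed ;;
    esac
}

audit "${1:-}"   # no argument: audit the live system
```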

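Action items

  • Pull kernel v7.1.2-arch1 or v7.0.14-arch1 on your next reboot
  • Review your sysctl configuration if you rely on unprivileged namespaces
  • Sync git-repair from stable repositories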

References

  [1] Arch Linux kernel v7.1.2-arch1, archlinux/linux
  [2] Arch Linux kernel v7.0.14-arch1, archlinux/linux
  [3] update git-repair to 1.20230814-230 in extra-staging-x86_64, archlinux/state
  [4] move git-repair from extra-staging-x86_64 to extra-x86_64, archlinux/state
  [5] update haskell-pandoc-lua-marshal to 0.3.0-55 in extra-staging-x86_64, archlinux/state
  [6] update haskell-hslua-module-zip to 1.1.3-91 in extra-staging-x86_64, archlinux/state
  [7] update haskell-hslua-module-path to 1.1.1-161 in extra-staging-x86_64, archlinux/state

FAQ

What changed in Arch Linux on June 28, 2026?

Two kernel releases landed overnight with the same critical fix: a new sysctl that disables unprivileged namespace cloning, closing a known local privilege escalation vector.

What should Arch Linux teams do about it?

  • Pull kernel v7.1.2-arch1 or v7.0.14-arch1 on your next reboot
  • Review your sysctl configuration if you rely on unprivileged namespaces
  • Sync git-repair from stable repositories

Which Arch Linux repositories shipped on June 28, 2026?

archlinux/linux, archlinux/state
