Linux Kernel Releases 7.0.7, 6.18.30, 6.12.88: Critical Fragnesia Exploit Remains Unpatched

Three New Stable Kernels Issued, But Missing Patch Raises Alarm

The Linux kernel development team today released three new stable kernel versions—7.0.7, 6.18.30, and 6.12.88—but security experts are warning that a critical local-privilege-escalation (LPE) vulnerability known as Fragnesia remains unpatched.

Source: lwn.net

Kernel maintainer Greg Kroah-Hartman announced the updates on Thursday, emphasizing that the releases include "many other important fixes throughout the tree." However, the widely anticipated patch for the Fragnesia exploit, which was disclosed on May 13, did not make it into any of the three kernels.

"These kernels include numerous important fixes across the tree," Kroah-Hartman stated in the release announcement. "We advise users to upgrade at their earliest convenience. The Fragnesia patch will be included in a future release."

Users are strongly encouraged to upgrade to the latest stable kernels to benefit from the other security corrections and stability improvements, even though the Fragnesia vulnerability remains open.

Background: The Fragnesia Vulnerability

Fragnesia is a local-privilege-escalation exploit that was publicly disclosed on May 13. It allows an attacker with local access to gain elevated privileges on a vulnerable system by exploiting a memory fragmentation bug in the kernel's memory management subsystem.

The exploit affects multiple kernel versions and has been classified as high severity by security researchers. Patches have been in development but have not yet been deemed ready for stable release inclusion. The delay has raised concerns among system administrators who rely on timely security updates.

According to sources close to the kernel security team, the patch for Fragnesia is still undergoing testing to ensure it does not introduce regressions. "Stable kernels must maintain a high bar for stability," said an anonymous kernel developer. "Rushing a patch could cause more harm than good."

What This Means for Users

System administrators and Linux users should upgrade to one of the newly released kernels (7.0.7, 6.18.30, or 6.12.88) to receive the numerous other security and bug fixes that have accumulated. While the Fragnesia exploit remains unaddressed, the other patches address critical vulnerabilities, including memory safety issues and driver flaws.

Users are advised to monitor future kernel announcements for the inclusion of the Fragnesia fix. In the meantime, limiting local access to systems and applying other security hardening measures can help mitigate the risk until the patch arrives.

"Upgrading is still the right thing to do," emphasized Kroah-Hartman. "The tree contains many fixes that improve overall system security and stability. We urge everyone to update promptly."

Key Takeaways

  • Three new stable kernel versions released: 7.0.7, 6.18.30, and 6.12.88.
  • Fragnesia LPE exploit (see background) not patched in these releases.
  • The kernels include many other important fixes; immediate upgrade recommended.
  • Fragnesia patch expected in a future stable kernel update.

How to Upgrade

Users can obtain the new kernels from the official kernel.org website or through their distribution's package management system. For custom builds, source tarballs are available along with the patch files for incremental updates.

After upgrading, a system reboot is required to load the new kernel. As always, test the update in a staging environment before deploying to production systems.
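
A post-reboot check that the loaded kernel is at or above the point release named above for its series. This is an added example, not part of the original article or the kernel project's tooling. The function names are hypothetical, and it assumes the release string starts with the upstream major.minor.patch version, which distribution kernels with backported fixes may not follow.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the stable point
# releases named in the article (7.0.7, 6.18.30, 6.12.88).

# Point release the article names for each series (major.minor).
series_patch_level() {
    case "$1" in
        7.0)  echo 7 ;;
        6.18) echo 30 ;;
        6.12) echo 88 ;;
        *)    return 1 ;;
    esac
}

# classify_kernel RELEASE prints: current | outdated | other-series | unparsed
# "current" only means the named point release or later is running; per the
# article, these releases do not contain the Fragnesia fix.
classify_kernel() (
    base="${1%%[-+_]*}"    # drop build suffix such as "-generic" or "-1-amd64"
    IFS=. read -r major minor patch rest <<EOF
$base
EOF
    patch="${patch:-0}"
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unparsed; exit 0 ;;
        esac
    done
    if ! want=$(series_patch_level "$major.$minor"); then
        echo other-series
    elif [ "$patch" -ge "$want" ]; then
        echo current
    else
        echo outdated
    fi
)

# After the reboot, uname -r shows the kernel that is actually loaded.
running=$(uname -r)
echo "running kernel $running: $(classify_kernel "$running")"
```

An "outdated" result right after an upgrade usually means the host has not yet been rebooted into the new kernel.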
