Linux 6.17 AVC Introduction: Revolutionizing CPU Security Management

Linux isn’t exactly famous for keeping things simple, especially when it comes to security. Any admin managing CPU mitigations knows how messy it can get. You’re installing patches for speculative execution vulnerabilities, tweaking system performance, and second-guessing whether disabling something could open the floodgates for another attack. It’s a delicate balancing act, and frankly, it’s exhausting. That’s where Attack Vector Controls (or AVC) comes in—a much-needed feature landing in Linux 6.17 that aims to make the process more manageable.

AVC isn't just another fancy option tucked away in the kernel settings. It’s an entirely new way to think about CPU security mitigations, grouping them into categories based on actual threat scenarios. No more micromanaging individual mitigations. Instead, you decide what’s relevant to your environment: Are you running systems with trusted users? Virtual machines spun up by random guest accounts? High-performance computing workloads? AVC lets you focus on those scenarios and apply (or disable) mitigations accordingly. Let's take a closer look at AVC and the significance of its integration in the kernel for improved security and administrative workflows.

Understanding The Nuts and Bolts of AVC

Let’s break it down. Attack Vector Controls organizes CPU mitigations by attack vector classes. These aren’t arbitrary groupings—they’re based on the real-world vulnerabilities admins typically face, like user-to-kernel attacks, thread-to-thread abuse, or VM-related exploits. Here are the key classes:

User-to-Kernel Attacks: Think privilege escalation vulnerabilities, where an unprivileged user tries to wriggle their way into the kernel's security sandbox.
User-to-User Attacks: Cross-process exploits involving malicious user code targeting adjacent processes (e.g., stealing sensitive data from neighboring applications).
Guest-to-Host Attacks: Crucial for anyone running virtualized workloads. Attackers are exploiting the hypervisor to compromise the host system.
Guest-to-Guest Attacks: For multi-tenant environments, this addresses VM isolation vulnerabilities where one guest slips into another’s memory space.
Cross-Thread Attacks: Similar concerns arise in multithreaded environments, but targeting host system multithreading rather than VMs.

Now, rather than turning mitigations on or off individually based on each vulnerability, you configure security policies based on these categories. It’s a smart shift that makes fine-tuning security much less labor-intensive.

Why Does This Matter?

If this feels like a breath of fresh air, you’re not alone. CPU mitigations have historically forced admins to make decisions that were both complicated and incredibly specific. Take speculative execution vulnerabilities like Spectre and Meltdown: some mitigations cripple performance, others are irrelevant to your setup, and keeping track of what’s active and why often feels like playing whack-a-mole. AVC changes the conversation entirely. Instead of worrying about whether or not retpoline needs to be enabled, you can simply ask: Does my system need defense against user-to-kernel attacks? And if so, you’re covered.

It’s also a game-changer for mixed environments. For example, let’s say you operate a cluster of VMs running workloads from both trusted and untrusted clients. Historically, you’d have to decide whether to disable mitigations to boost performance for trusted VMs, and that decision could expose others to guest-to-host vulnerabilities. With AVC, you’ll be able to set security classes to defend against these kinds of vector-specific risks without overshooting.

Performance Meets Precision

Another noteworthy benefit here is how AVC optimizes security without blindly taxing system resources. Security mitigations tend to come with inherent trade-offs—sometimes they’re vital, but oftentimes they’re just weighing your system down unnecessarily. High-performance computing (HPC) workloads especially come to mind. If you’re tuning for speed above all else, you now have the flexibility to disable security mitigations that don’t directly apply to your workload’s threat landscape. For instance, imagine an isolated HPC cluster crunching datasets with no external access points. In this scenario, user-to-user and guest-to-host mitigations might simply be irrelevant, and disabling them could directly improve system performance. AVC allows admins to move beyond blanket “on or off” toggles and make thoughtful mitigation choices that align with real-world conditions.

Vendor-Neutral Control

Now, before you assume this is just another AMD-specific trick, rest assured—it’s not. While AMD engineers spearheaded the development, AVC is built to support Intel processors, too. That’s a big deal for admins managing fleets of heterogeneous systems. Whether you’ve got Ryzen chips on your development servers or Xeons powering production environments, AVC’s role-based approach ensures consistent behavior across architectures. This cross-compatibility eliminates headaches around vendor-specific tweaks. Admins can focus on actual security requirements without worrying about mismatches between mitigations for AMD vs. Intel CPUs.

The Path Forward

Some groundwork for AVC already landed back in Linux 6.15, but Linux 6.17 is where the action really starts. The remaining implementation patches—including functionality to actually enable those mitigation selections—are set to be finalized within the 6.17 kernel merge window, likely toward the latter half of 2023. If you’re eager to follow its rollout in closer detail, you’ll want to dig into the kernel’s TIP branches (specifically x86/bugs) where these patches are actively tracked. Don’t expect wide adoption in production environments immediately—kernel-level changes tend to cascade slowly through distributions—but the framework itself is robust enough to start planning around.

Our Final Thoughts on This Exciting Development

Attack Vector Controls in Linux 6.17 is more than just an incremental improvement—it's an entirely new way of thinking about security in the modern admin’s toolkit. As cyber threats grow increasingly diverse, grouping mitigations by attack vector classes is simply the logical step forward in reducing complexity without compromising protection. It’s not a complete solution—no singular security innovation really is—but it’s a seriously promising tool for anyone looking to streamline their workflows and fine-tune their security posture. Admins should take the time to familiarize themselves with the feature, even if Linux 6.17 isn't hitting their systems anytime soon. This isn’t just about making things simpler; it’s about enabling smarter decision-making across diverse environments, with the flexibility to prioritize performance where it matters and lock systems down when necessary. Security isn’t one-size-fits-all, and AVC finally seems to understand that.

The introduction of AVC in Linux 6.17 streamlines CPU defenses, enhancing the overall security framework and assisting administrators in tackling complex security challenges.

Tags: CPU Mitigation, Linux Kernel, Attack Vector Controls
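The article describes AVC as a policy decision per host role (trusted users, untrusted guests, isolated HPC) rather than a per-vulnerability toggle. The following is an added example, not code from the article, its author or the kernel project, showing what that policy step looks like when written down: map a host role to the set of attack vector classes it must keep mitigated, emit the matching kernel command line, and check a booted command line against the role. The five class names are the article's; the command-line spelling `mitigations=auto,no_<vector>` is an assumption modelled on the Linux 6.17 attack-vector-controls documentation and must be verified against the `kernel-parameters.txt` of the kernel you actually boot, and the role profiles are constructed for illustration.

```python
"""Compose and audit an attack-vector-based CPU mitigation policy.

Added example, not code from LinuxSecurity.com, the article's author or the
kernel project. The five vector classes are the ones the article lists. The
kernel command-line spelling used here (mitigations=auto,no_<vector>) is an
ASSUMPTION modelled on the Linux 6.17 attack-vector-controls documentation;
check it against Documentation/admin-guide/kernel-parameters.txt for the
kernel you boot before putting it in a bootloader config.
"""
from __future__ import annotations

# Attack vector classes exactly as the article groups them.
VECTORS: tuple[str, ...] = (
    "user_kernel", "user_user", "guest_host", "guest_guest", "cross_thread",
)

# Role profiles: the vectors a host in that role must stay protected against.
# Constructed from the scenarios in the article; adjust to your own threat
# model rather than copying them.
ROLE_PROFILES: dict[str, frozenset[str]] = {
    # Hypervisor for arbitrary tenants: every vector stays mitigated.
    "public-vm-host": frozenset(VECTORS),
    # Multi-user box with untrusted local accounts but no virtualization.
    "shared-shell-host": frozenset({"user_kernel", "user_user", "cross_thread"}),
    # Isolated HPC cluster: trusted users, no guests, no external access.
    "isolated-hpc": frozenset({"user_kernel"}),
}


def build_mitigations_cmdline(role: str) -> str:
    """Return the mitigations= parameter that opts out of every vector the
    role does not need and keeps the kernel's automatic choice for the rest."""
    keep = ROLE_PROFILES[role]
    opt_outs = [f"no_{v}" for v in VECTORS if v not in keep]
    return "mitigations=" + ",".join(["auto", *opt_outs])


def enabled_vectors(cmdline: str) -> frozenset[str]:
    """Parse a kernel command line (e.g. the contents of /proc/cmdline) and
    return the vector classes that remain mitigated.

    No mitigations= parameter is taken as the 'auto' default, so every vector
    is covered. mitigations=off disables everything. Tokens that are not
    vector opt-outs (e.g. nosmt) are ignored for this purpose."""
    value = None
    for token in cmdline.split():
        if token.startswith("mitigations="):
            value = token[len("mitigations="):]  # last occurrence wins
    if value is None:
        return frozenset(VECTORS)
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if parts and parts[0] == "off":
        return frozenset()
    enabled = set(VECTORS)
    for part in parts:
        if part.startswith("no_") and part[3:] in VECTORS:
            enabled.discard(part[3:])
    return frozenset(enabled)


def missing_protection(role: str, cmdline: str) -> frozenset[str]:
    """Vectors the role requires that the booted command line leaves
    unmitigated. An empty result means the boot config matches the policy."""
    return ROLE_PROFILES[role] - enabled_vectors(cmdline)


if __name__ == "__main__":
    # Constructed /proc/cmdline sample: a VM host that was tuned too aggressively.
    sample = ("BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro "
              "mitigations=auto,no_guest_host,no_guest_guest")
    for role in ROLE_PROFILES:
        print(f"{role:18} -> {build_mitigations_cmdline(role)}")
    print("gaps for public-vm-host:",
          sorted(missing_protection("public-vm-host", sample)))
```

Running `missing_protection` against the real `/proc/cmdline` of each fleet member is a cheap configuration-drift check: a host that someone tuned for speed and later repurposed as a VM host shows up immediately as missing `guest_host` and `guest_guest`.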

Jul 14, 2025, Brittany Day, Security Projects

Streamlining CPU Mitigations: Attack Vector Controls Overview

Staying on top of CPU security mitigations can feel like an ongoing challenge for us Linux admins—especially when balancing performance needs with robust security measures. The newly proposed "Attack Vector Controls" for the Linux kernel offers a promising way to simplify this balancing act.

Rather than managing individual mitigations for each specific vulnerability, this approach categorizes mitigations into broader classes based on the nature of exploits—user-kernel, user-user, guest-host, and so on. This shift could make your life easier by allowing you to focus on the particular security needs of your system's role, whether running untrusted public VMs or secure internal applications. One of the biggest benefits here is a potential improvement in system performance. Disabling unnecessary mitigations can free up valuable CPU resources, leading to faster and more efficient operations without compromising essential security. Plus, the enhanced documentation will give clearer guidance, making it simpler to implement these controls effectively. However, it’s crucial to carefully weigh the security implications of turning off specific protections. This more strategic management approach could be a game-changer, empowering you to better align your security posture with your system’s unique requirements. Let's take a closer look at this proposed kernel patch update and its potential implications for your Linux systems' security, manageability, and performance.

Simplifying Mitigation Management

Source: Phoronix

One of the standout features of Attack Vector Controls is its ability to simplify the management of security mitigations. Traditionally, administrators have had to manage mitigations for each specific vulnerability individually. This often required a deep understanding of various vulnerabilities and the corresponding mitigations—no small feat considering the complexity and number of existing vulnerabilities. With Attack Vector Controls, this complexity is considerably reduced. The new proposal categorizes mitigations into broader classes based on the nature of the exploits. These classes include user-kernel, user-user, guest-host, and cross-thread exploits. By focusing on these broad classes, admins can easily manage and toggle the mitigations according to the system’s intended role and vulnerability concerns.

Enhancing Performance

An attractive aspect of this new approach is the potential for significant performance improvement. Security mitigations, while essential, can sometimes come with a performance cost. This is particularly problematic for systems where performance is critical. Administrators can disable unnecessary protections and regain lost performance by categorizing and managing mitigations according to the system’s use. For example, a server running untrusted public guest VMs might require strong mitigations against guest-host and guest-guest exploits but could afford to relax mitigations intended for user-kernel exploits. Conversely, systems running secure internal applications might have different needs. The flexibility offered by Attack Vector Controls allows for a more tailored security posture, enabling performance optimization without compromising essential security measures.

Improved Documentation and Guidance

The introduction of Attack Vector Controls also comes with enhanced documentation, providing clearer guidance for administrators. This is a crucial aspect of this proposed update. Often, admins are well-versed in their systems' operational requirements and security needs but may not have the specific technical details on each vulnerability and its corresponding mitigation. The improved documentation will bridge this gap, helping administrators decide which attack vectors to enable or disable. The documentation is expected to be practical and accessible, providing step-by-step guidance on implementing these controls effectively. This should alleviate some of the burden on administrators, who can now focus more on strategic decisions rather than getting bogged down in technical minutiae.

Potential Security Trade-offs

While the benefits of Attack Vector Controls are considerable, it’s essential to acknowledge the potential trade-offs. Disabling certain mitigations opens the door to specific vulnerabilities, even if overall security is maintained. This underscores the need for informed decision-making. Administrators must carefully evaluate their systems’ threat models and consider the security implications of turning off particular protections. This trade-off, however, is not necessarily a downside. It allows for a more nuanced approach to security, one tailored to each system's specific needs and risks. Administrators can strike a better balance between security and performance by understanding the potential risks and making conscious decisions about which mitigations to disable.

Patch Availability and Ongoing Developments

The Attack Vector Controls are still under development, with patches progressing to their third iteration. This indicates a commitment to refining the implementation, addressing bugs, and improving the overall approach. Tracking these developments can provide insights into how the controls evolve and when they might be ready for deployment in production environments.

Practical Applications

To illustrate the practical applications of Attack Vector Controls, consider a hypothetical scenario: A company runs a data center with various servers. Some servers handle sensitive internal applications, while others host public-facing services, including virtual machines for various clients. The primary concern for servers running sensitive internal applications might be protecting against user-kernel exploits. With Attack Vector Controls, the company can enable substantial mitigations for these exploits while potentially relaxing less relevant ones. This not only maintains security but also optimizes performance for these critical applications. On the other hand, the servers hosting public-facing services would require a different approach. Given the higher risk of untrusted virtual machines, the focus would likely be mitigations against guest-host and guest-guest exploits. The company can ensure robust protection without unnecessarily impacting performance by tailoring its security posture to these specific needs.

Our Final Thoughts on The Road Ahead for Attack Vector Controls

The introduction of Attack Vector Controls marks a significant step forward in how CPU security mitigations are managed within the Linux kernel. By simplifying mitigation management, enhancing performance, providing better documentation, and allowing for informed security trade-offs, this approach empowers administrators to better align their security measures with their systems’ requirements. This is an exciting development for the Linux community, offering a more strategic way to handle security that can cater to the diverse needs of modern computing environments. However, as with any new technology, it will be essential to approach its implementation thoughtfully, considering the benefits and potential risks. As Attack Vector Controls continue to develop, staying informed and engaged with the ongoing patches and documentation will be key. For us Linux security administrators, this presents an opportunity to streamline our processes, enhance our systems’ performance, and maintain a robust security posture. With the right knowledge and tools, this innovative solution could become a cornerstone of future Linux security strategies. As these controls continue to evolve, the potential for improved manageability and optimized performance makes them an exciting development worth watching closely.

Attack vector controls (AVCs) streamline management of CPU mitigations in Linux, simplifying performance tuning while bolstering security against threats like Spectre.

Tags: CPU Mitigations, Attack Vector Controls, Performance Optimization, Linux Security
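The "Potential Security Trade-offs" and "Practical Applications" sections above say the admin must know which specific vulnerabilities are left exposed when a vector class is relaxed, and must verify that the outcome matches the host's role. The following is an added example, not code from the article, its author or the kernel project, that turns that into a check: it parses the per-vulnerability status strings the kernel exposes under `/sys/devices/system/cpu/vulnerabilities`, predicts which mitigations a policy would switch off, and flags any vulnerability reported as Vulnerable that maps to a vector the host still needs. The vulnerability-to-vector table in the code is constructed for illustration only; the authoritative mapping is the table in the 6.17 kernel's attack-vector-controls documentation and should replace it. The rule that a mitigation stays active while any one of its vectors is still enabled is likewise an assumption about the kernel's behaviour, and the sample sysfs report is constructed.

```python
"""Audit sysfs vulnerability status against an attack-vector policy.

Added example, not code from LinuxSecurity.com, the article's author or the
kernel project. VECTOR_TABLE is ILLUSTRATIVE and constructed; replace it with
the table from the 6.17 attack_vector_controls documentation before relying
on it. The "a mitigation stays on while any of its vectors is enabled" rule in
expected_off() is an assumption about kernel behaviour.
"""
from __future__ import annotations
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed, illustrative mapping: vector classes each mitigation covers.
VECTOR_TABLE: dict[str, frozenset[str]] = {
    "meltdown":   frozenset({"user_kernel"}),
    "spectre_v1": frozenset({"user_kernel"}),
    "spectre_v2": frozenset({"user_kernel", "guest_host"}),
    "l1tf":       frozenset({"guest_host", "guest_guest"}),
    "mds":        frozenset({"user_kernel", "user_user", "guest_host",
                             "guest_guest", "cross_thread"}),
}


def parse_status_report(text: str) -> dict[str, str]:
    """Parse 'name: status' lines into a dict. Accepts both bare names and the
    full paths that `grep . /sys/.../vulnerabilities/*` prints."""
    report = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, status = line.split(":", 1)
        report[os.path.basename(name.strip())] = status.strip()
    return report


def read_sysfs(directory: str = SYSFS_DIR) -> dict[str, str]:
    """Read the live sysfs files; returns {} on a non-Linux host or old kernel."""
    report = {}
    if not os.path.isdir(directory):
        return report
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            report[name] = fh.read().strip()
    return report


def classify(status: str) -> str:
    """Collapse the kernel's free-form status string into a few buckets."""
    s = status.lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def expected_off(disabled_vectors: set[str]) -> list[str]:
    """Mitigations the policy is expected to switch off: those whose every
    vector is disabled. One still-enabled vector keeps the mitigation on."""
    return sorted(v for v, vecs in VECTOR_TABLE.items() if vecs <= disabled_vectors)


def audit(report: dict[str, str], required_vectors: set[str]) -> list[str]:
    """Vulnerabilities reported as Vulnerable that cover a vector the host's
    role still requires. Anything listed here is a policy gap to alert on."""
    gaps = []
    for vuln, status in report.items():
        vecs = VECTOR_TABLE.get(vuln, frozenset())
        if classify(status) == "vulnerable" and vecs & required_vectors:
            gaps.append(vuln)
    return sorted(gaps)


# Constructed sample of the sysfs contents for a host booted with the
# guest-facing mitigations switched off.
SAMPLE_REPORT = """\
meltdown: Mitigation: PTI
spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2: Mitigation: Retpolines
l1tf: Vulnerable
mds: Not affected
"""

if __name__ == "__main__":
    live = read_sysfs() or parse_status_report(SAMPLE_REPORT)
    print("expected off:", expected_off({"user_user", "guest_host", "guest_guest", "cross_thread"}))
    print("gaps for a public VM host:", audit(live, {"guest_host", "guest_guest"}))
    print("gaps for an isolated HPC node:", audit(live, {"user_kernel"}))
```

The two checks answer different questions: `expected_off` is the planning step (what will this policy cost me in coverage, before I reboot), while `audit` is the verification step run on the booted host, so a status of Vulnerable on a guest-facing vulnerability is only an alert on a host whose role actually needs that vector.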

Jan 14, 2025, Brittany Day, Security Projects