Another Linux kernel vulnerability has been published under number CVE-2026-43284, nicknamed Dirty Frag.
Fixed kernels compiled by the Debian community have already been published for Debian 12 and 13, on which YunoHost 12 and (testing) 13 are based.
We highly recommend upgrading your system packages ASAP, for example, from the web admin. You should get an update for a linux-image-... package.
Raspberry Pi users, or probably users with hardware that requires a specific kernel build, check your provider’s usual software release channels for information about CVE-2026-43284.
You must reboot your system after the upgrade. If you do not reboot, the old Linux kernel could stay in use.
You can check your current kernel version with the uname -a command, and compare it with the fixed kernel versions on the next link.
Fetch available update
All system packages are up to date
thanks in advance
Powered by YunoHost 12.1.39 (stable).
I see this later at the bottom of the Web Admin page:
Fetching available upgrades for system packages…
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php bookworm InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525
W: Some index files failed to download. They have been ignored, or old ones used instead.
Something went wrong while updating the cache of APT (Debian’s package manager). Here is a dump of the sources.list lines, which might help identify problematic lines:
sources.list:deb Index of /debian bookworm main contrib
sources.list:deb-src Index of /debian bookworm main contrib
sources.list:deb [signed-by=/usr/share/keyrings/yunohost-bookworm.gpg] Index of /debian/ bookworm stable
sources.list:deb Index of /debian-security bookworm-security main contrib non-free non-free-firmware
sources.list:deb-src Index of /debian-security bookworm-security main contrib non-free non-free-firmware
sources.list:deb Index of /debian bookworm-updates main contrib non-free non-free-firmware
sources.list:deb-src Index of /debian bookworm-updates main contrib non-free non-free-firmware
sources.list.d/extra_php_version.list:deb Index of /php/ bookworm main
sources.list.d/yarn.list:deb [signed-by=/etc/apt/trusted.gpg.d/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main
Read instructions again, especially around the uname -r command.
Open a dedicated support thread for the Sury errors. Do not forget to specify the hardware of your server.
I upgraded. After the upgrade/restart, the Samba credentials need to be refreshed. I tested the YNH applications and everything is working fine. Thank you very much.
Thank you! A quick reminder that the server can be rebooted straight from the administration interface under the Tools section. I didn’t know this at first and frantically went to SSH only to find out later about the convenient menu.
Thank you, I upgraded with yunohost tools upgrade system and it did update a linux-image package, but after reboot the version I see is # uname -r 6.1.0-47-amd64
which doesn’t match the Debian page. Do I need to do a dist-upgrade or something?
You cannot find a match because the Debian page dedicated to CVE-2026-43284 does not publish the kernel version; it publishes the version of the Debian distribution.
uname -r only gives you the version of the kernel currently running;
uname -a also gives you the version of the Debian distribution.
After upgrading the packages on your YunoHost, uname -a should show:
# uname -a
Linux mon.domaine.fr 6.1.0-47-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.170-3 (2026-05-08) x86_64 GNU/Linux
This Debian number 6.1.170-3 does appear on the Debian page dedicated to CVE-2026-43284:
bookworm (security) 6.1.170-3 fixed
The difficulty you ran into comes from the fact that the command given by the author of the first post, no doubt under the stress of haste, did not use the right option (-r instead of -a).
=================================
Base system (basesystem)
=================================
[ERROR] System package 'kernel' is currently in version '6.1.0-48-amd64', which is vulnerable to a MAJOR security issue: CVE-2026-31431, 31433, 43284 and 43500 a.k.a 'Copy Fail' and 'Dirty Frag' / CRITICAL Privilege escalations from any local user account. It is recommended to upgrade AS SOON AS POSSIBLE to version '{'bookworm': '6.1.170-3', 'trixie': '6.12.86-1'}'. More infos: https://copy.fail/, https://github.com/V4bel/dirtyfrag, https://security-tracker.debian.org/tracker/CVE-2026-31431, https://security-tracker.debian.org/tracker/CVE-2026-31433, https://security-tracker.debian.org/tracker/CVE-2026-43284, https://security-tracker.debian.org/tracker/CVE-2026-43500
=> Confusion between release and version in the automatic diagnosis, to be fixed.
Unfortunately I panicked. I backed up my entire server and downloaded it and reinstalled 12 and 13 multiple times assuming I was doing something wrong on my end.
Now I have to attempt to restore from my backup. No idea how that’s gonna go since documentation is stating that’s not possible.
Unfortunately I have to reinstall everything all over again. Thank god nothing was lost since I have not only my backups and backups of backups but also local copies of the actual files I need to reupload.
Suggestion: Communicate mistakes and new updates more properly so things like what I went through won’t happen.