The Linux kernel has recently been facing a series of discovered privilege escalation vulnerabilities, starting with the Copy Fail vulnerability and followed by subsequent vulnerabilities in the same spirit (Dirty Frag, Fragnesia). This development is part of a general trend where vulnerabilities are being found - and disclosed - faster than before. We expect it to continue, at least for the short-term.

The Gentoo Linux Kernel and Distribution Kernel teams are doing their best to keep Gentoo kernels secure. This includes both packaging the latest upstream releases as soon as possible, and backporting additional vulnerability fixes or mitigations whenever they become available. As example, while upstream kernel releases are still vulnerable to Fragnesia, the respective Gentoo kernels feature fixes from day one. At the time of writing, all supported Gentoo kernels feature the latest Fragnesia v5 patch. Please expect more updates. We recommend exploring ways to automate upgrading your kernel.

Please note that only sys-kernel/gentoo-kernel, sys-kernel/gentoo-kernel-bin and sys-kernel/gentoo-sources packages are security-supported. The vanilla kernel packages are vulnerable at the moment. Other kernel packages may carry fixes, but they usually are slower to be updated. Additionally, we recommend running the latest kernel version (~arch or latest stable LTS), as upstream does not reliably backport security fixes to older versions.