AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)

AlmaLinux (https://almalinux.org/) has shipped updated kernels for AlmaLinux 8 and 9 that address CVE-2024-1086, a use-after-free in the kernel's netfilter nf_tables subsystem that can be exploited by a local user to gain root. The update is notable because it marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL). From the announcement:

"In January of this year, a kernel flaw was disclosed and named CVE-2024-1086 (https://nvd.nist.gov/vuln/detail/CVE-2024-1086). This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086, https://jonathanspw.com/posts/2024-03-31-dealing-with-cve-2024-1086/). In multi-user scenarios, this flaw is especially problematic. Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact (https://access.redhat.com/security/cve/CVE-2024-1086)."

The AlmaLinux project also notes that it is not affected by the XZ backdoor: "Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn't made it further than Fedora in our ecosystem." (https://lwn.net/Articles/968299/)
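For an EL8/EL9 host that cannot reboot onto the fixed kernel immediately, the two questions an operator wants answered are whether the box is exposed to CVE-2024-1086 and whether its XZ build is one of the backdoored releases. The script below is an added example written for this page; it is not code from the AlmaLinux blog, from Jonathan Wright's post, or from LWN. It relies on facts not stated above: the flaw is in nf_tables, the public proof-of-concept exploits obtain CAP_NET_ADMIN by creating an unprivileged user namespace (so `user.max_user_namespaces = 0` or an `install nf_tables /bin/false` modprobe rule are the commonly documented stop-gap mitigations), and the backdoor shipped only in upstream XZ Utils 5.6.0 and 5.6.1. It deliberately does not hard-code a "fixed" kernel NVR, since the page does not give one; compare your running kernel against the AlmaLinux errata for that. The `SAMPLE_*` inputs are constructed for offline testing; the helper names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the AlmaLinux blog or LWN coverage.
# Exposure checks for CVE-2024-1086 (nf_tables UAF) and the XZ backdoor.
# Each helper takes raw data as an argument so it can be tested without root.

# --- XZ backdoor -----------------------------------------------------------
# The malicious code was only ever in upstream releases 5.6.0 and 5.6.1.
# $1: bare version ("5.6.1"), an RPM version-release ("5.6.0-1.el9"),
#     or the first line of `xz --version` ("xz (XZ Utils) 5.6.1").
# Returns 0 (true) if that version carries the backdoor.
xz_backdoored() {
    first=$(printf '%s\n' "$1" | head -n1)
    ver=${first##* }      # last whitespace-separated word, e.g. "5.6.1"
    ver=${ver%%-*}        # strip an RPM release suffix, e.g. "-1.el9"
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# --- CVE-2024-1086 ---------------------------------------------------------
# $1: value of `sysctl -n user.max_user_namespaces`. 0 means unprivileged
# users cannot create a user namespace, which the public PoCs rely on to get
# CAP_NET_ADMIN over their own netns. Non-numeric input counts as "enabled".
userns_disabled() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# $1: contents of /proc/modules (or `lsmod` output). 0 if nf_tables is loaded.
nf_tables_loaded() {
    printf '%s\n' "$1" | grep -q '^nf_tables[[:space:]]'
}

# $1: concatenated /etc/modprobe.d/*.conf. 0 if an `install nf_tables
# /bin/false` (or /bin/true) rule is present. A bare `blacklist nf_tables`
# line only stops alias-based autoload, so it is not accepted here.
nf_tables_blocklisted() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(true|false)([[:space:]]|$)'
}

# Combine the three signals. Returns 0 (exposed) when a local user could
# reach the vulnerable code: user namespaces are available AND nf_tables is
# either already loaded or can still be autoloaded on demand.
cve_2024_1086_exposed() {
    maxns=$1; modules=$2; modprobe_conf=$3
    if userns_disabled "$maxns"; then
        return 1            # mitigated: no unprivileged user namespaces
    fi
    if nf_tables_loaded "$modules"; then
        return 0            # exposed: module already resident
    fi
    if nf_tables_blocklisted "$modprobe_conf"; then
        return 1            # mitigated: module cannot be loaded
    fi
    return 0                # exposed: netlink request from a userns loads it
}

# Constructed sample data (not captured from a real host) for offline tests.
SAMPLE_MODULES_LOADED='nf_tables 360448 1 nft_fib_inet, Live 0x0000000000000000
nfnetlink 20480 2 nf_tables, Live 0x0000000000000000'
SAMPLE_MODULES_CLEAN='xfs 1757184 1 - Live 0x0000000000000000
libcrc32c 16384 1 xfs, Live 0x0000000000000000'
SAMPLE_MODPROBE_BLOCKED='# stop-gap until the fixed kernel is booted
install nf_tables /bin/false'

# Live check against the running host; run as `sh check.sh --host`.
check_host() {
    maxns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)
    modules=$(cat /proc/modules 2>/dev/null)
    modprobe_conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    xzver=$(xz --version 2>/dev/null | head -n1)
    printf 'kernel: %s\n' "$(uname -r)"
    if cve_2024_1086_exposed "$maxns" "$modules" "$modprobe_conf"; then
        echo "CVE-2024-1086: EXPOSED (userns max=$maxns, nf_tables reachable)"
    else
        echo "CVE-2024-1086: mitigated by sysctl/modprobe (still install the fixed kernel)"
    fi
    if xz_backdoored "$xzver"; then
        echo "xz: BACKDOORED release installed ($xzver)"
    else
        echo "xz: not a backdoored release ($xzver)"
    fi
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Two caveats before applying the mitigations the script looks for: on EL8 and EL9, firewalld uses the nftables backend, so blocklisting nf_tables disables the host firewall and is only sensible on machines that manage packet filtering some other way; and `user.max_user_namespaces = 0` breaks rootless containers and anything else that unshares a user namespace. Both are stop-gaps; the fixed kernel is the actual remediation.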