[ANNOUNCE] util-linux v2.42.2 and v2.41.5

From: Karel Zak

Date: Tue Jun 16 2026 - 08:34:38 EST


The util-linux releases v2.42.2 and v2.41.5 are now available at

https://www.kernel.org/pub/linux/utils/util-linux/v2.42/
https://www.kernel.org/pub/linux/utils/util-linux/v2.41/

Both releases contain security fixes for libmount and libblkid:

CVE-2026-53613 - mount(8) TOCTOU race on target path
CVE-2026-53612 - mount(8) TOCTOU race on post-mount owner/mode change
CVE-2026-53614 - mount(8) SUID bypass via LIBMOUNT_FORCE_MOUNT2
libblkid use-after-free in nested partition probing

v2.42.2 additionally includes a follow-up fix for CVE-2026-27456
(loop device symlink attack) -- the v2.42.1 fix used O_NOFOLLOW
which only rejects symlinks at the last path component; this update
uses openat2(RESOLVE_NO_SYMLINKS) to reject symlinks at any component.

Note for v2.41 downstream maintainers: the same loopdev follow-up
fix for CVE-2026-27456 is available on the stable/v2.41 branch
(commit 2dacaf3ee) but did not make it into the v2.41.5 tarball.
Please cherry-pick it into your builds.

Release notes:
https://www.kernel.org/pub/linux/utils/util-linux/v2.42/v2.42.2-ReleaseNotes
https://www.kernel.org/pub/linux/utils/util-linux/v2.41/v2.41.5-ReleaseNotes

Feedback and bug reports, as always, are welcomed.

Karel

--
Karel Zak <kzak@xxxxxxxxxx>
http://karelzak.blogspot.com
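
The difference between the two loop-device fixes described in the announcement above, as an added example that is not part of the original message and is not util-linux code: O_NOFOLLOW still opens a path whose intermediate directory is a symlink, while openat2(RESOLVE_NO_SYMLINKS) rejects it with ELOOP. The temp-directory layout, file names and function names are constructed for illustration; Linux 5.6 or later with matching kernel headers is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/openat2.h>   /* struct open_how, RESOLVE_NO_SYMLINKS */

/* O_NOFOLLOW: only the final path component is checked. Returns fd or -errno. */
static int open_nofollow(int dirfd, const char *path) {
    int fd = openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    return fd < 0 ? -errno : fd;
}

/* openat2 + RESOLVE_NO_SYMLINKS: a symlink in any component fails with ELOOP. */
static int open_no_symlinks(int dirfd, const char *path) {
    struct open_how how = { .flags = O_RDONLY | O_CLOEXEC,
                            .resolve = RESOLVE_NO_SYMLINKS };
    long fd = syscall(SYS_openat2, dirfd, path, &how, sizeof(how));
    return fd < 0 ? -errno : (int)fd;
}

/* Constructed layout in a temp dir: real/img (regular file), link -> real.
 * Each res[i] is 0 if that open succeeded, else -errno. Returns 0 on success. */
static int demo(int res[3]) {
    char tmpl[] = "/tmp/nosymXXXXXX";
    int d, f;
    if (!mkdtemp(tmpl) || (d = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) < 0)
        return -1;
    if (mkdirat(d, "real", 0700) || symlinkat("real", d, "link") ||
        (f = openat(d, "real/img", O_CREAT | O_WRONLY, 0600)) < 0)
        return -1;
    close(f);
    res[0] = open_nofollow(d, "link/img");     /* symlink is NOT the last part */
    res[1] = open_no_symlinks(d, "link/img");  /* same path, strict resolution */
    res[2] = open_no_symlinks(d, "real/img");  /* no symlink anywhere */
    for (int i = 0; i < 3; i++)
        if (res[i] >= 0) { close(res[i]); res[i] = 0; }
    unlinkat(d, "real/img", 0); unlinkat(d, "link", 0);
    unlinkat(d, "real", AT_REMOVEDIR); close(d);
    return rmdir(tmpl);
}

int main(void) {
    int r[3], rc = demo(r);
    if (!rc) printf("nofollow=%d openat2(link)=%d openat2(real)=%d\n", r[0], r[1], r[2]);
    return rc ? 1 : 0;
}
```

On a kernel or sandbox without openat2 the second and third results are -ENOSYS (or -EPERM under some seccomp profiles) instead.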