Linus Torvalds does not enjoy giving talks, but he does consent to the occasional on-stage conversation with Dirk Hohndel at Linux Foundation events. The pair held the 30th of their fire-less fireside chats during a keynote session on May 20, at the 2026 Open Source Summit North America. Topics included 3D printing, guitar pedals, the recent 7.1-rc4 release of the kernel, and Torvalds's complicated relationship with AI tooling.

The OpenPGP Email Summit is an annual meeting for those who work on encrypted email and related topics. The tenth installment of this meeting took place in March 2026 and the minutes have now been published. As usual, a wide range of topics were discussed. Highlights included support for post-quantum cryptography (PQC) with multiple actors planning rollouts within this year, a promising new approach for making email signatures ubiquitous with the plan of making OpenPGP signed email a default, a new draft that brings reliable deletion (or "forward secrecy") features to OpenPGP, as well as a plan for transferring ownership of the OpenPGP.org domain.

Many people in the Linux community began using the operating system—and contributing to open source—at a tender age, often well before their 16th birthday. Thus, a recent change in openSUSE's terms of site (ToS) that required users of the project's web site to be "at least 16 years of age or the age of majority" in their jurisdiction has raised objections. The terms have since been modified, though users must still have parental approval to create accounts if they are younger than 16.

In April, David Steele, maintainer of the popular pgBackRest backup and restore project for PostgreSQL, announced that he had archived the project and it would no longer be maintained due to lack of sponsorship. On May 18, he announced that a number of sponsors have stepped forward to ensure its continued development:

Over the last few weeks, a coalition of sponsors has come together to fund ongoing development. Their support means the project is no longer reliant on a single sponsor, giving pgBackRest the stability it needs for the long term.

[...] I'm looking forward to getting back to work. There are features and optimizations in the pipeline that I'm excited to share in upcoming releases. Thank you to our sponsors for making this possible, and thank you to the community for your patience and support during this transition.

Thanks to Paul Wise for the tip.

Greg Kroah-Hartman has announced the 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256 stable kernels. These kernels contain a patch for CVE-2026-46333 a vulnerability reported by the Qualys Security Advisory team, though Jann Horn proposed a patch in 2020. The vulnerability has a proof-of-concept exploit published already. Some of the kernels have additional patches for other bugs; as always, users are advised to upgrade.

Greg Kroah-Hartman has announced the release of the 7.0.7, 6.18.30, and 6.12.88 stable kernels. These kernels do not include a patch for the Fragnesia local-privilege-escalation exploit that came to light on May 13, but do include many other important fixes throughout the tree. Users are, as always, advised to upgrade.

A push by Red Hat employees to create a Fedora "AI Developer Desktop" with support for out-of-tree kernel drivers and AI toolkits has been met with objections from some long-time members of the Fedora community. After more than a month of sometimes heated discussion, the Fedora Council had voted to approve the initiative; however, a last-minute change to vote against the proposal by council member Justin Wheeler has (at least temporarily) sent it back to the drawing board.

Sam James has sent an announcement to the OSS Security mailing list about another local-privilege-escalation (LPE) exploit in the same class as Dirty Frag, called "Fragnesia". From the disclosure:

This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag.

It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.

James noted that there is a patch in the works, but it has not yet been pulled into Linus Torvalds's tree nor into any of the stable kernels. A proof of concept exploit is also available.

Daniel Stenberg has published a lengthy article on his thoughts on Anthropic's Mythos, which the company decided was too dangerous for wide public release.

My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing. I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing.

This is just one source code repository and maybe it is much better on other things. I can only tell and comment on what it found here.

But allow me to highlight and reiterate what I have said before: AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past. All modern AI models are good at this now. Anyone with time and some experimental spirits can find security problems now. The high quality chaos is real.

Greg Kroah-Hartman has released the 7.0.6 and 6.18.29 stable kernels with Hyunwoo Kim's patch for the second vulnerability (CVE-2026-43500) reported with Dirty Frag and Copy Fail 2. All users are advised to upgrade.

Greg Kroah-Hartman has released the 6.1.171, 5.15.205, and 5.10.255 stable kernels, quickly followed by 6.1.172 and 5.15.206 kernels. This is another round of stable kernels to provide fixes for one of the CVEs (CVE-2026-43284) assigned following the Dirty Frag and Copy Fail 2 security disclosures. There is not, yet, a stable kernel with a fix for CVE-2026-43500, though a patch to fix the second half is in the works.

An unusual, some might say hostile, approach to disclosing an alleged remote-code-execution (RCE) flaw in the Forgejo software-collaboration platform has sparked a multifaceted conversation. A so-called "carrot disclosure" in April has raised questions about the researcher's methods of unveiling a security problem, Forgejo's security policies, and the project's overall security posture.

Greg Kroah-Hartman has announced the release of the 7.0.5, 6.18.28, 6.12.87, and 6.6.138 stable kernels. These kernels contain a partial fix for the Dirty Frag and Copy Fail 2 security flaws. Kroah-Hartman has confirmed that a second patch is required, but it is still in development and has not yet been merged.

Hyunwoo Kim has announced the Dirty Frag security flaw, a local-privilege-escalation (LPE) vulnerability similar to the recently disclosed Copy Fail flaw:

Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities. After consultation with the linux-distros@vs.openwall.org maintainers, and at the maintainers' request, I am publicly releasing this Dirty Frag document.

As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions.

Kim, who discovered the flaw and had attempted a coordinated disclosure set for May 12, has released the code for an exploit, as well as a example script to remove the vulnerable modules. A full write-up, with the disclosure timeline, is also available. It's unknown at this time whether this is an example of parallel discovery or how the third party was able to disclose it prior to the end of the embargo. We will be following up as more information comes to light.