Tunnell cuts through the noise of "branded" vulnerabilities with a pragmatic clarity that prioritizes technical reality over security alarmism. It’s a refreshing reminder that informed maintenance, not panic, is the cornerstone of a robust Linux ecosystem.
Copy Fail & Dirty Frag, Bazzite 44, CachyOS, Arch Linux & more Linux news
This week in Linux, we've got some new distro releases. First up, we have Bazzite 44 based on the new Fedora 44. Then we've got some Arch Linux related releases with a new CachyOS and a new ISO from Arch itself. Plus, we're going to take a look at an upcoming event called the Linux App Summit, as well as the recent vulnerability news that is making waves with Copy Fail and Dirty Frag. All of this and more on This Week in Linux, the weekly news show that keeps you up to date with what's going on in the Linux and open source world.
Now, let's jump right into your source for Linux GNews.
The Bazzite team has announced on the Universal Blue forum the release of Bazzite 44 for desktop users. And this is a major update for this gaming distribution based on Fedora Atomic. The release moves Bazzite forward to the Fedora 44 base and brings new desktop updates, a new gaming-focused kernel version, a newer Mesa stack, stronger supply chain security work, and several practical gaming and creator focused changes. This update is currently for Bazzite desktop users. The Bazzite team says that deck builds or handheld builds will open for testing in the near future, but they are slow rolling that update because of the amount of changes in this release. The biggest changes are the jump to KDE Plasma 6.6, GNOME 50, the OGC kernel 6.19.x and Mesa 26.0.5.
Bazzite says Linux kernel 7.0 is coming in the near future and the project says it will include Valve's VRAM patch set when that happens. So for those unaware, the OGC kernel refers to the Open Gaming Collective project where many gaming related projects are working together, including Bazzite. You can check out episode 334 of This Week in Linux for more details on the OGC as I cover that project in depth in that episode. For the desktop environments, Bazzite is picking up the major Fedora 44 desktop stack. GNOME 50 is here for GNOME users while KDE users get Plasma 6.6 with a new Plasma login manager and Fedora's atomic desktop update. Now for KDE users specifically, Bazzite also drops Ptyxis from its KDE images and switches to the new Konsole terminal with container support. That matters because Ptyxis is more closely associated with the GNOME ecosystem while Konsole is the native KDE terminal. It is a small change in general, but I like it because it makes the KDE image feel more aligned with KDE again. And Bazzite 44 also adds several release engineering and security pieces. The project says it now has SBOMs, or software bills of materials, powering changelogs, build attestation, OpenSSF security scanning, and signed ISOs. This is important because Bazzite is an image-based operating system where users are trusting the project's built images. This gives users and contributors more information about what went into those builds and how they were produced. There's also a big change for Sunshine in this release. Instead of being pre-installed in the image, Bazzite now has a new Homebrew installer for Sunshine through ujust. So, the functionality is still available, but it is no longer included by default in the base image. And for those unfamiliar, Sunshine is a low latency streaming system. So, you can stream your games to other devices. Earlier in the topic, I mentioned that Fedora Atomic is what Bazzite is based on.
And that's important because Bazzite is part of the Universal Blue ecosystem and it builds on top of Fedora Atomic. But there are some differences between Fedora Atomic and the Universal Blue stuff and, you know, Bazzite specifically. So Fedora 44 Atomic Desktops removed FUSE 2 libraries from images, which means some older AppImages may not work anymore if they rely on the old AppImage runtime. Now, AppImage does work with FUSE 3, which is the new version, but some developers and app developers are using the old runtime of AppImages that are only using FUSE 2, which kind of causes some issues depending on the distribution. Now, Bazzite still supports AppImages that use FUSE 2, although that's likely to change in the future because FUSE 2 is being removed from most distributions. I've reached out to the AppImage developers to find out, you know, what kind of issue is happening with FUSE 2 versus FUSE 3. And basically, it's that some app developers are just not updating their runtimes.
So, they could update to FUSE 3, but some of them are not, and that's causing some headaches for first-time users. So, if you run into that kind of issue, just kind of Google search or whatever for FUSE 2 and whatever distribution you're using, and that should help you. And there's probably some articles around that sort of thing if you're running into any issues. Well, that's Bazzite 44.
If you're a gamer or a creator or just looking for something that uses an atomic style, then you'll find links in the show notes to give it a try.
CachyOS has released their April 2026 ISO refresh and the main user-facing change is that Shelly is now the default graphical package manager, replacing Octopi. The release also includes installer changes, DNS over HTTPS support, fingerprint authentication for sudo, hardware detection improvements, and a new NVMe scheduler default. So, let's talk about Shelly because it's a very interesting project. Shelly is a visual package management solution that allows you to have a GUI for handling pacman stuff. So, it's still going to work with the Arch-based ecosystem, but it does a little bit more than that. So it has support for the native libalpm, which is the Arch Linux package management. So it can interact with that natively, but it also has support for the AUR and even Flatpaks. So you can have all of that in one interface, which is really interesting. The latest CachyOS release also adds a clean snapshot immediately after installation and keeps that snapshot permanently. That gives users a baseline restore point after the system is first installed, which is a really cool idea. Some distributions have that and it's called like, you know, the factory reset and that sort of thing. So that's what you're going to get with this restore point. Also, GRUB os-prober is now enabled by default, which should help with detecting other operating systems on multiboot setups. CachyOS welcome now includes DNS over HTTPS support using Blocky. The redesigned DNS page can test connection speed, automatically select the fastest server, or let users add custom DNS servers.
There is also a new VRAM management toggle. CachyOS says it uses dmemcg-booster and on KDE it also installs the plasma-foreground-booster. This is basically a way to optimize graphics memory behavior on AMD and Intel GPUs, especially on systems with limited VRAM.
On the hardware side of things, CachyOS's chwd tool now has native USB device detection, chassis type detection, fingerprint reader integration for sudo prompts, and CPU family and model detection for Intel low power management support. CachyOS switched the default NVMe I/O scheduler from none to Kyber and they say the goal is better overall responsiveness under mixed workloads.
There are also some Nvidia related fixes. CachyOS removed the KMS hook from the mkinitcpio.conf file on non-portable desktops to fix Nvidia driver conflicts. Improved kernel search in Nvidia profiles is also done in this release. And they removed a forced Xorg session from Nvidia 470 profiles. And they also dropped some power management and vblank behavior because of Nvidia driver and VR issues.
Phoronix also reports that CachyOS has rolled out a supercharged Linux 7.0 kernel, saying for those using Intel Core Ultra Series 3 Panther Lake laptops, their Linux 7.0 kernel is enabling Intel FRED by default. And the patch was upstreamed for Linux 7.1, but the enablement is straightforward and thus an easy backport for 7.0. They say that their benchmarks show very nice performance with Intel FRED on Panther Lake and open the door for the Linux kernel enabling it by default. There's also patches carried by CachyOS with its Linux 7.0 with MGLRU enhancements, scheduling improvements, and more. If you're an existing user of CachyOS, you don't really need to do anything to get the new version. You just run regular updates and you'll be good to go. If you're thinking about becoming a user of CachyOS, you'll find links in the show notes.
Arch Linux's May 2026 ISO is now available, and the headline is that this is the first official Arch install image powered by the Linux 7.0 kernel series. For those unfamiliar with how these ISO updates work on Arch, Arch doesn't have a traditional release cadence, but rather they have ISO updates that offer the latest kernel available at the time and updated base packages from the repositories and that sort of thing. So kind of a new release, but also kind of not, because Arch is a rolling release system. So they do have updates constantly, but they do the ISO refreshes like monthly or something like that. Speaking of Arch update speed, there's this joke about that where, you know, when I used to run Arch and I was talking to people about Arch updates, a few times, actually many times, people would say that they wish that there was an update notifier on the desktop for when updates on Arch happen. And I would just say, well, have you updated in the last 24 hours? No. Well, then there's an update for you because that's how often it does it. Even if you check right now, it probably has an update for you.
But if you haven't done it in at least 24 hours, yeah, there's an update. So anyway, the Linux 7.0 part is the most visible milestone, bringing big changes, including more Intel Nova Lake enablement, new AMD graphics IP blocks, XFS self-healing work, performance optimizations, and standardized generic I/O error reporting. If you want more information about the latest release of the Linux kernel with Linux 7.0, then check out episode 342 of This Week in Linux where I covered it in much more depth. The May ISO also includes archinstall 4.3, which matters for users who want a guided Arch installation instead of doing everything manually. For those of you who are unaware, Arch Linux is known for being hard to install and it got the reputation over many, many years of requiring users to install the system manually, which was called the Arch Way.
It still has that method available and it's no longer required technically, but it is recommended by the dev team to do the Arch way at least once. So, you learn the ins and outs of the system.
Once you do it though, archinstall makes the process much easier. And the archinstall 4.3 release adds an optional additional font selection in the applications menu, enables power management services after package installation, fixes encrypted partition selection, fixes a table column error, and includes a shell injection fix in installer user shell and ownership handling.
Next, Arch also reached a bit of a milestone recently as Arch Linux now has a bit-for-bit reproducible Docker image, which is pretty cool. Arch having a reproducible Docker image is not really a flashy user feature, but it is important for trust. It means the container image can be independently rebuilt and verified to match, which helps prove that what people are downloading is actually what Arch intended to ship. Now, Arch Linux is great in a lot of ways, but if you're considering Arch for your first distro, then please reconsider. Arch is not meant to be someone's first distro. I mean, if you are really determined to do it anyway, knowing the downsides of Arch, you know, starting with a rolling release and no safety net, then okay, I guess have fun. But for everyone else, check out the video I made about picking your first distro. I'll have that linked in the description and in the pinned comment. I think that's a much better way to get started.
There have been two new Linux vulnerabilities that have been making the rounds on the news this week.
Copy Fail and Dirty Frag. I've seen coverage about this in many places. Most of it is overreacting to high degrees.
Now, let's answer the most important question about this. Are these bad? And if so, how bad are they? Well, both Copy Fail and Dirty Frag are what is known as local privilege escalation bugs. This is not a good thing, but it also is not as scary as it sounds or as scary as some YouTubers or podcasters are trying to make it seem. These two are very similar kernel bugs that happen to be reported pretty close to each other. And both are serious once an attacker has local code execution, but for regular desktop users, this is mostly an update your system and reboot kind of situation. As long as you don't download random packages from somewhere or visit sketchy sites or click on links in emails that you shouldn't, these aren't that big of a deal to you. The reason is that the keyword in local privilege escalation is local. This means an attacker would need access to your system already before they can use this bug against you. As long as you don't do silly things like randomly download and run scripts from some sketchy forums you've just found, then it is very unlikely that you need to worry about this as a desktop user.
The Copy Fail vulnerability has already been patched in many kernel versions.
So, even though it does not let someone magically compromise your laptop from the internet, you should still run updates for this patch as soon as they are available on your distro. Now, if you are a sysadmin for some servers or maybe a fleet of workstations at a company, then yeah, you should be more worried. In fact, in that case, you should pause this episode and go do some updates as soon as possible. It's not a doom and gloom, the sky is falling kind of thing, but at a bare minimum, you should apply mitigations as soon as possible. And the reason why desktop users and sysadmins are a different category is because with servers being accessed on the internet, they are already accessible. Whereas for desktop users, typically their computers are not accessible from the outside world or the outside internet, just in your local network. So in that sense, you don't really have to worry about it because they have to get into your system first and then be able to do a privilege escalation. And as far as I know, I've looked around. I've talked to various developers from different distributions, and as far as the remote code executions or RCEs that exist, they've all been patched as far as I could tell. So, there's really no way to get into your system unless you download some kind of malware or something like that that gives an attacker access to then do this as a secondary option. But as a sysadmin with servers that are already on the internet, there's a bigger reason that you need to start patching and mitigations and that sort of thing.
The first vulnerability is Copy Fail. This is a logic bug in the Linux kernel's authencesn cryptographic template, chained through AF_ALG and splice(), that can create a controlled four-byte write into the page cache of a readable file. In practical terms, their proof of concept could turn an unprivileged local user into root on many Linux distributions.
Copy Fail is still a big deal because the exploit is described as deterministic, small, and portable. And reports claim it can be done with just 732 bytes of a Python script across Ubuntu, Amazon Linux, RHEL and SUSE test systems. And the 732 bytes is a big deal because, one, that's less than 1 kilobyte. So it's very small. The risk is highest in shared environments like multi-tenant Linux hosts, Kubernetes and container clusters, CI runners, build farms and cloud services that run user-supplied code. Anyway, the reason is that these systems often give untrusted or semi-trusted code some level of execution on a local part and local privilege escalation can turn that limited access into root on the host.
That also explains why this is less scary for a desktop user, even a multi-user desktop machine, because if you're the only user or one of your family members is using the machine and you're not running untrusted code, then the practical risk is pretty low. But to be clear, low doesn't mean impossible because malware or other exploits, you know, something could happen in the future. You know, they could use this as like a second step to gain root. So you should still do some patches whenever they're available to you.
Then there's Dirty Frag, and it is very similar in impact but not the exact same bug. Dirty Frag is described as a Linux local privilege escalation vulnerability involving kernel networking and memory fragment handling, including ESP4, ESP6 and RxRPC. AlmaLinux says it chains two issues for the IPsec ESP side and also has the other one for the RxRPC side. Dirty Frag was disclosed after a broken embargo, which created a messy timeline. Early coverage accurately said there were no CVE and no distro patches at the time, but this changed very quickly.
As of recording this today, there's been a new CVE assigned and also some patch references that have been issued and listed. AlmaLinux said patched kernels were rolling out to production repositories. Now, the status of the Dirty Frag second CVE is more complicated. Greg Kroah-Hartman said CVE 2026435000 was reserved for the second issue and at that moment it was not fixed in any released kernel version yet. It will be happening pretty soon. I mean, it's going to be fairly quickly, as fast as possible. But at the moment, at least as of this recording, it's not happened yet. For users, the advice is basically the same. Update your kernel from your distribution, reboot into the fixed kernel, and also prioritize any system where untrusted users like containers or CI jobs or exposed services can execute code. For temporary mitigation, it is also possible to block both Copy Fail and Dirty Frag by having like the module blocking workarounds, but those should be treated as a stopgap and then evaluated after the fact, especially if you rely on IPsec or VPN features or other networking workloads. So you don't have to necessarily worry about the patches not being available. You can mitigate these very quickly just by running a command or two and later on then installing the patches. So the practical takeaway is this. Desktop users should not freak out but they should update and reboot. Sysadmins should treat these as urgent, especially on shared systems like container infrastructure and that sort of thing, and especially any Linux machine where a low-privileged account becoming root would be catastrophic. So, desktop users, it's not as big a deal as all the YouTubers and stuff are saying like, "Oh, Linux is, you know, have this big problem and you should avoid it or whatever."
It's not that big a deal. Now, server people with systems, you should definitely address this as soon as possible. But for the majority of desktop users, well, all desktop users, you don't really have to worry about it.
But these kinds of things, before I end this topic, I want to clarify something. A lot of people see these kinds of things on, you know, the news and they freak out about it because it sounds really bad, and in some ways this is bad, especially for servers and stuff. It is bad, but it's also so uncommon to hear Linux vulnerability, Linux virus, Linux malware, whatever, that sort of thing, that anytime something like this happens, it hits the news super big because, I mean, even Microsoft wrote an article about this particular thing, about Copy Fail. I'm not sure if they did Dirty Frag, but definitely Copy Fail. And there's a lot of articles, there's videos that talk about it. The amount of people who are referring or talking about this particular thing as if it is some horrible, horrible thing is pretty high and most of the time they're not really accurate about what's going on. So this is bound to happen in the future again and just, I guess, come to TWIL and see if it's a big deal or not.
I don't know. Usually if it's not, just keep in mind if it says local privilege escalation, that means it's bad but it doesn't mean it's a catastrophic problem. If it is like remote code execution, now that would be bad so you don't want that, or, what, Meltdown and Spectre, those were also really bad. But yeah, those are super rare, super rare. So anyway, I hope that clears up things. If you'd like more information about this, you'll find links in the show notes.
The Linux App Summit 2026 is happening on May 16th and 17th in Berlin, Germany, and registration is open now for both in person and virtual attendance. The event is free to attend, but registration is required. The basic point of it is to bring the Linux app ecosystem together.
The event is focused on developers, designers, product managers, user experience specialists, community leaders, and anyone interested in Linux application design and development. The Linux App Summit is co-hosted by GNOME and KDE. And the focus of the event is specifically on growing the Linux application ecosystem with topics like packaging and distribution, design and usability, commercialization, platform work, gaming, and the broader Linux app ecosystem. That collaboration is the bigger story here. GNOME and KDE are often talked about as separate desktop worlds, but LAS is built around the idea that the Linux app ecosystem needs common ground. The goal is to give app creators a meeting point to collaborate on the best Linux user experience while also helping third-party app developers understand how to bring software to Linux. And speaking of that collaboration, I recently sat down with Sri from GNOME and Aleix from KDE to talk about the Linux App Summit and the overall Linux app ecosystem. It was a very fun and fascinating conversation that will be published on my YouTube channel this coming Monday, May 11th. If you are curious about that, be sure to subscribe to the channel. The schedule gives a good sense of what the event is about this year. Now, Saturday starts with a keynote from Lennart Poettering called adding trust to Linux-based OSes and what that means for desktop and apps. After that, the schedule includes talks about x86 gaming on ARM with FEX, Flatpak and portals, local-first GNOME apps and KDE application development experience, as well as open-source document stacks, sustaining app forks, and tux doctor for mobile Linux hardware diagnostics.
Sunday continues the topics with stuff around RISC-V and the Linux app ecosystem, BuildStream and KDE software compilation, Flatpak Next, and a talk from friend of the show Jorge Castro titled making our own fate: why GNOME and KDE need operating systems. And the common thread is that LAS is not only about apps and individual programs. It is also about the plumbing around apps, packaging, portals, runtimes, hardware support, security models, crash reporting, local-first data, and how desktop projects work with distributions and third-party developers. For people watching from outside the event, remote participation is planned. And if you can't make it to Berlin or attend live, you can check out the recorded videos of talks shared on their YouTube channel.
And remember to check out the interview I had with Aleix and Sri from KDE and GNOME that is coming out on Monday.
Mesa 26.1 is officially out as the newest feature release of the Mesa open source graphics stack, bringing a long list of driver updates, Vulkan improvements, OpenGL work, virtualization changes, and Linux gaming fixes across multiple GPU vendors. Now, Mesa 26.1 is an important release, but it is also a new development release. The official Mesa release notes say people who care most about stability and reliability should stick with a previous release or wait for Mesa 26.1.1.
So, if you're on a rolling distro, this is probably coming to you soon. If you're on a stable distro, your distro maintainers will decide when and how to ship it. And if you manually install newer Mesa builds for gaming performance or something like that, this is probably not a release where everyone needs to rush in on day one. With that said, there are a lot of cool things to talk about with Mesa 26.1, like them implementing OpenGL 4.6 and Vulkan 1.4.
Mesa 26.1 also improves the virtualization story for some Intel users. Intel Iris, Crocus, and ANV now have VirtIO-GPU native context support, including HasVK, which should provide a thinner and faster path for Intel GPU paravirtualization inside of virtual machines, and at the same time VirGL is now considered unmaintained. VirGL has been used for accelerated graphics in virtual machines through virglrenderer, but the release announcement says users should start moving to other solutions unless someone steps up to maintain it long term. So, the virtualization story is a little bit mixed here. One older path is effectively being left behind while Intel GPU virtualization gets newer and more direct options. Another major item is OpenGL ES 2.0 support on PowerVR GPUs through Zink. Zink is Mesa's OpenGL on Vulkan driver. So this continues the trend of using Vulkan as a foundation to provide OpenGL support in places where that approach makes sense for Linux gaming. One of the more interesting additions is VK_EXT_present_timing support across several Vulkan drivers including RADV, NVK, Turnip, HoneyKrisp, and PanVK. That matters because VK_EXT_present_timing is about better presentation timing information and control. This can help get higher frame rates, but it can also help games and applications present frames more consistently, which matters for smoothness and frame pacing. And Phoronix also highlights broader improvements for Linux gaming and driver development, especially around Intel and AMD RadeonSI and RADV hardware. The release also includes work on NVK, Rusticl, Zink, RADV, Vulkan Video, low latency encode and decode, experimental Intel Nova Lake P support, and more KosmicKrisp work for Vulkan on Metal. And of course, there are also some bug fixes in this release. Overall, Mesa 26.1 is a meaningful update to the open graphics stack, especially for Vulkan drivers, Linux gaming, GPU virtualization, and more.
GhostBSD 26.1R15 is out now and this is a new major release. The headline change is that GhostBSD has moved from FreeBSD 14 to FreeBSD 15, bringing in upstream improvements from FreeBSD including hardware support, security updates, and kernel advancements. The other major change is the display server. GhostBSD 26.1 switches from the upstream Xorg server to XLibre as the default display server for the MATE desktop. The XLibre move did not come out of nowhere. Back in February, the GhostBSD team explained that Ghostban yet and that MATE, Xfce and the newer Gershwin desktop are not ready for Wayland in GhostBSD's context either. Basically the short version was that this is a technical decision and MATE is not ready for Wayland and Xorg is, you know, kind of going backward for them. So they decided to switch to XLibre instead. Now, beyond XLibre, GhostBSD 26.1 also changes the default shell to Zsh. That's not the biggest user-facing change compared to the FreeBSD 15b or the display server switch, but it does change the default command line experience for new installs. Network manager also gets new networking support, including enterprise WPA and WireGuard support. That matters because it expands GhostBSD's built-in networking tools for people using enterprise Wi-Fi environments or WireGuard VPN setups. Update Station gets an important upgrade too. It now supports boot environment-based major version upgrades for a BSD system. That is a meaningful safety feature because boot environments can give users a cleaner fallback, you know, when moving between major system versions. Software Station also gets a performance improvement with faster bisect-based package search.
There's also a visual refresh in the release including a new wallpaper, updated icon themes and new theme variants. One important upgrade detail is if you are already using GhostBSD, upgrading does not automatically switch you to XLibre. The GhostBSD announcement specifically says that your current display server stays the same after upgrading. And there are also various bug fixes in this release. So that's GhostBSD, based on FreeBSD 15, switches from Xorg to XLibre, moves the default shell to Zsh, adds stronger networking support, and a lot more. Now, yes, I know this show is called This Week in Linux and not This Week in BSD, and that was a BSD story. And while, you know, my main interest is Linux, you know, sometimes it's interesting to check out what's going on in the BSD world. And I thought it might be interesting to some of you as well. And for those of you who don't find BSD topics interesting, well, there's like six other topics on this show, so enjoy.
There's a lot more show to check out.
And also, you know, it's my show, so I'll just do whatever I want.
Thanks for watching this episode of This Week in Linux. If you like what I do here on this show and want to be kept up to date with what's going on in the Linux and open source world, then be sure to subscribe. And of course, remember to like that smash button. And if you'd like to support the show and the Tux Digital Network, then consider becoming a patron by going to tuxdigital.com/membership.
We're getting a bunch of cool perks like access to patron-only sections of our Discord server and much, much more. You can also support the show by ordering the Linux t-shirt, which is a fantastic thing you can get at the Tux Digital store. Specifically, I like that the Linux is everywhere. If you don't know what that means, it's basically I have the Tux penguin designed like blended into the background to kind of convey the message that whether you know Linux is there, it probably is. I also made the This is Linux t-shirt, which is kind of like this is Sparta but with Linux.
So, I don't know. It was kind of a fun idea I had and I think it's kind of cool. So check it out. Tux Digital store and, yeah, tuxdigital.com/store. Oh, also if you want to get the This Week in Linux shirt, you can get that at the store, too. So tuxdigital.com/store.
And while you're there, check out all the other cool stuff we have like hats, mugs, hoodies, and more.
tuxdigital.com/store.
I'll see you next time for another episode of Your Source for Linux GNews.
Thanks again for watching. I'm Michael Tunnell. I hope you're doing well. Be sure to ring the notification bell.
Until next time, I bid you farewell.