id summary reporter owner description type status priority milestone component version severity resolution keywords cc 5900 util-linux v2.42 (Security Update) Bruce Dubbs SecurityAdvisory "New minor version. util-linux 2.42 Release Notes Security fixes: CVE-2026-27456 - mount(8) TOCTOU symlink attack via loop device. The SUID mount follows symlinks when resolving loop backing file paths. On systems where non-root users are permitted to mount loop devices (via 'user' option in fstab), this allows access to arbitrary files. CWE-190 - Integer overflow in libblkid parse_dos_extended(). A crafted MBR disk image can cause uint32_t wraparound in EBR chain processing, causing reported partitions to not match the on-disk layout. Tools like udisks may then register a partition at logical sector 0. Release highlights: The NTFS mount type (kernel FS driver) can be changed by the compile option --with-ntfs-mounttype=, the default is ntfs3. login(1) now uses the original FQDN (as specified by ""-h "") to configure the PAM RHOST item. All previous versions used the hostname without domain. This may affect users who use login(1) for remote access (rlogin, rsh) and pam_access to define access rules. (Don't worry, if you still use rlogin then security is already irrelevant for you.) login(1), if configured with LOGIN_SHELL_FALLBACK in login.defs, can fall back to another valid shell from /etc/shells if the user's configured shell is inaccessible due to administrative errors. agetty reads issue file(s) in a way compatible with libeconf and systemd, hermetic-usr and drop-ins are now supported. For more details see https://uapi-group.org/specifications/specs/configuration_files_specification/ agetty uses netlink to get network interface information for issue file output. The libsmartcols-based tools with JSON support can now produce additional JSON formats. The output format may be changed by LIBSMARTCOLS_JSON={lines,compact} environment variable. column(1) now supports colors. New command copyfilerange(1) to copy file ranges using the copy_file_range() syscall. New command getino(1) to print the unique inode number associated with a process file descriptor or namespace for a given PID. fadvise(1) now supports --fd to address a file by file descriptor rather than by path. fallocate(1) now supports --report-holes to scan the file and report the distribution of holes. A significant performance regression has been fixed in hardlink(1). hardlink(1) now supports FIEMAP-based sparse file optimization. kill(1), waitpid(1) and nsenter(1) now support the PID:INO convention to precisely address processes. mount(8) now supports --beneath to atomically replace a filesystem at a mountpoint. mount(8) now supports --exclusive to ensure that the filesystem is mounted as a unique instance and that the superblock is not reused by the kernel. libmount now reads filesystem information from udevd (with fallback to classic libblkid-based detection). This feature can be disabled by --disable-libmount-udev-support. setarch(8) now supports --pid to show the personality of a specified process. The pager support for tools like ""dmesg -H"" has been improved to work better with signals. losetup(8) now supports --remove to remove a loop device node from the system. lsblk(8), lslocks(8), lsmem(1) and lsclocks(1) support _COLUMNS environment variable to specify output columns as an alternative to --output. lsfd(1) now supports new UNIX.IPEER, PACKET.PROTOCOL.RAW and TUN.DEVNETNS columns. setpriv(1) now supports landlock via --landlock-access and --landlock-rule options." enhancement closed high 13.1 Book git normal fixed