
r/AlmaLinux

Security roundup: Copy Fail, Dirty Frag, NGINX Rift, Fragnesia, and ssh-keysign-pwn
Howdy folks,
The last two weeks have been unusual, to put it mildly. Five separate high-severity disclosures that affect AlmaLinux have been announced since 2026-05-01: four local-root kernel flaws and one unauthenticated nginx RCE/DoS. If you have lost track of the running tally, you're not alone. Our build servers want a break.
Here is where each one stands as of today, where we still need help, and a brief word on what to expect going forward.
At a glance:
Copy Fail (CVE-2026-31431): in production
Dirty Frag (CVE-2026-43284, CVE-2026-43500): in production
NGINX Rift (CVE-2026-42945): in production
Fragnesia (CVE-2026-46300): testing, please verify
ssh-keysign-pwn (CVE-2026-46333): testing, please verify
To the community: thank you. The volume of testing reports we received on these rounds is the reason they moved from testing to production as quickly as they did. The Copy Fail rollout in particular was the highest-engagement community call for testing we have ever run. We do not take that lightly.
Two patches are still sitting in the testing repository and need community verification before we can move them to production:
Fragnesia (CVE-2026-46300) test builds in almalinux-testing were refreshed on 2026-05-14 with additional upstream patches.
ssh-keysign-pwn (CVE-2026-46333) is a __ptrace_may_access() logic bug that lets an unprivileged user lift open file descriptors out of a dying privileged process and read root-owned files like /etc/shadow and SSH host keys. Public exploits are already out.
The ssh-keysign-pwn build also carries the Fragnesia patches, so installing it gets you both fixes in a single reboot. See the blog post for testing instructions.
A quick note on the pace. We are aware that "another week, another root" is becoming an actual schedule rather than a joke. Four local-root kernel disclosures in fifteen days is, statistically speaking, a lot.
Here is what is not changing:
We will keep shipping ahead of upstream when the severity warrants it. ALESCo has approved every one of these fast-track rollouts so far, and that bar has not moved. If a critical fix is sitting upstream and our users are exposed, we will build it.
We will keep our patches strictly compatible. Every kernel and every nginx package we have shipped during this run uses the upstream fix backported and adapted to the AlmaLinux branch, with the same NVR scheme, the same module ABI, and the same repository layout you would expect from a normal Red Hat security update. Drop-in compatibility is the contract, and we are not breaking it to ship faster.
We will keep asking you to test. Community verification is what lets us move from testing to production with confidence. The reason these patches have rolled out cleanly so far is that you have been there to catch the things we cannot reproduce in our lab.
Stay informed:
Blog: https://almalinux.org/blog/
Mattermost: https://chat.almalinux.org/
Announce: https://lists.almalinux.org/mailman3/lists/announce.lists.almalinux.org/
Security: https://lists.almalinux.org/mailman3/lists/security.lists.almalinux.org/
GitHub - 0xdeadbeefnetwork/ssh-keysign-pwn: Steal SSH host private keys and /etc/shadow via the ptrace_may_access mm-NULL bypass + pidfd_getfd. Pre-31e62c2ebbfd kernels.
github.com

Error during installation with VirtualBox
Good afternoon,
So I was trying to install Alma through VirtualBox, but this error keeps showing.
I looked for some resolutions but nothing seems to work. I tried changing RAM, CPU cores, other ISOs (dvd, boot, minimal), some commands from ChatGPT, but nothing...
Is alma what I'm looking for if I'm tired of Fedora after 16+ years with it on desktop?
[skip this story, I couldn't stop writing. Just goto: relevant]
First thing I do to any notebook (mostly ThinkPads) and PC I get is installing Fedora, and it started somewhere in middle school, so 2006-2009.
I'm not even a power user, because I'm not interested in staying stuck in dependency hell when wifi drivers already work.
However, I guess that I'm "power user enough to make something bad", things that would hurt me in the future? I'm constantly doing them.
When, with Fedora 39, I found out that only with KDE one of a few unnecessary features of KDE Connect works, and the GNOME version wouldn't handle it, I decided to remove the whole GNOME and dnf install kde-blahblah (the full version).
2 upgrades later I had problems with Bluetooth and the touchscreen of my Yoga ThinkPad.
I just started the "it can be fixed" procedure, after which no USB, no wifi, no internet, no touchscreen, not even a red clitty button - nothing to move the cursor was working.
The most funny thing? Somehow I couldn't even run a USB live Linux, because my family photos are protected with CryptSetup ❤️ And some process detected that I don't have a USB disk, that I had, boom, repair some tables. (fu & ur tables dude, just boot, you are a live USB Fedora meant to just open the encrypted disk so I can copy photos and documents, what dracula what initdsaporsadsasd)
However, sorry for this extended story. I'm facing stupid problems like that all the time, because I'm stupid and not afraid to play with things and break them. It would make me awesome if I only could learn from it ❤️
:relevant
Most of the things that I broke on Fedora were things that were working, and fixed some problems for me, BUT broke after an upgrade. Fedora has like an upgrade every year, or something like that? Alma is the same family but it's like a server version, similar to RHEL, so it's not filled with "cutting edge" packages I didn't ever need.
Tell me I'm wrong/right and I would read your opinions. Install it anyway to try it out, and then come back to this thread.