Hacker News

xeeeeeeeeeeenu, yesterday at 7:37 PM

It seems there was some kind of confusion during the disclosure process, because the vendors aren't treating this vulnerability as serious and it remains unpatched in many distros.

https://access.redhat.com/security/cve/cve-2026-31431 "Moderate severity", "Fix deferred"

https://security-tracker.debian.org/tracker/CVE-2026-31431

https://ubuntu.com/security/CVE-2026-31431

https://www.suse.com/security/cve/CVE-2026-31431.html


Replies

MarleTangible, yesterday at 7:50 PM

Seems like distros consider it a medium risk because it doesn't involve remote code execution and requires local access. Though it allows local root privilege escalation, which is considered high priority.

https://ubuntu.com/security/cves/about#priority

> Medium: A significant problem, typically exploitable for many users. Includes network daemon denial of service, cross-site scripting, and gaining user privileges.

wangman, yesterday at 10:14 PM

RedHat has also changed it to "Important severity" and "Affected" now.

Tuna-Fish, yesterday at 7:50 PM

Yeah, by Ubuntu's own guidelines linked on that page, this should be priority: high, but instead it's marked as medium.