Linux May 8, 2026

This Week in Linux: Bazzite 44, Kernel Vulnerabilities, and the Linux App Summit

This week's episode of This Week in Linux packed a punch with major distro releases, critical kernel vulnerabilities, and a reminder of why the Linux community's collaborative spirit matters.

Bazzite 44: Fedora Atomic for Gamers

The Universal Blue team shipped Bazzite 44, moving the gaming-focused Fedora Atomic desktop to the Fedora 44 base. Highlights include KDE Plasma 6.6 and GNOME 50, the OGC (Open Gaming Collective) 6.19.x kernel with Mesa 26.0.5, and notable supply-chain security upgrades — SBOMs, OpenSSF scanning, and signed ISOs.

One practical change: Sunshine low-latency streaming moved from pre-installed to a Ujust homebrew installer. Bazzite also still supports legacy AppImages using Fuse 2 (Fedora 44 Atomic removed these libraries), though this will likely change as distributions deprecate Fuse 2.

If you want an immutable, gaming-focused desktop with strong security transparency, Bazzite 44 is worth trying.

CachyOS April 2026 Refresh

CachyOS, the performance-oriented Arch derivative, released its April ISO with a big package manager change: Shelly is now the default graphical package manager, replacing Octopi. Shelly supports native ALPM, AUR, and Flatpak in one interface — a rarity in the Arch ecosystem.

Other notable additions: a permanent post-install snapshot as a restore point, DNS over HTTPS via Blocky, VRAM management toggle for AMD/Intel GPUs, and the NVMe I/O scheduler switched from "none" to "Kyber" for better mixed-workload responsiveness. The Linux 7.0 kernel includes Intel Fred enablement on Panther Lake laptops.

Arch Linux May 2026 ISO

Arch's monthly refresh is now powered by the Linux 7.0 kernel — the first official Arch install image on the 7.0 series. Arch Install 4.3 adds optional font selection and power management services post-install. Arch also achieved a bit-for-bit reproducible Docker image — independently rebuildable and verifiable.

As always: Arch is a rolling release, so the ISO is a convenience, not a version boundary. And Arch is not a beginner distro — the "Arch way" (manual install) is still recommended at least once.

Security: Copy Fail & Dirty Frag

Two Linux kernel vulnerabilities made headlines this week. Both are local privilege escalation (LPE) bugs — serious, but not remotely exploitable.

Copy Fail is a logic bug in the kernel's ONC RPC cryptographic template that can create a controlled four-byte write into the page cache. The proof of concept is just 732 bytes of Python to escalate from unprivileged user to root. Dirty Frag involves kernel networking and memory fragment handling (ESP4, ESP6, RX RPC) and was disclosed after a broken embargo.

The practical risk:

  • Low: Desktop users who don't run untrusted code
  • High: Sysadmins with internet-facing servers, multi-tenant hosts, Kubernetes clusters, CI runners, and build farms

Action: Update your kernel and reboot. Desktop users should not panic — these are not remotely exploitable. Server operators should treat this as urgent.

Mesa 26.1

Mesa 26.1 is out with significant driver work: OpenGL 4.6 and Vulkan 1.4 conformance, Intel GPU virtualization improvements through VirtIO, PowerVR OpenGL ES 2.0 via Zinc, and VK_EXT_present_timing across RADV, NVK, Turnip, Honeycrisp, and PANVK for better frame pacing.

One note: VirtualGL is now unmaintained. Users should migrate to newer solutions. Stability-focused users should wait for Mesa 26.1.1.

Linux App Summit 2026

The Linux App Summit (LAS) is happening May 16-17 in Berlin, co-hosted by GNOME and KDE. Registration is free but required — both in-person and virtual attendance available.

Notable talks include Leonard Pottering's keynote on trust in Linux-based OSS, x86 gaming on ARM with FEX and Flatpak, local-first GNOME apps, KDE application development experience, and George Castro on why GNOME and KDE need operating systems. The pre-event interview with Sri (GNOME) and Aleix (KDE) drops May 11th on the Tux Digital channel.

The bigger story: LAS is about the plumbing around apps — packaging, portals, runtimes, hardware support, security models, and how desktop projects work with distributions and third-party developers.

Key Takeaways

  1. Update your kernel — Copy Fail and Dirty Frag are real, but the panic is outsized for desktop users. Server operators should treat this as urgent.
  2. Bazzite 44 is a solid gaming desktop — immutable, secure, and transparent about its build process.
  3. CachyOS continues to push performance boundaries — the Shelly package manager and Kyber I/O scheduler are meaningful improvements.
  4. Mesa 26.1 advances the graphics stack — Intel virtualization, PowerVR support, and present timing improvements matter for gaming and VM workloads.
  5. The Linux App Summit matters — GNOME and KDE co-hosting an app-focused event signals the desktop ecosystem is maturing beyond "just pick a side."
"If it says local privilege escalation, it's bad but it doesn't mean it's a catastrophic problem. If it is remote code execution — now that would be bad." — Michael Tunnell, This Week in Linux

Summary based on This Week in Linux episode 343. Original video: youtube.com/watch?v=zRqYZ7iiU7o.

Need Linux IT support?

We manage Linux servers, desktops, and infrastructure for small businesses across the Ozarks. See our IT Support services or book a free 30-minute consultation.

Book a Free Consultation