The Rocky Linux project has always prioritized stability, compatibility, and trust within the Enterprise Linux ecosystem. Historically, this has meant waiting for official upstream Enterprise Linux releases before publishing updates to Rocky Linux systems.
Today, we are announcing a new capability designed specifically for exceptional security situations where immediate action is necessary to better protect our users and infrastructure operators.
Introducing the Rocky Linux Security Repository
We are introducing a new optional security repository for Rocky Linux.
This repository allows the Rocky Linux project to provide urgent security updates in situations where a critical vulnerability exists, public exploitation is available, and upstream Enterprise Linux releases may not yet be available.
This is an intentional and carefully considered departure from our long-standing policy of never releasing packages ahead of upstream Enterprise Linux. Rocky Linux remains fully committed to Enterprise Linux compatibility and alignment with upstream sources. However, we also recognize that certain security situations require a faster response to reduce risk for administrators and organizations operating critical infrastructure.
Because this represents a change from our traditional release approach, the security repository is NOT enabled by default. This preserves the predictable and stable behavior our users expect while giving administrators the flexibility to opt into accelerated security fixes when desired.
Using the repository is straightforward:
$ sudo dnf --enablerepo=security update
Administrators may also choose to enable the repository permanently through standard DNF repository configuration.
The security repository is intended to provide hot-fixes as a temporary solution for urgent circumstances involving critical security exposure and immediate risk mitigation. Versioning of these packages is designed such that the official upstream packages will always update our hot-fixes. It is not a replacement for the normal Rocky Linux release process and should not be interpreted as a broader change in our commitment to upstream Enterprise Linux compatibility.
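To make the versioning point concrete, the following is an added example (not Rocky Linux or CIQ code) of the RPM version-comparison rules that decide whether one build updates another, applied to a constructed release-tag scheme in which a hot-fix appends a suffix to the current upstream release tag. The version strings are constructed and the suffix scheme is an assumption; this page does not state the actual tagging Rocky uses.

```python
"""RPM-style version comparison, added as an illustration of how a
hot-fix release tag can sort above the current build but below the next
upstream build. Caret ('^') handling is omitted for brevity (assumption:
hot-fix tags do not use it). All version strings here are constructed."""
import re

_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")  # segments rpm compares; separators ignored

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does: split into
    numeric and alphabetic segments, compare numerics as integers and alphas
    lexically, numeric beats alpha, a longer string beats a prefix of itself,
    and a tilde sorts before anything, including the end of the string."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1          # numeric segment wins over alpha
        if xd:
            xi, yi = int(x), int(y)         # int() also drops leading zeros
            if xi != yi:
                return -1 if xi < yi else 1
        elif x != y:
            return -1 if x < y else 1
    rest = sa[len(sb):] or sb[len(sa):]     # whatever one side has left over
    if not rest:
        return 0
    longer_is_a = len(sa) > len(sb)
    if rest[0] == "~":                      # trailing tilde loses to end-of-string
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1

def evr_cmp(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = a, b
    if int(ea) != int(eb):
        return -1 if int(ea) < int(eb) else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def hotfix_ordering(current: str, hotfix: str, upstream_next: str) -> dict:
    """The two properties a temporary hot-fix release tag needs: it installs
    over the current package, and the next upstream build installs over it."""
    return {
        "hotfix_installs_over_current": rpmvercmp(hotfix, current) > 0,
        "upstream_supersedes_hotfix": rpmvercmp(upstream_next, hotfix) > 0,
    }

# Constructed tags: appending ".1.rocky" to the current release tag satisfies both.
print(hotfix_ordering("503.14.1.el9_5", "503.14.1.el9_5.1.rocky", "503.15.1.el9_5"))
```

The same check can be run against the real package NEVRs reported by `rpm -q` before enabling the repository, to confirm locally that a later upstream build will still replace the hot-fix.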
Dirty Frag Security Update Available
With the introduction of the new security repository and with engineering assistance from CIQ, we are also announcing the immediate availability of a security update addressing the recently disclosed Linux kernel vulnerability known as “Dirty Frag”.
Dirty Frag is a serious local privilege escalation vulnerability affecting Linux kernel versions dating back to 2017. Public proof-of-concept exploit code is already available, and security researchers have described exploitation as highly reliable and deterministic.
Unlike many historical privilege escalation vulnerabilities, Dirty Frag does not rely on unstable race conditions or timing-sensitive behavior, making exploitation substantially more practical for attackers once local access has been obtained.
While exploitation requires local access to a system, environments with shared users, container workloads, CI infrastructure, HPC clusters, university systems, shell access environments, and multi-tenant systems should treat this vulnerability as especially urgent.
The public disclosure of Dirty Frag occurred before coordinated upstream fixes were broadly available, creating a narrow but important window where downstream vendors and distributions needed to evaluate how best to protect their communities.
After careful consideration, we determined that making a fix available immediately through the optional security repository was the responsible course of action.
Our Commitment
The Rocky Linux community remains committed to delivering a stable, predictable, and fully Enterprise Linux compatible platform.
In rare situations such as this, protecting our users may require accelerated action while still preserving administrator choice and operational flexibility.
The new security repository provides a mechanism for rapid response during exceptional security events while allowing the default Rocky Linux experience to remain aligned with the traditional upstream Enterprise Linux release model.
We appreciate the continued support of our community, contributors, partners, and the organizations helping strengthen the Rocky Linux ecosystem.
We would also like to extend our sincere thanks to CIQ for their continued investment in Rocky Linux, commitment to the open source community, and for providing engineering resources, infrastructure, testing, and rapid coordination that helped make this accelerated response possible. CIQ’s kernel team was instrumental in helping to remediate this vulnerability as quickly and responsibly as possible.