-
release v0.9.3: CVE metadata refresh (KEV 10→12) + dirtydecrypt bug fix
build / build (clang / debug) (push) Waiting to runbuild / build (clang / default) (push) Waiting to runbuild / build (gcc / debug) (push) Waiting to runbuild / build (gcc / default) (push) Waiting to runbuild / sanitizers (ASan + UBSan) (push) Waiting to runbuild / clang-tidy (push) Waiting to runbuild / drift-check (CISA KEV + Debian tracker) (push) Waiting to runbuild / static-build (push) Waiting to runrelease / build (arm64) (push) Waiting to runrelease / build (x86_64) (push) Waiting to runrelease / build (x86_64-static / musl) (push) Waiting to runrelease / build (arm64-static / musl) (push) Waiting to runrelease / release (push) Blocked by required conditionsleviathan released this
2026-05-24 05:17:58 +00:00 | 0 commits to main since this releaseCVE metadata refresh:
- Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module
CVEs. Two are CISA-KEV-listed:- CVE-2018-14634 mutagen_astronomy (2026-01-26, CWE-190)
- CVE-2025-32463 sudo_chwoot (2025-09-29, CWE-829)
- Populated via direct curl when refresh-cve-metadata.py's Python urlopen
hung on CISA's HTTP/2 endpoint for ~55 min — same data, different
transport.
dirtydecrypt module bug fix:
- dd_detect() was wrongly gating 'predates the bug' on kernel < 7.0
- Per NVD CVE-2026-31635: bug entered at 6.16.1 stable; vulnerable
through 6.18.22 / 6.19.12 / 7.0-rc7; fixed at 6.18.23 / 6.19.13 / 7.0 - Fix: predates-gate now uses 6.16.1; patched_branches[] adds {6,18,23}
- Re-verified: dirtydecrypt now correctly returns VULNERABLE on mainline
6.19.7 instead of OK. Previously a false negative on real vulnerable
kernels.
Footer goes from '10 in CISA KEV' to '12 in CISA KEV'. Verified count
stays at 28 but dirtydecrypt's record is now a TRUE VULNERABLE match
(was OK match).Downloads
- Added 8 entries to core/cve_metadata.c for the v0.8.0 + v0.9.0 module