Copy Fail, Dirty Frag & the Linux News That Matters
Bazzite 44, CachyOS April, Arch Linux's latest ISO, and two kernel vulnerabilities the internet is catastrophizing. Here's what actually matters.
Written by AI. Tyler Nakamura

Photo: AI. Kasper Winter
Michael Tunnell dropped his latest This Week in Linux roundup and there's genuinely a lot to unpack—two kernel vulnerabilities with horror-movie names, a big Bazzite release, CachyOS swapping out its package manager, and Arch Linux shipping a new ISO. Let's run through it.
Bazzite 44: Gaming distro gets a real stack upgrade
Bazzite 44 lands on a Fedora 44 Atomic base and it's a meaningful jump. The headline components are KDE Plasma 6.6 and GNOME 50 on the desktop side, an updated Mesa stack at 26.0.5, and a gaming-focused kernel. Valve's VRAM patch set is apparently coming when Bazzite moves to a newer kernel version down the road.
The KDE-specific detail that caught my eye: Bazzite drops Yakuake (the Tunnell transcript says "Pixus/Puxus" but this maps to a GNOME-adjacent terminal) in favor of Console, which is actually KDE's own terminal app. This isn't just a cosmetic swap—there's a texture difference to using a terminal that belongs to your desktop environment versus one that was clearly borrowed from next door. KDE users know the feeling: open an app that doesn't share your theme's font rendering, your panel's icon set, your right-click behavior, and it's like finding a sock that's almost the right color. Console fits. The borrowed one didn't. It's the kind of fix that doesn't make a changelog headline but you feel every time you open it.
Sunshine, the game-streaming tool, also moves out of the default image. Instead of being pre-baked in, it's now installable through ujust—Bazzite's homebrew-style installer. If you use Sunshine to stream to a Steam Deck or another device, you still get it. You just opt in now instead of having it sitting there for everyone, whether they need it or not. That's the right call for a base image.
On the supply chain side, Bazzite 44 brings SBOMs (Software Bill of Materials) to changelogs, OpenSSF security scanning, and signed ISOs. For an image-based OS where you're trusting what the project built and ships, having verifiable attestation of what went into those builds is the whole game. You can't audit source if you're not compiling from it, so this kind of transparency tooling is what fills that gap.
One friction point worth flagging: Fedora 44 Atomic dropped FUSE 2 libraries from its images, which means some older AppImages that rely on the old runtime may break. Bazzite is still holding FUSE 2 support for now, but Tunnell confirmed that won't last—and the root cause is developers who simply haven't updated their AppImage runtimes to FUSE 3. If you hit that wall, search your distro name plus "FUSE 2" and you'll find a path through.
CachyOS April: Shelly replaces Octopi, and it's actually interesting
CachyOS's April 2026 ISO refresh is headlined by a package manager swap: Shelly is now the default GUI, replacing Octopi. But Shelly isn't just a prettier face on pacman—it handles native Arch packages, AUR, and Flatpaks in a single interface.
That last part is the thing. If you've spent time on an Arch-based system doing actual package management, you know the rhythm: open Octopi for repo packages, bounce to an AUR helper in terminal for AUR stuff, then remember you wanted a Flatpak version of something else and now you're in GNOME Software or running flatpak install in yet another terminal window. By the time you've installed three packages from three different sources, you've touched four different tools. Shelly collapses that into one window. Whether it executes as well as it promises is something users will need to test in practice, but the design intent is sound.
The other CachyOS addition I find genuinely clever: a clean system snapshot is taken immediately after installation and kept permanently as a baseline. So if you torch your system six months in—and on a rolling release with AUR access, the odds aren't zero—you have a true factory-state restore point. Some distributions call this a factory reset feature; CachyOS is just building it in from day one.
Other changes include DNS-over-HTTPS support via Blocky with a redesigned DNS settings page, a VRAM management toggle for AMD and Intel GPUs, and NVMe IO scheduler switched from none to Kyber for better responsiveness under mixed workloads. The Nvidia fixes are extensive enough to suggest the team has been collecting pain reports for a while.
Arch Linux's May ISO: The rolling distro does its monthly thing
Arch's May 2026 ISO is out, and it ships with the latest available kernel at build time, along with updated base packages. That's how Arch ISOs work—they're not version releases in the traditional sense, just periodic fresh installation media for a rolling system.
The updated installer, Arch Install 4.3, adds font selection during setup, enables power management services post-install, fixes an encrypted partition selection bug, and includes a shell injection fix. The reproducible Docker image milestone is also worth noting: it means the container image can be independently rebuilt and verified to match what Arch published, which is a meaningful trust signal for anyone running Arch-based containers in infrastructure.
Tunnell's standing advice for newcomers: don't start with Arch. The manual installation path—the "Arch way"—is still there and still recommended by the dev team as a learning exercise, but it's not the only option anymore. Arch Install handles the guided path. The audience for Arch is people who want to understand exactly what they're running, which makes it a great second or third distro, not a first one.
Copy Fail & Dirty Frag: Here's how scared you should actually be
Okay, the stuff everyone's talking about.
Two kernel vulnerabilities hit the news this week with names designed to trend: Copy Fail and Dirty Frag. Both are local privilege escalation bugs—meaning an attacker who already has code running on your system can potentially use them to become root. The coverage across YouTube and the broader tech press has been... a lot.
Tunnell's position on this is worth taking seriously: sysadmins on shared systems should prioritize patching immediately. Desktop users should update and reboot, but don't need to panic.
The distinction is load-bearing. "Local" in local privilege escalation means someone has to already be executing code on your machine before either of these bugs does anything. Your home Linux laptop sitting behind a router isn't internet-accessible. An attacker can't point Copy Fail at it from across the internet like a sniper. They'd have to get something malicious running on your system first—through malware you downloaded, a sketchy script you ran, something like that—and then use this as a second step to go from limited access to root.
The scale of attention these vulnerabilities are getting is itself interesting. Think about how the internet reacts when someone rear-ends another car versus when a bridge collapses. Both are accidents. One gets a local news segment; the other runs for a week. Linux vulnerabilities with names and dedicated websites are the bridge collapse version—rare enough that when one happens, everyone treats it like the whole road network is falling. That's not an accurate read of the risk profile.
Copy Fail is the more developed exploit: a logic bug in a kernel cryptographic template that can produce a controlled write into a page cache, potentially escalating an unprivileged local user to root. The proof of concept reportedly fits in 732 bytes of Python. It's been patched in multiple distributions already—Debian, Ubuntu, and others have pushed fixes.
Dirty Frag involves kernel networking and memory fragment handling across IPSec pathways. It was disclosed after a broken embargo, which created a chaotic news cycle where early coverage accurately noted there were no patches yet, and then patches started arriving almost immediately. As of Tunnell's recording, a second CVE for Dirty Frag was reserved but not yet addressed in a released kernel version—that was expected to change quickly.
The risk hierarchy: cloud infrastructure, Kubernetes clusters, CI runners, and any multi-tenant Linux environment where untrusted code executes—those are the actual targets. If a low-privileged container can become root on the host, that's catastrophic. If it's your personal laptop with a single user account and no untrusted code running, the path to exploitation is long and requires you to make several bad decisions first.
Module-blocking workarounds exist as a stopgap if patches aren't yet available for your distribution—with the caveat that they may interfere with IPSec or VPN workloads. Apply the workaround, note the dependency, revisit when the kernel update lands.
The reason Microsoft wrote a blog post about Copy Fail isn't because Linux is uniquely insecure. It's because a named, proof-of-concept kernel exploit is newsworthy regardless of platform, and Microsoft has a security research team that covers the Linux stack. The coverage volume is a function of how rarely this happens, not how bad this particular instance is.
Update your system. Reboot into the patched kernel. If you're a sysadmin, that was true an hour ago.
Tyler Nakamura is Buzzrag's Consumer Tech & Gadgets Correspondent. He reviews technology for people who want to make smart buying and usage decisions, not just read spec sheets.
We Watch Tech YouTube So You Don't Have To
Get the week's best tech insights, summarized and delivered to your inbox. No fluff, no spam.
More Like This
Penpot Wants to Fix Design Handoff—Does It Actually?
Better Stack demos Penpot, an open-source design tool that speaks CSS natively. We look at what it solves, what it doesn't, and who should care.
This Guy Fit 17TB of Enterprise Storage Into a Mini Rack
A home lab builder packed 17TB of NVMe storage into five mini PCs, ditching VMware for Proxmox and Ceph. Here's what actually worked—and what didn't.
C++ Range Algorithms Make Code Actually Readable
Intel engineer shows how C++ parallel range algorithms transform confusing word-counting code into something humans can actually understand.
Linux 7.0 Ships While AI Bug Hunters Reshape Security
Linux kernel 7.0 brings major file system improvements as Anthropic's AI bug-finding tool discovers decades-old vulnerabilities, changing cybersecurity forever.
Linux Defends Against AI Scrapers as Ubuntu Preps LTS
Debian blocks AI bots hammering its servers while Ubuntu locks in kernel plans. Plus: Nvidia finally brings GeForce NOW to Linux, six years late.
Firefox Gets AI Kill Switch While Discord Retreats on Verification
Firefox 148 adds an AI toggle as Discord delays biometric age verification after backlash. Plus: Linux LTS kernels extended, COSMIC Desktop evolves.
Anthropic's Claude Mythos Found Thousands of Zero-Days
Anthropic's new Claude Mythos AI discovered thousands of zero-day vulnerabilities, prompting a defensive security initiative before public release.
Async Rust Performance: What Most Developers Get Wrong
Code to the Moon breaks down async Rust and Tokio misconceptions that kill performance. Single-threaded concurrency vs parallelism explained.
RAG·vector embedding
2026-05-10This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.