Security patches, hardening configurations, and pre-built custom kernel for Linux. Focused on critical vulnerabilities discovered in 2025-2026. Compatible with Debian-based distributions (ParrotOS, Kali, Ubuntu).
Pre-built, hardened Linux kernel with 27+ security mitigations enabled, Dirty Frag LPE patched, and 20+ CVE mitigations applied.
| Package | Size | Download |
|---|---|---|
| linux-image | 292 MB | Releases |
| linux-headers | 11 MB | Releases |
| linux-image-dbg | 1.3 GB | Releases |
```bash
sudo dpkg -i linux-image-6.19.13-parrot.custom+2.0-cachyos-g372c9ba96bd4-dirty_6.19.13-g372c9ba96bd4-8_amd64.deb \
    linux-headers-6.19.13-parrot.custom+2.0-cachyos-g372c9ba96bd4-dirty_6.19.13-g372c9ba96bd4-8_amd64.deb
sudo update-grub
sudo reboot
```

| Category | Options |
|---|---|
| Memory Safety | INIT_ON_FREE_DEFAULT_ON, ZERO_CALL_USED_REGS, SHUFFLE_PAGE_ALLOCATOR, SLAB_FREELIST_HARDENED, RANDSTRUCT_PERFORMANCE |
| Module Security | MODULE_SIG_FORCE, MODULE_SIG_ALL, MODULE_SIG_SHA512 |
| Kernel Lockdown | LOCK_DOWN_KERNEL_FORCE_INTEGRITY |
| CPU Mitigations | SLS, RETBLEED, SRSO, GDS, RFDS, Spectre BHI, MMIO Stale Data |
| Scheduler | BORE + CachyOS optimizations |
| Access Control | SECURITY_DMESG_RESTRICT, STRICT_DEVMEM, IO_STRICT_DEVMEM |
| Attack Surface | NET_SCH_QFQ disabled (CVE-2026-22976), INET_DIAG_DESTROY disabled |
| CVE | CVSS | Type | Mitigation |
|---|---|---|---|
| Dirty Frag (no CVE) | ~9.0 | LPE via xfrm-ESP + RxRPC page-cache write | Module blacklist + kernel patch (SKBFL_SHARED_FRAG) |
| CVE-2026-22976 | 5.5 | NULL deref in sch_qfq | Module disabled (NET_SCH_QFQ=n) |
| CVE-2025-37916 | 7.8 | UAF in pds_core | Module build (depends on hardware) |
| CVE-2025-38179 | 7.8 | OOB in cifs | CIFS_SMB_DIRECT not set |
| CVE-2026-23171 | 7.8 | UAF in bonding | Module build |
| CVE-2026-23198 | 7.8 | UAF in KVM | Module build |
| CVE-2026-23336 | 7.8 | UAF in cfg80211 | Module build |
| CVE-2026-31494 | 7.8 | OOB in macb | Module build |
| CVE-2026-31431 | 7.8 | Copy Fail LPE | ✅ Patched |
| CVE-2026-31589 | 9.8 | UAF in folio_unmap | ✅ Patched |
| CVE-2026-31649 | 9.8 | Integer underflow stmmac | ✅ Patched |
| CVE-2026-31533 | 7.8 | UAF in TLS | ✅ Patched |
| CVE-2026-31408 | 5.5 | UAF in Bluetooth SCO | ✅ Patched |
Full CVE tracking: kernel-6.19-custom/CVE-TRACKING.md
```bash
# Get kernel source
wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.19.tar.xz
tar xf linux-6.19.tar.xz
cd linux-6.19

# Apply our hardened config
cp configs/defconfig .config
make olddefconfig

# Apply NVIDIA compat patch (if using NVIDIA proprietary driver)
patch -p1 < ../nvidia-compat-mutex_destroy.patch

# Build
make -j$(nproc)
sudo make modules_install
sudo make install
sudo update-grub
```

How our custom kernel compares against major distro kernels:
| Hardening Option | Our Kernel 6.19 | Solus LTS 6.18 | Debian 6.12 |
|---|---|---|---|
| CPU Mitigations (24) | ✅ All | ✅ All | ✅ All |
| Struct Randomization | ✅ PERFORMANCE | ❌ NONE | ❌ NONE |
| Module Signing (Force) | ✅ SHA-512 | ❌ | ❌ |
| Kernel Lockdown | ✅ INTEGRITY | ❌ | ❌ |
| INIT_ON_FREE | ✅ Zero on kfree | ❌ | ❌ |
| ZERO_CALL_USED_REGS | ✅ | ❌ | ❌ |
| DMESG_RESTRICT | ✅ | ❌ | ❌ |
| IO_STRICT_DEVMEM | ✅ | ❌ | ❌ |
| Dirty Frag LPE | ✅ Patched | ❌ Vulnerable | ❌ Vulnerable |
Solus comparison based on PR #8790 (linux-lts 6.18.28).
- configs/defconfig — boot config (minimal, what ships in /boot)
- configs/defconfig-full — full config with all options
- configs/dirtyfrag.conf — module blacklist for Dirty Frag mitigation
| File | CVE | Severity | Description |
|---|---|---|---|
| CVE-2026-31431-copy-fail.patch | CVE-2026-31431 | HIGH (7.8) | Copy Fail - Local Privilege Escalation via page cache |
| CVE-2026-31589-folio-unmap-uaf.patch | CVE-2026-31589 | CRITICAL (9.8) | Use-after-free in folio_unmap_invalidate |
| CVE-2026-31649-stmmac-integer-underflow.patch | CVE-2026-31649 | CRITICAL (9.8) | Integer underflow in stmmac Ethernet driver |
| CVE-2026-31533-tls-uaf.patch | CVE-2026-31533 | HIGH (7.8) | Use-after-free in TLS subsystem |
| CVE-2026-31408-bluetooth-sco-uaf.patch | CVE-2026-31408 | MEDIUM (5.5) | Use-after-free in Bluetooth SCO |
| nvidia-compat-mutex_destroy.patch | N/A (compat) | — | Export mutex_destroy as non-GPL for NVIDIA DKMS |
```bash
git clone https://github.com/MethodWhite/kernel-security-patches.git
cd kernel-security-patches

# Download kernel source
apt-get source linux-image-$(uname -r)

# Apply patches
chmod +x apply-kernel-fixes.sh
./apply-kernel-fixes.sh /path/to/kernel/source

# Build and install
cd /path/to/kernel/source
make -j$(nproc)
sudo make modules_install
sudo make install
sudo update-grub
sudo reboot
```

```bash
chmod +x apply-fixes-immediate.sh
sudo ./apply-fixes-immediate.sh
```

Hardening applied:
- Disable ICMP echo (stealth mode)
- SSH hardening (key-based auth, no root login)
- Service lockdown (disable unused remote services)
- Network hardening (disable source routing, redirects)
- Kernel sysctl security (kptr_restrict, dmesg_restrict, bpf disabled)
```bash
uname -r                                  # Should show 6.19.13+
cat /etc/modprobe.d/dirtyfrag.conf        # Dirty Frag blocked
sysctl kernel.unprivileged_bpf_disabled   # = 1
sysctl kernel.kptr_restrict               # = 2
sysctl kernel.dmesg_restrict              # = 1
```

```text
├── configs/
│   ├── defconfig                         # Kernel boot config (hardened)
│   ├── defconfig-full                    # Full kernel config
│   └── dirtyfrag.conf                    # Dirty Frag module blacklist
├── kernel-6.19-custom/
│   ├── CVE-TRACKING.md                   # Complete CVE audit for custom kernel
│   └── CHANGELOG.md                      # Build changelog
├── CVE-2026-31431-copy-fail.patch
├── CVE-2026-31589-folio-unmap-uaf.patch
├── CVE-2026-31649-stmmac-integer-underflow.patch
├── CVE-2026-31533-tls-uaf.patch
├── CVE-2026-31408-bluetooth-sco-uaf.patch
├── nvidia-compat-mutex_destroy.patch     # NVIDIA DKMS compat (EXPORT_SYMBOL)
├── apply-kernel-fixes.sh                 # Kernel patch applicator
├── apply-fixes-immediate.sh              # System hardening
├── apply-security-patches.sh             # Security-only patcher
├── apply-system-hardening.sh             # Full system hardening
├── system-security-analyzer.sh           # Security analysis tool
├── INFORME_ANALISIS_SISTEMA.md           # System analysis (ES)
├── INFORME_COMPLETO_VULNERABILIDADES.md  # Vulnerability report (ES)
└── README.md
```
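The verification commands above check a few values by hand; the following audit script, added here as an example and not part of this repository, turns the hardening list and the config-table expectations (sysctl values, lockdown mode, forced module signing, the dirtyfrag.conf blacklist) into PASS/FAIL checks with the failure count as exit status. The network sysctl keys and their values are my reading of "disable ICMP echo / source routing / redirects", not taken from the repo's scripts, and every path is a parameter so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added audit script, not part of this repository: verifies the runtime state the
# hardening list and verification commands above describe. Paths are parameters so
# the checks can be exercised against constructed files as well as the live system.

# read_first FILE -> first line of FILE, or "missing" if it cannot be read
read_first() {
  if [ -r "$1" ]; then head -n 1 "$1"; else printf 'missing'; fi
}

# check_eq NAME ACTUAL EXPECTED -> prints PASS/FAIL, returns 0 only on a match
check_eq() {
  if [ "$2" = "$3" ]; then printf 'PASS %s=%s\n' "$1" "$2"; return 0; fi
  printf 'FAIL %s=%s (expected %s)\n' "$1" "$2" "$3"; return 1
}

# lockdown_mode FILE -> active (bracketed) word in /sys/kernel/security/lockdown,
# e.g. "none [integrity] confidentiality" -> integrity
lockdown_mode() { sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1" 2>/dev/null; }

# blacklist_entries FILE -> number of "blacklist"/"install" lines in a modprobe.d file
blacklist_entries() {
  n=$(grep -cE '^(blacklist|install) ' "$1" 2>/dev/null)
  [ -n "$n" ] || n=0
  printf '%s' "$n"
}

# audit SYSCTL_ROOT LOCKDOWN_FILE SIG_ENFORCE_FILE DIRTYFRAG_CONF
# -> return code is the number of failed checks (0 = every expectation met)
audit() {
  fails=0
  for kv in kernel/unprivileged_bpf_disabled=1 kernel/kptr_restrict=2 \
            kernel/dmesg_restrict=1 net/ipv4/icmp_echo_ignore_all=1 \
            net/ipv4/conf/all/accept_source_route=0 net/ipv4/conf/all/accept_redirects=0; do
    check_eq "${kv%=*}" "$(read_first "$1/${kv%=*}")" "${kv#*=}" || fails=$((fails+1))
  done
  check_eq lockdown "$(lockdown_mode "$2")" integrity || fails=$((fails+1))
  check_eq module.sig_enforce "$(read_first "$3")" Y || fails=$((fails+1))
  if [ "$(blacklist_entries "$4")" -gt 0 ]; then printf 'PASS %s blocks modules\n' "$4"
  else printf 'FAIL %s missing or has no entries\n' "$4"; fails=$((fails+1)); fi
  return $fails
}

# Run against the live system unless sourced as a library (AUDIT_LIB=1); run as root
if [ "${AUDIT_LIB:-0}" != 1 ]; then
  if audit /proc/sys /sys/kernel/security/lockdown \
      /sys/module/module/parameters/sig_enforce /etc/modprobe.d/dirtyfrag.conf; then
    echo "all checks passed"
  else
    echo "some checks failed, see FAIL lines above"
  fi
fi
```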
- NVD — National Vulnerability Database
- Linux Kernel Mailing List
- Dirty Frag Disclosure
- Kernel Self Protection Project
- CERT-EU Security Advisories
MIT License — Free to use, modify, and distribute.
Patches provided as-is. Always backup before applying kernel updates. Test in a VM/sandbox before deploying to production.
Last Updated: 2026-05-12 — Kernel: 6.19.13.parrot.custom+2.0-cachyos (hardened) · 6.12.x (patch series)