Weekly Changes – 11/05/2026
This release includes a lot of work related to the recently discovered “Copy Fail” and “Dirty Frag” kernel vulnerabilities. Here are the details of all the notable changes…
Kernel vulnerabilities
There is a new LCFG header – lcfg/options/cve_2026_43284.h – which can be used to block the loading of kernel modules affected by the “Dirty Frag” vulnerability (CVE-2026-43284 / CVE-2026-43500). This utilises the new LCFG_BLOCK_MODULE macro.
There is a new LCFG header – lcfg/options/cve_2026_31431.h – which can be used to block the loading of the kernel modules affected by the “Copy Fail” vulnerability (CVE-2026-31431). This utilises the new LCFG_BLOCK_MODULE macro.
Note that all sites have already had emergency live fixes applied for these vulnerabilities.
The LCFG hardware component provides a new kmod-module-blocked script which may be used instead of /bin/false in the modprobe config when blocking the loading of modules. As well as blocking loading, it will generate a useful syslog message which can be easily monitored.
There is also a new modprobe-wrapper script which may be used in place of the standard modprobe. The script will record all the details in syslog before passing on to the real modprobe command. Again, this allows the easy monitoring of attempts to load kernel modules.
There are two new macros provided for managing kernel modules: LCFG_BLOCK_MODULE and LCFG_LOAD_MODULE_AT_BOOT. The LCFG_BLOCK_MODULE macro will block loading of a module using the new kmod-module-blocked script. The LCFG_LOAD_MODULE_AT_BOOT macro will append a module name to the LCFG hardware component permmodules resource, which is used to configure systemd-modules-load.service(8).
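The following is an added example, not part of the LCFG code: a small checker that reads modprobe.d-style configuration and reports whether each module that should be blocked really has an install line pointing at a blocking command. The module names, the sample config and the /usr/sbin path for kmod-module-blocked are constructed assumptions.

```python
import os

# Basenames that make an "install" line a block. kmod-module-blocked is
# matched by basename because the page does not give its installed path.
BLOCKERS = {"false", "true", "kmod-module-blocked"}

def norm(name):
    # modprobe treats '-' and '_' in module names as the same character
    return name.replace("-", "_")

def audit_modprobe_config(text, required):
    """Classify each required module as blocked / not-blocked /
    blacklist-only / missing from modprobe.d-style config text."""
    installs, blacklisted = {}, set()
    # modprobe.d(5): a trailing backslash continues the line
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "blacklist" and len(fields) >= 2:
            blacklisted.add(norm(fields[1]))
        elif fields[0] == "install" and len(fields) >= 3:
            cmd = os.path.basename(fields[2])
            installs.setdefault(norm(fields[1]), []).append(cmd in BLOCKERS)
    report = {}
    for mod in map(norm, required):
        if mod in installs:
            # Conservative: every install line for the module must be a blocker
            report[mod] = "blocked" if all(installs[mod]) else "not-blocked"
        elif mod in blacklisted:
            # blacklist only suppresses alias autoloading; explicit modprobe works
            report[mod] = "blacklist-only"
        else:
            report[mod] = "missing"
    return report

# Constructed sample config; module names are placeholders, not the modules
# affected by the CVEs above, and the kmod-module-blocked path is assumed.
SAMPLE = """\
# constructed example
install mod_a /bin/false
install mod-b /usr/sbin/kmod-module-blocked
blacklist mod_c
install mod_d /sbin/modprobe --ignore-install mod_d
"""

if __name__ == "__main__":
    wanted = ["mod_a", "mod_b", "mod_c", "mod_d", "mod_e"]
    for mod, state in audit_modprobe_config(SAMPLE, wanted).items():
        print(f"{mod}: {state}")
```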
Dell System Updater (dsu)
It is now possible to load at boot-time all kernel modules necessary for running dsu. This makes it possible to disable the loading of kernel modules at the end of the boot sequence. You need to define the ED_DSU_LOAD_MODULES macro before including the ed/options/dsu.h header; this is now the standard behaviour on DICE servers.
auditd
The default audit.rules now watches kmod for any attempts to load kernel modules. There is also a new extra_rules resource which can be used to add extra verbatim rules. This is helpful when you need to rapidly deploy different types of rules not specifically supported by the LCFG component, but should be used cautiously since it will be easy to break the generated config.
The lcfg-auditd package now provides a useful helper script to improve the rotation of log files.
DHCP
For systems relying on DHCP for all their network configuration, the default gateway resource will no longer be set in the netplan.
nvidia
The default nvidia series is now 580. Note that Ubuntu have made the latest updates for the older 570 packages depend upon the 580 series to force the upgrade.
rdisc routing daemon
On all DICE systems, the rdisc routing daemon will be disabled after this release. Static gateway configuration in the netplan will be used instead. We intend to remove all the remaining configuration and packages by the end of May.
Changes to headers and package lists
Members of the Informatics Computing team can browse all the changes to the headers and package lists.

