Kernel: nftables, exploiting NVIDIA's GPU Linux driver, and Landlock-ing Linux
-
Michael Kjörling ☛ Fast bulk loading of nftables IP (IPv4, IPv6) address sets with timeouts
One of the nicer features of Linux nftables in my opinion is named sets. A named set allows referring to a set of values, such as IP addresses, from one or more rules without embedding those values directly into the rule itself.
Even nicer, set elements can have individual timeouts. This is a convenient way to make self-cleaning sets, which I already used in my nftables port knocking example from years ago.
-
Quarkslab ☛ Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers
This article details two bugs discovered in the NVIDIA Linux Open GPU Kernel Modules and demonstrates how they can be exploited. The bugs can be triggered by an attacker controlling a local unprivileged process. Their security implications were confirmed via a proof of concept that achieves kernel read and write primitives.
-
LWN ☛ Landlock-ing Linux (prizrak.me)
The prizrak.me blog is carrying an introduction to the Landlock security module.
Landlock shines when an application has a predictable set of files or directories it needs. For example, a web server could restrict itself to accessing only /var/www/html and /tmp.
Unlike SELinux or AppArmor, Landlock policies don't require administrator involvement or system-wide configuration. Developers can embed policies directly in application code, making sandboxing a natural part of the development process.