Rocky Linux launches an optional security repository for critical hot-fixes, used for as long as RHEL has no patch of its own. The first use case is Dirty Frag (CVE-2026-43284, CVE-2026-43500), a local privilege escalation in the Linux kernel with a working public PoC. The repo is not enabled by default and has to be switched on deliberately.
Update 2026-05-19: The repo is live and carries noticeably more than a single hot-fix. Currently in it (Rocky 9): three kernel builds that together address CVE-2026-43284 (Dirty Frag, IPsec ESP), CVE-2026-46300 (Fragnesia, ESP-in-TCP) and CVE-2026-46333 (ssh-keysign-pwn, ptrace get_dumpable()). Rocky 8 and 10 run parallel hot-fix series. CVE-2026-43500 (rxrpc) was initially included; that patch was pulled after an upstream decision, and the only package still affected is kernel-modules-partner from the unsupported devel repo.
Rocky Linux has always followed the policy of never shipping packages ahead of RHEL. The security repo softens this in narrowly defined emergencies: a critical vulnerability, a publicly available exploit, and no upstream patch yet. The regular release model stays unchanged; BaseOS and AppStream still follow upstream. The security repo is a supplement for emergencies, not a replacement.
First in line is Dirty Frag. The vulnerability affects Linux kernel versions back to 2017 and is described by the Rocky security team as "highly reliable and deterministic" to exploit, without race conditions or timing dependencies. Local access is enough. Multi-tenant hosts are particularly exposed: container platforms, CI infrastructure, HPC clusters, university systems, and anything with shell access for multiple users.
Prerequisite: an up-to-date rocky-repos package:
$ sudo dnf update rocky-repos
A one-off update from the repo without enabling it permanently:
$ sudo dnf --enablerepo=security update
$ sudo systemctl reboot
Or enable the repo permanently (creates /etc/yum.repos.d/Rocky-Security.repo):
$ sudo dnf config-manager --set-enabled security
$ sudo dnf update
$ sudo systemctl reboot
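As an added example (not Rocky's own tooling, not part of the original post), a small POSIX shell wrapper around the one-off procedure above: it refreshes rocky-repos, confirms the repo id is known before pulling from it, and, after the reboot, checks that the kernel actually running is the newest one installed. It assumes the repo id is `security` (as used with --enablerepo above); the kernel release strings in the comments are constructed samples, not the real hot-fix versions.

```shell
#!/bin/sh
# Added example, not Rocky's own script. Usage:
#   sh hotfix.sh apply    # one-off update from the security repo
#   sudo systemctl reboot
#   sh hotfix.sh check    # after the reboot: is the new kernel running?
set -eu

REPO_ID=security   # assumption: the repo id used with --enablerepo

# Print the highest of the given kernel release strings. GNU/BSD `sort -V`
# approximates rpm's version ordering well enough for kernel builds of one
# distro; `rpmdev-vercmp` is the authoritative comparison if in doubt.
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Succeed if the running kernel ($1) is the newest of the installed kernels
# ($2..), fail if a newer kernel is installed but has not been booted yet.
# Constructed sample: running 5.14.0-570.12.1.el9_6.x86_64 while
# 5.14.0-570.13.1.el9_6.x86_64 is installed -> fails (reboot still pending).
running_is_newest() {
    running="$1"; shift
    [ "$(newest_kernel "$@")" = "$running" ]
}

# Step 1: make sure the repo definition exists, then take the one-off update
# without enabling the repo permanently.
apply_hotfix() {
    sudo dnf -y update rocky-repos
    if ! dnf repolist --all | awk '{print $1}' | grep -qx "$REPO_ID"; then
        echo "repo '$REPO_ID' not defined; is rocky-repos current?" >&2
        return 1
    fi
    sudo dnf -y --enablerepo="$REPO_ID" update
    echo "update applied; reboot now: sudo systemctl reboot"
}

# Step 2 (after the reboot): the running kernel must be the newest installed.
# rpm's %{VERSION}-%{RELEASE}.%{ARCH} is the same string `uname -r` reports.
check_after_reboot() {
    running="$(uname -r)"
    # word splitting is intended: kernel release strings contain no whitespace
    if running_is_newest "$running" $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'); then
        echo "running the newest installed kernel: $running"
    else
        echo "a newer kernel is installed but not booted (running $running)" >&2
        return 1
    fi
}

case "${1:-}" in
    apply) apply_hotfix ;;
    check) check_after_reboot ;;
    *)     echo "usage: $0 apply|check" >&2 ;;
esac
```

The `check` step is the part worth automating across a fleet: a host that took the update but never rebooted still runs the vulnerable kernel, and `dnf` alone will not tell you that.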
Once upstream catches up, the hot-fix packages are automatically superseded by the official errata packages from BaseOS: the hot-fix packages are versioned so that the official errata sort higher and replace them on the next update.
The security repo only contains hot-fixes for narrowly scoped emergencies, not the full range of security errata. Regular patches still come through BaseOS and AppStream once upstream ships them.