Description
Linux kernel 6.6.137-ky for the Orange Pi RV2 (KY X1 SoC, RISC-V 64-bit), built from the OrangePi 6.6.63 sources with the upstream security fixes from vanilla 6.6.137 backported on top.
Security Fixes
CVE-2026-31431: Local Privilege Escalation (LPE) via algif_aead

| Detail | Value |
|---|---|
| Severity | CVSS 7.8 (High) |
| Vulnerable component | crypto/algif_aead.c, the AEAD interface of the userspace crypto API (AF_ALG) |
| Impact | A local unprivileged user can write 4 controlled bytes into the page cache of any file they can read (write permission on the file is not required), and from there gain root privileges |
| Upstream fix | Commit a664bf3d603d, which reverts the 2017 in-place optimization (commit 72548b093ee3) |
In addition to the CVE above, this kernel includes all upstream fixes applied between 6.6.63 and 6.6.137 to files not modified by OrangePi: 6594 files, covering in particular:

- net/: networking stack (IPv4, TCP, wireless)
- fs/: filesystems
- kernel/: core, BPF, scheduler
- crypto/: cryptographic subsystem
- security/: AppArmor, SELinux, Landlock
- mm/: memory management
- include/: kernel headers

Files that carry OrangePi modifications (vendor drivers and SoC support) are not covered by this sweep and remain at their 6.6.63 state, so upstream fixes touching those files are not included.
Notable Modules

| Module | Description |
|---|---|
| zram (=m) | Compressed RAM swap (zstd by default) |
| zsmalloc (=m) | Memory allocator for zram |
| rtl8852bs (=m) | Realtek RTL8852BS WiFi (PCIe) |
| rtl8xxxu (=m) | Realtek USB WiFi (RTL8192CU, RTL8187, etc.) |
| usb_rtl8152 (=m) | Realtek RTL8152/8153 USB Ethernet |
| usb_dwc3_ky (=y) | KY DWC3 USB controller (native RV2) |
| can_flexcan (=y) | FlexCAN bus |
Kernel Configuration

| Parameter | Value |
|---|---|
| Architecture | RISC-V 64-bit |
| SoC | KY X1 (CONFIG_SOC_KY_X1=y) |
| Preemption | PREEMPT=y (soft real-time) |
| HZ | 250 |
| BPF JIT | Enabled |
| cgroups | Enabled (Docker/containers) |
| Namespaces | Enabled (user, net, pid, ipc) |
| IO_URING | Enabled |
| IKCONFIG | Enabled (/proc/config.gz) |
| ZRAM | Module (=m), zstd compression |
| FTRACE | Enabled |
Installation

```sh
# Copy the .deb packages to the Orange Pi RV2
scp linux-*.deb user@orangepi-rv2:~

# Install in this order (DTB first, then image, then headers)
sudo dpkg -i linux-dtb-current-ky_6.6.137_riscv64.deb
sudo dpkg -i linux-image-current-ky_6.6.137_riscv64.deb
sudo dpkg -i linux-headers-current-ky_6.6.137_riscv64.deb
sudo reboot
```
Enable ZRAM after installation

```sh
# Load the module
sudo modprobe zram

# Create a zram device sized to total RAM (disksize accepts a K suffix)
TOTAL_MEM=$(grep MemTotal /proc/meminfo | awk '{print $2}')
echo "${TOTAL_MEM}K" | sudo tee /sys/block/zram0/disksize

# Format and activate as swap with a high priority
sudo mkswap /dev/zram0
sudo swapon -p 100 /dev/zram0

# Make the module load persistent across reboots
echo "zram" | sudo tee /etc/modules-load.d/zram.conf
```
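The steps above are not idempotent: re-running them on a device that is already configured fails at the `disksize` write, and sizing the device to 100% of RAM is an aggressive default. The script below is an added example (not part of this release or of orangepi-build) that performs the same setup in a re-runnable way. It assumes the upstream zram sysfs layout (`/sys/block/zram0/{comp_algorithm,disksize,reset}`) that this kernel's `zram (=m)` module provides; the 50% default and the `zram-setup.sh` file name are this example's own choices.

```sh
#!/bin/sh
# Added example: idempotent zram swap setup for the 6.6.137-ky kernel.
# Assumes the upstream zram sysfs interface; percent-of-RAM default is ours.
set -eu

# Compute the zram disksize in KiB from a meminfo-style file.
# $1: path to /proc/meminfo (or a saved copy); $2: percent of MemTotal (default 50).
zram_disksize_kib() {
    total=$(awk '/^MemTotal:/ { print $2 }' "$1")
    [ -n "$total" ] || return 1
    echo $(( total * ${2:-50} / 100 ))
}

# Print "active" if /dev/zram0 is listed in a /proc/swaps-style file, else "inactive".
# $1: path to /proc/swaps (or a saved copy).
zram_swap_state() {
    if awk '$1 == "/dev/zram0" { found = 1 } END { exit !found }' "$1"; then
        echo active
    else
        echo inactive
    fi
}

# Configure zram0 as swap. Requires root; safe to run more than once.
# $1: percent of MemTotal to use for the device (default 50).
zram_setup() {
    pct=${1:-50}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    modprobe zram
    if [ "$(zram_swap_state /proc/swaps)" = active ]; then
        echo "zram0 is already active as swap, nothing to do"
        return 0
    fi

    # disksize can only be written on an unconfigured device: reset a stale one.
    if [ "$(cat /sys/block/zram0/disksize)" != 0 ]; then
        echo 1 > /sys/block/zram0/reset
    fi

    # The release default is zstd; setting it explicitly documents intent.
    # comp_algorithm must be written before disksize.
    echo zstd > /sys/block/zram0/comp_algorithm
    echo "$(zram_disksize_kib /proc/meminfo "$pct")K" > /sys/block/zram0/disksize

    mkswap /dev/zram0 > /dev/null
    swapon -p 100 /dev/zram0
    echo zram > /etc/modules-load.d/zram.conf
    echo "zram0 configured: $(cat /sys/block/zram0/disksize) bytes, $(cat /sys/block/zram0/comp_algorithm)"
}

# Run the setup only when executed as a script named zram-setup.sh (our name),
# so the functions can also be sourced and tested without touching the system.
case "$0" in
    zram-setup.sh|*/zram-setup.sh) zram_setup "${1:-50}" ;;
esac
```

Run it as `sudo ./zram-setup.sh 50` after the kernel is installed; a second run reports that zram0 is already active instead of failing on the sysfs write.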
Post-installation check

```sh
# Kernel version
uname -r
# Expected: 6.6.137-ky

# CVE-2026-31431 is mitigated in this build: a proof-of-concept exploit for it
# must now fail (it ends in a password prompt or EPERM instead of a root shell)
```
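`uname -r` only proves that the version string matches; since this build has IKCONFIG enabled, the running kernel's configuration can also be compared against the table above through `/proc/config.gz`. The script below is an added example (not from this release) that does both. The list of expected `CONFIG_*` values is this example's own selection from the release's configuration table (the Kconfig symbol names are the standard upstream ones; `CONFIG_SOC_KY_X1` is the one the page names), and the `verify-kernel.sh` file name is assumed.

```sh
#!/bin/sh
# Added example: verify the running kernel is the 6.6.137-ky build described
# in the release notes, using uname and the IKCONFIG-exposed config.
set -eu

EXPECTED_RELEASE="6.6.137-ky"

# One "CONFIG_X=value" per line; our selection from the release's config table.
EXPECTED_CONFIG='CONFIG_SOC_KY_X1=y
CONFIG_PREEMPT=y
CONFIG_HZ=250
CONFIG_BPF_JIT=y
CONFIG_IO_URING=y
CONFIG_IKCONFIG_PROC=y
CONFIG_ZRAM=m
CONFIG_FTRACE=y'

# Succeeds only if $1 (the output of uname -r) is the expected release string.
check_release() {
    [ "$1" = "$EXPECTED_RELEASE" ]
}

# Report every expected option that is absent or set differently in a
# plain-text kernel config. $1: path to an uncompressed .config.
# Returns 1 if at least one option is missing, 0 if all match.
missing_config() {
    missing=0
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if ! grep -qx -- "$want" "$1"; then
            key=${want%%=*}
            have=$(grep -e "^${key}=" -e "^# ${key} is not set" "$1" | head -n 1)
            echo "MISSING: $want (found: ${have:-nothing})"
            missing=1
        fi
    done <<EOF
$EXPECTED_CONFIG
EOF
    return $missing
}

# Check the live system: version string first, then the IKCONFIG dump.
verify_running_kernel() {
    running=$(uname -r)
    check_release "$running" || { echo "unexpected kernel: $running" >&2; return 1; }

    tmp=$(mktemp)
    gzip -dc /proc/config.gz > "$tmp"
    if missing_config "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"

    [ "$rc" -eq 0 ] && echo "running $EXPECTED_RELEASE with the expected configuration"
    return "$rc"
}

# Only run against the live system when executed as verify-kernel.sh (our name).
case "$0" in
    verify-kernel.sh|*/verify-kernel.sh) verify_running_kernel ;;
esac
```

A matching version string and configuration show that the installed package is the one this release describes; the presence of the CVE-2026-31431 fix itself follows from the sources this build was made from, not from anything `uname` can report.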
Packages

| Package | Description |
|---|---|
| linux-image-current-ky_6.6.137_riscv64.deb | Kernel image + modules |
| linux-dtb-current-ky_6.6.137_riscv64.deb | Device Tree Blobs (required for boot) |
| linux-headers-current-ky_6.6.137_riscv64.deb | Kernel headers (for out-of-tree modules) |
Built with orangepi-build — SoC KY X1 / Orange Pi RV2 — RISC-V 64-bit