Security Research by Kicksecure
Donate
This page tracks security research and vulnerability reports contributed by Kicksecure, including links to upstream bug reports and internal research notes.
Security Vulnerability Bug Reports
[edit]Security issue reports filed at other projects.
Related: Kicksecure Vulnerability Disclosure Policy
Public
[edit]Already published security bug reports and records of fixes.
| Project and report | CVE link | Assigned CVE score |
|---|---|---|
Debian: Local privilege escalation via zuluPolkit, caused by Debian patch 
|
CVE-2025-53391
|
9.3 Critical |
coreutils: cksum: use more defensive escaping for --check
|
None found. | None found. |
systemd: oss-security: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals [1]
|
CVE-2026-40228
|
3.3 Low |
KDE: Dolphin: Improper handling of FileManager1.ShowFolders arguments allows sandbox escape
|
CVE-2026-41525
|
6.5 Moderate |
LXQt / PCManFM-Qt: oss-security: PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method
|
CVE-2026-48700
|
9.3 Critical |
wine: loader/wine.desktop enables programs to escape Flatpak sandboxes in many if not most situations / openwall: On the issue of MIME handlers that execute arbitrary code (e.g. Wine)
|
CVE-2026-48831
|
7.3 High |
mitigation: File Manager D-Bus shim
Fixing security issues with MIME handler registration in the Desktop Entry spec (on the freedesktop.org mailing list (Freedesktop.org Wikipedia))
Pending publication
[edit]Security bug reports pending publication due to responsible disclosure.
- bug A
- initial report date: 2026-05-18
- intended publication date: 2026-08-17
- no patch yet
Security Research
[edit]Practical defensive security research: hardening work, threat modeling, and attack surface analysis. Synthesis of Linux distribution maintainer oriented decision making, security engineering, and maintainability considerations.
| Page | Short summary | Type |
|---|---|---|
| Strong Linux User Account Isolation | Overview of Linux user and root separation, attack vectors, and default and optional hardening measures.
|
Research and implementation |
| Verified Boot | Explains verified boot and chain of trust goals, advantages, limitations, and implementation considerations. | Research |
| Sovereign Boot | Sovereign Boot helps you control what your computer trusts during startup. | Design |
| ram-wipe / Dev/RAM Wipe | Wipes RAM on shutdown. (dracut module)
|
Research and implementation |
| Entropy | Technical discussion of entropy sources and randomness topics. | Research |
| remount-secure | Hardening proposal for secure mount options and a maintainable way for a distribution to apply them. | Research |
| Compiler Hardening | Overview of compiler hardening flags and link time options for GCC and Clang, focusing on exploit mitigation and diagnostics. | Notepad |
| About Computer (In)Security | Broad background notes and examples about computer insecurity and related concepts. | Essay |
| Trusting Kicksecure | Trust model discussion (backdoors, signatures, image verification) and how to place trust in the supply chain. | Essay |
| Secure Boot | Critical discussion of Secure Boot design tradeoffs, threat model, and limitations for user controlled trust currently on Intel/AMD64. | Summary |
| Factory Reset, Stateless Systems, Anti-Hysteresis | Discussion of stateless and anti-hysteresis systems, upgrades and rollback risks, and links to related immutable approaches. | Notepad |
| apt-revoker | Proposal for tooling to revoke compromised APT signing keys. | Design |
| Stable vs Rolling Distributions - Security Analysis | Security analysis of stable and rolling release models. | Analysis |
| Permanent Takedown Attack Defender | Proposal to keep project metadata and update communication resilient against takedown, rollback, and freeze attacks, with Tor and signature considerations. | Design |
| Confidential Computing | Survey and threat model notes around encrypted RAM and remote attestation technologies for cloud and hardware trust. | Survey |
| vm-app-manager | Proposal for a virtualization based application sandbox with reduced VM escape surface and user controllable isolation features. | Notepad |
Pages marked "Notepad" are security relevant working notes or drafts that likely need more structure or completion before being presented as finished security research. Pages marked "Essay" are mostly conceptual discussion.
Privacy and Anonymity Research
[edit]See Whonix research
.
A secure by default operating system with the latest security research in place.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2026 ENCRYPTED SUPPORT LLC
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 14 year success story and maybe DONATE!