
Summary:
- the bug isn't important unless you run random stranger's code on your computer. If you do, the bug would let them escalate their priviledge.
So - beware of this statement. Everytime you access the internet, you run a random stranger's code on your computer. Yes javascript is generally sandboxed, _but_ a lot of active exploitation is chaining a number of small bugs together to achieve the needed effect. There are some great examples on the Google security blog. Now - having been a distro representative in the past on distros@ - the distros are pretty good at patching these issues, especially when there are serious security issues that led to an embargo. So as long as you regularly do a "dnf update" or whatever the apt equivalent or your distro's equivalent is - you should be fine. Don't forget to reboot to allow the new kernel to actually be running.
- I imagine the only vulnerable systems at the time of the Ars Technica article were those that were not being regularly updated. It came out over three months after fixes were released.
- you can look up what your distro says about CVE-2024-1086
I would highly discourage this piecemeal update of CVEs. For most users, you do not care what CVE was fixed, but that a CVE was fixed. Keep updating your distro on a regular basis (I tend to do it daily, since Fedora has a lot of churn) and as per theory you should be fine. I cannot think of a workload on a laptop/personal computer which cannot handle a reboot. Dhaval