ROBOTICS
Waymo Recalls Nearly 4,000 Robotaxis After Flooded Road Incidents
Here's something that should give you pause: a fully autonomous robotaxi detected a flooded road ahead of it — and drove into it anyway. That's the incident at the center of Waymo's latest recall, which affects 3,791 vehicles running its fifth and sixth generation autonomous driving systems.
According to documents filed with the National Highway Traffic Safety Administration, an unoccupied Waymo vehicle came across a flooded stretch of road posted at 40 mph, correctly identified the hazard, and then proceeded forward at a reduced speed regardless. Nobody was hurt, but the fact that the car essentially shrugged at a danger it had already spotted is the kind of thing that keeps regulators and safety advocates up at night.
Waymo has issued a software update in the meantime, tightening weather-related constraints and refreshing the maps its vehicles rely on. A longer-term fix is still in development. The company hasn't shared a specific timeline for when that will be ready.
What makes the timing especially awkward is that this marks the first recall of Waymo's sixth generation autonomous driving system — the one it launched earlier this year and positioned as its platform for high-volume production. The system is supposed to be the future of the company, designed to work across multiple vehicle models including the rebranded Zeekr RT minivan (now called the Ojai) and the Hyundai Ioniq 5. Waymo is also in talks with Toyota about future integrations. A recall right out of the gate is not the debut anyone was hoping for.
The older fifth generation system, which powers Waymo's current fleet of Jaguar I-Pace vehicles, has now been recalled five times since it launched in 2020. Previous incidents include a vehicle driving past a stopped school bus and another crashing into a stationary object. Most legacy automakers would face serious public scrutiny with that recall history. For a company built entirely around the promise of safer-than-human driving, it's a complicated record to carry.
The deeper issue here isn't just one car driving through a puddle. Waymo has spent most of its operational life in places like Phoenix, Los Angeles, and Austin — cities chosen in part because their weather is predictable and mild. That strategy has insulated the company from exactly this kind of edge case.
But Waymo isn't planning to stay in the Sun Belt forever. It has publicly identified Boston, New York City, and Washington, D.C., as targets for its next wave of expansion. Those cities get ice storms, flash flooding, and heavy snow — conditions that would stress-test any autonomous system far beyond what Waymo's fleet has faced commercially.
Handling adverse weather isn't a nice-to-have for a robotaxi company eyeing the Northeast. It's the whole ballgame. And right now, a flooded road in a dry-climate city was enough to trigger a federal recall. That gap between where Waymo is and where it wants to go is worth watching closely.
Source: The Verge
SECURITY
Linux Hit by Second Critical Vulnerability in Two Weeks
Two weeks. Two severe Linux vulnerabilities. Zero patches available to most end users when the exploit code went public. If you manage Linux servers, this has been a rough stretch — and it's not over yet.
The latest threat is being called Dirty Frag, and it's genuinely nasty. It allows low-privilege users, including those operating inside virtual machines, to escalate their access all the way to root on affected servers. That means someone with a basic foothold on a shared server — the kind that cloud platforms run by the hundreds of thousands — could potentially take complete control of the underlying machine. Microsoft has already reported seeing early signs of hackers experimenting with the exploit in real environments.
What makes Dirty Frag particularly uncomfortable is how clean it is as an attack. The exploit is deterministic, meaning it behaves the same way every single time, across virtually every major Linux distribution. It also produces no system crashes, which strips away one of the most common signals defenders use to detect that something has gone wrong. Quiet, reliable, and widely applicable is about the worst combination you can describe in an exploit.
The vulnerability chains together two separate kernel flaws — CVE-2026-43284 and CVE-2026-43500 — both rooted in how the Linux kernel handles the page cache in memory. Researcher Hyunwoo Kim discovered and disclosed the bugs late last week. Shortly after that disclosure, someone else leaked critical technical details before most Linux distributions had incorporated the upstream kernel patch. That effectively turned it into a zero-day, and Kim responded by publishing his own proof-of-concept exploit code. At that point, the information was already out — withholding it would have helped no one on the defensive side.
As of this writing, Debian, AlmaLinux, and Fedora have released patches. Users on other distributions should check directly with their providers, because the window between public exploit availability and widespread patching is exactly when attacks tend to spike.
This all lands just one week after a separate critical privilege escalation bug, dubbed CopyFail, was disclosed with no end-user patches available at the time. CopyFail shares the same core characteristics as Dirty Frag — deterministic execution, no crashes, works across distributions — because it stems from the same class of kernel flaw: improper handling of the page cache. Security researchers have drawn comparisons to Dirty Pipe, a 2022 vulnerability that exploited the same underlying mechanism and caused widespread concern across enterprise Linux environments.
The pattern here is worth naming directly. This isn't just two isolated bugs showing up in the same news cycle. It's two vulnerabilities from the same bug family, disclosed within days of each other, both going public before patches reached the systems that needed them most. For organizations running shared infrastructure — cloud providers, universities, managed service providers — the risk window is real and the urgency to patch is not theoretical.
Check your distributions. Apply the patches. Then check again next week, because at this pace, the streak may not be done.
Source: Ars Technica