Elestio Catalog Updates: Linux 7.0 Lands, WordPress 7.0 Delayed, and 3 Critical CVEs (April 5-12, 2026)
This was the week Linux jumped to version 7.0, WordPress 7.0 got delayed, and Jellyfin shipped a follow-up patch to fix regressions from last week's security release. A quieter week on the release front, but with some landmark moments. Here's what dropped.
Security Alerts
Three critical patches disclosed this week — apply them if you're running affected versions:
- OpenCTI 6.9.5 — Patches CVE-2026-39980 (CVSS 9.1), an arbitrary JavaScript execution vulnerability allowing authenticated users to run code on the server.
- Nix 2.34.5 (and backports across 6 versions) — Patches CVE-2026-39860 (CVSS 9.0), a privilege escalation via symlink following that lets local users overwrite arbitrary files as root.
- Canonical LXD 6.8 — Patches CVE-2026-34178 (CVSS 9.1), a project restriction bypass during backup import that lets authenticated attackers escape project boundaries.
Hosting & Infrastructure
- Linux Kernel 7.0 (April 12) — The stable release lands today, marking the first major version bump since Linux 6.0 in October 2022. Notable changes: Intel TSX defaults to "auto" mode on capable CPUs (performance boost out of the box), AMD EPYC scheduler scalability improvements, autonomous XFS self-healing, improved EXT4 concurrent direct I/O write performance, and driver enablement for Intel Nova Lake and AMD Zen 6. Ubuntu 26.04 LTS is expected to ship with this kernel.
- OpenSSH 10.3 (April 2) — Patches 5 security vulnerabilities including a shell injection flaw. Agent listener sockets moved from /tmp to ~/.ssh/agent for hardened access control. New invaliduser penalty for brute-force protection.
Development
- N8N (April 7) — Bug fix release addressing workflow execution issues.
- WordPress 7.0 — DELAYED — Was scheduled for April 9 but postponed to mid-to-late May 2026. The real-time collaboration feature (Google Docs-style simultaneous editing) has a performance issue requiring deeper architectural work. A new schedule will be announced by April 22. Everything else in the 7.0 feature set is ready.
Applications
- Jellyfin 10.11.8 — Stable bugfix release fixing regressions introduced in last week's security-focused 10.11.7 release. Improvements to subtitle saving, media language filtering, and folder handling. If you upgraded to 10.11.7 for the security patches, grab this follow-up to smooth out the rough edges.
What Stood Out This Week
1. Linux Kernel 7.0 is a milestone, even if Linus says it isn't. Yes, the version bump is cosmetic ("I'm running out of fingers and toes"). But practically, this kernel underpins the next generation of self-hosted AI infrastructure. Intel TSX defaulting to auto mode, AMD EPYC scheduler improvements, and EXT4 write performance gains all matter for production workloads. If you're running bare-metal GPU servers with Ollama or AI workloads, kernel 7.0 is the foundation to build on.
2. WordPress 7.0 delay is the right call. Real-time collaboration is the kind of feature that either works perfectly or destroys trust. Shipping it with known performance issues on a CMS that powers 40%+ of the web would have been reckless. The delay hurts, but it's better than a recall.
3. Three CVSS 9+ vulnerabilities in one week. OpenCTI, Nix, and LXD all got critical patches. The common thread? In all three, a user who already has access (authenticated in OpenCTI and LXD, local in Nix) escalates privileges: backup imports bypassing project restrictions (LXD), symlinks overwriting arbitrary files as root (Nix), and arbitrary JavaScript execution on the server (OpenCTI). If you self-host any of these, don't wait.
4. Jellyfin's patch-the-patch cycle. Releasing 10.11.8 to fix regressions from 10.11.7 (which was itself a critical security fix) is a healthy sign. The team prioritised getting security patches out fast and then cleaned up the fallout. That's the right approach.
Deploy Updated Versions on Elestio
All services on Elestio receive automatic updates, so security patches are applied without manual intervention. Browse the full catalog at elest.io/fully-managed-services.
That's a wrap for this week. Upgrade your kernels, patch your containers, and we'll see you next Sunday.
Thanks for reading ❤️ See you in the next one 👋