2 comments

  • thefreelantern an hour ago

    After “Copy Fail” and now “Dirty Frag”, it feels increasingly likely that AI-assisted vulnerability discovery will start surfacing kernel bugs much faster than before. A lot of these LPEs target obscure or rarely-used modules that are simply enabled by default almost everywhere.

    The obvious answer is “just harden your systems properly”, but manually auditing and blacklisting dozens or hundreds of modules across large fleets of mixed Debian/RHEL/Ubuntu/Arch systems becomes painful very quickly. ModuleJail is intentionally simple:

    * scan loaded modules
    * keep common/safe ones
    * blacklist currently unused ones
    * no reboot required

    It’s not meant to replace proper hardening frameworks or kernel lockdown features. It’s more of a pragmatic “reduce attack surface quickly” tool for real-world environments, disabling thousands of unused kernel modules in one go. If you have exotic drivers, they remain as is. Just ensure all functionality is there prior to running the script. And if you are using a laptop and are considering adding hardware, just remove the file, insert the hardware and run ModuleJail again.
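The four steps in the comment above, written out as an added example that is not ModuleJail's own code: the currently loaded modules (plus an optional keep list) form the keep set, every other .ko shipped for the running kernel counts as unused, and a modprobe.d fragment refuses to load those. Reading `lsmod` output and the .ko path list from files is an assumption made here so the logic can be run against constructed input without touching a live system; the file names, the keep-list file and the output path are all hypothetical.

```shell
#!/bin/sh
# Added example, not ModuleJail's own code. Inputs are read from files so the
# logic can be exercised offline; the live-usage recipe is at the bottom.
set -eu

# Module names from an lsmod listing: skip the "Module Size Used by" header.
loaded_modules() {            # $1: file with lsmod output
    awk 'NR > 1 && NF { print $1 }' "$1" | sort -u
}

# Module names from a list of .ko paths. Files may be compressed (.ko.xz,
# .ko.zst) and use '-' in the file name where the kernel reports '_'.
available_modules() {         # $1: file with one .ko path per line
    sed -E -e 's#.*/##' -e 's/\.ko(\.[a-z0-9]+)?$//' -e 's/-/_/g' "$1" | sort -u
}

# Modules on disk that are neither loaded nor on an explicit keep list.
# The keep list is the hook for hardware you plug in later (docks, USB NICs).
unused_modules() {            # $1: lsmod file, $2: .ko path list, $3: keep-list file (may be /dev/null)
    tmp_keep=$(mktemp); tmp_avail=$(mktemp)
    { loaded_modules "$1"; cat "$3"; } | sort -u > "$tmp_keep"
    available_modules "$2" > "$tmp_avail"
    comm -23 "$tmp_avail" "$tmp_keep"
    rm -f "$tmp_keep" "$tmp_avail"
}

# Emit the modprobe.d fragment. `install X /bin/false` is used rather than a
# bare `blacklist X`: blacklist only stops alias-based autoloading, while the
# install override also makes an explicit `modprobe X` fail. It applies to
# every later modprobe call without a reboot, but it neither unloads modules
# that are already resident nor stops root from insmod'ing the .ko directly;
# that is what module signing and kernel lockdown are for.
write_fragment() {            # $1: unused-module list file, $2: output path
    {
        echo "# generated: modules present on disk but unused at scan time"
        awk '{ print "install " $1 " /bin/false" }' "$1"
    } > "$2"
}

# Live usage (root is needed to write into /etc/modprobe.d):
#   lsmod > /tmp/lsmod.txt
#   find "/lib/modules/$(uname -r)" -name '*.ko*' > /tmp/ko.txt
#   : > /tmp/keep.txt        # add names here for hardware you expect to add
#   unused_modules /tmp/lsmod.txt /tmp/ko.txt /tmp/keep.txt > /tmp/unused.txt
#   write_fragment /tmp/unused.txt /etc/modprobe.d/modulejail-example.conf
# Undo: remove the fragment, plug in the hardware, scan again.
```

Run the scan once with everything you rely on already loaded (mounted filesystems, VPN, USB peripherals), since anything not resident at that moment ends up in the deny list; the keep list exists precisely for the laptop case described above.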

  • undefined 5 hours ago
    [deleted]