A Linux kernel maintainer has proposed a kill switch that would let administrators disable vulnerable kernel functions before patches arrive. The idea, backed by Red Hat, has divided the security community. Critics warn it may become a crutch that delays actual patching and creates new operational risks.
Sasha Levin, a distinguished engineer at Nvidia and co-maintainer of the Linux long-term support kernel trees, has proposed a mechanism that lets privileged administrators disable vulnerable kernel functions before patches arrive. When a zero-day is found, fleets stay exposed during the gap between disclosure and a deployed patch. For most users, Levin argues, temporarily losing access to a socket family costs far less than running a known vulnerable kernel.
The proposal arrives during an unusually turbulent stretch for Linux security. We recently reported on Copy Fail (CVE-2026-31431), a logic bug that lets unprivileged users gain root access. It is now actively exploited, with CISA adding it to its Known Exploited Vulnerabilities catalog and setting a federal remediation deadline of May 15. Shortly after, Dirty Frag emerged, combining two vulnerabilities in Linux’s IPsec ESP subsystem and the RxRPC protocol, with a public proof-of-concept released on May 7.
Linux kernel CVEs jumped from around 300 in 2023 to over 5,500 this year, a surge partly attributed to greater use of AI-powered vulnerability research tools. Patching at a high enough pace, across distributed enterprise fleets, is perhaps not practical. But a kill switch is not a patch.
Concerns do often arise around the validity of all these reported bugs, and AI hallucinating vulnerabilities remains a distinct possibility. However, recent findings from Mozilla suggest the latest crop of security-focused LLMs rarely produces false positives. Still, some have argued that Claude Mythos, a model reportedly too dangerous on cybersecurity grounds to release to the public, is an elaborate marketing stunt.
A divided community
Critics argue admins will reach for the switch instead of actually patching. Technical objections surfaced too: the proposed code disables a top-level entry point that already handles failure states, so it potentially goes further than intended. As other, very different debates around Linux kernel development have shown, the community takes a dim view of changes that trade correctness for convenience. A notion as radical as this one will continue to meet stiff resistance if pursued.
Red Hat backs the idea
One of the space’s heavyweights, Red Hat, is supportive. “We’re supportive of incorporating kill switch capabilities into the kernel, especially as the pace and severity of exploits expand due to LLM-driven scanning,” said Mike McGrath, vice president for core platforms at Red Hat. He noted that patches are frequently disruptive at scale, and that non-disruptive mitigations are vital for in-the-moment protection until a permanent patch lands.
Others are more cautious. A more critical executive quoted by Network World noted that few admins can assess the business impact of disabling a kernel function without first testing it in non-production environments, which still takes time and effort.
The proposal remains open for community review within the open-source Linux project.