What’s New

• Upgraded OpenLiteSpeed to v1.9.0

• Includes upstream stability improvements and bug fixes

This release incorporates fixes from the official OpenLiteSpeed 1.9.x branch, focusing on performance improvements, security fixes, and more.

For full upstream details, refer to the OpenLiteSpeed 1.9.x release log.

Deployment Information

• Automatic updates will roll out to all compatible servers within 72 hours
• No action required from users for the update process

What’s New

• Improvement: Upgrade the agent's cron job storage mechanism for better stability.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

What’s New

• RC Agent has been updated to support the RunCache (Native) beta. RunCache (Native) is currently available by invitation only as part of our beta testing program (more details coming soon). 

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

What’s New

• Fixed: Firewall-related errors when modifying rules. 
• Improvement: Agent health reporting to eliminate false error alerts during server restarts. 

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

This release updates Apache HTTP Server to v2.4.67, addressing multiple security vulnerabilities and shipping dependency upgrades.

Security Fixes

• CVE-2026-34059: Heap over-read and memory disclosure in mod_proxy_ajp via ajp_parse_data()
• CVE-2026-34032: Heap buffer over-read in mod_proxy_ajp due to missing null-termination check in ajp_msg_get_string()
• CVE-2026-33857: Off-by-one out-of-bounds reads in AJP getter functions (mod_proxy_ajp)
• CVE-2026-33523: HTTP response splitting via malicious status line forwarding across multiple modules
• CVE-2026-33007: Crash in mod_authn_socache via NULL pointer dereference (forward proxy configurations)
• CVE-2026-33006: Timing attack bypass against mod_auth_digest authentication
• CVE-2026-29169: Crash via NULL pointer dereference in mod_dav_lock (indirect lock handling)
• CVE-2026-29168: Unrestricted OCSP response processing in mod_md (resource exhaustion)
• CVE-2026-28780: Heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
• CVE-2026-24072: Privilege escalation via ap_expr in mod_rewrite (.htaccess)
• CVE-2026-23918: Double free and possible RCE in HTTP/2 on early stream reset

Module updates:

• mod_md updated to v2.6.10 (fixes ARI compatibility, OCSP handling, and certificate renewal reliability)
• mod_http2 updated to v2.0.39 (removes custom memory allocator that caused issues with third-party modules; fixes double-free on stream purge)

Fixed

• Resolved missing ${SRVROOT} entries in conf\extra\httpd-ssl.conf

What’s New

• Fix: Auto-healing is logging uninstalled PHP services, causing logs to consume excessive storage.
• Fix: Symlink sorting issue in the file manager.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

This release patches CVE-2026-42945 ("NGINX Rift") and includes updated extensions to address a heap memory corruption issue.

What's New

• Security: Patched CVE-2026-42945 ("NGINX Rift"), a critical vulnerability affecting NGINX.

Deployment Information

This update is rolling out to all compatible servers. 

Servers with automatic updates enabled will be patched during the regular rollout window.

Important Notes

• ⚠️ If you have disabled automatic updates, we recommend updating manually as soon as possible.
• If you experience any issues after the update, please open a support ticket, and our team can revert your server to the previous version (v1.27.1). We're actively monitoring the rollout. If you notice anything unusual, please let us know so we can investigate. 
• No action is required unless you've disabled automatic updates

RunCloud Agent v2.17.5 (Patch)

What’s New

• Fix: Resolved an issue where symlinks could not be opened with the file manager.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

RunCloud Agent v2.17.1 (Patch)

What’s New

• Fix: Resolved an auto-healing issue that caused a "database is locked" error.
• Fix: Addressed a File Manager error that occurred in certain edge cases.

Deployment Information

• This update will roll out automatically to all compatible servers within 72 hours.
• No action is required. The update installs seamlessly in the background.
• If your server does not receive the update within this timeframe, please get in touch with our support team for manual assistance.

One week after Copy Fail, another Linux kernel vulnerability has been publicly disclosed. The exploit, called "Dirty Frag", chains two kernel bugs to give any unprivileged user with shell access full root on your server.

The embargo was broken early, so there is no official patch yet, no CVE number, and a working exploit is already public.

Dirty Frag targets three kernel modules: esp4, esp6, and rxrpc. Ubuntu is particularly exposed because rxrpc loads automatically on Ubuntu, while most other distributions do not ship it by default. The Copy Fail fix from last week does not protect against this. Dirty Frag is a completely different attack path and requires its own fix.

What We Decided

Unlike Copy Fail, we did not push this mitigation automatically through the RunCloud agent. This fix disables three kernel modules and could impact servers running IPsec VPN tunnels or AFS. We did not want to risk breaking production servers without the owner's knowledge.

The fix needs to be applied manually. It takes one command and under a minute.

How to Apply the Fix

Before applying, run the pre-check commands to confirm the modules are not actively in use. Full pre-check steps and the one-command fix are in the community post linked below.

The mitigation blocks all three modules from loading, unloads them immediately, and survives reboots. NGINX, PHP, MySQL, SSH, and SSL are unaffected. The only services impacted are IPsec VPN tunnels using ESP mode and AFS.

If anything breaks after applying, the fix is fully reversible with three commands to restore the modules.

Permanent Patch

No official Ubuntu kernel patch is available yet. The embargo broke early, and Ubuntu has not had time to ship one. We are watching their tracker and will update the community thread as soon as a patch lands. Once it does, apply the kernel update, reboot, and remove the mitigation file.

Full Details and Next Steps

For pre-check commands, the full fix, verification steps, and reversal instructions, see our full write-up on our community forum.