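[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-fragnesia-kernel-bug-root-shell-access-zh":3,"article-related-fragnesia-kernel-bug-root-shell-access-zh":35,"series-research-8e1c78ca-667a-482e-92a9-7d0f3d9e5067":86},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":10,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":29,"topic_cluster_id":33,"embedding":34,"is_canonical_seed":20},"8e1c78ca-667a-482e-92a9-7d0f3d9e5067","Fragnesia turns a kernel bug into root privileges","\u003Cp data-speakable=\"summary\">I break the Fragnesia Linux kernel vulnerability down into an actionable patching and detection checklist that you can apply directly to host risk handling.\u003C\u002Fp>\u003Cp>I have been reading Linux kernel vulnerability advisories a lot lately, and after a while you get an irritating sense of familiarity: it is never the \"wow, how dramatic\" kind of story, it is this most annoying kind instead. With Fragnesia, I frowned as soon as I saw the \u003Ca href=\"https:\u002F\u002Fwww.securityweek.com\u002Fnew-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation\u002F\">SecurityWeek\u003C\u002Fa> write-up. Not because the name is cool, but because it sounds like exactly the kind of local privilege escalation bug that takes a whole Linux host from \"doing fine\" straight to \"why me again\".\u003C\u002Fp>\u003Cp>What bothers me most is that it is not some conspicuous internet-facing RCE, nor the kind of explosive vulnerability you can spot at a glance. It is local, and local bugs are the ones most easily underestimated. Many teams say \"that machine isn't exposed to the outside anyway\" and push the risk back. The problem is that once an attacker has ordinary user privileges, a kernel flaw can hand them root. This kind of bug steals time better than any other: by the time you remember to fix it, someone is usually already playing with your host.\u003C\u002Fp>\u003Cp>I am not writing this as a press release; I want to take apart the handling logic for this class of vulnerability. You do not need to remember the name Fragnesia. What you need to remember is that, operationally, a local privilege escalation bug is not a \"minor issue\": it is often what connects an earlier small breach directly to the loss of the whole host.\u003C\u002Fp>\u003Ch2>Conclusion first: this is not a single CVE, it is a host takeover path\u003C\u002Fh2>\u003Cblockquote>The issue is in the Linux kernel's XFRM ESP-in-TCP subsystem and gives an unauthorized local attacker a chance to obtain root by overwriting sensitive system files.\u003C\u002Fblockquote>\u003Cp>In plain terms: the attacker does not need to break through an internet-facing service first. With a foothold in an ordinary account on the machine, they may be able to use the kernel bug to raise their privileges all the way up to root. This is not a theory lesson; it is the Linux privilege boundary being punched straight through.\u003C\u002Fp>\n\u003Cfigure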
class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779207288976-fjb6.png\" alt=\"Fragnesia turns a kernel bug into root privileges\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>What I fear most with this class of bug is not the technical detail but a team that reacts too slowly. Many people relax the moment they hear \"local\" and decide it is not urgent. But what makes local privilege escalation dangerous is that it is so often the second half of the chain. The first half might be phishing, a weak password, a container escape, or a \u003Ca href=\"\u002Ftag\u002Ftoken\">token\u003C\u002Fa> stolen from a developer machine; chain this bug onto the end and the whole machine ends in a root shell.\u003C\u002Fp>\u003Cp>In practice, I prioritize it as a host takeover event, not as a plain kernel patch. If your environment has ordinary users, shared hosts, CI runners, jump hosts, developer workstations, or multi-tenant Linux environments, this bug should move up the queue. Do not reassure yourself with short-lived VMs either: short-lived does not mean there is no window.\u003C\u002Fp>\u003Cul>\u003Cli>First inventory every Linux host that allows local logins.\u003C\u002Fli>\u003Cli>Assess \"external exposure risk\" and \"local privilege escalation risk\" separately; do not lump them together.\u003C\u002Fli>\u003Cli>Patch hosts with shell access first, hosts without shell access afterwards.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>XFRM ESP-in-TCP is obscure, but obscure does not mean safe\u003C\u002Fh2>\u003Cp>The most notable technical point this time is that the bug sits in the XFRM ESP-in-TCP part of the kernel. Honestly, most teams never touch this unless they work on VPNs, encrypted encapsulation, or the lower layers of the network stack. Because it is obscure, it is easy to overlook. The kernel never cares whether a feature is popular: if there is a bug, it can become attack surface.\u003C\u002Fp>\u003Cp>When I read the related description on the \u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F\">Microsoft Security Blog\u003C\u002Fa>, what caught my attention most was that it describes the primitive as something like a memory write inside the kernel, which can then be used to corrupt the page cache of \u003Ccode>\u002Fusr\u002Fbin\u002Fsu\u003C\u002Fcode>. I know this chain well: gain a write capability, poison something you assumed was trustworthy, then use it to raise privileges. Crude, but effective.\u003C\u002Fp>\u003Cp>Worse, \u003Ca href=\"\u002Ftag\u002Fmicrosoft\">Microsoft\u003C\u002Fa>'s description also says it is not limited to \u003Ccode>\u002Fusr\u002Fbin\u002Fsu\u003C\u002Fcode>: any file the user can read could potentially be modified. That sentence matters because it widens the whole detection approach. You cannot watch su alone; you may need to watch things like \u003Ccode>\u002Fetc\u002Fpasswd\u003C\u002Fcode> too. In other words, this is not only a privilege problem, it is also a file integrity problem.\u003C\u002Fp>\u003Cp>In practice, I start with three questions: do your hosts actually need this feature, does your file integrity monitoring cover user-readable system files, and can your EDR catch anomalous write behavior? Many teams put a lot of effort into monitoring but watch only a single symbolic file, and that scope is too narrow.\u003C\u002Fp>\u003Cul>\u003Cli>Check which hosts actually need XFRM-related functionality.\u003C\u002Fli>\u003Cli>Bring user-readable system files under integrity monitoring instead of watching only \u003Ccode>su\u003C\u002Fcode>.\u003C\u002Fli>\u003Cli>Correlate three signals: anomalous writes, privilege jumps, and root shells.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>It belongs with Dirty Frag and Copy Fail, and that is the real point\u003C\u002Fh2>\u003Cp>SecurityWeek notes that Fragnesia is similar to Dirty Frag and Copy Fail. I find the comparison valuable, because it is not about giving vulnerabilities nicknames; it is a reminder that this is not an isolated event but a recurring kernel failure pattern.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779207287330-i0iy.png\" alt=\"Fragnesia turns a kernel bug into root privileges\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>My own reaction to this kind of vulnerability family is fairly direct. Once local privilege escalation bugs of the same class start appearing back to back, the defensive strategy cannot be reinvented each time. What you want is a fixed process: patch first, then look, then hunt. The core question for a local privilege escalation bug is never \"will it crash\" but \"can it turn low privilege into root\".\u003C\u002Fp>\u003Cp>I once worked in an environment where every kernel CVE was treated like a standalone project. Host A belonged to team A, host B to team B, everyone said they were busy, and in the end the most important machines stayed stuck waiting to be scheduled. Seeing that once was enough for me. The more you treat every bug as a special case, the more likely the truly dangerous hosts are left lying there waiting.\u003C\u002Fp>\u003Cp>In practice, I turn this class of bug into one shared runbook instead of rewriting it every time. For any kernel local privilege escalation, the default action is to patch first and investigate afterwards. You do not need to study every exploit detail as if writing a paper; getting hosts to stop running exposed matters more.\u003C\u002Fp>\u003Ch2>A PoC starts the countdown; \"not exploited yet\" does not mean safe\u003C\u002Fh2>\u003Cp>The report also mentions that a proof-of-concept exploit exists, but that there is currently no clear evidence of real-world attacks. Many people breathe a sigh of relief at that sentence; I react the opposite way. Once a PoC is public, the clock is counting down, not up.\u003C\u002Fp>\u003Cp>\"No evidence yet\" does not mean \"nothing is wrong\". It usually just means attackers have not acted at scale yet, or defenders have not connected the clues yet. Once a PoC is out, the gap between advisory and abuse usually only gets shorter, not longer.\u003C\u002Fp>\u003Cp>I treat a PoC as something that shortens the SLA. Before, you might have been able to say \"we'll fix it in the next maintenance window\"; now you cannot. A usable PoC is an attack script that can be copied and pasted, and plenty of people will test it, modify it, and use it. You should not assume nobody out there is trying.\u003C\u002Fp>\u003Cp>In practice, I prioritize using two criteria: \"hosts with shell access\" and \"hosts with deferred patches\". Not by departmental preference, and not by who is loudest. Whoever can be escalated against gets fixed first.\u003C\u002Fp>\u003Cul>\u003Cli>Flag every high-impact kernel vulnerability with whether a PoC exists.\u003C\u002Fli>\u003Cli>If a PoC exists, shorten the patch SLA immediately.\u003C\u002Fli>\u003Cli>Hosts that allow local logins always move up the queue.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>For detection, chase the outcome, not the trigger\u003C\u002Fh2>\u003Cp>One thing I like about this kind of report is that it does not focus on flashy exploit details. That is how it should be. Most defenders do not need steps that read like a cryptography paper; they need outcomes: a file was modified, privileges jumped, a root shell appeared, normal administrative behavior disappeared.\u003C\u002Fp>\u003Cp>Many teams make a very common mistake: waiting for exploit signatures. That is tiring and unreliable, because the technique behind a kernel bug may change while the outcome usually looks much the same. Seeing an ordinary user suddenly grow a root session is more useful than doggedly chasing some brittle string.\u003C\u002Fp>\u003Cp>I ran into exactly this on an earlier case: what was really valuable was not what the payload looked like, but that within minutes of a user logging in there were unreasonable file changes and privilege transitions. That is what you should be catching. Do not tie yourself to exploit fingerprints, or you will miss a lot entirely.\u003C\u002Fp>\u003Cp>In practice, I focus detection on three areas: privilege jumps, system file changes, and anomalous root sessions. If you have audit logs, correlate the audit logs; if you have EDR, correlate local behavior and file writes. If you have neither, that is not a \"let's observe for now\" situation; it is time to build the basic capability.\u003C\u002Fp>\u003Ch2>Patch order matters more than how polished the patching is\u003C\u002Fh2>\u003Cp>Microsoft recommends applying available fixes as soon as possible. I agree, and I want to put it more bluntly: patch order matters more than patch perfection. You do not need to wait for a respectable-looking change process before you start reducing risk. What you need is to get the most dangerous hosts handled first.\u003C\u002Fp>\u003Cp>So the order should be: Linux servers close to the external edge, shared jump hosts, CI runners, developer workstations, and hosts that allow multi-user logins all go to the front. These are the places most likely to have ordinary accounts and most likely to be used as a springboard for privilege escalation. If you push the patch schedule to the next maintenance cycle, much of the time you are buying time for the attacker.\u003C\u002Fp>\u003Cp>I do not buy the \"wait until every distribution's advisories line up\" approach. The kernel will not get attacked any later because your ticket workflow is tidy. Once you know the risk exists and a fix is available, you can start moving.\u003C\u002Fp>\u003Cp>In practice, I first draw up a minimal list: which hosts are most valuable, which hosts are most likely to have local accounts, and which hosts enable lateral movement once rooted. Fix these first; everything else can wait.\u003C\u002Fp>\u003Cul>\u003Cli>Patch high-risk Linux hosts first; do not spread effort evenly.\u003C\u002Fli>\u003Cli>Hosts with local users take priority.\u003C\u002Fli>\u003Cli>Do not wait for every maintenance window to line up; stop the bleeding first.\u003C\u002Fli>\u003C\u002Ful>\u003Ch2>A template you can copy\u003C\u002Fh2>\u003Cpre>\u003Ccode># Fragnesia incident handling template (Linux hosts)\n\n## 1. Scope of impact\n- Linux hosts that allow local logins\n- Shared servers, CI runners, developer workstations\n- Hosts running potentially affected kernel versions\n\n## 2. Immediate actions\n- Apply the vendor-released fix at the earliest opportunity\n- Reboot if a reboot is required; do not hold out\n- Handle hosts with shell access, multiple users, or broad permissions first\n\n## 3. Detection focus\n- Has an unexplained root shell appeared?\n- Have user-readable system files been modified abnormally?\n- Are there file integrity alerts for `\u002Fusr\u002Fbin\u002Fsu`, `\u002Fetc\u002Fpasswd`, and similar files?\n- Has a privilege jump occurred shortly after a local user logged in?\n\n## 4. Threat hunting questions\n- Did a local account show anomalous file-read behavior before escalating privileges?\n- Are there kernel warnings, abnormal crashes, or page cache anomalies?\n- Are there traces of unexplained administrative activity on the same host?\n\n## 5. Containment and isolation\n- If exploitation is suspected, isolate the host first\n- Temporarily disable unnecessary local accounts\n- Rotate credentials on affected hosts\n- If integrity cannot be trusted, rebuild the host\n\n## 6. Operating principles\n- This is not just a kernel bug; it is a host takeover path\n- Do not wait for confirmed real-world attacks before fixing\n- If a PoC exists, the SLA should be shortened\n\u003C\u002Fcode>\u003C\u002Fpre>\u003Cp>I deliberately wrote this template bluntly, because fanciness is the last thing you want during incident handling. You do not need to polish the document until it reads like a public announcement; making sure the on-call person can follow it matters more than anything. You can paste it straight into a runbook, a ticket, or an on-call SOP.\u003C\u002Fp>\u003Cp>The original source is \u003Ca href=\"https:\u002F\u002Fwww.securityweek.com\u002Fnew-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation\u002F\">SecurityWeek's Fragnesia report\u003C\u002Fa>. Part of my breakdown above is defensive thinking extended from that report, and the template is my reorganization of the Linux host handling process into a version you can use directly.\u003C\u002Fp>\u003Cp>If you want the upstream and downstream context, I would also check \u003Ca href=\"https:\u002F\u002Fwww.kernel.org\u002F\">kernel.org\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F\">Microsoft Security\u003C\u002Fa>, and your own distribution's advisory pages, such as \u003Ca href=\"https:\u002F\u002Fubuntu.com\u002Fsecurity\u002Fnotices\">Ubuntu Security Notices\u003C\u002Fa> and \u003Ca href=\"https:\u002F\u002Faccess.redhat.com\u002Fsecurity\u002Fsecurity-updates\u002F\">Red Hat Security Updates\u003C\u002Fa>. This piece is a derivative summary, not an original disclosure.\u003C\u002Fp>","I break the Fragnesia Linux kernel vulnerability down into an actionable patching and detection checklist that you can apply directly to host risk handling.","www.securityweek.com","https:\u002F\u002Fwww.securityweek.com\u002Fnew-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation\u002F",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779207288976-fjb6.png",[13,14,15,16,17],"Linux 內核","本地提權","root 權限","檔案完整性","PoC","zh",1,false,"2026-05-19T16:14:24.533343+00:00","2026-05-19T16:14:24.513+00:00","done","2042d4b0-e0ba-430f-89a1-0ac5523e0949","fragnesia-kernel-bug-root-shell-access-zh","research","6bef1751-4ed9-4a46-aad5-47808b26d308","published",[30,31,32],"Treat local privilege escalation bugs as host takeover events, not routine patching tasks.","A PoC means the risk countdown has started; shorten the patch SLA immediately.","Focus detection on outcomes: root shells, system file changes, and privilege jumps.","0c35a120-52fc-41fc-afa3-d404eb934158","[]",{"tags":36,"relatedLang":45,"relatedPosts":49},[37,38,40,42,44],{"name":14,"slug":14},{"name":17,"slug":39},"poc",{"name":13,"slug":41},"linux-內核",{"name":15,"slug":43},"root-權限",{"
name":16,"slug":16},{"id":27,"slug":46,"title":47,"language":48},"fragnesia-kernel-bug-root-shell-access-en","Fragnesia turns a kernel bug into root shell access","en",[50,56,62,68,74,80],{"id":51,"slug":52,"title":53,"cover_image":54,"image_url":54,"created_at":55,"category":26},"a2527d1f-99c7-4f8b-86c3-26679b44ccce","copy-fail-human-ai-vulnerability-analysis-zh","Why Copy Fail can dig up kernel vulnerabilities","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779207839846-wn4h.png","2026-05-19T16:23:35.825464+00:00",{"id":57,"slug":58,"title":59,"cover_image":60,"image_url":60,"created_at":61,"category":26},"d1c6850c-f832-471b-8beb-c0ebc809667d","peft-bench-fine-tuning-methods-benchmark-zh","PEFT-Bench makes fine-tuning comparisons fairer","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779179048497-jm5y.png","2026-05-19T08:23:36.803043+00:00",{"id":63,"slug":64,"title":65,"cover_image":66,"image_url":66,"created_at":67,"category":26},"e24e6e7a-6181-476b-8583-339d854cec68","confident-ai-llm-evaluation-metrics-guide-zh","Confident AI's guide to LLM evaluation metrics","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779178456675-x5m6.png","2026-05-19T08:13:46.193772+00:00",{"id":69,"slug":70,"title":71,"cover_image":72,"image_url":72,"created_at":73,"category":26},"adfa9b15-68b6-44cc-b34d-ebcb02c31210","code-becomes-the-agent-harness-zh","Code becomes the agent engine","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779173040130-zcyg.png","2026-05-19T06:43:29.625994+00:00",{"id":75,"slug":76,"title":77,"cover_image":78,"image_url":78,"created_at":79,"category":26},"eda7a80a-b234-4ada-90d1-a37b144251dc","rrfp-readiness-driven-pipeline-training-zh","RRFP lets pipeline training follow readiness","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779172442474-n21q.png","2026-05-19T06:33:31.287772+00:00",{"id":81,"slug":82,"title":83,"cover_image":84,"image_url":84,"created_at":85,"category":26},"475844e6-3e2c-49a6-aea0-86a94945d2c2","dashattention-differentiable-adaptive-sparse-attention-zh","DashAttention makes sparse long context differentiable","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779171840613-dq1r.png","2026-05-19T06:23:32.886786+00:00",[87,92,97,102,107,112,117,122,127,132],{"id":88,"slug":89,"title":90,"created_at":91},"f18dbadb-8c59-4723-84a4-6ad22746c77a","deepmind-bets-on-continuous-learning-ai-2026-zh","DeepMind bets on continual learning AI in 2026","2026-03-26T08:16:02.367355+00:00",{"id":93,"slug":94,"title":95,"created_at":96},"f4a106cb-02a6-4508-8f39-9720a0a93cee","ml-papers-of-the-week-github-research-desk-zh","Why a weekly ML paper list took off on GitHub","2026-03-27T01:11:39.284175+00:00",{"id":98,"slug":99,"title":100,"created_at":101},"c4f807ca-4e5f-47f1-a48c-961cf3fc44dc","ai-ml-conferences-to-watch-in-2026-zh","2026 AI conference submission timeline roundup","2026-03-27T01:51:53.874432+00:00",{"id":103,"slug":104,"title":105,"created_at":106},"9f50561b-aebd-46ba-94a8-363198aa7091","openclaw-agents-manipulated-self-sabotage-zh","OpenClaw agents sabotage themselves","2026-03-28T03:03:18.786425+00:00",{"id":108,"slug":109,"title":110,"created_at":111},"11f22e92-7066-4978-a544-31f5f2156ec6","vega-learning-to-drive-with-natural-language-instructions-zh","Vega: controlling self-driving cars with natural language instructions","2026-03-28T14:54:04.847912+00:00",{"id":113,"slug":114,"title":115,"created_at":116},"a4c7cfec-8d0e-4fec-93cf-1b9699a530b8","drive-my-way-en-zh","Drive My Way: realizing personalized self-driving styles","2026-03-28T14:54:26.207495+00:00",{"id":118,"slug":119,"title":120,"created_at":121},"dec02f89-fd39-41ba-8e4d-11ede93a536d","training-knowledge-bases-with-writeback-rag-zh","Strengthening knowledge bases with WriteBack-RAG to improve retrieval performance","2026-03-28T14:54:45.775606+00:00",{"id":123,"slug":124,"title":125,"created_at":126},"3886be5c-a137-40cc-b9e2-0bf18430c002","packforcing-efficient-long-video-generation-method-zh","PackForcing: generating long videos from short-video training","2026-03-28T14:55:02.688141+00:00",{"id":128,"slug":129,"title":130,"created_at":131},"72b90667-d930-4cc9-8ced-aaa0f8968d44","pixelsmile-toward-fine-grained-facial-expression-editing-zh","PixelSmile: a new method for fine-grained facial expression editing","2026-03-28T14:55:20.678181+00:00",{"id":133,"slug":134,"title":135,"created_at":136},"cf046742-efb2-4753-aef9-caed5da5e32e","adaptive-block-scaled-data-types-zh","IF4: a smart choice for neural network quantization","2026-03-31T06:00:36.990273+00:00"]