This was published the day after, with the title "Problems with the heap" but the URL makes the context clear: https://rachelbythebay.com/w/2025/03/26/atop/
Yeah, I meant since that one.
A bug matching the details of the vaguepost was found by a third party with no help from Rachel: https://blog.bismuth.sh/blog/bismuth-found-the-atop-bug
> Given the vagueness, we were curious if Bismuth's bug scanning capabilities could find the bug so we let it rip on the code base. 10 minutes later, we had it. Or at least we had a bug which looked and behaved exactly like Rachel described.
> As soon as we figured this out and had something reproducible we moved to responsibly disclose the issue and we emailed Gerlof at 8pm on the 26th.
> Seeing this bug and how it's triggered, I understand Rachel's initial reaction to write a vague "get rid of it" post without going into detail. [...] That said, the internet loves to run wild with speculation and there's a reason we have the responsible disclosure process. For something that's installed as often as Nvidia GPU drivers, it would be prudent to spend the extra few days and have a controlled disclosure. Posting something like that can start off an arms race to find the bug, and if someone malicious were to reproduce and exploit it first, they get free rein to take over affected systems until it's patched. Yes, sounding the alarm might cause people to uninstall it, but there's plenty of places where it will remain, giving malicious actors incentive to go for it. But with a coordinated disclosure, the arms race never starts, and systems are patched before anyone realizes there was an issue.
The atop maintainer fixed the bug on March 29th, and also changed the behaviour of atop to _not_ connect to its helper daemons by default: https://github.com/Atoptool/atop/commit/542b7f7ac52926ca2721... ... and released it as atop v2.11.1 on April 5th: https://github.com/Atoptool/atop/releases/tag/v2.11.1
There has been nothing on Rachel's blog about this topic since the vaguepost and vaguepost followup.
The CVE (https://www.cve.org/CVERecord?id=CVE-2025-31160) is still incorrect, and there's no indication who requested it. It says that versions "0 - 2.11.0" are affected; this is untrue, because atopgpud (and support in atop for reading from it) was introduced in version 2.4.0 ("The vulnerability is present since the introduction of 'atopgpud' in atop 2.4.0." per https://www.atoptool.nl/downloadatop.php).