All KDE Linux images older than kde-linux_202605080254 are vulnerable to local privilege escalation.
An unprivileged local user can obtain a root shell by exploiting a memory fragmentation bug in the esp4/esp6/rxrpc kernel modules. The bug has existed in the Linux kernel for 9 years. A proof-of-concept and more information are publicly available on GitHub in the V4bel/dirtyfrag repository. The proof-of-concept requires compilation and is approximately 2000 lines of C, but a more portable and dangerous version may appear at any time.
Mitigations (do this)
Update to kde-linux_202605080254 or newer via Discover, or run:
updatectl update
Then reboot.
Can’t update or reboot right now?
Block the vulnerable modules and flush the page cache (both commands must be run as root):
sh -c "printf 'install esp4 /usr/bin/false\ninstall esp6 /usr/bin/false\ninstall rxrpc /usr/bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
echo 3 > /proc/sys/vm/drop_caches
This is a workaround only, so update as soon as possible.
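
One way to confirm that the workaround took effect, as an added example that is not part of the original advisory: the script reports which of esp4, esp6 and rxrpc are still loaded and which have no install rule. The function names are hypothetical, and the script assumes the rules live in /etc/modprobe.d/*.conf exactly as written by the command above.

```sh
#!/bin/sh
# Added example: verify the workaround for the esp4/esp6/rxrpc modules.
# Paths are parameters so the functions also work on constructed test files.
MODULES="esp4 esp6 rxrpc"

# Print each listed module that is still loaded, given a file in
# /proc/modules format (each line starts with "<name> <size> ...").
loaded_modules() {
    for m in $MODULES; do
        # The trailing space keeps "esp4" from matching "esp4_offload".
        if grep -q "^$m " "$1" 2>/dev/null; then echo "$m"; fi
    done
}

# Print each listed module that has no "install <mod> /usr/bin/false" rule
# in the *.conf files of the given modprobe.d directory.
unblocked_modules() {
    for m in $MODULES; do
        if ! cat "$1"/*.conf 2>/dev/null |
            grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/usr/bin/false[[:space:]]*$"; then
            echo "$m"
        fi
    done
}

# Return 0 only when no module is loaded and every module is blocked.
check_workaround() {
    loaded=$(loaded_modules "$1" | tr '\n' ' ')
    open=$(unblocked_modules "$2" | tr '\n' ' ')
    if [ -n "$loaded" ]; then echo "still loaded: $loaded"; fi
    if [ -n "$open" ]; then echo "not blocked: $open"; fi
    [ -z "$loaded$open" ]
}

# Check the live system when the script is run directly.
if check_workaround /proc/modules /etc/modprobe.d; then
    echo "workaround in place"
else
    echo "workaround incomplete"
fi
```

A module reported as still loaded means the rmmod step did not succeed, typically because the module was in use at the time.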