Linus Torvalds released the stable Linux 7.1 kernel on June 14, 2026, half a day early because of his travel plans. The cycle closed with nearly 13,000 changes and more than 2,000 developers. Most of the coverage went to the new NTFS driver and the graphics speedups, but three areas matter directly to anyone running systems: the Landlock hardening, the Intel FRED switch, and a couple of networking changes that can leave a custom kernel unbootable.
Landlock now covers UNIX sockets
Landlock is the security module that lets an unprivileged process sandbox itself: it declares which paths and operations it may touch, and the kernel blocks the rest. Until now its rules covered files and a small set of network operations, but not pathname UNIX domain sockets (the ones that live on the filesystem, such as /run/something.sock).
7.1 adds a new access right, exposed through an LSM hook, to control access to those sockets by path. For a sandboxed process that means you can now spell out exactly which ones it may connect to. This is worth knowing if you run containers or sandboxed services that talk to local daemons (systemd, databases, agents) over UNIX sockets: it closes a path that used to sit outside the policy. It isn’t a fix for a specific bug, it’s a new capability your sandbox can take advantage of.
Intel FRED on by default
7.1 enables Intel FRED (Flexible Return and Event Delivery) by default on supported hardware. FRED replaces the old x86 mechanism for delivering interrupts and exceptions with a cleaner one. The immediate payoff is performance on Intel Panther Lake parts, and the same groundwork helps future Diamond Rapids and AMD Zen 6. Moving the interrupt and syscall paths to a new model also matters for security: it simplifies a part of the kernel that has historically been fertile ground for state-handling bugs. If you run machines with those chips, note that the default behaviour has changed.
Two networking changes that can break the upgrade
Here’s the practical warning. 7.1 drops UDP-Lite entirely and changes how IPv6 is built.
From this release IPv6 can no longer be compiled as a module: it has to be built directly into the kernel (y) or disabled (n). If you maintain custom kernels and had CONFIG_IPV6=m, fix that before you rebuild or you’ll hit a surprise. The same goes for anything that relied on UDP-Lite: the protocol is gone. If you run your distribution’s kernel this passes unnoticed, because the packager already handles it; the risk is for people who bake their own.
The cycle also removed more than 140,000 lines of legacy code, including support for some 486-era x86 sub-architectures and old networking and PCMCIA leftovers. Less old code means less surface to maintain and audit.
For the full rundown of new features beyond the security side, see the official Linux 7.1 release. You can also track kernel versions on its LinuxGratis page.
Source
- Phoronix — Linux 7.1 Released