Tails 7.4.2 Patches 169 Kernel Vulnerabilities

Tails 7.4.2 dropped today, February 11, 2026, and it's the second emergency release in the 7.4 series in just 12 days. The last one, 7.4.1 on January 30, dealt with critical OpenSSL vulnerabilities that a malicious Tor relay could have used to deanonymize users, and now the kernel itself needed patching with the same level of urgency.

The core of this release is a Linux kernel update from 6.12.63 to 6.12.69, which addresses Debian Security Advisory DSA-6126-1. That advisory covers 169 individual CVEs spanning from 2024 through early 2026, and the vulnerability categories include privilege escalation, denial of service, and information leaks. From what I found, the CVEs range across multiple kernel subsystems, so the attack surface here was wide and touched everything from memory management to network stack components.

Now the specific concern for Tails users is a chain attack scenario. The Tails team describes it like this: if an attacker managed to exploit some other unknown vulnerability in an application included in Tails, they could then use these kernel bugs to escalate privileges and take full control of the system. In practical terms, a compromised browser tab or a poisoned document opened in a Tails application could break out of its sandbox and own the entire operating system, which undermines the entire premise of running an amnesic system. The Tails team specifically notes that this kind of attack chain is within the capability of governments and professional hacking firms, and given the resources those groups have, that assessment tracks.

For context on the scale, DSA-6126-1 includes CVEs from at least four distinct numbering ranges: the CVE-2024-58xxx series, the CVE-2025-22xxx through CVE-2025-71xxx series, and a fresh batch of CVE-2026-22xxx through CVE-2026-23xxx entries. The 2025-dated CVEs dominate at 127 of the 169 total, with another 40 carrying 2026 dates, which tells you these are issues that kernel developers have been actively hunting down and patching throughout 2025 and into this year.

Beyond the kernel, Tails 7.4.2 also bumps Thunderbird to version 140.7.1 ESR, which patches CVE-2026-0818, a CSS-based data exfiltration vulnerability in OpenPGP email rendering. If you use Thunderbird inside Tails for encrypted email, and you should be if you're communicating anything sensitive, that bug allowed specially crafted CSS in an email to leak content from OpenPGP-encrypted messages, so this fix matters.

The release also patches three usability bugs that were making life harder for daily Tails users. Wi-Fi settings were inaccessible from the Tor Connection assistant, which forced users who needed to configure wireless before connecting to Tor to find workarounds. Electrum, the Bitcoin wallet, was refusing to reopen if it had been previously closed without a clean shutdown, and on a system that wipes RAM on power-off by design, an unclean shutdown is the norm. And language preferences saved to the persistent USB storage were being ignored by the Welcome Screen, forcing users to reconfigure their language every single boot.

Ok so the update path is straightforward. Automatic upgrades work from any Tails 7.0 or later, so if you're on 7.4.1, just boot up and let it pull the update. If automatic upgrading fails for whatever reason, manual upgrade instructions are available on the Tails site, and you can always do a fresh install onto a USB drive from Windows, macOS, or Linux.

Two emergency releases in 12 days is a pace that should make you pay attention. The first one patched OpenSSL bugs where a malicious Tor relay could deanonymize you, and this one patches kernel bugs where a compromised application could escalate to full system control. Both are exactly the kinds of vulnerabilities that state-level adversaries stockpile and chain together, and the Tails team pushing emergency releases within days of the upstream Debian fixes shows they take the threat model seriously.

If you're running Tails and you care about your operational security, update today. The whole point of using an amnesic operating system is to minimize your attack surface and leave no forensic trace, but running a kernel with 169 known vulnerabilities including privilege escalation paths undermines that entire premise. Your OPSEC is only as strong as your weakest unpatched component, and right now, for anyone still on 7.4.1 or earlier, the kernel is that component.