The physical and virtual address at which the kernel image is decompressed is randomized to deter exploit attempts that rely on knowing the location of the kernel internals.

The Kexec feature, which allows faster rebooting or automatically booting a new kernel after a crash, now incorporates support for allowing only signed Kexec kernels for use with UEFI secure booting.

The kexec_load_disabled sysctl parameter can be used to disable Kexec, which allows a system to be better protected against privilege escalation.

An exe field has been added to the auditing log to record the pathname of executables that produce core dumps.

An audit_backlog_wait_time configuration option has been added to the auditing subsystem so that if auditd cannot keep up or is blocked, callers are not blocked.

If the value of the audit_backlog_limit parameter is set to zero, the length of the backlog queue is limited only by the amount of system memory.

By default, errors on AUDIT_NEVER rules are now logged.

The auditing subsystem now logs task information when the state of a feature is changed.

A netlink multicast socket has been added to read-only user-space clients such as systemd to allow read-only access to the audit logs.

Secure generation of random numbers with the getrandom system call. Linux systems traditionally obtained their random numbers from /dev/[u]random. This interface is vulnerable to file descriptor exhaustion attacks, where the attacker consumes all available file descriptors, and is also inconvenient for use in containers. The getrandom system call, which analogous to the getentropy call in OpenBSD overcomes these problems.

SELinux now reports permissive mode in avc: denied messages.