...while the vulnerabilities are serious, the silver lining is that both require an attacker to be a local authorized user.
No need for alarm for most people.
Two common uses of the Linux operating system are in WiFi access points and firewall appliances (I'm looking at YOU, Protectli and pfSense). As long as the Linux kernel is sufficiently robust to deny remote penetrations past a competently configured firewall, computer users — including Microsoft OS users — are safe from penetration-based attacks.
To that end, I am designing a firewall for a fanless computing appliance that builds on more than 20 years of success in IPv4, and also provides the same protection for IPv6. Different realms that have different methods. For IPv6, instead of trying to use NAT, it protects a subnet of the IPv6 address space assigned to the site. Inside computers can "call out" and get responses, but outside entities can't "call in".
This scheme protects any computer or internet-capable device that asks for an IPv6 address using DHCP6, because most DHCP6 servers will allocate addresses from the low end of the pool. If a device wants a "public" address, and has been properly protected, the sysadmin can give that computer an unprotected address. (Or partially protected: the firewall will block a lot of Bad Stuff™.)
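The policy described in the comment above, modelled as an added example (not the commenter's code or design files): outbound flows are remembered, and unsolicited inbound packets are dropped only when they target the protected range. The prefixes, the `/112` boundary and the `Ipv6Firewall` class are assumptions made for illustration.

```python
import ipaddress

# Constructed values (RFC 3849 documentation prefix), not from the comment.
SITE = ipaddress.ip_network("2001:db8:1::/64")
# Assumed protected range: the low end of the site prefix, where the DHCPv6 pool sits.
PROTECTED = ipaddress.ip_network("2001:db8:1::/112")


class Ipv6Firewall:
    """Toy forwarding policy: stateful filtering for the protected range, no NAT.

    ICMPv6 handling, which a real IPv6 firewall needs, is left out of this model.
    """

    def __init__(self):
        # Each entry: (inside addr, inside port, outside addr, outside port, proto)
        self.flows = set()

    def outbound(self, src, sport, dst, dport, proto="tcp"):
        """Inside host calls out: allowed, and the flow is recorded."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in SITE:
            return "drop"  # source is not one of the site's addresses
        self.flows.add((src, sport, dst, dport, proto))
        return "accept"

    def inbound(self, src, sport, dst, dport, proto="tcp"):
        """Outside packet arrives: decide by flow state and destination range."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst not in SITE or src in SITE:
            return "drop"  # not for this site, or an inside source seen from outside
        if (dst, dport, src, sport, proto) in self.flows:
            return "accept"  # response to a call an inside host made
        if dst in PROTECTED:
            return "drop"  # unsolicited "call in" to the protected range
        return "accept"  # address the sysadmin chose to leave unprotected
```

A device that takes a low-pool DHCPv6 address is covered without any per-host rule, which is the property the comment relies on.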
Have you looked at DD-WRT?