Hi,

On Wed, May 13, 2026 at 07:35:10PM +0200, Solar Designer wrote:
> Hi,
>
> Here's analysis by the Dirty Frag researcher:
>
> On Thu, May 14, 2026 at 12:45:31AM +0900, Hyunwoo Kim wrote:
> > I'm attaching my current analysis, so if anyone could post it to
> > oss-security on my behalf, I would greatly appreciate it.
> >
> > Here is the analysis:
> >
> > This vulnerability is a path that was accidentally activated _after_ the
> > introduction of f4c50a4034e6 (2026-05-05), the patch for CVE-2026-43284 in
> > the Dirty Frag chain.
> >
> > In other words, the effective vulnerability window is from f4c50a4034e6
> > (2026-05-05) to upstream -- approximately 9 days.
> >
> > Exploitation requires the attacker to have permission to create user
> > namespaces, unless chained with a separate vulnerability.
> >
> > Another important point: the patch[1] they attached addresses the
> > skb_try_coalesce path, but does not resolve the vulnerability because it
> > misses other variant paths.
> >
> > For now, a patch[2] that also covers the currently-analyzed
> > __pskb_copy_fclone path has been submitted. Once the additional analysis is
> > finalized, a v2 patch may be submitted.
> >
> > At least for the time being, I recommend keeping the Dirty Frag mitigation
> > in place:
> > ```
> > sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
> > ```
> >
> > [1]: https://lore.kernel.org/all/[email protected]/
> > [2]: https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
FWIW, there was another variant posted via
https://lore.kernel.org/netdev/agVpIsaSherjHTYg@sultan-box/ for review of the
v2 patch. A v3 of the patch has in the meantime been posted as well:
https://lore.kernel.org/netdev/agW4vC0r8QOUKtRT@v4bel/

Regards,
Salvatore
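The quoted mitigation writes `install <mod> /bin/false` lines into modprobe.d and unloads esp4, esp6 and rxrpc. The following is an added example, not part of the thread or of any of the posted patches: a POSIX sh audit that confirms both halves of that mitigation are still in effect, i.e. that every one of the three modules has an `install ... /bin/false` line in some modprobe.d fragment and is not listed as loaded. The function takes the modprobe.d directory and a file in `/proc/modules` format as arguments so it can be exercised offline against constructed fixtures; the function names, the fixture layout and the sample module lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the oss-security thread): audit whether the Dirty Frag
# mitigation is in place. Paths are parameters so the check runs against
# constructed fixtures; on a real host call it with /etc/modprobe.d /proc/modules.
# Function and fixture names are assumptions for this example.

# check_dirtyfrag_mitigation MODPROBE_DIR MODULES_FILE
# Prints one line per module; returns 0 only if every module is both blocked
# by an "install <mod> /bin/false" line and absent from the loaded-module list.
check_dirtyfrag_mitigation() {
    dir=$1
    modules=$2
    status=0
    for mod in esp4 esp6 rxrpc; do
        blocked=no
        loaded=no
        # modprobe reads every *.conf fragment, so the install line may live in
        # any of them, not only dirtyfrag.conf.
        if cat "$dir"/*.conf 2>/dev/null |
           grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false([[:space:]]|$)"; then
            blocked=yes
        fi
        # /proc/modules: the module name is the first field of each line.
        if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$modules" 2>/dev/null; then
            loaded=yes
        fi
        printf '%s: blocked=%s loaded=%s\n' "$mod" "$blocked" "$loaded"
        [ "$blocked" = yes ] && [ "$loaded" = no ] || status=1
    done
    return $status
}

# make_fixture DIR WITH_CONF WITH_ESP4_LOADED
# Writes constructed sample files (not captured from any real host) in the
# layout the check expects: DIR/modprobe.d/*.conf and DIR/modules.
make_fixture() {
    mkdir -p "$1/modprobe.d"
    if [ "$2" = yes ]; then
        printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
            > "$1/modprobe.d/dirtyfrag.conf"
    fi
    {
        printf 'xt_conntrack 16384 1 - Live 0x0000000000000000\n'
        if [ "$3" = yes ]; then
            printf 'esp4 24576 0 - Live 0x0000000000000000\n'
        fi
        printf 'nf_tables 327680 5 xt_conntrack, Live 0x0000000000000000\n'
    } > "$1/modules"
}

# Stand-alone demo on constructed fixtures. On a real host run:
#   check_dirtyfrag_mitigation /etc/modprobe.d /proc/modules
tmp=$(mktemp -d)
make_fixture "$tmp/good" yes no
make_fixture "$tmp/bad" no yes
check_dirtyfrag_mitigation "$tmp/good/modprobe.d" "$tmp/good/modules" && echo "-> mitigation in place"
check_dirtyfrag_mitigation "$tmp/bad/modprobe.d" "$tmp/bad/modules" || echo "-> mitigation missing"
rm -rf "$tmp"
```

Both checks matter because an `install` line only affects modprobe-driven loading: it does not unload a module that is already in memory (which is why the quoted one-liner also runs rmmod), and root can still bypass it with insmod on the .ko file directly. A host that reports `blocked=yes loaded=yes` for any module has the config but not the unload, and still needs the rmmod step.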
