security: add SSB-2026-002 (Dirty Frag / Fragnesia) #3750

Merged: yanjost merged 2 commits into master from feat/SECINC-157/SECINC-158/dirty-frag-fragnesia-ssb-2026-002 on May 13, 2026

@yanjost yanjost commented May 13, 2026

Security Bulletin SSB-2026-002

This PR adds the security bulletin for the Dirty Frag and Fragnesia Linux kernel local privilege escalation vulnerabilities.

Vulnerabilities covered

  • Dirty Frag (CVE-2026-43284, CVE-2026-43500) — disclosed May 7th 2026. LPE via write-what-where primitives in the xfrm-ESP and RxRPC kernel subsystems exploiting the shared page cache.
  • Fragnesia — disclosed May 13th 2026. Separate bug in the same XFRM ESP-in-TCP subsystem, same vulnerability class and same mitigation.

Scalingo response

  • Mitigation applied May 8th: esp4, esp6, rxrpc modules disabled across all hosting nodes by 10:02, covering both vulnerabilities.
  • Exploit path is additionally blocked by Docker's default seccomp profile, which prevents CLONE_NEWUSER in containers without CAP_SYS_ADMIN.
  • No customer impact. No evidence of exploitation.

References

  • SECINC-157 (Dirty Frag)
  • SECINC-158 (Fragnesia)

Add security bulletin SSB-2026-002 covering:
- Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Linux kernel LPE
  via page cache write primitives in xfrm-ESP and RxRPC subsystems,
  publicly disclosed May 7th 2026.
- Fragnesia: related LPE in the same XFRM ESP-in-TCP subsystem,
  publicly disclosed May 13th 2026.

Mitigation: esp4, esp6, rxrpc kernel modules disabled across all
hosting nodes on May 8th at 10:02, covering both vulnerabilities.
Exploit path is additionally blocked by Docker's default seccomp
profile which prevents CLONE_NEWUSER in containers without
CAP_SYS_ADMIN.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@leo-scalingo leo-scalingo left a comment

LGTM

@leo-scalingo leo-scalingo left a comment

Update

Comment thread src/_posts/security/bulletins/2026-05-13-SSB-2026-002.md Outdated
Co-authored-by: Léo Unbekandt <159253935+leo-scalingo@users.noreply.github.com>
@yanjost yanjost requested a review from leo-scalingo May 13, 2026 15:50

@leo-scalingo leo-scalingo left a comment

LGTM

@yanjost yanjost merged commit e47df76 into master May 13, 2026
4 checks passed
@yanjost yanjost deleted the feat/SECINC-157/SECINC-158/dirty-frag-fragnesia-ssb-2026-002 branch May 13, 2026 15:58
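
One way to verify the module mitigation described in this PR on a node, as an added example that is not part of the PR or of Scalingo's tooling. It assumes the modules were disabled through modprobe.d `install`/`blacklist` rules, which the bulletin does not state; the function names, sample inputs and config file name are constructed for illustration.

```python
TARGETS = ("esp4", "esp6", "rxrpc")  # modules named in the bulletin

# Constructed sample inputs, not taken from any real host.
SAMPLE_PROC_MODULES = """\
rxrpc 380928 0 - Live 0x0000000000000000
ip6_udp_tunnel 16384 1 rxrpc, Live 0x0000000000000000
overlay 151552 12 - Live 0x0000000000000000
"""
SAMPLE_MODPROBE_CONF = """\
# hypothetical /etc/modprobe.d/ssb-2026-002.conf
install esp4 /bin/false
blacklist esp6
install rxrpc /bin/false
"""

def norm(name):
    # modprobe treats '-' and '_' in module names as equivalent
    return name.replace("-", "_")

def loaded_modules(proc_modules):
    # The first column of /proc/modules is the module name
    return {norm(l.split()[0]) for l in proc_modules.splitlines() if l.strip()}

def load_policy(conf):
    policy = {}
    for line in conf.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "install" and len(fields) >= 3:
            # Only a no-op command (/bin/false, /bin/true) prevents the load
            if fields[2].rsplit("/", 1)[-1] in ("false", "true"):
                policy[norm(fields[1])] = "install-blocked"
        elif fields[0] == "blacklist" and len(fields) == 2:
            policy.setdefault(norm(fields[1]), "blacklist-only")
    return policy

def audit(proc_modules, conf, targets=TARGETS):
    loaded, policy = loaded_modules(proc_modules), load_policy(conf)
    report = {}
    for mod in targets:
        rule = policy.get(norm(mod), "none")
        if norm(mod) in loaded:
            report[mod] = "loaded"   # resident code; config rules do not unload it
        elif rule == "install-blocked":
            report[mod] = "ok"
        elif rule == "blacklist-only":
            report[mod] = "weak"     # alias autoload is off, a load by name is not
        else:
            report[mod] = "exposed"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PROC_MODULES, SAMPLE_MODPROBE_CONF))
```

On a real node, pass the contents of `/proc/modules` and the concatenated `/etc/modprobe.d/*.conf` files instead of the samples.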