oss-sec mailing list archives
Re: Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break
From: Sam James <sam () gentoo org>
Date: Fri, 08 May 2026 11:05:37 +0100
SiCk <sick () afflicted sh> writes:
Hi, I'm _SiCk
Hi,
(afflicted.sh, 0xdeadbeefnetwork on GitHub). The May 7 LWN piece on "Dirty Frag" raises the question of how the bug surfaced before Hyunwoo Kim's May 12 coordinated disclosure. At least one of the public artifacts in circulation — my "Copy Fail 2: Electric Boogaloo" repo — is an n-day built from the public netdev fix commit, not a break from inside the embargo. Timeline on my end: - Steffen Klassert's fix landed publicly on netdev/net.git as commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4. Brad Spengler (@spendergrsec) publicly called the commit copyfail-class. - I read the commit, recognized the xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW path against shared pipe pages as an LPE primitive, and built a PoC. - Published to GitHub and afflicted.sh on May 7. The repo credits Kim and Chen (discovery, upstream fix), Klassert (maintainer fix), Spengler (public call-out), and Theori/Xint (original Copy Fail, CVE-2026-31431) directly in the README. I had no contact with anyone on the linux-distros embargo, no awareness of the May 12 disclosure date, and no access to Kim's write-up or PoC. The work is n-day weaponization from a public upstream commit, which is standard practice once a security-relevant fix lands in a public tree. Flagging this so parallel n-day work isn't characterized as a leak from inside the coordinated process.
Thank you for stating this clearly. I've seen a few people confused by this and it's important to correct the record. It's also important because it tells us a lot about how folks are quickly going from fixes -> exploits.
[...]
sam
Attachment:
signature.asc
Description:
Current thread:
- Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break SiCk (May 07)
- Re: Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break Sam James (May 08)
