oss-sec mailing list archives

Re: Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break


From: Sam James <sam () gentoo org>
Date: Fri, 08 May 2026 11:05:37 +0100

SiCk <sick () afflicted sh> writes:

Hi, I'm _SiCk

Hi,


(afflicted.sh, 0xdeadbeefnetwork on GitHub).

 The May 7 LWN piece on "Dirty Frag" raises the question of how the bug surfaced before Hyunwoo Kim's May 12 
coordinated
disclosure.

 At least one of the public artifacts in circulation — my "Copy Fail 2: Electric Boogaloo" repo — is an n-day built 
from
the public netdev fix commit, not a break from inside the embargo. 

Timeline on my end: - Steffen Klassert's fix landed publicly on netdev/net.git as commit 
f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4.   

 Brad Spengler (@spendergrsec) publicly called the commit copyfail-class. - I read the commit, recognized the xfrm
ESP-in-UDP MSG_SPLICE_PAGES no-COW path against shared pipe pages as an LPE primitive, and built a PoC. 

- Published to GitHub and afflicted.sh on May 7. The repo credits Kim and Chen (discovery, upstream fix), Klassert
(maintainer fix), Spengler (public call-out), and Theori/Xint (original Copy Fail, CVE-2026-31431) directly in the
README.

 I had no contact with anyone on the linux-distros embargo, no awareness of the May 12 disclosure date, and no access 
to
Kim's write-up or PoC. The work is n-day weaponization from a public upstream commit, which is standard practice once 
a
security-relevant fix lands in a public tree. Flagging this so parallel n-day work isn't characterized as a leak from
inside the coordinated process.

Thank you for stating this clearly. I've seen a few people confused by
this and it's important to correct the record.

It's also important because it tells us a lot about how folks are
quickly going from fixes -> exploits.

[...]

sam

Attachment: signature.asc
Description:


Current thread: