by itintheory 29 days ago
Sounds like this one is in the same kernel modules as dirtyfrag, so the existing mitigations (if in place) are sufficient.

Red Hat's mitigation is this:

  $ cat /etc/modprobe.d/dirtyfrag.conf
  install esp4 /bin/false
  install esp6 /bin/false
  install rxrpc /bin/false

Are those correct for this exploit?

https://access.redhat.com/security/vulnerabilities/RHSB-2026...
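
An added example, not part of the thread or of Red Hat's bulletin: a shell check that the three `install` rules quoted above are present and that none of the modules is already loaded, since an `install` rule only changes what `modprobe` does on later load requests and does not unload a module that is already in the kernel. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the esp4/esp6/rxrpc modprobe rules quoted in the thread.
MODULES="esp4 esp6 rxrpc"

# is_blocked MODULE DIR...: true if a *.conf in DIR maps MODULE to /bin/false or /bin/true.
is_blocked() {
    _mod=$1; shift
    for _dir in "$@"; do
        for _f in "$_dir"/*.conf; do
            [ -f "$_f" ] || continue
            awk -v m="$_mod" '$1 == "install" && $2 == m &&
                ($3 == "/bin/false" || $3 == "/bin/true") { hit = 1 }
                END { exit !hit }' "$_f" && return 0
        done
    done
    return 1
}

# is_loaded MODULE FILE: true if MODULE is listed in a /proc/modules-format FILE.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# check_mitigation PROC_MODULES DIR...: report each module; non-zero if any gap remains.
check_mitigation() {
    _proc=$1; shift; _rc=0
    for _m in $MODULES; do
        if ! is_blocked "$_m" "$@"; then
            echo "$_m: no install rule found"; _rc=1
        elif is_loaded "$_m" "$_proc"; then
            echo "$_m: rule present but module already loaded (unload or reboot)"; _rc=1
        else
            echo "$_m: blocked and not loaded"
        fi
    done
    return $_rc
}

# Constructed sample data (not from a real host): all three rules, rxrpc still loaded.
DEMO=$(mktemp -d)
mkdir "$DEMO/modprobe.d"
printf 'install %s /bin/false\n' esp4 esp6 rxrpc > "$DEMO/modprobe.d/dirtyfrag.conf"
printf 'rxrpc 180224 0 - Live 0x0000000000000000\n' > "$DEMO/proc_modules"
check_mitigation "$DEMO/proc_modules" "$DEMO/modprobe.d" || echo "mitigation incomplete"
```

On a real host the call would be `check_mitigation /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d`. The check only recognises plain `install <module> /bin/false` or `/bin/true` lines and does not detect functionality compiled into the kernel rather than built as a module.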

Yep, that's the advice from AWS for the previous set of vulnerabilities:

https://aws.amazon.com/security/security-bulletins/2026-027-...

That one also includes disabling user namespaces. Could be problematic if they're in use.

I don't know, but the problem with blocking esp4 and esp6 is that IPsec stops working, as I understand it.
For those who can, I would recommend upgrading to WireGuard.