baggy_trough 3 hours ago

Disclosure Timeline

2026-04-29: Submitted detailed information about the rxrpc vulnerability and a weaponized exploit that achieves root privileges on Ubuntu to security@kernel.org.

2026-04-29: Submitted the patch for the rxrpc vulnerability to the netdev mailing list. Information about this issue was published publicly.

2026-05-07: Submitted detailed information about the vulnerability and the exploit to the linux-distros mailing list. The embargo was set to 5 days, with an agreement that if a third party publishes the exploit on the internet during the embargo period, the Dirty Frag exploit would be published publicly.

2026-05-07: Detailed information and the exploit for the esp vulnerability were published publicly by an unrelated third party, breaking the embargo.

2026-05-07: After obtaining agreement from distribution maintainers to fully disclose Dirty Frag, the entire Dirty Frag document was published.

flumpcakes 3 hours ago | parent

7 days from disclosure to publishing a how-to guide to get root to the entire planet doesn't scream "responsible" disclosure to me.

bawolff 3 hours ago | parent | next

It's not the reporter's fault that other people broke the embargo.

progval 2 hours ago | parent

They don't have to publish a working exploit as soon as the embargo is broken, though.

throw0101c 2 hours ago | parent | next

Perhaps, but if the exploit code is published folks can double-check that they implemented the mitigations properly.

If there's no PoC, how can you really be sure?

john_strinlai 2 hours ago | parent | prev | next

Anyone who will use the exploit maliciously will immediately and trivially be able to create a working exploit.

mike_d 2 hours ago | parent | prev

Why not? There has already been a working exploit floating around, at least now it comes from an authoritative source.

firer 3 hours ago | parent | prev | next

My immediate reaction was the same.

But this is very similar to Copy Fail, and I'm assuming there was an assumption that others might also discover this soon as well. Hence the urgency.

At least that's my charitable interpretation.

lofaszvanitt 2 hours ago | parent | prev

WTF cares? Publishing them without disclosure is the true way, otherwise no one would care about security and your data.