Hi,

With the help of several maintainers and developers, a v5 patch resolving the "publicly disclosed" Dirty Frag variants other than the CVE-2026-46300 (fragnesia) variant has been merged into netdev:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=48f6a5356a33dd78e7144ae1faef95ffc990aae0

Separately, the patch resolving CVE-2026-46300 alone has been split into its own patch:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f84eca5817390257cef78013d0112481c503b4a3

This 48f6a5356a33 patch addresses four "publicly disclosed" variants:

1. https://lore.kernel.org/all/agRhFtawP06hWyRa@v4bel/ (2026-05-13)
2. https://lore.kernel.org/all/agSx78pXBFCdn08p@v4bel/ (2026-05-13)
3. https://lore.kernel.org/all/agVpIsaSherjHTYg@sultan-box/ (2026-05-14)
4. https://github.com/v12-security/pocs/tree/main/fragnesia-5db89c99566fc (2026-05-15)

Note that the fourth PoC was confirmed to be blocked as well by the v3 fix (skb_gro_receive) [1] that resolves the third PoC, and the v4 [2] and v5 [3] changes address potential issues.

As long as the in-place path in esp remains, further variants of this kind are expected to be found in the esp module. As mentioned previously, I recommend keeping the mitigation in place for the time being.

This patch has been verified against various selftests and stress tests without issues, but it would be appreciated if distro maintainers could additionally test whether this patch introduces any regressions.

Best regards,
Hyunwoo Kim

[1]: https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/
[2]: https://lore.kernel.org/all/aga1VyHpHaUhnGZa@v4bel/
[3]: https://lore.kernel.org/all/ageeJfJHwgzmKXbh@v4bel/
