However, it is in the same surface and the mitigation is the same as for dirtyfrag.

phew

Where’s the CVE? Was there an attempt at responsible disclosure? Was confidentiality breached? Did they coordinate this release with the devs like the dirtyfrag people did? This “announcement” doesn’t answer any of these questions and I am frustrated by it.

EDIT: Ok, there IS a CVE: https://security-tracker.debian.org/tracker/CVE-2026-46300