But is not the recommended way to use CVE.

Curious phrasing. Does that mean the patch (not: the mitigation) will work for this as well or no?

Here we have fragnesia.

It has been said that CVE-2026-46300 has been assigned for this issue, except that it hasn't. At least not yet.
And in case you don't yet believe that the Linux kernel's handling of CVEs is malicious compliance, note the wording of the CVE mention:

For those that like to track these by CVE ids...

Ubuntu (and Debian?) isn't affected, due to default AppArmor rules.

The same mitigation for Dirty Frag blocks this as well, so if you were on top of Dirty Frag protections, you don't need to worry about fragnesia.

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

(sorry, I thought I already had posted this one)

I tried multiple connections (we have two ISPs at home - hello redundancy) and sometimes it server side remembers the output language. Not sure why yet as I could not reliably reproduce this. This is intriguing. Any ideas?

//end (for now)

I just compared these:

```
curl --verbose --cookie-jar - 'https://ikotaslabs.com/news/2026-05-11?page=1&lang-en'
curl --verbose --cookie-jar - 'https://ikotaslabs.com/news/2026-05-11?lang-en'
```

and

```
curl --verbose --cookie-jar - --cookie "lang=en" 'https://ikotaslabs.com/news/2026-05-11?page=1'
```

The first two deliver Japanese returning cookie `lang=ja` ; the last one delivers English with a cookie `lang=en`.

All deliver `<html lang="ja">` which is very odd for the second one.

Odd indeed, and I still think it is caused by the `lang=en` request cookie being absent or present: the Mastodon preview cards are generated server side without sending cookies.

There is a good description of the Mastodon preview cards state of affairs at https://box464.com/posts/mastodon-preview-cards/

(I had to in-place edit `data-mode="dark"` in the html header into `data-mode="light"` to force it to become readable)

The preview request is at https://github.com/mastodon/mastodon/blob/main/app/services/fetch_link_card_service.rb#L56 (search for `Request.new`).

The web is full of surprises, not limited to security vulnerabilities (;

That's a nice find.

Just tried in an incognito Window without Google Translate active but with JavaScript active.

- Japanese: https://ikotaslabs.com/news/2026-05-11?page=1
- English: https://ikotaslabs.com/news/2026-05-11?lang=en
- English as well: https://ikotaslabs.com/news/2026-05-11?page=1&lang=en
- English as well: https://ikotaslabs.com/news/2026-05-11?page=1

I think it is setting a lang=en cookie the first time it encounters a lang=en parameter, but does not always return an English translated page unless the lang=en cookie is in the request.

Interstingly if I get rid of the page=1 part of your link, it works fine.

So far, patches have only landed in today's Linux 7.0.6 and 6.18.29.

An “embargo” with patches in public is… always going to be fragile. (Looks like “accidental duplicate find” here, because of first copy fail.)

oss-security - Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break

(www.openwall.com)