Where’s the CVE? Was there an attempt at responsible disclosure? Was confidentiality breached? Did they coordinate this release with the devs like the dirtyfrag people did? This “announcement” doesn’t answer any of these questions and I am frustrated by it.

EDIT: Ok, there IS a CVE: https://security-tracker.debian.org/tracker/CVE-2026-46300

However, it is in the same surface and the mitigation is the same as for dirtyfrag.

phew