Scaleway Patches Kapsule Against Dirty Frag Kernel LPE After Functions-Runner Container Escape Risk Flagged
Scaleway has issued a security advisory addressing CVE-2026-43284, a Linux kernel local privilege escalation vulnerability affecting the ESP IPsec transform modules (`esp4`/`esp6`) and the AF_RXRPC socket family (`rxrpc`). The flaw mirrors the threat shape of CVE-2026-31431 (Copy Fail), allowing a local unprivileged user to escalate to root or escape a container. On Kapsule managed Kubernetes nodes, the functions-runner pods execute untrusted tenant JavaScript on shared infrastructure — making the LPE-to-escape attack path a direct operational risk.
The mitigation deploys a DaemonSet (`deploy/k8s/security/disable-dirty-frag.yaml`) that writes an `install <module> /bin/false` directive for each of `esp4`, `esp6` and `rxrpc` into `/etc/modprobe.d/` on every node, so that any later attempt to load them fails, and forcibly removes any already-loaded copies with `rmmod`. The DaemonSet tolerates all taints, so nodes brought up by the cluster autoscaler receive the hardening on first boot, before they handle workloads. A corresponding update to `.github/workflows/ci.yml` adds a `kubectl apply -f` step in the security block, positioned before any pod restart, consistent with the approach used for the earlier Copy Fail vulnerability.
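As an added illustration, not Scaleway's manifest or CI code, the following POSIX shell script performs the node-side steps the DaemonSet is described as doing and verifies the result; the drop-in file name `disable-dirty-frag.conf` and the `MODPROBE_DIR` override are assumptions.

```shell
#!/bin/sh
# Constructed example of the per-node hardening: block future loads of
# esp4/esp6/rxrpc with modprobe "install" directives, then unload any copy
# already resident. MODPROBE_DIR is an assumed knob for testing off-node.
set -eu
MODULES="esp4 esp6 rxrpc"

# Path of the drop-in file; the file name is an assumption.
conf_path() {
    printf '%s/disable-dirty-frag.conf' "${MODPROBE_DIR:-/etc/modprobe.d}"
}

# Write one "install <mod> /bin/false" line per module: modprobe then runs
# /bin/false instead of loading the module, for explicit loads and alias
# autoloads alike. Truncate first so repeated DaemonSet runs stay idempotent.
write_modprobe_block() {
    conf=$(conf_path)
    mkdir -p "$(dirname "$conf")"
    : > "$conf"
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
}

# Succeed only if every module has exactly the expected directive.
verify_modprobe_block() {
    conf=$(conf_path)
    for m in $MODULES; do
        grep -qx "install $m /bin/false" "$conf" || return 1
    done
}

# The directives only stop future loads; a module already in memory must be
# removed. rmmod fails while the module has users (e.g. an active IPsec SA),
# in which case the node still needs a reboot, so report rather than abort.
unload_loaded_modules() {
    for m in $MODULES; do
        if grep -q "^$m " /proc/modules 2>/dev/null; then
            rmmod "$m" || echo "warning: $m still loaded and in use" >&2
        fi
    done
}

# Entry point used by the DaemonSet command; not run when sourced for tests.
if [ "${1:-}" = "--apply" ]; then
    write_modprobe_block
    verify_modprobe_block || { echo "verification failed" >&2; exit 1; }
    unload_loaded_modules
fi
```

Run it with `--apply` from a privileged DaemonSet container that mounts the host's `/etc/modprobe.d` and `/proc`; afterwards `modprobe -n -v esp4` on the node should show only the `install /bin/false` action rather than a module load.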
A risk check confirms that `esp4`, `esp6`, and `rxrpc` are not on the gateway, worker, or functions-runner hot path. The assessment found no functional dependency that would be disrupted by blocking these modules, meaning the hardening can be applied without expected service degradation. The change has been merged into the repository's security configuration.