Status of Vulnerability Mitigations
Since late April 2026, multiple vulnerabilities affecting the operation of ABCI 3.0 have been reported. Considering the potential impact on ABCI users, we summarize and share the current status of our response efforts.
Current Limitations
As a side effect of the implemented mitigations, the following restriction is in place as of May 16, 2026, 15:25:
- General users cannot use the
ptrace() system call or debuggers that rely on it (e.g., gdb, strace)
Summary of Mitigation Status
- Copy Fail
- CVE: CVE-2026-31431
- Mitigation date/time: April 30, 2026, 18:15
- Details: Mitigation was applied at the start of ABCI 3.0 service, and it has been confirmed that there is no impact on all nodes.
- DirtyFrag
- CVE: CVE-2026-43284, CVE-2026-43500
- Mitigation date/time: May 8, 2026, 12:53
- Details: Mitigation has been applied and verified to have no impact on all nodes.
- NGINX Rift
- CVE: CVE-2026-42945
- Mitigation date/time: May 14, 2026, 15:15
- Details: Confirmed that
ngx_http_rewrite_module is not used in any services where NGINX is deployed.
- Fragnesia
- CVE: CVE-2026-46300
- Mitigation date/time: May 14, 2026, 10:30
- Details: Confirmed that the mitigation applied for DirtyFrag is also effective against this vulnerability.
- ssh-keysign-pwn
- CVE: CVE-2026-46333
- Mitigation date/time: May 16, 2026, 15:25
- Details: Mitigation has been applied and verified to have no impact on all nodes. As a side effect, general users cannot use the
ptrace() system call or debuggers that rely on it (e.g., gdb, strace).
- DirtyDecrypt / DirtyCBC
- CVE: CVE-2026-31635
- Mitigation date/time: May 17, 2026, 20:25
- Details: Verified that
CONFIG_RXGK is disabled on the affected nodes, and therefore they are not impacted.
