40 changes: 19 additions & 21 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ As of 2026-05-10:

| Area | Status | Notes |
| --- | --- | --- |
| Release artifacts | Proven, signed candidate queued | `v6.19.5-xr10` is the latest published secured lab release with generic and RT RPMs. Signed tag `v6.19.5-xr11` is queued in the tag-backed release workflow after a successful workflow-dispatch generic and RT proof for the expanded Dirty Frag RxRPC RXGK route. |
| Release artifacts | Published, host validation pending | `v6.19.5-xr11` is the latest published/downloadable secured lab release with generic RPMs, RT RPMs, and `SHA256SUMS`. `v6.19.5-xr10` remains the latest host boot-proven secured line until an approved lab boot validates `6.19.5-11.xr.el10`. |
| `honey` rollout | Proven (generic) | `honey` is persistently defaulted to the generic XR kernel lane. |
| `honey` RT boot | Reboot-valid, gated | RT boot and `/sys/kernel/realtime=1` verification succeeded; Dell's repeated host packet is cautionary, so regular use still needs downstream deadline evidence. |
| `yoga` rollout | Proven one-time generic boot | Generic XR RPM install and one-time boot succeeded; stock Rocky remains the persistent fallback. |
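Review bot: the rewritten Release artifacts row drops the word "signed" that the previous row used for the `v6.19.5-xr11` tag and lists only `SHA256SUMS` as the published verification asset. A checksum file fetched from the same release page as the RPMs proves the download was not corrupted, not who produced it; if the tag and RPMs are still signed, say so in this row and name the key or signature the lab should verify before the host boot validation mentioned in the Notes column, and if they are no longer signed, the old row's "signed" claim should not be dropped silently.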
Expand Down Expand Up @@ -313,9 +313,9 @@ adding, dropping, or upstreaming a repo-managed CVE or public security backport.

| CVE | Public name | linux-xr status | Repo links | External references |
| --- | --- | --- | --- | --- |
| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10`; signed candidate `v6.19.5-xr11` keeps the same stable `6.19.y` backport on top of the vulnerable `6.19.5` base and has a successful workflow-dispatch RPM proof while the tag-backed Release is queued. Fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases. | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` proof run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) |
| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base, and signed candidate `v6.19.5-xr11` keeps it with workflow-dispatch generic and RT proof while the tag-backed Release is queued. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. | [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` proof run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) |
| CVE-2026-43500 | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current `xr/main` also carries the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK; signed candidate `v6.19.5-xr11` is the first release candidate with RXKAD plus RXGK coverage and has a successful workflow-dispatch RPM proof while the tag-backed Release is queued. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. | [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` proof run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) |
| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10` and published `v6.19.5-xr11`; xr11 keeps the same stable `6.19.y` backport on top of the vulnerable `6.19.5` base. Fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases. | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr11), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) |
| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base, and published `v6.19.5-xr11` carries it forward with generic and RT RPMs plus `SHA256SUMS`. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. | [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr11), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) |
| CVE-2026-43500 | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Published `v6.19.5-xr11` is the first release with RXKAD plus RXGK coverage on the lab base. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. | [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr11), [`xr11` release run](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) |

## SELinux and Security Config

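Review bot: the CVE-2026-43500 row now calls `v6.19.5-xr11` "the first release with RXKAD plus RXGK coverage on the lab base" without the host-validation caveat that the status table applies to the same release; add "host validation pending" so a reader of this table alone does not take xr11 as the proven line. Two smaller points: the "As of the 2026-05-09 linux-xr check" sentence was not refreshed in this 2026-05-10 update, so state whether NVD/CVE.org were rechecked or keep the older date deliberately; and only the Copy Fail row links a live check (`xr/scripts/check-cve-2026-31431-live.sh`), so say how the ESP and RxRPC backports will be confirmed present in the booted `6.19.5-11.xr.el10` kernel, because the planned boot validation otherwise only proves that the kernel boots.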
Expand Down Expand Up @@ -343,29 +343,27 @@ drift fails before an RPM can be accepted.

## Upstream status

As of 2026-05-10, the latest published secured linux-xr lab release is
[`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10).
As of 2026-05-10, the latest published/downloadable secured linux-xr lab release
is [`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr11).
It keeps the `6.19.5` lab base but carries repo-managed
[`CVE-2026-31431`](#known-patched-cves-and-security-backports),
`CVE-2026-43284` Dirty Frag ESP, and `CVE-2026-43500` Dirty Frag
RxRPC backports. The generic `xr10` runtime is boot-proven on
`mbp-13` and `honey`; RT artifacts are published but remain gated on explicit
RT host validation. Kernel.org now lists
RxRPC RXKAD/RXGK backports. Generic and RT RPMs plus `SHA256SUMS` are
published. The generic `xr10` runtime remains boot-proven on `mbp-13` and
`honey`; xr11 still needs explicit lab host boot validation before it becomes
the host-proven rollout line. Kernel.org now lists
`6.19.14` as EOL; it remains useful as a bounded compatibility proof, but it
should not become the long-lived lab target. Issue
[#37](https://github.com/tinyland-inc/linux-xr/issues/37) tracks rebasing the
lab line to a selected maintained stable or longterm base and triaging all
carry patches.

The current signed release candidate is
[`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270)
from `xr/main` commit `e25a1a77`. The prior workflow-dispatch proof
[`25609434372`](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372)
passed generic and RT RPM builds. `xr11` keeps the `6.19.5` compatibility base,
adds the Dirty Frag RxRPC RXGK backport alongside the existing RXKAD route, and
should supersede `xr10` for lab rollout only after the tag-backed Release
publishes RPMs plus checksums and the target hosts boot the exact
`6.19.5-11.xr.el10` kernel.
The published `v6.19.5-xr11` release comes from `xr/main` commit
`e25a1a77`. The tag-backed run
[`25615643270`](https://github.com/tinyland-inc/linux-xr/actions/runs/25615643270)
completed generic, RT, and release jobs. `xr11` should supersede `xr10` for
lab rollout only after target hosts boot the exact `6.19.5-11.xr.el10` kernel
and record SELinux, RPM, rollback, and default-boot evidence.

Current ingestion checkpoint:

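Review bot: the replacement paragraph removes the RT-specific gate from the previous text ("RT artifacts are published but remain gated on explicit RT host validation") and folds it into one "xr11 still needs explicit lab host boot validation" sentence, while the status table above still gates RT boot separately from generic boot. Keep the RT gate explicit here too, for example "generic and RT artifacts are published; each needs its own host boot validation, and RT additionally needs the `/sys/kernel/realtime=1` check", so a generic xr11 boot cannot be read as clearing RT. The reference to the workflow-dispatch proof run `25609434372` is also gone; since the tag-backed run built the same `e25a1a77` commit, one sentence keeping that link preserves the generic-and-RT build lineage for the published release.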
Expand Down Expand Up @@ -399,9 +397,9 @@ Current ingestion checkpoint:

| Patch/workstream | Upstream status | Next action |
|-------|----------------|-----|
| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base, and signed candidate `xr11` keeps it | Keep fleet rollout on `xr10` until the `xr11` tag-backed Release publishes assets and host boot evidence exists, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. |
| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the latest published secured lab release until the `xr11` tag-backed Release publishes assets and host boot evidence exists, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. |
| CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; linux-xr carries RXKAD and RXGK linearize/COW backports until that upstream floor is proven | Publish and boot-validate `xr11` for the EOL `6.19.5` lab line, and keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. |
| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr11` carries the `6.19.y` backport on the current `6.19.5` lab base | Keep fleet rollout on the host-proven `xr10` boot line until xr11 host boot evidence exists, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. |
| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport in published `xr11` | Keep `v6.19.5-xr11` as the published secured lab release while boot-validating it, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. |
| CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; published `xr11` carries RXKAD and RXGK linearize/COW backports | Boot-validate `xr11` for the EOL `6.19.5` lab line, and keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. |
| VESA DisplayID DSC BPP parser / amdgpu handling | In-flight upstream series; not present in current upstream checkout | Track Bolyukin v7 fixed-DSC-BPP series and drop this part when it lands. |
| QP table + RC offset adjustments | Local carry; not submitted as a standalone upstream series | Split from the DisplayID parser carry using `xr/patches/0007-vesa-dsc-bpp.map.md` and decide whether this is evidence-backed upstream material or host-only risk. |
| EDID non-desktop quirk for `BIG/0x1234` and `BIG/0x5095` | Absent from current upstream checkout | Follow `xr/patches/bigscreen-beyond-edid.route.md`: local `BIG/0x1234` evidence now proves `non-desktop=1`; next regenerate an upstream/drm-misc topic patch and send via the DRM route. |
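Review bot: the CVE-2026-31431 row's Next action still ends with "Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC ...", a CVE-2026-43500 point carried over from the old row; move it to the RxRPC row so the Copy Fail row stays about `algif_aead`. The ESP row's "keep `6.12.87` as a fallback candidate only after an RPM proof succeeds" should also say that `6.12.87` still needs the RxRPC backport (the RxRPC row lists `6.12.x` among the bases relying on the linux-xr route), otherwise "stop treating fixed maintained bases as needing the ESP backport" reads as if `6.12.87` is clean.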
2 changes: 1 addition & 1 deletion xr/security/README.md
Expand Up @@ -12,7 +12,7 @@ feature carry; use `xr/patches/` for that path.
| `cve-2026-31431-algif-aead.patch` | Linux stable `6.19.y` commit `ce42ee423e58`, backporting mainline `a664bf3d603d` | Applied automatically for vulnerable `6.19.x` bases before RT and XR carry patches |
| `dirtyfrag-esp-shared-frag.patch` | `CVE-2026-43284` Dirty Frag ESP mitigation from netdev/net commit `f4c50a4034e6` | Applied automatically for supported vulnerable `6.18.x`, `6.19.x`, and pre-`7.0.5` `7.0.x` bases before RT and XR carry patches; fixed maintained bases such as `6.12.87`, `6.18.28`, and `7.0.5` do not need this backport |
| `dirtyfrag-rxrpc-linearize.patch` | `CVE-2026-43500` linux-xr RXKAD backport adapted from the public Dirty Frag RxRPC patch route; Debian now tracks fixed package builds, but this repo has not yet recorded a kernel.org fixed floor | Applied automatically for supported vulnerable `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases before RT and XR carry patches until an upstream fixed floor is published and proven |
| `dirtyfrag-rxrpc-rxgk-linearize.patch` | `CVE-2026-43500` linux-xr RXGK backport for DATA/RESPONSE in-place decrypt paths; `v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage on the EOL `6.19.5` lab base | Applied automatically with the RXKAD backport for supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK until an upstream fixed floor is published and proven |
| `dirtyfrag-rxrpc-rxgk-linearize.patch` | `CVE-2026-43500` linux-xr RXGK backport for DATA/RESPONSE in-place decrypt paths; published `v6.19.5-xr11` is the first release with RXKAD plus RXGK coverage on the EOL `6.19.5` lab base | Applied automatically with the RXKAD backport for supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK until an upstream fixed floor is published and proven |

Other affected kernel lines remain guarded by `xr/scripts/build-rpm.sh`, but do
not have repo-managed backports here. Use a fixed upstream floor, vendor-fixed
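Review bot: the RXGK row says the backport is "Applied automatically ... for supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK" but does not say how `xr/scripts/build-rpm.sh` decides that a base carries RXGK. State the criterion (for example which source file or Kconfig symbol it tests), because a base that has RXGK but fails the detection would build without the patch while this table still describes it as covered; the same applies to the "supported vulnerable" version test in the RXKAD row.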
19 changes: 10 additions & 9 deletions xr/source-sync.md
Expand Up @@ -5,15 +5,16 @@ upstream stable target. It is separate from the RPM proof-build path.

## Current target

As of 2026-05-09:

- Current lab release line: `v6.19.5-xr10` is published and boot-proven on
`mbp-13` and `honey`
- Current merged build candidate: `v6.19.5-xr11` from `xr/main` commit
`3b55106d`, carrying `CVE-2026-31431`, `CVE-2026-43284`, and both
`CVE-2026-43500` RxRPC RXKAD/RXGK backports. It should not replace `xr10`
in rollout docs until generic and RT artifacts are uploaded and target hosts
boot the exact `6.19.5-11.xr.el10` kernel.
As of 2026-05-10:

- Current published/downloadable lab release line: `v6.19.5-xr11` from
`xr/main` commit `e25a1a77`, with generic RPMs, RT RPMs, and `SHA256SUMS`
published on GitHub. It carries `CVE-2026-31431`, `CVE-2026-43284`, and both
`CVE-2026-43500` RxRPC RXKAD/RXGK backports.
- Current host boot-proven line: `v6.19.5-xr10` is boot-proven on `mbp-13` and
`honey`. xr11 should not replace `xr10` in host-proven rollout docs until
target hosts boot the exact `6.19.5-11.xr.el10` kernel and record SELinux,
RPM, rollback, and default-boot evidence.
- Bounded EOL compatibility proof target: `v6.19.14`
- Maintained generic candidate targets: `v7.0.5` stable and `v6.18.28` longterm
- Longterm fallback watch: `v6.12.87`, still pending a successful RPM proof.
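Review bot: the candidate commit moves from `3b55106d` in the old text to `e25a1a77` without a word on what changed between them; add one line, or a link to the comparison, so a reader can tell whether evidence gathered against the earlier candidate still applies to the published tree. The bullet on the host boot-proven line is good as written, but it should also record that the RT artifacts have their own gate, since the README status table still tracks RT boot separately from generic boot.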