Dirty Frag kernel CVEs (CVE-2026-43284 / CVE-2026-43500) - ESP/IPsec path - follow-up to the Copy Fa

Dear Zyxel team

There is already a helpful thread on the related Copy Fail vulnerability where a Zyxel employee confirmed the appliance is not practically exposed, since exploitation needs a local unprivileged user to run code and the firewall/AP do not offer that attack surface:

https://community.zyxel.com/en/discussion/32815/linux-expoit-cve-2026-31431

I would like to ask specifically about the related "Dirty Frag" disclosure, which that thread predates and does not cover:

• CVE-2026-43284 - xfrm/ESP IPsec input path (esp4, esp6 modules)
• CVE-2026-43500 - the RxRPC page-cache write half of the chain

These are Linux kernel local privilege escalation flaws affecting mainline kernels since 2017. What makes them more relevant to me than Copy Fail is the location: CVE-2026-43284 sits in the ESP/IPsec input path, not the crypto subsystem - directly in code that anyone running IPsec VPN on ZLD is exercising.

My questions (I run a USG FLEX 50W, originally branded USG20W-VPN, on firmware V5.42 ABAR.1):

1. Is the vulnerable ESP code even present and reachable in ZLD's kernel?
2. Does the same "no local shell, so not practically exploitable" reasoning from the Copy Fail thread apply equally to Dirty Frag, or does the IPsec processing path change the picture?
3. If a fix is needed, what is the planned remediation and timeline?

One related point raised in the other thread that I would value a comment on: a web-service RCE could in principle chain past the "needs local access" precondition without the attacker touching the firewall directly. Does that scenario affect Zyxel's assessment here?

Thanks in advance.