# Dirty Frag (CVE-2026-43284)

## Description

[CVE-2026-43284](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), also known as Dirty Frag, is a vulnerability in the Linux kernel's IP fragment reassembly path affecting the IPsec (`esp4`, `esp6`, `ipcomp`, `ipcomp6`) and RxRPC (`rxrpc`) subsystems. AWS has issued a [security bulletin](https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/) for this issue. The affected kernel modules can be exploited by a local attacker to achieve privilege escalation.

## Impact

There is no downtime expected from this change. The affected kernel modules (`esp4`, `esp6`, `ipcomp`, `ipcomp6`, `rxrpc`) are unloaded on all nodes and blacklisted so they cannot be reloaded. A filesystem cache flush is performed afterward to ensure a clean state.

## Changes

- Places a boot hook (`00-dirty-frag-mitigation`) on the shared storage at `/mnt/jrc-comms/hooks/boot.d/` so the mitigation is applied automatically on every instance boot, even after AMI replacements.
- The hook blacklists the `esp4`, `esp6`, `ipcomp`, `ipcomp6`, and `rxrpc` modules via `/etc/modprobe.d/p014c-disable-dirtyfrag.conf` and unloads any that are currently loaded.
- Runs the hook immediately on all nodes so the mitigation takes effect without waiting for a reboot.
- Flushes filesystem caches on all nodes after the mitigation is applied.
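A sketch of what such a boot hook looks like, added here as an example and not the page's own `00-dirty-frag-mitigation` script; the function names and the `APPLY_MITIGATION`, `CONF` and `MODULES_FILE` variables are assumptions, and the sample `/proc/modules` input used for dry runs is constructed:

```shell
#!/bin/sh
# Added example sketch of a Dirty Frag mitigation hook; not the page's own
# 00-dirty-frag-mitigation script. Function names and variables are assumptions.
set -e
MODULES="esp4 esp6 ipcomp ipcomp6 rxrpc"
CONF="${CONF:-/etc/modprobe.d/p014c-disable-dirtyfrag.conf}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"

# Write the modprobe.d drop-in. "blacklist" stops alias-based autoloading;
# "install <mod> /bin/false" also makes an explicit modprobe request fail.
write_blacklist() {
    {
        echo "# Dirty Frag (CVE-2026-43284) mitigation: refuse to load affected modules"
        for m in $MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$1"
}

# Print the affected modules that are currently loaded, reading a
# /proc/modules-style file whose first column is the module name.
loaded_affected() {
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$1"; then
            echo "$m"
        fi
    done
}

# Unload whatever is loaded; modprobe -r also removes now-unused dependencies.
unload_affected() {
    for m in $(loaded_affected "$MODULES_FILE"); do
        modprobe -r "$m" || echo "warning: could not unload $m (still in use?)" >&2
    done
}

# Drop page cache, dentries and inodes after the change.
flush_caches() {
    sync
    echo 3 > /proc/sys/vm/drop_caches
}

# Applying touches /etc and the live kernel, so run only when explicitly requested (as root).
if [ "${APPLY_MITIGATION:-0}" = 1 ]; then
    write_blacklist "$CONF"
    unload_affected
    flush_caches
fi
```

Run with `APPLY_MITIGATION=1` as root to apply; without it the script only defines the functions, so `MODULES_FILE=/proc/modules sh -c '. ./hook.sh; loaded_affected "$MODULES_FILE"'` reports what would be unloaded.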

## If You Accept

The five affected kernel modules will be unloaded and blacklisted across all instances, closing this attack vector. The boot hook ensures the mitigation persists across reboots and new instances. Once a patched kernel is rolled out, the hook is harmless to leave in place.

## If You Reject

The affected modules will remain loaded, leaving your instances vulnerable to exploitation via the Dirty Frag vulnerability.
