Two weeks. Two separate research teams. Same result: full root privileges on Linux with a single command. Dirty Frag and Copy Fail are the biggest Linux security stories of May 2026 — and they affect nearly every major Linux distribution.
TL;DR
- Dirty Frag (CVE-2026-43284 + CVE-2026-43500): chained kernel bugs in IPsec ESP and RxRPC modules, working PoC published on GitHub, affects Ubuntu / RHEL / Fedora / openSUSE
- Copy Fail (CVE-2026-31431): crypto module logic bug, 732-byte Python script achieves root with 100% reliability — including Ubuntu 24.04 and Amazon Linux 2023
- Both are local vulnerabilities — the attacker must already have a foothold on the system
- Patch now — Copy Fail has an upstream fix; Dirty Frag’s RxRPC half still has no official patch
- Dirty Frag workaround: disable the vulnerable kernel modules if you don’t use IPsec VPN
Why This Matters
Linux runs the majority of internet servers, cloud infrastructure, and IoT devices. If you’re a developer, sysadmin, or security professional — or if you run Linux at home — these vulnerabilities affect you directly.
Both flaws are local privilege escalation (LPE) vulnerabilities. That means an attacker needs an existing low-privileged foothold first — through phishing, a vulnerable web application, or a stolen SSH key. Once they’re in, root is one command away.
Dirty Frag — A Nine-Year-Old Kernel Bug
What It Is
Dirty Frag chains two kernel vulnerabilities:
- CVE-2026-43284 — xfrm-ESP (IPsec packet encryption in the kernel)
- CVE-2026-43500 — RxRPC (Andrew File System transport protocol)
Researcher Hyunwoo Kim disclosed both on May 7, 2026. A working proof-of-concept is publicly available on GitHub.
How It Works
The kernel’s job is to manage memory strictly — unprivileged users must not touch protected files or memory regions. Dirty Frag bypasses this using the page cache: a region of memory where the kernel temporarily stores file data for fast access.
When the Linux kernel encrypts or decrypts IPsec network traffic, it writes directly to memory pages that are externally owned — not exclusively controlled by the kernel. An attacker uses the splice() system call to redirect those pages and gains a write primitive into protected files.
In short: a 4-byte write to the wrong place = root.
Analogy: imagine a building janitor accidentally gains write access to the manager’s contracts because they share the same copy room. Dirty Frag exploits exactly that kind of shared interface.
What Makes It Particularly Dangerous
- Deterministic — no race condition required. Many kernel exploits need millisecond-perfect timing. Dirty Frag works every time.
- Single command — the PoC grants root without complex preparation
- Long-lived bug — the ESP vulnerability has been in the kernel since approximately 2017; RxRPC since 2023
Limitations
In hardened environments — such as Kubernetes with a default seccomp profile — the attack requires CAP_NET_ADMIN, which unprivileged users don’t have. On most standard Linux installations, this restriction is absent.
Affected Distributions
Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, Fedora, openSUSE Tumbleweed.
Patch Status
- CVE-2026-43284 (ESP): patch released May 8, 2026
- CVE-2026-43500 (RxRPC): no official patch as of this writing
Workaround (If You Can’t Patch Immediately)
Disable the vulnerable kernel modules. Warning: this breaks IPsec VPN connections and AFS filesystems.
# Block module loading and remove from running kernelprintf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \ | sudo tee /etc/modprobe.d/dirtyfrag.conf
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
# Drop page cacheecho 3 | sudo tee /proc/sys/vm/drop_cachesCopy Fail — 100% Reliable Root in 732 Bytes
What It Is
CVE-2026-31431, named Copy Fail, was discovered in March 2026 by offensive security firm Theori using their Xint AI-driven code analysis platform. It was publicly disclosed in May 2026.
How It Works
Copy Fail lives in the kernel’s authencesn cryptographic template — the component handling authenticated encryption operations.
In 2017, the kernel team added a performance optimization: instead of using separate input and output buffers for cryptographic operations, the same buffer was reused for both (“in-place” processing). Faster — but it left a gap.
The attack combines two components:
- AF_ALG socket — the kernel’s cryptographic interface, accessible to unprivileged users
- splice() system call — a file operation that moves data between file descriptors without copying
By combining these, an attacker gains a 4-byte write primitive into the memory pages of setuid-root binaries — effectively modifying something like /usr/bin/sudo in memory and executing arbitrary code as root.
What Makes It Exceptional
- 732 bytes of Python — a single small script, no specialized tools required
- 100% reliability — researchers demonstrated successful exploitation on four major distribution variants
- No offsets needed — the exploit works without version-specific memory addresses, which is a common barrier in kernel exploits
Affected Systems
Kernel versions from 2017 to present. Confirmed on:
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 10.1
- SUSE 16
Patch Available
The upstream fix was released April 1, 2026 (reverting the problematic optimization). Fixed kernel versions: 6.18.22, 6.19.12, and 7.0. Fedora 42+ already includes the update.
Dirty Pipe, Dirty Frag, Copy Fail — What’s the Connection?
All three vulnerability classes exploit the same underlying mechanism: a page cache write primitive.
| Vulnerability | CVE | Year | Primitive | Patched |
|---|---|---|---|---|
| Dirty Pipe | CVE-2022-0847 | 2022 | pipe page cache write | Yes |
| Copy Fail | CVE-2026-31431 | 2026 | authencesn splice write | Yes (kernel 6.18.22+) |
| Dirty Frag | CVE-2026-43284/43500 | 2026 | ESP/RxRPC page cache write | Partial |
Dirty Pipe redefined kernel security thinking in 2022 by demonstrating that the page cache could be weaponized for privileged writes. Copy Fail and Dirty Frag follow the same logic — different modules, same principle.
What You Can Do Now
1. Update Your Kernel
This is the most important action. Check your current version and update:
# Check current kernel versionuname -r
# Ubuntu/Debiansudo apt update && sudo apt upgrade
# Fedora/RHELsudo dnf update kernel
# openSUSEsudo zypper update kernel-defaultTarget: kernel 6.18.22, 6.19.12, or 7.0+ for the Copy Fail fix. For Dirty Frag’s ESP patch, check your distribution’s security advisory page.
2. Dirty Frag: Disable Modules If You Don’t Use IPsec VPN
If your servers don’t use IPsec-based VPN connections or AFS filesystems:
# Check if modules are loadedlsmod | grep -E 'esp4|esp6|rxrpc'
# If not in use, disable themprintf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \ | sudo tee /etc/modprobe.d/dirtyfrag.conf3. Restrict Local Access
Both vulnerabilities require a local account. Reduce your exposure:
- Audit all SSH keys and user accounts on your servers
- Remove unnecessary user accounts
- Review who has sudo access:
sudo cat /etc/sudoers - Enable auditd logging for kernel-level syscalls
# Monitor splice() calls (Copy Fail indicator)sudo auditctl -a always,exit -F arch=b64 -S splice -k copy_fail_watch4. Enable Seccomp Profiles
Especially in Kubernetes and container environments — the default seccomp profile prevents the CAP_NET_ADMIN-dependent Dirty Frag attack path.
5. Follow Your Distribution’s Security Advisories
- Ubuntu Security Notices:
ubuntu.com/security/notices - Red Hat Security Advisories:
access.redhat.com/security/security-updates - AlmaLinux Security:
errata.almalinux.org
Summary
Dirty Frag and Copy Fail are a reminder that the Linux kernel is large and complex — and vulnerabilities hide where you don’t expect them. Both flaws were present for years before discovery.
The good news: Copy Fail has a patch. The bad news: Dirty Frag’s RxRPC half still has no official fix.
Update. Audit access. Disable unused modules. These three actions make your systems significantly harder to compromise.
Related Posts
- Linux Privilege Escalation: Attack Techniques and How to Detect Them — comprehensive guide to Linux privesc techniques and detection
- Linux Default Attack Surface — What Attackers See First — what an attacker sees when they first land on a Linux target
- Linux Lateral Movement: Attack and Detect 2026 — what happens after root is achieved
Sources
- BleepingComputer — New Linux ‘Dirty Frag’ zero-day with PoC exploit gives root privileges
- BleepingComputer — New Linux ‘Copy Fail’ flaw gives hackers root on major distros
- Wiz Research — Dirty Frag: Linux Kernel Local Privilege Escalation via ESP and RxRPC
- AlmaLinux — Dirty Frag Patches Released
- Tenable — Dirty Frag FAQ
- The Hacker News — Linux Kernel Dirty Frag LPE Exploit
- Sysdig — Detecting Dirty Frag