A wave of local privilege-escalation flaws targeting the Linux IPsec/xfrm code—branded Dirty Frag and Copy Fail 2—has produced reliable root exploits with public proof-of-concept code. Both issues abuse MSG_SPLICE_PAGES no-copy fast paths to cause page-cache or in-place writes, letting attackers overwrite kernel memory or files like /etc/passwd. The bugs trace back to long-lived commits (some since 2017) and affect many mainstream distributions and recent kernels, with some mitigations failing to block the new techniques. Vendors and maintainers are releasing upstream patches and module workarounds; administrators should apply updates, reboot, or unload esp/xfrm modules and restrict untrusted local access immediately.
Local Linux kernel LPEs like Copy Fail 2 let unprivileged users gain root, undermining host security and container isolation. Tech teams must track kernel fixes and public exploit code to prioritize patching and mitigation.
Dossier last updated: 2026-05-10 05:02:53
A new high-severity Linux kernel vulnerability dubbed "Dirty Frag" has been disclosed, marking the second major kernel security flaw in two weeks. The bug affects how the kernel handles fragmented network packets, allowing local attackers to trigger memory corruption and potentially escalate privileges or cause denial-of-service on many Linux distributions and embedded devices. Vendors and open-source maintainers are patching kernels; administrators are urged to apply updates, restrict untrusted local access, and monitor network-facing systems. The repeat of serious kernel bugs highlights ongoing challenges in securing widely deployed open-source infrastructure and the importance of timely patch management for cloud providers, IoT vendors, and enterprises running Linux at scale.
A new Linux local root exploit called "Dirty Frag" (CVE-2026-43284 chained with CVE-2026-43500) was disclosed May 7, 2026 and already has working public exploits. The flaw stems from how the kernel handles pipe-backed pages in the IPsec/ESP network path—MSG_SPLICE_PAGES can attach shared pipe pages to skbs without marking them shared, allowing in-place ESP decryption to overwrite kernel memory and yield a reliable local privilege escalation. The first CVE is patched; the second is still being rolled out by distributions. Because this is a deterministic logic bug with high success rates, unpatched servers remain at immediate risk and administrators should install vendor updates and reboot now.
A critical Linux kernel exploit chain nicknamed "Dirty Frag" (CVE-2026-43284, disclosed May 7, 2026) delivers reliable root from any attacker able to run code on a server. The chain combines two kernel flaws (CVE-2026-43284 in the IPsec/ESP receive path and CVE-2026-43500) to produce a deterministic page-cache write primitive that yields root; a working exploit already exists and distributions began patching on May 8. Researcher Hyunwoo Kim links Dirty Frag to last week’s Copy Fail (CVE-2026-31431), showing the same core weakness—long-lived in-place processing that betrays memory ownership—and security teams warn it affects mainstream kernels back to ~2017 across major distributions (RHEL, AlmaLinux, Debian, Ubuntu, Fedora, Arch, CentOS, Amazon Linux). Administrators should patch and reboot immediately.
A new Linux kernel local privilege escalation vulnerability, dubbed 'Dirty Frag', has been active since 2017 and impacts nearly all major distributions. Unlike the earlier 'Copy Fail' flaw, Dirty Frag does not depend on the algif_aead module and bypasses Copy Fail mitigations, meaning patched kernels may still be vulnerable. The exploit enables unprivileged local attackers to gain elevated rights through a kernel memory handling flaw; however, exploitation requires local code execution to trigger the condition. The discovery matters because it widens the attack surface for long-running kernels across cloud, server, and desktop Linux deployments, forcing maintainers and operators to patch kernels or apply other kernel hardening to protect multi-tenant and production systems.
A new Linux local privilege-escalation flaw dubbed “Dirty Frag” lets any local user gain instant root on most Linux systems dating back to 2017. Disclosed after an embargo was apparently broken, the unpatched vulnerability exploits IPsec-related kernel modules (esp4, esp6, rxrpc) via a zero-copy page-cache write bug similar to the earlier Copy Fail exploit; PoC code is already public and authors report successful triggers on stock kernels and WSL2. Mitigation is simple: blacklist and unload the three modules until official patches arrive. The bug traces to 2017 kernel commits (xfrm-ESP and RxRPC page-cache write) and is critical because it affects major distributions and currently lacks upstream fixes. Administrators should apply the module workaround and watch for kernel updates.
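The module workaround from the summary above, written as an audit check (an added example, not code from the researchers or any vendor): it reports whether esp4, esp6 or rxrpc are loaded and whether a modprobe.d rule blocks them. The sample data and the file name `dirtyfrag.conf` are constructed, and only the one configuration directory passed in is inspected.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc module workaround.
MODS="esp4 esp6 rxrpc"

# loaded_mods FILE: names from $MODS present in a /proc/modules-format FILE
loaded_mods() {
    awk -v want="$MODS" 'BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) t[w[i]] = 1 }
        ($1 in t) { print $1 }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# rule_for MOD DIR: "install", "blacklist" or "none", read from DIR/*.conf.
# "blacklist" only ignores the module's aliases; "install MOD /bin/false"
# also defeats an explicit modprobe, so it is the rule audit() requires.
rule_for() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        /^[ \t]*#/ { next }
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { r = "install" }
        $1 == "blacklist" && $2 == m && r == "" { r = "blacklist" }
        END { print (r == "" ? "none" : r) }'
}

# audit PROC_MODULES CONF_DIR: one line per module; returns 1 on any gap
audit() {
    rc=0
    loaded=" $(loaded_mods "$1") "
    for m in $MODS; do
        rule=$(rule_for "$m" "$2")
        case "$loaded" in *" $m "*) state=loaded; rc=1 ;; *) state=absent ;; esac
        [ "$rule" = install ] || rc=1
        echo "$m state=$state rule=$rule"
    done
    return $rc
}

# Constructed sample (not from a real host): esp4 still loaded, rxrpc has no rule.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/modprobe.d"
    printf '%s\n' 'esp4 28672 0 - Live 0x0000000000000000' \
        'xfrm_algo 16384 1 esp4, Live 0x0000000000000000' \
        'ext4 1101824 2 - Live 0x0000000000000000' > "$d/modules"
    printf '%s\n' '# constructed sample' 'install esp4 /bin/false' \
        'blacklist esp6' > "$d/modprobe.d/dirtyfrag.conf"
    echo "$d"
}

# Live use: audit /proc/modules /etc/modprobe.d
```

A module that reports `state=loaded` still needs to be unloaded (or the host rebooted) after the rule is written, since modprobe.d rules only affect future load attempts.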
A new local privilege escalation in the Linux kernel dubbed “Copy Fail 2” lets unprivileged users gain root by exploiting an xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path to write into page-cache and overwrite /etc/passwd with a passwordless uid=0 entry. Proof-of-concept code and scripts compile and spawn a root shell by adding a 'sick' user and using PAM nullok; a cleanup mode reverts changes. The flaw affects multiple kernels and distros (Debian, Arch, Fedora, Ubuntu 24.04/26.04) but not Ubuntu 22.04 LTS 5.15. Upstream fix was authored by Hyunwoo Kim and Kuan-Ting Chen and posted by IPsec maintainer Steffen Klassert. IPv6 variant exists and requires a separate patch.
Researchers disclosed a local Linux privilege escalation (LPE) dubbed “Copy Fail 2” that exploits xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path to write into page-cache and overwrite /etc/passwd, adding a passwordless uid-0 user that grants root. The flaw is in the IPsec xfrm subsystem (esp4 and esp6 variants), is similar to the earlier Copy Fail (CVE-2026-31431) but affects a different kernel subsystem, and an upstream patch (commit f4c50a4034...) has been posted. A proof-of-concept and helper scripts build and run the exploit; authors reported successful root on multiple distributions and kernels (Debian, Arch, Fedora, Ubuntu 24.04/26.04), while some older kernels (Ubuntu 22.04 5.15) were not vulnerable. Reporters and maintainers credited include Hyunwoo Kim, Kuan-Ting Chen, and IPsec maintainer Steffen Klassert.
A new unprivileged Linux local privilege-escalation (LPE) exploit dubbed "Copy Fail 2" abuses the xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path to cause page-cache writes into arbitrary readable files, enabling overwriting /etc/passwd to add a passwordless root user. The flaw is in the IPsec xfrm subsystem (affecting esp4 and esp6 paths) and is distinct from but similar-class to Copy Fail (CVE-2026-31431); an upstream fix was committed (f4c50a4034). Public proof-of-concept code and build/run instructions are provided and testing shows many modern kernels (6.8+, 6.12, 6.19, 7.0) are vulnerable, while older 5.15 kernels are not. Reporters Hyunwoo Kim and Kuan-Ting Chen authored the fix; IPsec maintainer Steffen Klassert posted it upstream. This matters because it enables easy root escalation on unpatched systems running affected kernels.