A new Linux kernel local privilege escalation vulnerability, dubbed 'Dirty Frag', has been active since 2017 and impacts nearly all major distributions. Unlike the earlier 'Copy Fail' flaw, Dirty Frag does not depend on the algif_aead module and bypasses Copy Fail mitigations, meaning patched kernels may still be vulnerable. The exploit enables unprivileged local attackers to gain elevated rights through a kernel memory handling flaw; however, exploitation requires local code execution to trigger the condition. The discovery matters because it widens the attack surface for long-running kernels across cloud, server, and desktop Linux deployments, forcing maintainers and operators to patch kernels or apply other kernel hardening to protect multi-tenant and production systems.
A new Linux local privilege-escalation flaw dubbed “Dirty Frag” lets any local user gain instant root on most Linux systems dating back to 2017. Disclosed after an embargo was apparently broken, the unpatched vulnerability exploits IPsec-related kernel modules (esp4, esp6, rxrpc) via a zero-copy page-cache write bug similar to the earlier Copy Fail exploit; PoC code is already public and authors report successful triggers on stock kernels and WSL2. Mitigation is simple: blacklist and unload the three modules until official patches arrive. The bug traces to 2017 kernel commits (xfrm-ESP and RxRPC page-cache write) and is critical because it affects major distributions and currently lacks upstream fixes. Administrators should apply the module workaround and watch for kernel updates.
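One way to verify the module workaround described above on a host, as an added example that is not from the reports summarized here: the script checks whether esp4, esp6 and rxrpc are currently loaded and whether a modprobe.d entry keeps them from loading again. The function names and status words are assumptions of this example; the paths are the standard `/proc/modules` list and modprobe.d directories.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag module workaround (esp4, esp6, rxrpc).
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE MODULES_FILE: succeeds if MODULE is listed (/proc/modules format).
is_loaded() {
    [ -r "$2" ] || return 1
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blocked MODULE CONF_DIR...: succeeds if a *.conf file carries
# "blacklist MODULE" or an "install MODULE .../false" (or true) override.
is_blocked() {
    mod=$1; shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            awk -v m="$mod" '
                { sub(/#.*/, "") }                       # drop comments
                $1 == "blacklist" && $2 == m { hit = 1 }
                $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { hit = 1 }
                END { exit !hit }' "$f" && return 0
        done
    done
    return 1
}

# audit_module MODULE MODULES_FILE CONF_DIR...: prints ok, loaded, loadable
# or loaded,loadable.
audit_module() {
    name=$1; list=$2; shift 2
    status=
    is_loaded "$name" "$list" && status=loaded
    is_blocked "$name" "$@" || status=${status:+$status,}loadable
    printf '%s\n' "${status:-ok}"
}

# audit_all MODULES_FILE CONF_DIR...: one line per module; fails unless all are ok.
audit_all() {
    list=$1; shift; rc=0
    for m in $MODULES; do
        s=$(audit_module "$m" "$list" "$@")
        printf '%-6s %s\n' "$m" "$s"
        [ "$s" = ok ] || rc=1
    done
    return $rc
}

audit_all /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d ||
    echo "workaround incomplete: unload what is loaded, block what is loadable" >&2
```

A `blacklist` line only stops alias-triggered autoloading, while an `install` override also stops an explicit `modprobe` of the module; the script accepts either as blocking.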
A new local privilege escalation in the Linux kernel dubbed “Copy Fail 2” lets unprivileged users gain root by exploiting an xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path to write into page-cache and overwrite /etc/passwd with a passwordless uid=0 entry. Proof-of-concept code and scripts compile and spawn a root shell by adding a 'sick' user and using PAM nullok; a cleanup mode reverts changes. The flaw affects multiple kernels and distros (Debian, Arch, Fedora, Ubuntu 24.04/26.04) but not Ubuntu 22.04 LTS 5.15. The upstream fix was authored by Hyunwoo Kim and Kuan-Ting Chen and posted by IPsec maintainer Steffen Klassert. An IPv6 variant exists and requires a separate patch.
Researchers disclosed a local Linux privilege escalation (LPE) dubbed “Copy Fail 2” that exploits xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path to write into page-cache and overwrite /etc/passwd, adding a passwordless uid-0 user that grants root. The flaw is in the IPsec xfrm subsystem (esp4 and esp6 variants), is similar to the earlier Copy Fail (CVE-2026-31431) but affects a different kernel subsystem, and an upstream patch (commit f4c50a4034...) has been posted. A proof-of-concept and helper scripts build and run the exploit; authors reported successful root on multiple distributions and kernels (Debian, Arch, Fedora, Ubuntu 24.04/26.04), while some older kernels (Ubuntu 22.04 5.15) were not vulnerable. Reporters and maintainers credited include Hyunwoo Kim, Kuan-Ting Chen, and IPsec maintainer Steffen Klassert.
A new unprivileged Linux local privilege-escalation (LPE) exploit dubbed "Copy Fail 2" abuses the xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path to cause page-cache writes into arbitrary readable files, enabling overwriting /etc/passwd to add a passwordless root user. The flaw is in the IPsec xfrm subsystem (affecting esp4 and esp6 paths) and is distinct from but similar-class to Copy Fail (CVE-2026-31431); an upstream fix was committed (f4c50a4034). Public proof-of-concept code and build/run instructions are provided and testing shows many modern kernels (6.8+, 6.12, 6.19, 7.0) are vulnerable, while older 5.15 kernels are not. Reporters Hyunwoo Kim and Kuan-Ting Chen authored the fix; IPsec maintainer Steffen Klassert posted it upstream. This matters because it enables easy root escalation on unpatched systems running affected kernels.