# Linux Copy Fail, Dirty Frag flaws
- Linux kernel maintainers and vendors spent May 11 and May 12 scrambling after Dirty Frag landed days after Copy Fail, with public exploit code already out.
- Dirty Frag chains CVE-2026-43284 and CVE-2026-43500, and researchers say the bug is deterministic — no race, no panic, high success.
- That matters because Copy Fail was already under exploitation, and now Linux is facing a second page-cache root bug class in weeks.
Linux has a kernel problem — not just one bug, but a pattern. In the past two weeks, researchers disclosed Copy Fail and then Dirty Frag, two local privilege-escalation attacks that let an unprivileged user become root by corrupting the page cache. The news this week is that Dirty Frag arrived before patches were fully ready, public exploit code is already circulating, and maintainers are now debating an emergency runtime “kill switch” for future zero-days.

### What is the page cache, and why does it matter?

The page cache is the kernel’s in-memory copy of file data. Linux keeps file contents there so reads stay fast. The whole security assumption is simple — if a file is read-only on disk, random unprivileged code should not be able to smuggle writes into that cached copy. But Copy Fail and Dirty Frag both break that assumption in weird kernel paths, then use the corrupted cached bytes to hijack a setuid binary and pop root. (cert.europa.eu)

### What did Copy Fail actually do?

Copy Fail is CVE-2026-31431. It lives in `algif_aead`, part of Linux’s userspace crypto API. A 2017 optimization let writable destinations point at page-cache-backed memory. By combining an AF_ALG socket with `splice`, an unprivileged user could make a controlled 4-byte write into the cached contents of a readable file — including something like `/usr/bin/su`. The upstream fix was committed on April 1, 2026, but when the flaw was disclosed on April 29, many major distros still had no shipped fix. (cert.europa.eu)

### So what makes Dirty Frag different?

Dirty Frag is really a two-part chain — CVE-2026-43284 in xfrm-ESP and CVE-2026-43500 in RxRPC. Instead of the crypto socket path Copy Fail used, this one abuses networking and fragment handling paths tied to ESP, the IPsec encryption layer, and RxRPC, which underpins AFS-style distributed file access. Same family of bug, different plumbing.
The result is still page-cache corruption and root escalation, but the exploit path looks broader and more operationally useful. (cert.europa.eu)

### Why are people calling it more dangerous?

Because it turns out reliability matters as much as severity. Hyunwoo Kim’s Dirty Frag write-up says the exploit is deterministic, does not need a race condition, and usually does not crash the kernel when it fails. Microsoft also flagged active investigation into campaign activity and said the technique appears designed to be more consistent than older Linux privilege-escalation exploits. That is the scary part — a root bug that behaves less like a lab trick and more like an operator tool. (access.redhat.com)

### Which systems are in the blast radius?

A lot of them. Copy Fail hit kernels built since 2017 across Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora, Arch, and others. Dirty Frag’s xfrm-ESP issue also traces back to 2017, while the RxRPC half starts in 2023. Red Hat says RHEL 8, 9, 10 and OpenShift 4 are affected, and Microsoft lists Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift among exposed environments. (github.com)

### Why the “kill switch” idea now?

Because patch cycles are slower than exploit releases. After Copy Fail and Dirty Frag landed back-to-back, Sasha Levin floated a kernel feature that would let admins disable specific vulnerable functions at runtime until real fixes arrive. Basically, a first-aid kit for the kernel. But the catch is obvious — turning off code paths in production can break workloads, and low-latency or deterministic systems may hate that trade-off. (cert.europa.eu)

### What should admins do right now?

Patch first, obviously, where vendor kernels are available. If patches are not ready, use mitigations that unload or block the relevant modules — `esp4`, `esp6`, and `rxrpc` for Dirty Frag — and then clear the page cache or reboot.
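
As an added example (not from the article, and not a vendor's published mitigation script), here is a POSIX shell helper for the interim module-blocking workaround just described. It reports which of `esp4`, `esp6` and `rxrpc` appear loaded, prints the modprobe.d lines that stop them from being autoloaded again, and carries a root-only function that unloads them and drops the page cache. The module names are the ones the article gives; the config file path `/etc/modprobe.d/block-dirty-frag.conf`, the function names and the sample module listing are my own assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the article: helper for the interim "block the modules"
# workaround. Module names are the ones the article names; the config path and
# the sample listing below are assumptions / constructed data.
set -eu

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print which of the named modules appear in a /proc/modules-style listing.
# $1 = path to the listing (defaults to the live /proc/modules).
loaded_mitigation_modules() {
    listing=$(cat "${1:-/proc/modules}")
    found=""
    for m in $DIRTY_FRAG_MODULES; do
        # The first column of /proc/modules is the module name.
        if printf '%s\n' "$listing" | awk -v mod="$m" '$1 == mod { hit = 1 } END { exit hit ? 0 : 1 }'; then
            found="$found $m"
        fi
    done
    printf '%s\n' "${found# }"
}

# Print modprobe.d directives that make any autoload attempt for these modules fail:
# "install <module> /bin/false" runs /bin/false instead of inserting the module.
blacklist_config() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Root-only step: persist the block, unload whatever is currently loaded, then
# drop the page cache so already-cached file data is discarded and re-read from disk.
# Assumed config file name. modprobe -r fails if a module is still in use (for
# example an active IPsec tunnel holding esp4), and set -e stops the script there.
apply_mitigation() {
    blacklist_config > /etc/modprobe.d/block-dirty-frag.conf
    for m in $(loaded_mitigation_modules); do
        modprobe -r "$m"
    done
    sync
    echo 3 > /proc/sys/vm/drop_caches
}

# Constructed sample in /proc/modules format (name size refcount deps state offset),
# so the read-only checks can be exercised on a host where nothing is loaded.
sample_modules_listing() {
    printf '%s\n' \
        'esp4 24576 0 - Live 0x0000000000000000' \
        'xfrm_algo 16384 1 esp4, Live 0x0000000000000000' \
        'rxrpc 20480 0 - Live 0x0000000000000000'
}

# Read-only demonstration; apply_mitigation is deliberately not called here.
demo() {
    tmp="${TMPDIR:-/tmp}/dirty_frag_sample.$$"
    sample_modules_listing > "$tmp"
    printf 'loaded in sample listing: %s\n' "$(loaded_mitigation_modules "$tmp")"
    rm -f "$tmp"
    printf 'modprobe.d content that would be written:\n%s\n' "$(blacklist_config)"
}

demo
```

Run it as-is to see the checks against the constructed listing; call `loaded_mitigation_modules` with no argument to inspect the live host, and only call `apply_mitigation` as root after confirming nothing depends on those modules, since unloading `esp4`/`esp6` tears down IPsec and, per the article, `rxrpc` underpins AFS-style file access. Dropping caches discards the cached copies, but the article's stronger reset is a reboot.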
Also tighten local access, because both attacks need code execution as a non-root user before they can jump to root. Containers, CI runners, shared hosts, and exposed admin boxes are the systems that should make you most nervous. (networkworld.com)

### Bottom line?

This is not just “two bad Linux bugs.” It looks like researchers have found a reusable bug class around page-cache writes, and that means more audits — and maybe more surprises — are probably coming. (infoq.com) (github.com)