Blog from May, 2026

Dirty Frag: Critical Linux Kernel Vulnerability
Francesco Murdaca posted on May 08, 2026

A new Linux kernel vulnerability known as Dirty Frag was publicly disclosed on 7 May 2026. The flaw affects the IPsec ESP and rxrpc in-place decryption fast paths and is closely related to the same subsystem area impacted by the recent Copy Fail vulnerability.

Dirty Frag allows an unprivileged local user to gain immediate root access on all major Linux distributions. A working exploit is already publicly available.

The Dirty Frag exploit works by corrupting page-cache pages of sensitive files (such as /etc/passwd or /usr/bin/su).  (reference: AlmaLinux OS - Forever-Free Enterprise-Grade Operating System)

esp4 / esp6 are the kernel-side ESP transforms used by IPsec. Disabling them breaks IPsec tunnels that rely on the kernel data path on the affected machine. Do not apply this mitigation on hosts that terminate or transit IPsec / strongSwan / Libreswan tunnels. rxrpc is the AF_RXRPC transport used almost exclusively by AFS clients and is not present on typical web-hosting servers. (reference: Dirty Frag [CVE Pending]: Mitigation and Kernel Update on CloudLinux)

What is its relationship with the "Copy Fail" vulnerability?

Copy Fail was the motivation for starting researching new vulnerabilities. In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag. (reference V4bel/dirtyfrag)

If you didn't apply this for EWC, please check: Copy Fail (CVE‑2026‑31431) – Vulnerability Overview and Mitigation Guide for EWC images - European Weather Cloud Knowledge Base - ECMWF Confluence Wiki

Risk Level: When This Vulnerability Is Dangerous

This vulnerability can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.

High‑Risk Scenarios (Immediate Action Required)

Your system is at high risk if any of the following are true:

  • The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
  • You have local users who are not already trusted with root privileges.

In these cases, an attacker who gains any local foothold can escalate to root instantly.

Low‑Risk Scenarios (Not Urgent, but Still Recommended)

The urgency is lower if:

  • Your VM is not externally exposed,
  • All users already have root access

In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.

Interim fix

This is valid for all EWC supported OSes: Rocky 8, Rocky9, Ubuntu22.04, Ubuntu24.04

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf ; rmmod esp4 esp6 rxrpc 2>/dev/null"

No output is expected.

Reboot required?

Reboot after applying this is only required if the vulnerability has been actively exploited.

European Weather Cloud User Workshop - Join us in Darmstadt!
Francesco Murdaca posted on May 07, 2026

Start [UTC]: 22/09/2026 06:30
End [UTC]: 22/09/2026 15:30

Dear colleague,

This is an invitation to join us for the European Weather Cloud (EWC) User Workshop 2026, hybrid again and this time at EUMETSAT in Darmstadt on 22 September 2026. This full-day event, co-organised by EUMETSAT and ECMWF, will provide an opportunity to explore the latest developments, share experiences, and shape the future of the EWC.

You will find all the information in the event page, including how to register. The final agenda will be published closer to the event date.

While this workshop is intended primarily as an in-person event, online attendance will also be possible for those unable to travel. Either way, if you are planning to participate, you must register before 31 of July.

We encourage all EWC users to come forward and present their work, experiences, and use cases at the workshop. If you are interested in presenting, please contact us through the EWC Support Portal or our Discussion Platform.

Note that this year's workshop is very special — it coincides with EUMETSAT's 40th anniversary celebrations and in the same week still in Darmstadt there is the EUMETSAT Meteorological Satellite Conference 2026. If you happen to be in Darmstadt that week, why not join us for the EWC workshop as well? Don't forget to register if you do! Please keep in mind the workshop will be at EUMETSAT premises, while the conference in the congress centre in the centre of Darmstadt!

Please feel free to share this invitation with your colleagues who may be interested in attending.

We look forward to welcoming you to Darmstadt for this exciting event!

Kind regards,

The European Weather Cloud teams at ECMWF and EUMETSAT