A new Linux kernel vulnerability known as Dirty Frag was publicly disclosed on 7 May 2026. The flaw affects the IPsec ESP and rxrpc in-place decryption fast paths and lies in the same kernel subsystem area as the recent Copy Fail vulnerability.
Dirty Frag allows an unprivileged local user to gain immediate root access on all major Linux distributions. A working exploit is already publicly available.
The Dirty Frag exploit works by corrupting page-cache pages of sensitive files (such as /etc/passwd or /usr/bin/su). (reference: AlmaLinux OS - Forever-Free Enterprise-Grade Operating System)
esp4 / esp6 are the kernel-side ESP transforms used by IPsec. Disabling them breaks IPsec tunnels that rely on the kernel data path on the affected machine. Do not apply this mitigation on hosts that terminate or transit IPsec / strongSwan / Libreswan tunnels. rxrpc is the AF_RXRPC transport used almost exclusively by AFS clients and is not present on typical web-hosting servers. (reference: Dirty Frag [CVE Pending]: Mitigation and Kernel Update on CloudLinux)
What is its relationship with the "Copy Fail" vulnerability?
Copy Fail was the motivation for starting to research new vulnerabilities. In particular, the xfrm-ESP page-cache write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (the algif_aead blacklist) is applied, your Linux system is still vulnerable to Dirty Frag. (reference: V4bel/dirtyfrag)
If you have not yet applied the Copy Fail mitigation on EWC, please check: Copy Fail (CVE‑2026‑31431) – Vulnerability Overview and Mitigation Guide for EWC images - European Weather Cloud Knowledge Base - ECMWF Confluence Wiki
Risk Level: When This Vulnerability Is Dangerous
This vulnerability can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.
High‑Risk Scenarios (Immediate Action Required)
Your system is at high risk if any of the following are true:
- The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
- You have local users who are not already trusted with root privileges.
In these cases, an attacker who gains any local foothold can escalate to root instantly.
Low‑Risk Scenarios (Not Urgent, but Still Recommended)
The urgency is lower if:
- Your VM is not externally exposed.
- All users already have root access.
In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.
Interim fix
This applies to all EWC-supported OSes: Rocky 8, Rocky 9, Ubuntu 22.04, Ubuntu 24.04.
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf ; rmmod esp4 esp6 rxrpc 2>/dev/null"
No output is expected.
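Because the command above discards rmmod's errors, a module that could not be unloaded (for example because it is still in use) fails silently and the host stays exposed until the next boot. The following script is an added example, not part of the EWC page or the referenced advisories: it checks both halves of the mitigation, that each of the three modules has an "install ... /bin/false" line in the file the command writes and that none of them is currently listed in /proc/modules. Paths are passed as arguments so the same functions can be run against copied files.

```sh
#!/bin/sh
# Added example, not part of the EWC page: verify the Dirty Frag interim
# mitigation. A module counts as mitigated only when the modprobe.d file
# carries "install <module> /bin/false" AND the module is not loaded.
# Usage: sh check_dirtyfrag.sh /etc/modprobe.d/dirtyfrag.conf [/proc/modules]

MODULES="esp4 esp6 rxrpc"   # the three modules the interim fix disables

# is_blacklisted MODULE CONF: succeeds if CONF has an install-to-/bin/false
# line for MODULE (leading whitespace and a trailing comment are tolerated).
is_blacklisted() {
    grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|$)" "$2" 2>/dev/null
}

# is_loaded MODULE PROC_MODULES: succeeds if MODULE is listed as loaded.
# /proc/modules lines look like "esp4 16384 0 - Live 0x..." (name first).
is_loaded() {
    grep -Eq "^$1[[:space:]]" "$2" 2>/dev/null
}

# check_mitigation CONF PROC_MODULES: prints one status line per module and
# returns 0 only if every module is both blacklisted and unloaded.
check_mitigation() {
    conf="$1"; procmod="$2"; rc=0
    for m in $MODULES; do
        status=""
        is_blacklisted "$m" "$conf" || { status="NOT blacklisted"; rc=1; }
        if is_loaded "$m" "$procmod"; then
            status="${status:+$status, }still LOADED"; rc=1
        fi
        printf '%s: %s\n' "$m" "${status:-ok}"
    done
    return "$rc"
}

# Run against the live system only when a config path is given, so the
# functions can also be sourced and exercised against copied files.
if [ "$#" -gt 0 ]; then
    check_mitigation "$1" "${2:-/proc/modules}"
fi
```

A non-zero exit status means at least one module is either not blacklisted or still loaded; in the latter case re-run rmmod without the 2>/dev/null to see why it failed.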
Reboot required?
A reboot after applying this is only required if the vulnerability has been actively exploited.