Blog

A new Linux kernel vulnerability known as Dirty Frag was publicly disclosed on 7 May 2026. The flaw affects the IPsec ESP and rxrpc in-place decryption fast paths and is closely related to the same subsystem area impacted by the recent Copy Fail vulnerability.

Dirty Frag allows an unprivileged local user to gain immediate root access on all major Linux distributions. A working exploit is already publicly available.

The Dirty Frag exploit works by corrupting page-cache pages of sensitive files (such as /etc/passwd or /usr/bin/su). (reference: AlmaLinux OS - Forever-Free Enterprise-Grade Operating System)

esp4 / esp6 are the kernel-side ESP transforms used by IPsec. Disabling them breaks IPsec tunnels that rely on the kernel data path on the affected machine. Do not apply this mitigation on hosts that terminate or transit IPsec / strongSwan / Libreswan tunnels. rxrpc is the AF_RXRPC transport used almost exclusively by AFS clients and is not present on typical web-hosting servers. (reference: Dirty Frag [CVE Pending]: Mitigation and Kernel Update on CloudLinux)

What is its relationship with the "Copy Fail" vulnerability?

Copy Fail was the motivation for starting researching new vulnerabilities. In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag. (reference: V4bel/dirtyfrag)

Risk Level: When This Vulnerability Is Dangerous

This vulnerability can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.

High‑Risk Scenarios (Immediate Action Required)

Your system is at high risk if any of the following are true:

  • The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
  • You have local users who are not already trusted with root privileges.

In these cases, an attacker who gains any local foothold can escalate to root instantly.

Low‑Risk Scenarios (Not Urgent, but Still Recommended)

The urgency is lower if:

  • Your VM is not externally exposed,
  • All users already have root access

In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.

Interim fix

This is valid for all EWC supported OSes: Rocky 8, Rocky 9, Ubuntu 22.04, Ubuntu 24.04

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf ; rmmod esp4 esp6 rxrpc 2>/dev/null"

No output is expected.

Reboot required?

A reboot after applying this is only required if the vulnerability has been actively exploited.



EUMETSAT Managed Kubernetes

CLI - kubectl

Prerequisite: a machine with kubectl installed and your kubeconfig in the ~/.kube/ folder.

Update each MachineDeployment that should use the custom profile:

kubectl --context <user-cluster-context> annotate machinedeployment -n kube-system <machine-deployment-name> \
  k8c.io/operating-system-profile=osp-ubuntu-ewc-1105202601 \
  --overwrite

Changing the OSP annotation does not automatically rotate existing machines. Trigger a rolling restart so the MachineDeployment creates new machines with the new profile:

forceRestartAnnotations="{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"forceRestart\":\"$(date +%s)\"}}}}}"
kubectl --context <user-cluster-context> patch machinedeployment -n kube-system <machine-deployment-name> \
  --type=merge \
  -p "$forceRestartAnnotations"

Watch the rollout:

kubectl --context <user-cluster-context> get machinedeployments,machines -n kube-system -o wide
kubectl --context <user-cluster-context> get nodes -o wide


KKP UI

On the KKP UI, the process would be similar via ClickOps, and would need to be done for each intended node pool of each user cluster.

Once logged in, go to Resources → Clusters → select your cluster. In the Machine Deployment section, click the edit button.

In the new window, scroll down until you find the Operating System Profile and change it to the new value: osp-ubuntu-custom-1105202601. Then hit Save Changes.

After that, in the same Machine Deployment section, you can use the Refresh button to refresh the node pool.



Start [UTC]: 22/09/2026 06:30
End [UTC]: 22/09/2026 15:30

Dear colleague,

This is an invitation to join us for the European Weather Cloud (EWC) User Workshop 2026, hybrid again and this time at EUMETSAT in Darmstadt on 22 September 2026. This full-day event, co-organised by EUMETSAT and ECMWF, will provide an opportunity to explore the latest developments, share experiences, and shape the future of the EWC.

You will find all the information in the event page, including how to register. The final agenda will be published closer to the event date.

While this workshop is intended primarily as an in-person event, online attendance will also be possible for those unable to travel. Either way, if you are planning to participate, you must register before 31 July.

We encourage all EWC users to come forward and present their work, experiences, and use cases at the workshop. If you are interested in presenting, please contact us through the EWC Support Portal or our Discussion Platform.

Note that this year's workshop is very special: it coincides with EUMETSAT's 40th anniversary celebrations, and the EUMETSAT Meteorological Satellite Conference 2026 takes place in the same week, also in Darmstadt. If you happen to be in Darmstadt that week, why not join us for the EWC workshop as well? Don't forget to register if you do! Please keep in mind that the workshop will be at EUMETSAT premises, while the conference is in the congress centre in the centre of Darmstadt!

Please feel free to share this invitation with your colleagues who may be interested in attending.

We look forward to welcoming you to Darmstadt for this exciting event!

Kind regards,

The European Weather Cloud teams at ECMWF and EUMETSAT


This vulnerability gives attackers who can run commands locally an immediate path to full system compromise. Please apply the fixes described below as soon as possible if you haven't done so already.

Copy Fail — CVE-2026-31431 is a critical Linux kernel vulnerability that allows any unprivileged local user to escalate privileges to root. The issue originates from a flaw in the algif_aead cryptographic subsystem, which enables a controlled write into the page cache of readable files. This makes it possible to modify in‑memory SUID binaries and gain full system control.

All major Linux distributions released from 2017 are affected unless patched. 

Kernel patches are not available yet for the different Operating System flavours supported on the EWC, but there are interim mitigations that must be applied while waiting for the proper fix.

Newly created instances are also vulnerable

You must apply the same mitigations right after provisioning any new instances until we release a new set of patched images with the fixes in place.


Risk Level: When This Vulnerability Is Dangerous

Copy Fail (CVE‑2026‑31431) can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.

High‑Risk Scenarios (Immediate Action Required)

Your system is at high risk if any of the following are true:

  • The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
  • You have local users who are not already trusted with root privileges.

In these cases, an attacker who gains any local foothold can escalate to root instantly.


Low‑Risk Scenarios (Not Urgent, but Still Recommended)

The urgency is lower if:

  • Your VM is not externally exposed,
  • All users already have root access

In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.

Interim fix for Rocky 8

The following command will reboot your machine.

grep -q 'initcall_blacklist=algif_aead_init' /etc/default/grub || sudo sed -i -E 's/^(GRUB_CMDLINE_LINUX_DEFAULT=")([^"]*)"/\1\2 initcall_blacklist=algif_aead_init"/' /etc/default/grub; sudo grub2-mkconfig -o /boot/grub2/grub.cfg; sudo reboot

Interim fix for Rocky 9

The following command will reboot your machine.

sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"; sudo reboot

Interim fix for Ubuntu 22.04

sudo su
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead

Interim fix for Ubuntu 24.04

sudo su
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead

Interim fix for k8s clusters that use EWC images

Setup

One-line command to patch all Ubuntu nodes

kubectl get nodes -o name|xargs -I "{}"  kubectl node-shell '{}' -n kube-system -- bash -c 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead'

Note: the message "rmmod: ERROR: Module algif_aead is not currently loaded" might pop up, but the solution worked nevertheless.
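To confirm that the interim fixes for Dirty Frag (esp4, esp6, rxrpc) and Copy Fail (algif_aead) are actually in effect on a host, a check like the following can be run after applying them. It is an added example, not part of the original advisories; the function names and the overridable MODPROBE_DIR, PROC_MODULES and PROC_CMDLINE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the interim module mitigations described on this page.
# The paths are variables so the checks can be pointed at a test fixture.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
PROC_CMDLINE="${PROC_CMDLINE:-/proc/cmdline}"

# True if a modprobe.d file contains "install <mod> /bin/false".
# Commented-out lines do not count.
is_blocked() {
    [ -d "$MODPROBE_DIR" ] || return 1
    cat "$MODPROBE_DIR"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+${1}[[:space:]]+/bin/false([[:space:]]|\$)"
}

# True if the module is currently loaded (first column of /proc/modules).
is_loaded() {
    [ -r "$PROC_MODULES" ] && grep -q "^${1} " "$PROC_MODULES"
}

# True if the kernel was booted with the Copy Fail initcall blacklist
# (the Rocky 8 / Rocky 9 mitigation).
initcall_blacklisted() {
    [ -r "$PROC_CMDLINE" ] &&
        grep -Eq '(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?algif_aead_init(,|[[:space:]]|$)' "$PROC_CMDLINE"
}

# One status word per module:
#   MITIGATED  rule present and module not in memory
#   LOADED     rule present but module still loaded (rmmod did not succeed)
#   EXPOSED    no blocking rule found
module_status() {
    if is_blocked "$1"; then
        if is_loaded "$1"; then echo LOADED; else echo MITIGATED; fi
    else
        echo EXPOSED
    fi
}

report() {
    for m in esp4 esp6 rxrpc; do
        printf 'Dirty Frag  %-11s %s\n' "$m" "$(module_status "$m")"
    done
    if initcall_blacklisted; then
        printf 'Copy Fail   %-11s %s\n' algif_aead 'MITIGATED (initcall_blacklist)'
    else
        printf 'Copy Fail   %-11s %s\n' algif_aead "$(module_status algif_aead)"
    fi
}

report
```

A LOADED result means the modprobe.d rule will block future loads but the module is still in memory, which is the case the silenced rmmod in the one-liners can hide.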

Dear all,

In preparation for the upcoming migration to EWC Identity and Access Management (IAM) system we will soon start to onboard users who have only a local account in Morpheus. These users will receive an email inviting them to reset their password for EWC IAM login.

We have introduced a new documentation page EWC Services Login that provides an overview of the types of login available at the moment (EWC IAM vs local accounts) for each service.

This update is an important step toward a unified and seamless access experience across the European Weather Cloud.

If you have any questions or encounter issues, please contact the EWC support team using https://support.europeanweather.cloud.

We would like to use this opportunity to remind you about the upcoming webinar: EWC IAM and Intro to OpenStack Horizon (April 29, 2026). If you wish to register, please use this link.

EWC team

We are currently experiencing issues with a few EUMETCast Terrestrial Clients in the EWC at EUMETSAT side. We are investigating the problem.

We will contact the affected users directly and provide an update here as soon as we have more information, or by 15:00 UTC today at the latest.

If you have any questions, please do not hesitate to contact us at https://support.europeanweather.cloud.

We apologize for the inconvenience.

We are replacing the data bucket s3://seviri.meteosat-0-degree.level-15.native with the reprocessed FCDR dataset s3://seviri-meteosat-0-degree.fcdr.level15.netcdf.

The new bucket is available as of now and will be retained depending on usage and available storage capacity. The old bucket will be removed in two weeks.

For more information, please consult Using EUMETSAT data buckets (local data pool). Should you have any questions or concerns, please do not hesitate to contact us via https://chat.europeanweather.cloud or https://support.europeanweather.cloud.

Start [UTC]: 29/04/2026 08:00
End [UTC]: 29/04/2026 09:30

The European Weather Cloud (EWC) teams at ECMWF and EUMETSAT are pleased to invite you to the first thematic EWC webinar of 2026.

These recurring thematic webinars are aimed at all users of the EWC service, provided by EUMETSAT and ECMWF, which is available to all ECMWF and EUMETSAT Member and Co-operating States. Our primary objective is to provide guidance to users on how to effectively use the different capabilities of the EWC.

Information on the previous webinars, including their recordings, can be found here

In this webinar, we will introduce the EWC Identity and Access Management (IAM), the service that will be used for authentication and access to the available EWC services. We will also provide a first look at OpenStack Horizon, the web interface for managing cloud resources (replacing Morpheus).

Participants will learn how to:

  • Use the EWC Identity and Access Management (IAM) system, including common administrative tasks, user roles and access to EWC services, and create clients that you can use for your workloads.
  • Access the OpenStack Horizon dashboard and perform actions similar to those you could do on Morpheus.


By the end of this session, participants will have gained an understanding of EWC IAM and an initial understanding of OpenStack Horizon.

Attendance

This webinar is open to anyone from an ECMWF or EUMETSAT Member and Co-operating State.

If you would like to attend the webinar, please complete the registration form at this link.

We will alert you of your acceptance to the webinar and send you all the joining information and Microsoft Teams meeting details in due course.

The webinar will be conducted in English.


Dear all,  

We are pleased to announce that a new use case has been published on the EWC website:  

We will share more updates in the future. In the meantime, we would like to remind you that you can still contribute to the EWC website by submitting your use cases.  

If you would like your use case to be featured, please contact us via our Support Portal or the EWC Discussion Platform.


Dear EWC users,

We are pleased to share that a new use case has been published on the EWC website.

We will share more use cases in the future, and we would like to remind you that the opportunity to contribute to the EWC website with your use case running on the EWC is always valid! Just contact us via our EWC Support Portal or EWC Discussion Platform.

Dear EWC users,

Following a detailed analysis of user feedback, Morpheus features usage, and an evaluation of open-source alternatives, we have decided to decommission Morpheus in favour of alternative solutions providing better integration with standard tools and alignment with the long-term goals of the EWC.

In particular:

  • As a replacement of Morpheus web interface to manage cloud resources, we have selected Horizon, the OpenStack Dashboard

  • The EWC Community Hub provides a more open approach for application blueprints because items rely on open source solution and can be easily customised and adapted for the different needs and environments
  • Access to EWC services (including Horizon) will be accomplished through the EWC Identity and Access Management (IAM). Existing users will be onboarded and migrated into EWC IAM. Over the coming weeks, you may receive emails from the EWC team related to IAM onboarding.

🗓️ Indicative Timeline (Subject to Updates)

The following timeline is indicative and will be refined and updated regularly as the transition progresses:

  • Availability of the new solution: End of Q1

  • User webinars: Dates to be announced closer to each event

  • Progressive transition of users and workloads: Q2–Q4

  • End-of-year completion of the transition and Morpheus decommissioning: End of year

Further communications will be sent at each major milestone.


📣 User Support and Ongoing Communication

Please be assured that you will be supported throughout the entire transition. We will provide clear documentation, guidance, and direct communication to help you at every stage. No immediate action is required at this point.

To keep you fully informed, we will:

  • Share regular updates via official EWC communication channels, including monthly updates and any changes to the timeline

  • Announce webinars to present the new solutions, explain the changes, and answer your questions

  • Publish updated documentation, how-to pages on how to perform similar actions in the new system and FAQs to support your preparation for the transition

We appreciate your patience. Please contact us via Support Ticket or via Rocketchat if you have any questions or concerns.

EWC Team

Start [UTC]: 18/03/2026 08:00
End [UTC]: 18/03/2026 11:00

The EWC Team on EUMETSAT side is pleased to announce an upcoming webinar on 18 March 2026, from 08:00 to 11:00 UTC, dedicated to the EWC cloud migration of the EUMETSAT side of the EWC.

Based on the current timeline, the new cloud infrastructure is planned to be in place by the end of Q1 2026, after which tenancy migration will begin.

This online webinar will present the new infrastructure, outline the planned migration approach and timeline, explain the available migration options, and provide guidance on next steps. There will also be dedicated time for questions and answers, allowing participants to raise specific topics and clarify any concerns. 

Attendance

Please note that the webinar is relevant to EWC users with a tenancy on the EUMETSAT side of the EWC, as well as EWC users who access the EUMETSAT side through an ECMWF tenancy.

Please complete the registration form at https://ec.europa.eu/eusurvey/runner/EWCCloudMigration

If the proposed time does not work for you, please contact us at support@europeanweather.cloud, and we will be happy to arrange a separate meeting or additional discussion time. It's important that everyone involved is aware!

We will alert you of your acceptance to the webinar and send you all the joining information and Microsoft Teams meeting details in due course.

The webinar will be conducted in English.

Dear EWC users,

Happy New Year from the EWC Team!

On Tuesday, 27 January 2026, starting at 7:00 UTC, a maintenance window for EWC IAM is scheduled with an expected duration of approximately 2 hours. During this period, short interruptions to the availability of the EWC IAM system will occur.

The EWC IAM system will be migrated from https://iam.eumetsat.europeanweather.cloud to https://iam.europeanweather.cloud

This change is required for the transition of the EWC Identity and Access Management (IAM) system from the pilot phase to operational service and preparation for general availability to all EWC users.

All currently managed systems through EWC IAM will be automatically reconfigured as part of this change. However, users with accounts will need to use the new address to access the IAM administration console.

The user documentation, available at https://confluence.ecmwf.int/display/EWCLOUDKB/EWC+Identity+and+Access+Management+%28IAM%29+Service will be updated accordingly to reflect the new addresses.

We apologise for any inconvenience this may cause and thank you for your understanding.

For any questions, comments or issues, please contact us via Support Ticket or via Rocketchat.

Kind regards,
EWC Support Team

We are pleased to announce the availability of new updated images at both ECMWF and EUMETSAT for:

  • Rocky Linux 8.10
  • Rocky Linux 9.6 (replacing 9.5)
  • Ubuntu 22.04 LTS
  • Ubuntu 24.04 LTS

You can already deploy the new images from Morpheus using the usual instance types, or in OpenStack using the new image names. The details on these images are on this page: EWC Virtual Images Available

As a general rule, we strongly recommend you always keep your virtual machines up-to-date with the latest security fixes, as highlighted in our Best practices as a Tenant Admin.

As always, if you need any support, please do get in touch with us on the European Weather Cloud Discussion Platform or through the Support Portal.

Kind regards,

The EWC Team