A new Linux kernel vulnerability known as Dirty Frag was publicly disclosed on 7 May 2026. The flaw affects the IPsec ESP and rxrpc in-place decryption fast paths and is closely related to the same subsystem area impacted by the recent Copy Fail vulnerability.

Dirty Frag allows an unprivileged local user to gain immediate root access on all major Linux distributions. A working exploit is already publicly available.

Risk Level: When This Vulnerability Is Dangerous

Copy Fail (CVE‑2026‑31431) can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.

High‑Risk Scenarios (Immediate Action Required)

Your system is at high risk if any of the following are true:

The VM is externally accessible (SSH open to the internet, public endpoints, jump hosts, etc.).
You have local users who are not already trusted with root privileges.

In these cases, an attacker who gains any local foothold can escalate to root instantly.

Low‑Risk Scenarios (Not Urgent, but Still Recommended)

The urgency is lower if:

Your VM is not externally exposed,
All users already have root access

In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.

Interim fix for Rocky 8

The following command will reboot your machine.

TBD

Interim fix for Rocky 9

The following command will reboot your machine.

TBD

Interim fix for Ubuntu 22.04

TBD

Interim fix for Ubuntu 24.04

TBD

Interim fix for k8s clusters that use EWC images

TBD