A new Linux kernel vulnerability known as Dirty Frag was publicly disclosed on 7 May 2026. The flaw affects the IPsec ESP and rxrpc in-place decryption fast paths and is closely related to the same subsystem area impacted by the recent Copy Fail vulnerability.
Dirty Frag allows an unprivileged local user to gain immediate root access on all major Linux distributions. A working exploit is already publicly available.
Copy Fail was the motivation for starting this research. In particular, xfrm-ESP Page-Cache Write in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.
If you didn't apply this for EWC, check: Copy Fail (CVE‑2026‑31431) – Vulnerability Overview and Mitigation Guide for EWC images - European …
Copy Fail (CVE‑2026‑31431) can only be exploited by someone who is able to run local commands on your virtual machine. This means the real‑world risk depends on how your system is exposed and who can access it.
Your system is at high risk if any of the following are true:
In these cases, an attacker who gains any local foothold can escalate to root instantly.
The urgency is lower if:
In these situations, the vulnerability is still present, but the practical risk of exploitation is minimal because no untrusted user can execute local commands.
The following command will reboot your machine.
TBD |
The following command will reboot your machine.
|
|
TBD |