Two More Major Linux Vulnerabilities Discovered in the Same Class as Copy Fail

Two new Linux local privilege escalation vulnerabilities, Dirty Frag and Copy Fail 2: Electric Boogaloo, were discovered in the same vulnerability class as Copy Fail, affecting most Linux distributions.

“Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.”

The exploit is also a successor of the Dirty Pipe vulnerability.

According to the writeup, the patch for the Copy Fail vulnerability won’t help with Dirty Frag, since it can be triggered whether or not algif_aead is available.

The vulnerability utilizes in-place cryptography just like Copy Fail.

Dirty Frag is actually two vulnerabilities chained together. The exploit author, Hyunwoo Kim, explains further:

RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions. For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.
Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.

Both bugs have now been assigned CVEs, CVE-2026-43284 and CVE-2026-43500 respectively; however, there is only a patch for the xfrm-ESP Page-Cache Write vulnerability.
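
The two preconditions Kim describes (user namespace creation for the ESP variant, an available rxrpc.ko for the RxRPC variant) can be checked per host. The Python below is an added example, not code from the writeup or its author; the sysctl names and module directory it reads are assumptions not named in this article, and a precondition holding says nothing about whether the running kernel is patched.

```python
"""Report which Dirty Frag variant preconditions (as quoted above) hold on a host."""
from pathlib import Path

# Assumed sysctls gating unprivileged user namespaces (not named in the article).
# Each maps to a predicate that is True when the value does NOT block creation.
USERNS_SYSCTLS = {
    "user/max_user_namespaces": lambda v: v > 0,                       # mainline limit
    "kernel/unprivileged_userns_clone": lambda v: v == 1,              # Debian/Ubuntu patch
    "kernel/apparmor_restrict_unprivileged_userns": lambda v: v == 0,  # Ubuntu AppArmor
}

def userns_allowed(proc_sys: Path) -> bool:
    """False if any sysctl that is present blocks unprivileged user namespaces.
    A missing sysctl is treated as not blocking (errs toward 'exposed')."""
    for rel, permits in USERNS_SYSCTLS.items():
        f = proc_sys / rel
        if f.is_file() and not permits(int(f.read_text().strip())):
            return False
    return True

def rxrpc_state(proc_modules: Path, modules_dir: Path) -> str:
    """'loaded', 'on-disk' (shipped, so it may be loadable) or 'absent'.
    Limitation: an rxrpc built into the kernel image appears in neither place."""
    lines = proc_modules.read_text().splitlines()
    loaded = {line.split()[0] for line in lines if line.strip()}
    if "rxrpc" in loaded:
        return "loaded"
    # Matches rxrpc.ko as well as compressed forms such as rxrpc.ko.zst
    if modules_dir.is_dir() and any(modules_dir.rglob("rxrpc.ko*")):
        return "on-disk"
    return "absent"

def assess(proc_sys, proc_modules, modules_dir) -> dict:
    """Combine both checks into one report for inventory or alerting."""
    rx = rxrpc_state(Path(proc_modules), Path(modules_dir))
    return {
        "esp_variant_precondition": userns_allowed(Path(proc_sys)),
        "rxrpc_variant_precondition": rx != "absent",
        "rxrpc_module": rx,
    }

if __name__ == "__main__":
    import platform
    print(assess("/proc/sys", "/proc/modules",
                 f"/lib/modules/{platform.release()}"))
```

A host where both precondition fields are False does not match either scenario in the quote; any True value marks that host as a priority for the kernel update.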

Another vulnerability in a similar vein was found in a different subsystem.

Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and sus into it. Same class as Copy Fail (CVE-2026-31431), different subsystem.

They list current versions of Ubuntu, Debian, Arch, and Fedora as being vulnerable.

For now, make sure to update your system and check with your distribution to see any steps you might need to take to prevent exploitation.

So many high-severity bugs in such a short time is alarming.

GrapheneOS stated that they aren’t vulnerable to all three of the recent bugs:

Perhaps the Linux kernel maintainers and Linux distributions could do more to protect their users against such attacks before they’re found.
