Linux Dirty Frag and Copy Fail Flaws Spur Calls for Kernel Killswitch
Linux developers and government defenders are responding to newly disclosed local privilege-escalation flaws Dirty Frag and Copy Fail, which can let unprivileged users gain root on affected systems. Dirty Frag combines CVE-2026-43284 and CVE-2026-43500 in Linux networking components tied to IPSec ESP and RxRPC, while Copy Fail (CVE-2026-31431) is a separate AF_ALG cryptographic socket flaw. Researchers said the bugs had existed for years, proof-of-concept exploit material is public, and affected environments include major enterprise distributions such as RHEL, Ubuntu, Fedora, CentOS Stream, AlmaLinux, and OpenShift deployments.
The Canadian Centre for Cyber Security warned that Dirty Frag could be chained with remote code execution for more severe compromise and advised organizations to identify exposed systems, disable vulnerable modules where possible, regenerate initramfs, restrict access, reduce privileges, and monitor logs until vendor patches arrive. In parallel, Linux kernel maintainer Sasha Levin proposed an emergency runtime Killswitch mechanism that would let administrators temporarily disable vulnerable kernel functions until reboot, aiming to reduce exposure when public disclosure outpaces patch distribution; the proposal remains under review and has not yet been merged.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Linux developers propose Killswitch runtime mitigation
By 2026-05-11, Linux kernel developers were reviewing Sasha Levin's proposed Killswitch mechanism, intended to let administrators disable vulnerable kernel functions at runtime as a stop-gap defense between public disclosure and patch deployment.
fsnotify maintainer denies takeover and cites governance dispute
During the fsnotify controversy, maintainer Martin Tournoij said the removed accounts were not active maintainers and that access was revoked over rushed merges and an unauthorized sponsorship-file change, framing the incident as a maintainer dispute rather than a compromise.
fsnotify maintainer removals trigger supply-chain takeover concerns
By 2026-05-08, contributor access changes in the fsnotify GitHub organization had sparked fears of a possible supply-chain compromise after Yasuhiro Matsumoto said he had been removed from the project and recent releases came under scrutiny.
Canadian Centre for Cyber Security issues Dirty Frag alert
On 2026-05-08, the Canadian Centre for Cyber Security published Alert AL26-011 warning that CVE-2026-43284 and CVE-2026-43500 could be chained for root compromise, noting public proof-of-concept exploits and the lack of a universal fix across stable kernels.
Researcher Hyunwoo Kim publicly discloses Dirty Frag flaws
On 2026-05-07, researcher Hyunwoo Kim publicly disclosed the Linux kernel vulnerabilities CVE-2026-43284 and CVE-2026-43500, collectively referred to as Dirty Frag, showing they could be chained for local privilege escalation to root.
Public upstream patch accelerates Dirty Frag exploit development
Before Dirty Frag was publicly disclosed, an upstream Linux patch became public and enabled another researcher to rapidly develop an exploit, contributing to the accelerated disclosure timeline described by kernel developers.
Theori publicly discloses Copy Fail privilege-escalation flaw
On 2026-04-29, Theori publicly disclosed Copy Fail (CVE-2026-31431), a nine-year-old AF_ALG Linux kernel flaw that enables reliable local root escalation by allowing controlled writes into the kernel page cache of readable files.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Popular Go Library fsnotify Raises Supply Chain Alarms After Maintainer Access Changes
cybersecuritynews.com
Open source9-Year-Old Dirty Frag Vulnerability Enables Root Access on Linux Systems
hackread.com
Open sourceLinux developers weigh emergency "killswitch" for vulnerable kernel functions - Help Net Security
helpnetsecurity.com
Open sourceAL26-011 - Vulnerabilities affecting Linux - CVE-2026-43284 and CVE-2026-43500 - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCopy Fail (CVE-2026-31431): A Technical Deep Dive : r/netsec
reddit.com
Open sourcefsnotify Maintainer Dispute Sparks Supply Chain Concerns - S...
socket.dev
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dirty Frag Linux Kernel LPE Enables Immediate Root Access Across Major Distros
Researchers publicly disclosed **Dirty Frag**, a Linux kernel local privilege escalation chain that can give an unprivileged local user immediate root access across major distributions. The disclosure said the issue combines flaws in the in-place decryption fast paths for **`esp4`**, **`esp6`**, and **`rxrpc`**, allowing page-cache corruption or plaintext exposure in externally backed paged fragments. Public write-ups and exploit repositories described two working paths: overwriting **`/usr/bin/su`** with a root shell via the ESP/XFRM stack, or corrupting **`/etc/passwd`** through RXRPC/RXKAD behavior so a UID 0 account can be used without a password. The bug was published without patches or CVE assignments after an embargo was reportedly broken, and exploit code was quickly made public through oss-sec, GitHub, and security forums. A related GitHub proof of concept, **Copy Fail 2: Electric Boogaloo**, tied the ESP path to the **`MSG_SPLICE_PAGES`** no-copy-on-write fast path and reported successful exploitation on Debian, Arch, Fedora, and newer Ubuntu releases, while noting older Ubuntu 22.04 kernels were not affected by that specific path. AlmaLinux said all supported releases were affected, issued patched kernels in testing by backporting the upstream ESP fix, and recommended temporary mitigations including blacklisting or unloading **`esp4`**, **`esp6`**, and **`rxrpc`** modules and dropping page cache if compromise is suspected.
May 20, 2026
Fragnesia Linux Kernel Flaw Lets Local Users Gain Root via Page Cache Corruption
Researchers disclosed **Fragnesia** (`CVE-2026-46300`), a Linux kernel local privilege escalation flaw that allows an unprivileged local user to gain **root** by corrupting the kernel page cache for read-only files. The bug, discovered by William Bowling of Zellic and the V12 team, is described as a new variant in the Dirty Frag family and affects Linux kernels released before May 13, 2026. It stems from faulty bookkeeping when shared page fragments are merged in socket buffers and can be triggered through the kernel's XFRM **ESP-in-TCP** path, with additional exposure through `rxrpc` on some systems. A public proof-of-concept exploit modifies the in-memory copy of files such as `/usr/bin/su` to spawn a root shell while leaving the on-disk binary unchanged, reducing forensic visibility. Vendors and distributions moved quickly to publish advisories, patches, and mitigations as exploit code became public. AlmaLinux said releases 8, 9, and 10 are affected through `esp4` and `esp6`, with AlmaLinux 9 and 10 also exposed through `rxrpc` when `kernel-modules-partner` is installed, and released backported fixes ahead of upstream vendor updates. Recommended mitigations include disabling or blacklisting the `esp4`, `esp6`, and `rxrpc` kernel modules, restricting unprivileged user namespaces, and monitoring for suspicious namespace creation or XFRM manipulation; AlmaLinux also advised dropping page cache if compromise is suspected. The disclosure comes amid heightened concern over Linux local-root bugs in the same code area, and one cybercrime forum post reportedly advertised a Linux LPE zero-day for sale for **$170,000**.
May 19, 2026
Linux kernel LPE exploits DirtyDecrypt and PinTheft expose root access paths
Public proof-of-concept exploit code was released for **DirtyDecrypt** (`CVE-2026-31635`), a high-severity Linux kernel local privilege escalation flaw caused by a missing copy-on-write guard in `rxgk_decrypt_skb()` within the RxGK subsystem. The bug allows unprivileged local users to corrupt shared page-cache memory tied to privileged files or processes, potentially overwriting targets such as `/etc/shadow`, `/etc/sudoers`, or SUID binaries to gain **root**. Reports said the issue was quietly patched upstream in late April and primarily affects systems using mainline or rolling-release kernels with `CONFIG_RXGK` enabled, including **Fedora**, **Arch Linux**, and **openSUSE Tumbleweed**; the risk is elevated on Kubernetes worker nodes and developer workstations because exploitation can also enable container escape and theft of secrets or runtime sockets. At the same time, researchers disclosed **PinTheft**, another Linux local privilege escalation exploit that abuses a double-free or refcount bug in the **RDS zerocopy send path** and uses `io_uring` fixed buffers to turn the flaw into a page-cache overwrite against a SUID-root binary. The exploit, credited to Aaron Esau of V12 Security, reportedly drains page references through failed RDS zerocopy sends, frees the page, reclaims it as page cache, and overwrites it with a malicious ELF payload that yields a root shell when executed. Mailing list discussion said a patch and proof of concept are available, with exploitability depending on the `rds` kernel module being present or autoloadable; **Arch Linux** was reported to enable it by default, while Fedora may also be exposed and Debian and Ubuntu appear to have mitigations that restrict autoloading.
May 20, 2026