RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: kernel (2 articles)Clear
vulnerability
CVE-2026-46300
2026-05-14

Third Linux kernel root exploit in three weeks - 'Fragnesia' rides the same ESP-in-TCP code path as Dirty Frag and ships with a public proof-of-concept (CVE-2026-46300)

Six days after Dirty Frag was patched, researcher William Bowling and the V12 Security team disclosed Fragnesia - a separate Linux kernel bug in the same ESP-in-TCP networking code that lets any unprivileged local user become root in one command. The public proof-of-concept overwrites /usr/bin/su in memory using a logic flaw that loses track of shared socket-buffer fragments, then re-runs su to drop into a root shell. The on-disk binary is left untouched, which makes the change harder to spot. Tracked as CVE-2026-46300 (CVSS 7.8), it follows Copy Fail (April 29) and Dirty Frag (May 7) in the same family.

linuxkernellpefragnesiadirty-frag-familyxfrm-esppage-cachepoc-public
Check
List Linux hosts where untrusted users can get a shell (multi-tenant servers, container build farms, CI runners) and verify whether the esp4/esp6/rxrpc module blacklist from Dirty Frag is still in place.
Affected
All Linux kernels released before May 13, 2026, including AlmaLinux 8/9/10, CloudLinux 7h/8/9/10, RHEL, Ubuntu, Debian, and openSUSE. Requires unprivileged user namespace creation enabled.
Fix
Install the patched kernel from your distribution as it lands (AlmaLinux and CloudLinux first), or use KernelCare for rebootless livepatches. Interim mitigation: blacklist esp4, esp6, and rxrpc modules, then drop the page cache.
vulnerability
CVE-2026-31431
2026-04-29

9-year-old Linux kernel bug 'Copy Fail' lets any user with shell access become root in seconds - works on every major distribution since 2017 (CVE-2026-31431)

Researchers at Theori and Xint disclosed Copy Fail yesterday, a Linux kernel bug introduced in 2017 that lets any unprivileged user with shell access become root in seconds. The exploit is a 732-byte Python script that works without version-specific tweaks on every major Linux distribution since 2017 - Ubuntu, Amazon Linux, RHEL, SUSE. Unlike previous kernel bugs (Dirty Cow, Dirty Pipe), Copy Fail has no race condition and no per-kernel offsets. It also leaves no trace on disk because it only modifies the in-memory page cache. The bug was found using AI-assisted reverse engineering and has been hiding in the open for nearly nine years.

linuxkernelcopy-failprivilege-escalationpage-cachetheorixintcontainer-escapeai-assistedauthencesnaf-alg9-year-old
Check
Update the kernel on every Linux server, container host, and CI runner you operate today, especially anything that runs untrusted code or hosts multiple tenants.
Affected
Every Linux distribution since 2017 with kernel 4.14 or later. CVE-2026-31431, CVSS 7.8. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, Docker hosts), CI/CD runners that execute untrusted PR code (GitHub Actions self-hosted, GitLab runners, Jenkins agents), notebook hosts, and anything using Linux containers as a security boundary. Firecracker microVMs and gVisor are not affected.
Fix
Apply the kernel update from your distribution that includes commit a664bf3d603d. Until patched, blacklist the algif_aead module: 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf' then 'rmmod algif_aead'. The disable does not break dm-crypt, kTLS, IPsec, or SSH. For multi-tenant Kubernetes clusters, treat container boundaries as broken until patched.