RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: page-cache (2 articles)Clear
vulnerability
2026-05-08

Brand-new Linux 'Dirty Frag' bug lets any local user become root on every major distribution - PoC exploit is public, no patches yet

Researcher Hyunwoo Kim disclosed Dirty Frag yesterday after an unrelated third party broke the embargo five days early. The flaw chains two Linux kernel page-cache write bugs (xfrm-ESP and RxRPC) to give any local user root access on every major distribution - Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Like Dirty Pipe and last week's Copy Fail, it's a deterministic logic bug with no race condition required and no kernel panic on failure. PoC is public on GitHub. The ESP variant patch was merged into the netdev tree on May 7 but distribution kernels remain unpatched. No CVE assigned yet because the embargo broke early.

dirty-fraglinux-kernellpeprivilege-escalationpage-cachexfrm-esprxrpchyunwoo-kimembargo-brokenpoc-publicunpatchedcopy-fail-successordirty-pipe-class
Check
Inventory Linux servers, container hosts, CI runners, and Kubernetes nodes that allow shell access or run untrusted code. Check whether esp4, esp6, and rxrpc kernel modules are loaded with 'lsmod | grep -E "esp4|esp6|rxrpc"'.
Affected
Every Linux distribution with kernel 4.10+ (ESP variant) and 5.x+ (RxRPC variant). All major distros confirmed: Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, container hosts), CI/CD runners executing untrusted PR code. Firecracker microVMs and gVisor are not affected.
Fix
Blacklist vulnerable modules: 'sh -c "printf \'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n\' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"'. This breaks IPsec VPNs and AFS filesystems but stops the exploit. Apply distribution kernel patches as soon as they ship - AlmaLinux has early test patches. Treat container boundaries as broken until patched.
vulnerability
CVE-2026-31431
2026-04-29

9-year-old Linux kernel bug 'Copy Fail' lets any user with shell access become root in seconds - works on every major distribution since 2017 (CVE-2026-31431)

Researchers at Theori and Xint disclosed Copy Fail yesterday, a Linux kernel bug introduced in 2017 that lets any unprivileged user with shell access become root in seconds. The exploit is a 732-byte Python script that works without version-specific tweaks on every major Linux distribution since 2017 - Ubuntu, Amazon Linux, RHEL, SUSE. Unlike previous kernel bugs (Dirty Cow, Dirty Pipe), Copy Fail has no race condition and no per-kernel offsets. It also leaves no trace on disk because it only modifies the in-memory page cache. The bug was found using AI-assisted reverse engineering and has been hiding in the open for nearly nine years.

linuxkernelcopy-failprivilege-escalationpage-cachetheorixintcontainer-escapeai-assistedauthencesnaf-alg9-year-old
Check
Update the kernel on every Linux server, container host, and CI runner you operate today, especially anything that runs untrusted code or hosts multiple tenants.
Affected
Every Linux distribution since 2017 with kernel 4.14 or later. CVE-2026-31431, CVSS 7.8. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, Docker hosts), CI/CD runners that execute untrusted PR code (GitHub Actions self-hosted, GitLab runners, Jenkins agents), notebook hosts, and anything using Linux containers as a security boundary. Firecracker microVMs and gVisor are not affected.
Fix
Apply the kernel update from your distribution that includes commit a664bf3d603d. Until patched, blacklist the algif_aead module: 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf' then 'rmmod algif_aead'. The disable does not break dm-crypt, kTLS, IPsec, or SSH. For multi-tenant Kubernetes clusters, treat container boundaries as broken until patched.