Copy Fail and Dirty Frag: Linux Page-Cache Exploits Target Every Major Distribution
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Linux kernel exploits are security-focused, not directly relevant to AI/cloud.
Two Linux kernel local privilege escalation vulnerabilities—Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284, CVE-2026-43500)—exploit page-cache write primitives similar to Dirty Pipe, allowing unprivileged users to gain root on all major distributions. Copy Fail, discovered by Theori's AI tool Xint Code in under an hour, targets the crypto subsystem's algif_aead module and roots Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16 with a 732-byte Python PoC. Dirty Frag chains xfrm-ESP and RxRPC page-cache writes to cover distribution-specific gaps (e.g., namespace restrictions), achieving root on every tested distro; patches landed in mainline by early April 2026, but unpatched systems remain exposed.
Patch your Linux kernels immediately—verify your distribution's fix for CVE-2026-31431, CVE-2026-43284, and CVE-2026-43500, and review your page-cache attack surface.
For a senior engineer managing cloud infrastructure, these exploits directly threaten Linux servers in production, and the use of AI for vulnerability discovery signals a shift in security tooling that impacts your threat model and patch cadence.