OK, I've been working through the mitigations for the string of kernel vulnerabilities. I think this is all of them. I had Claude spit out a summary.

Hope this helps others.

Linux Kernel LPE Roundup — May 7, 2026
Four local privilege escalation vulnerabilities in the same bug class (page-cache writes) are actively circulating. Here’s what you need to know:
1. Copy Fail (CVE-2026-31431)
Original page-cache write via algif_aead in the crypto subsystem. Patched upstream, distro patches available.
Mitigation: Blacklist algif_aead module, or apply your distro’s kernel update.
https://copy.fail/
2. Dirty Frag (no CVE yet)
Chains xfrm-ESP + RxRPC page-cache writes for a universal unprivileged LPE across all major distros. Published after a third party broke the embargo — no patches exist yet.
Mitigation: Blacklist esp4, esp6, and rxrpc modules.
https://github.com/V4bel/dirtyfrag/
3. Copy Fail 2: Electric Boogaloo (no CVE yet)
xfrm ESP-in-UDP variant using MSG_SPLICE_PAGES. Same class as Copy Fail, different subsystem. Autoloads esp4/xfrm modules via userns netlink. Upstream fix committed but not yet in stable branches.
Mitigation: Blacklist esp4 (same as Dirty Frag).
https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
4. io_uring ZCRX Freelist LPE (no CVE yet)
Out-of-bounds write in io_uring’s zero-copy receive freelist. Narrower scope — requires kernel 6.15+, CONFIG_IO_URING_ZCRX=y, a supported NIC (mlx5/ice/nfp), and CAP_NET_ADMIN. Fix committed but not in stable yet.
Mitigation: Check grep CONFIG_IO_URING_ZCRX /lib/modules/$(uname -r)/config — if not set, you’re not affected.
https://ze3tar.github.io/post-zcrx.html

#linux #kernel #cve #vulnerability #copyfail #copyfail2 #dirtyfrag #security #infosec #sysadmin

Copy Fail — 732 Bytes to Root

CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.

Xint

From waiting for #RHEL to release an update for #copyfail to waiting for RHEL to release an update for #dirtyfrag

Time to change career and open a bar on a beach? 🤷‍♂️

So, daily! I guess daily is the new pace at which I need to mitigate zero day kernel flaws. Got it. #linux #kernel #lpe #dirtyfrag #copyfail

glad esp32 is not affected

#dirtyfrag

#infosec #cybersecurity #linux dirty frag is easy to exploit, well done!

#copyfail #dirtyfrag

oss-security - Dirty Frag: Universal Linux LPE

University clusters are down again.

*opens mastodon*

Ah, another one. #dirtyfrag

I can't be the only one to misread the #DirtyFrag #vulnerability ... just #queer things

You know, I was going to let this domain expire...

https://istheinternetonfire.com/

Originally set up for Heartbleed in 2014; hadn't remembered to update it since the CrowdStrike incident two years ago.

I guess I'll just set it to a permanent "yes" going forward.

#CopyFail #DirtyFrag

Is The Internet On Fire?

dig +short txt istheinternetonfire.com

The rxrpc module is likely easier for you to block, but if you can't blocklist the ESP kernel modules, note that that exploit path requires the ability to call `unshare(CLONE_NEWUSER | CLONE_NEWNET)`.

That is

```
sysctl -w kernel.unprivileged_userns_clone=0
```

prevents the ESP exploit.

(That also prevents that other silly variant.)

#DirtyFrag
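
The mitigations named in the roundup post and in the sysctl post above, turned into a read-only audit (an added example, not part of any of the posts). The function names are hypothetical, and `/etc/modprobe.d` as the only configuration directory is an assumption.

```shell
# Added example: read-only audit of the mitigations listed in the posts above.
# Paths are parameters so each check can be run against constructed fixtures.

# module_state MODULE MODPROBE_DIR PROC_MODULES
# Prints one of: loaded | install-blocked | blacklisted | unmitigated
module_state() {
    mod=$1
    # A module that is already loaded stays loaded whatever modprobe.d says.
    if grep -q "^${mod} " "$3" 2>/dev/null; then echo loaded; return; fi
    # modprobe treats '-' and '_' in module names as the same character.
    conf=$(cat "$2"/*.conf 2>/dev/null | tr - _)
    # "install MOD /bin/false" makes every modprobe of MOD fail.
    if printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)"; then
        echo install-blocked; return
    fi
    # "blacklist MOD" stops alias-based autoloading, not "modprobe MOD".
    if printf '%s\n' "$conf" | grep -Eq \
        "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|\$)"; then
        echo blacklisted; return
    fi
    echo unmitigated
}

# zcrx_enabled KCONFIG: succeeds only if CONFIG_IO_URING_ZCRX=y is present.
zcrx_enabled() { grep -q '^CONFIG_IO_URING_ZCRX=y' "$1" 2>/dev/null; }

# userns_clone_off FILE: succeeds only if the sysctl file exists and reads 0.
# kernel.unprivileged_userns_clone is a distro patch, absent on some kernels.
userns_clone_off() { [ "$(cat "$1" 2>/dev/null)" = 0 ]; }

# audit MODPROBE_DIR: print one line per check for the running host.
audit() {
    for m in algif_aead esp4 esp6 rxrpc; do
        echo "$m: $(module_state "$m" "$1" /proc/modules)"
    done
    if zcrx_enabled "/lib/modules/$(uname -r)/config"; then
        echo "io_uring zcrx: CONFIG_IO_URING_ZCRX=y"
    else
        echo "io_uring zcrx: not enabled, or config file not found"
    fi
    if userns_clone_off /proc/sys/kernel/unprivileged_userns_clone; then
        echo "unprivileged userns: disabled"
    else
        echo "unprivileged userns: enabled, or sysctl not present"
    fi
}

audit /etc/modprobe.d
```

A result of `loaded` means the module still has to be removed with `rmmod` or a reboot before the blocklist entry has any effect.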