ZERODAY Important Linux Dirty Frag, CopyFail2 Local Privilege Escalation (LPE) Vulnerabilities
Dear OSG Security Contacts,
Two Linux kernel exploits were released to the public on May 7th, called Dirty Frag (CVE-2026-43284) and Copy.Fail2_Electric-Boogaloo, that allow a local normal user to perform root privilege escalation. Kernel developers seem to have found out at the same time as the public, making these zero-day vulnerabilities. These vulnerabilities use a similar page-cache write approach to the recently disclosed "Copy Fail" vulnerability, but target different Linux kernel subsystems.
While there is no patch yet available, there are mitigating steps below that you should apply immediately to protect yourself from the potential rapid spread of these exploits. This is the information we have at the time of writing.
IMPACTED VERSIONS:
The disclosed vulnerabilities reportedly affect Linux kernels across broad version ranges and have been reproduced on major Linux distributions including Ubuntu, RHEL, CentOS Stream, Fedora, AlmaLinux, and openSUSE. In our testing it worked with default configurations of the OS and could be exploited in less than a minute.
The xfrm-ESP Page-Cache Write vulnerability reportedly affects kernels since 2017.
The RxRPC Page-Cache Write vulnerability reportedly affects kernels since 2023.
At the time of disclosure, no upstream patches or CVEs are available.
WHAT ARE THE VULNERABILITIES:
Dirty Frag and Copy Fail 2 Electric Boogaloo belong to the same broader page-cache write vulnerability class as Dirty Pipe and Copy Fail. The vulnerabilities allow deterministic local privilege escalation without race conditions or kernel-version-specific offsets.
The vulnerabilities target Linux kernel networking subsystems related to xfrm-ESP and RxRPC handling. Public exploit code demonstrates reliable privilege escalation across multiple Linux distributions.
Note that the esp4 and esp6 modules are used in the encryption of network traffic at the IP layer of the networking model. You will need to determine if you are actively using these modules for production use and do a quick risk analysis to determine if you need to remove the modules or mitigate this vulnerability in another way.
Importantly, previously discussed Copy Fail mitigations (such as blacklisting algif_aead) do NOT mitigate these vulnerabilities.
EXPLOIT PRE-CONDITIONS:
xfrm-ESP Page-Cache Write requires the privilege to create a namespace (unshare(CLONE_NEWUSER)). Ubuntu sometimes blocks unprivileged user namespace creation through AppArmor policy. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered.
RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions. However, on Ubuntu, the rxrpc.ko module is loaded by default.
WHAT YOU SHOULD DO:
Until vendor patches become available, consider applying temporary mitigations by unloading and blacklisting the affected kernel modules where operationally feasible. In our testing, these mitigations prevented both vulnerabilities.
Currently discussed mitigations include disabling:
- esp4
- esp6
- xfrm_user
- rxrpc
This is accomplished on vulnerable systems by adding the following lines to the file "/etc/modprobe.d/dirtyfrag.conf":
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
And then run the following command as root to remove the affected modules:
rmmod esp4 esp6 rxrpc 2>/dev/null
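To confirm the mitigation took effect on a host, the following added example (not part of the original advisory or any vendor tooling) checks that each module from the config lines above is both unloaded and blocked by an "install ... /bin/false" rule. The function names are hypothetical, and the paths are parameters that default to /proc/modules and /etc/modprobe.d so the check can also be run against copied or constructed files.

```shell
#!/bin/sh
# Added example: audit whether the advisory's module mitigation is in place.
# Function names are illustrative; path arguments are optional and default
# to the live system locations.

MODULES="esp4 esp6 rxrpc"   # the modules named in the advisory's config lines

# module_loaded NAME [PROC_MODULES]: succeeds if NAME is currently loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# module_blocked NAME [CONF_DIR]: succeeds if some *.conf file in CONF_DIR
# carries an uncommented "install NAME /bin/false" line.
module_blocked() {
    dir="${2:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            $1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit_host [PROC_MODULES] [CONF_DIR]: print one status line per module and
# return the number of findings (0 means unloaded and blocked everywhere).
audit_host() {
    findings=0
    for m in $MODULES; do
        state="ok"
        if module_loaded "$m" "$1"; then
            state="LOADED"; findings=$((findings + 1))
        fi
        if ! module_blocked "$m" "$2"; then
            state="$state NOT-BLOCKED"; findings=$((findings + 1))
        fi
        echo "$m: $state"
    done
    return "$findings"
}
```

Source the file and call audit_host with no arguments to check the live host; a module reported as LOADED after the rmmod step is still in use and needs the risk analysis described above.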
For shared environments, consider restricting unprivileged user access paths (SSH, HTCondor jobs, containers, CI workloads, etc.) until mitigations or vendor patches are available.
If exploitation is suspected, systems should be rebooted and audited to check for injected accounts or rootkits.
REFERENCES
[1] https://github.com/V4bel/dirtyfrag
[2] https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md
[3] https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
[4] https://access.redhat.com/security/cve/cve-2026-43284
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team