Two Linux kernel local privilege escalation vulnerabilities have been publicly disclosed within a week of each other. Copy Fail (CVE-2026-31431), disclosed on 29 April 2026 by security firm Theori, and Dirty Frag (CVE-2026-43284 and CVE-2026-43500), disclosed on 7 May 2026 by researcher Hyunwoo Kim, both allow an unprivileged local user to obtain root on affected distributions. Both vulnerabilities affect the page cache and share the same broad bug class as the 2022 Dirty Pipe vulnerability.
Copy Fail was found by Theori using their AI-powered security tool Xint Code, which the team says required roughly an hour of scan time against the Linux crypto/ subsystem with a single operator prompt and no custom harness. The bug itself is a logic flaw in the algif_aead kernel module, introduced by an in-place optimisation in 2017. An unprivileged process can splice data into an AF_ALG socket and complete a small write into the page cache of a file it does not own. Because the page cache is shared across the host, the same write can affect files belonging to setuid binaries. Theori published a standalone 732-byte Python proof-of-concept that requires only the Python standard library and roots Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 without modification.
"Copy Fail requires only an unprivileged local user account -- no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro's default config, so the entire 2017 to patch window is in play out of the box."
-- Theori, copy.fail
The disclosure timeline shows that Theori reported the issue to the Linux kernel security team on 23 March 2026. An initial acknowledgment followed the next day, patches were proposed and reviewed by 25 March, a mainline commit landed on 1 April, and CVE-2026-31431 was assigned on 22 April. Public disclosure came on 29 April 2026. Major distributions began shipping fixes in the days that followed. Bugcrowd security researcher Casey Ellis wrote on the Bugcrowd blog that Theori "did not pivot to AI exploit development to chase a trend. They pivoted because the math now favours it."
A week after Copy Fail, Hyunwoo Kim published Dirty Frag, describing it as an extension of the same bug class. Dirty Frag chains two separate vulnerabilities: CVE-2026-43284, an xfrm-ESP page-cache write affecting the esp4 and esp6 modules, and CVE-2026-43500, an RxRPC page-cache write affecting rxrpc. Together they cover a wider range of configurations than either issue alone, because the two primitives compensate for each other's gaps across different distribution defaults.
"xfrm-ESP Page-Cache Write provides a powerful arbitrary 4-byte STORE primitive like Copy Fail, and is included on most distributions, but it requires the privilege to create a namespace. Ubuntu sometimes blocks unprivileged user namespace creation through AppArmor policy. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered. RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions. However, on Ubuntu, the rxrpc.ko module is loaded by default."
-- Hyunwoo Kim, dirtyfrag GitHub repository
Kim notes that this chaining makes the two variants cover each other's blind spots, allowing root privileges to be obtained on every major distribution tested. Unlike many kernel exploits, Dirty Frag does not depend on a race condition. Kim describes it as a deterministic logic bug: the kernel does not panic on a failed attempt, and the success rate is high. CVE-2026-43284 affects kernels from January 2017 up to a patch in May 2026. CVE-2026-43500 covers a narrower window from June 2023, when the affected RxRPC code path was introduced, up to 10 May 2026.

The Dirty Frag disclosure happened under unusual circumstances. Kim's README states that at the time of first publication on 7 May 2026, the embargo had been broken due to external factors and no patch or CVE had been assigned. The maintainers on the linux-distros mailing list asked Kim to publish the document at that point rather than wait. Patches and CVE identifiers followed in the days after publication. AlmaLinux published a detailed breakdown the same day as the disclosure, with test kernels carrying the patches available immediately and production repository updates landing on 8 May 2026.
Ubuntu is affected across all releases going back to Trusty Tahr (14.04 LTS). Canonical published a mitigation guide covering both Dirty Frag CVEs. The guide assigns CVE-2026-43284 a CVSS 3.1 score of 8.8 (HIGH) based on the kernel.org CNA assessment, and assigns CVE-2026-43500 a CVSS 3.1 score of 7.8 (HIGH) based on Canonical's own assessment, noting that the CVE List had not yet assigned a score. Canonical's guide describes the process of blocking the three affected modules (esp4, esp6, rxrpc) via /etc/modprobe.d, regenerating the initramfs, unloading the modules, and confirming they are no longer present in /proc/modules. Organisations using IPsec with StrongSwan or AFS with RxRPC should assess the regression risk before applying that mitigation, as it disables the relevant kernel modules.
Both vulnerabilities sit in the same broad area that produced Dirty Pipe (CVE-2022-0847), the 2022 Linux LPE discussed in related security coverage at the time. Dirty Pipe let an unprivileged user splice data into the page cache of read-only files. Copy Fail and Dirty Frag use the same page-cache write primitive but enter it through different kernel subsystems: the crypto API in Copy Fail's case, and IPsec and RxRPC in Dirty Frag's. The reason these bugs survived for years in heavily reviewed code is likely that the crypto/ subsystem, the ESP fast path, and the RxRPC receive path are all reviewed primarily for cryptographic correctness properties such as IND-CPA security and side-channel resistance. The question of where memory came from and whether the kernel should write through it is a different kind of question, and one the standard review process is not oriented to catch.
Sysdig's Threat Research Team posted on LinkedIn that "Dirty Frag shows page-cache-write flaws are becoming a recurring exploit class" and that with a public exploit available, defenders should assume any local foothold on an unpatched Linux system can rapidly become root access. Crystal Morin, a security researcher at Sysdig, posted a Falco detection rule for Dirty Frag on 7 May, the day of disclosure.
Container isolation is a complicating factor for both vulnerabilities. Bugcrowd's Ellis identifies three surfaces as particularly exposed by Copy Fail: multi-tenant Kubernetes clusters running on a shared kernel, self-hosted CI/CD runners that execute untrusted pull request code, and AI agent code-execution sandboxes that run model-generated shell commands inside containers. The page cache is shared across the entire host, so a write from one container affects every other tenant. Isolation mechanisms that do not provide a separate kernel, such as Linux namespaces, do not block either exploit. Ellis writes that "shared-kernel multi-tenancy is the structural exposure Copy Fail makes concrete" and recommends microVM runtimes such as Firecracker, or a user-space kernel such as gVisor, for workloads that execute untrusted code.
The AI angle in Copy Fail's discovery has attracted attention beyond the vulnerability itself. An InfoQ report from April 2026 covered Anthropic researcher Nicholas Carlini's use of Claude Code to find five Linux kernel vulnerabilities, including a remotely exploitable 23-year-old heap buffer overflow in the NFS driver. Carlini used a simple bash loop across every source file in the kernel tree with no custom tooling. Linux kernel maintainers told Carlini that AI bug reports have shifted from noise to legitimate findings, with security lists now receiving between five and ten valid reports daily. Theori's work on Copy Fail takes a similar approach but in a more targeted way, limiting the scan to the crypto/ subsystem. Ellis's piece describes the Xint Code result as a data point indicating that the cost of finding kernel-grade logic flaws may have dropped significantly, and says organisations should assume the supply of new reports will increase.
For organisations responding now, the primary action for Copy Fail is to update to a kernel package containing mainline commit a664bf3d603d, which reverts the 2017 algif_aead in-place optimisation. Until that patch is available, Theori's mitigation is to blacklist the algif_aead module and combine that with a seccomp profile blocking AF_ALG socket creation for untrusted processes. For Dirty Frag, the mitigation is to blacklist esp4, esp6, and rxrpc and clear the page cache, then apply kernel updates when distributions ship them. Kim's README notes that Copy Fail's published mitigation of blacklisting algif_aead does not protect against Dirty Frag, because the xfrm-ESP primitive shares the same sink as Copy Fail but does not rely on algif_aead being present.
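The module-blocking steps described above (Canonical's for esp4, esp6 and rxrpc, Theori's for algif_aead) can be verified with a short audit. The script below is an added example, not code from Canonical, Theori or Kim; its function names, the sample /proc/modules lines and the dirtyfrag.conf file name are constructed for illustration, and it does not check whether the initramfs was regenerated.

```shell
# Added example: audit the module-blocking mitigation described in the article.
MODULES="algif_aead esp4 esp6 rxrpc"   # module names taken from the article

# module_loaded NAME PROC_MODULES -> exit 0 if NAME is currently loaded
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# module_policy NAME MODPROBE_DIR -> prints install | blacklist | none
# "install NAME /bin/false" stops every load; "blacklist" only suppresses
# alias-based autoloading (modprobe.d(5)), so it is reported separately.
module_policy() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        { sub(/#.*/, ""); name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m && $3 ~ /\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print (inst ? "install" : (bl ? "blacklist" : "none")) }'
}

# audit PROC_MODULES MODPROBE_DIR -> one line per module, exit 1 on any finding
audit() {
    rc=0
    for name in $MODULES; do
        policy=$(module_policy "$name" "${2:-/etc/modprobe.d}")
        if module_loaded "$name" "${1:-/proc/modules}"; then state=loaded; else state=absent; fi
        if [ "$state" = absent ] && [ "$policy" = install ]; then verdict=OK
        else verdict=EXPOSED; rc=1; fi
        echo "$name $state $policy $verdict"
    done
    return "$rc"
}

# Constructed sample host: two modules still loaded, one only blacklisted.
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/modprobe.d"
    cat > "$d/modules" <<'EOF'
rxrpc 421888 0 - Live 0x0000000000000000
esp4 28672 0 - Live 0x0000000000000000
EOF
    cat > "$d/modprobe.d/dirtyfrag.conf" <<'EOF'
install esp4 /bin/false
install esp6 /bin/false
blacklist rxrpc
EOF
    echo "$d"
}

fixture=$(make_fixture)
audit "$fixture/modules" "$fixture/modprobe.d" || echo "mitigation incomplete"
```

Calling `audit` with no arguments reads the live /proc/modules and /etc/modprobe.d. On the constructed host only esp6 passes: esp4 has an override but is still loaded, rxrpc is loaded and merely blacklisted, and algif_aead has no rule at all.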