Dirty Frag / CopyFail2 Linux Privilege Escalation

Overview
CVE: CVE-2026-43284, CVE-2026-43500
Severity: High
Platform: Linux (Kernel-level components)
Incident Type: Local Privilege Escalation Vulnerability (Post-Exploitation)
Advisory Date: 11 May 2026
Dirty Frag, also referred to as CopyFail2, is a Linux local privilege escalation chain that abuses page-cache writes through vulnerable kernel networking components. Public proof-of-concept artefacts are already circulating, including a repository dubbed Copy Fail 2: Electric Boogaloo, and Microsoft has reported limited in-the-wild activity. The issue is most relevant after initial access, such as a compromised SSH account, web shell, low-privileged service account or container foothold.
Affected Versions
See vendor advisories for exact fixed kernel builds by distribution.
Public reporting indicates Linux distributions released in the last nine years are likely affected.
Publicly reported tested affected builds include Ubuntu 24.04, Debian 13, Arch, Fedora and Ubuntu 26.04, though exposure still depends on kernel build, module state and vendor backports.
Exposure depends on whether esp4, esp6, rxrpc and related functionality are present, loaded and reachable in your environment.
Vulnerability Breakdown
CVE-2026-43284 - xfrm-ESP page-cache write
Severity: High
CVSS: 7.8
Description: This flaw affects the xfrm/IPsec ESP path and can create a controlled page-cache write primitive during in-place decryption over paged buffers.
Impact: An attacker with local execution may be able to modify cached content and escalate privileges to root.
Conditions: Local access is required. Risk increases where unprivileged users can create sockets, use namespaces or reach affected IPsec-related modules.
Notes: Disabling esp4 and esp6 may reduce exposure, but doing so can break IPsec tunnels that rely on the kernel data path.
CVE-2026-43500 - RxRPC page-cache write
Severity: High
CVSS: Not yet published
Description: This issue affects the rxrpc path and can be chained with CVE-2026-43284 to improve exploitation reliability and support namespace-related privilege paths.
Impact: When combined with the xfrm-ESP flaw, it can help turn limited local access into full root compromise on vulnerable Linux systems.
Conditions: Local access is required. Exposure depends on rxrpc availability and how the host handles namespaces and related networking features.
Notes: As of 8 May 2026, public reporting indicates this CVE is reserved but not fully published in NVD.
Mitigation
Apply vendor kernel updates as soon as they are available.
Prioritise internet-facing Linux systems, shared servers, container hosts, CI runners and systems handling untrusted workloads.
Where operationally safe, disable unused rxrpc, esp4 and esp6 modules until patched.
Review whether unprivileged user namespaces and unnecessary local shell access can be restricted.
Increase monitoring for suspicious privilege escalation activity, unexpected su usage and anomalous setuid behaviour. If compromise is suspected, verify critical file integrity and assess whether page cache should be cleared after mitigation.
Take care before disabling esp4 or esp6 on hosts that depend on IPsec.
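The following exposure check is an added example and not part of the advisory or any vendor tooling. It takes the module names (esp4, esp6, rxrpc) from the advisory above; the /proc paths and the modprobe.d "install" convention are assumed from a stock Linux host.

```shell
#!/bin/sh
# Exposure check for the Dirty Frag / CopyFail2 module set (esp4, esp6, rxrpc).
# Added example. Usage on a host: sh check_dirtyfrag.sh --report
set -u

MODULES="esp4 esp6 rxrpc"

# Print the advisory-listed modules present in a /proc/modules-style listing read from stdin.
# Only the first field (the module name) is matched, so dependency lists such as "esp4," in
# another module's line do not produce false hits.
loaded_modules() {
    awk -v want="$MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($1 in wanted) { print $1 }'
}

# Emit a modprobe.d fragment that blocks on-demand loading of the listed modules.
# "install <mod> /bin/false" also stops autoload through aliases, unlike a bare "blacklist" line.
# It does not unload a module that is already resident and cannot affect built-in code.
blacklist_fragment() {
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Classify unprivileged user-namespace availability from two sysctl values:
# $1 = user.max_user_namespaces (0 disables creation outright),
# $2 = kernel.unprivileged_userns_clone (Debian/Ubuntu; 0 = denied) or "missing" if absent.
# Anything not clearly restricted is reported as allowed, the conservative assumption.
userns_state() {
    case "$1:$2" in
        0:*|*:0) echo restricted ;;
        *) echo unprivileged-allowed ;;
    esac
}

report() {
    echo "Advisory-listed modules currently loaded:"
    loaded_modules </proc/modules | sed 's/^/  /'
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo missing)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo missing)
    echo "Unprivileged user namespaces: $(userns_state "$max" "$clone")"
    echo "Suggested /etc/modprobe.d/dirtyfrag.conf (check IPsec dependencies before installing):"
    blacklist_fragment | sed 's/^/  /'
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Modules already loaded still need `modprobe -r` (or a reboot) after the fragment is installed, and hosts whose kernels build ESP or rxrpc in rather than as modules gain nothing from it.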
Summary for IT Teams
Products: Linux kernel
Threat Level: High, CVSS 7.8
Action Required: Patch urgently, apply temporary module restrictions where safe, and prioritise hosts where a low-privileged foothold could lead to root compromise.
Reference
Microsoft Security Blog - Active attack: Dirty Frag Linux Vulnerability
CloudLinux - Dirty Frag (CVE-2026-43284, CVE-2026-43500): Mitigation and Kernel Update
Need Help?
If your organisation needs help assessing exposure, prioritising affected systems or planning emergency remediation, contact Secure ISS on 1300 769 460.
