
"Copy Fail (CVE-2026-31431), disclosed on 29 April 2026 by security firm Theori, and Dirty Frag (CVE-2026-43284 and CVE-2026-43500), disclosed on 7 May 2026 by researcher Hyunwoo Kim, both allow an unprivileged local user to obtain root on affected distributions. Both vulnerabilities affect the page cache and share the same broad bug class as the 2022 Dirty Pipe vulnerability."
"Copy Fail was found by Theori using their AI-powered security tool Xint Code, which the team says required roughly an hour of scan time against the Linux crypto/ subsystem with a single operator prompt and no custom harness. The bug itself is a logic flaw in the algif_aead kernel module, introduced by an in-place optimisation in 2017. An unprivileged process can splice data into an AF_ALG socket and complete a small write into the page cache of a file it does not own."
"Because the page cache is shared across the host, the same write can affect files belonging to setuid binaries. Theori published a standalone 732-byte Python proof-of-concept that requires only the Python standard library and roots Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 without modification."
""Copy Fail requires only an unprivileged local user account -- no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro's default config, so the entire 2017 to patch window is in play out of the box." --Theori, copy.fail"
Two Linux kernel local privilege escalation vulnerabilities were disclosed within a week. Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) both allow an unprivileged local user to gain root on affected distributions. Both flaws involve the page cache and belong to the same broad bug class as the 2022 Dirty Pipe vulnerability. Copy Fail is a logic flaw in the algif_aead kernel module introduced by an in-place optimization in 2017. An unprivileged process can splice data into an AF_ALG socket and complete a small write into the page cache of a file it does not own, potentially impacting files belonging to setuid binaries because the page cache is shared across the host. A small Python proof-of-concept roots multiple mainstream distributions without modification.
Read at InfoQ