Dirty Frag: The Linux Kernel Vulnerability Every Admin Needs to Know About

We just started applying mitigations for Copy Fail, and another vulnerability from the same family is already out. Since we primarily manage Linux servers, this demands immediate attention.

A new privilege escalation vulnerability has been disclosed under the name Dirty Frag. This flaw extends the bug class previously seen in the “Dirty Pipe” and “Copy Fail” vulnerabilities.

 

How It Works

Dirty Frag chains together two specific kernel module bugs: the xfrm-ESP and RxRPC Page-Cache Write vulnerabilities.

Crucially, this is a deterministic logic bug. In practical terms, this means the exploit does not rely on a narrow timing window (known as a race condition) to be successful. If an unauthorized user runs the exploit, it will reliably grant them root access without causing a system crash (a kernel panic), making it a highly effective attack vector.

 

Affected Systems

This vulnerability has an extensive scope and affects multiple major Linux distributions. The underlying flaws have existed within the kernel code for approximately nine years.

It impacts modern operating systems utilized in enterprise environments, including:

  • Ubuntu
  • RHEL (Red Hat Enterprise Linux)
  • CentOS Stream
  • Fedora
  • openSUSE

 

Mitigation

Since this is very recent (8th May 2026), there is currently no official patch or CVE assigned to this vulnerability.

Until distribution maintainers release kernel patches, the current mitigation strategy is to completely disable the vulnerable kernel modules. System administrators must configure the system to disable and block the following modules:

  • esp4
  • esp6
  • rxrpc
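
One way to block these three modules and confirm the block took effect, as an added example that is not from the original disclosure or any distribution's advisory. The file name `dirtyfrag-block.conf` and all function names are assumptions; the optional directory and file arguments exist so the audit can be run against copies.

```shell
#!/bin/sh
# Added example: block and audit the three modules listed above.
MODULES="esp4 esp6 rxrpc"

# "blacklist" only stops alias-based autoloading; the "install" override
# makes explicit and dependency-driven modprobe requests fail as well.
render_block_rules() {
    for m in $MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# is_blocked MODULE CONF_DIR: true if an install override to false/true exists.
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/(usr/)?bin/(false|true)([[:space:]]|\$)" "$2"/*.conf
}

# is_loaded MODULE PROC_MODULES: true if the module is currently loaded.
is_loaded() {
    grep -qs "^$1 " "$2"
}

# audit_modules [CONF_DIR] [PROC_MODULES]: one status line per module;
# the return code is the number of modules still loaded or not blocked.
audit_modules() {
    conf_dir=${1:-/etc/modprobe.d}; proc=${2:-/proc/modules}; bad=0
    for m in $MODULES; do
        blocked=no; loaded=no
        is_blocked "$m" "$conf_dir" && blocked=yes
        is_loaded "$m" "$proc" && loaded=yes
        if [ "$blocked" != yes ] || [ "$loaded" = yes ]; then bad=$((bad + 1)); fi
        printf '%s blocked=%s loaded=%s\n' "$m" "$blocked" "$loaded"
    done
    return "$bad"
}

# apply_block [CONF_FILE]: run as root. The default file name is an assumption.
# Unloading fails if a module is in use (esp4/esp6 carry IPsec ESP traffic,
# rxrpc backs AFS clients), so check for those dependencies first.
apply_block() {
    conf=${1:-/etc/modprobe.d/dirtyfrag-block.conf}
    render_block_rules > "$conf" || return 1
    for m in $MODULES; do
        is_loaded "$m" /proc/modules && modprobe -r "$m"
    done
    return 0
}
```

Run `apply_block` as root, then `audit_modules`; a non-zero return code means at least one module is still loaded or lacks an `install` override, which is what a `blacklist`-only configuration would show.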

Once an official, stable patch is released, systems should be updated immediately. In the era of AI, the speed at which these vulnerabilities are discovered and exploited will only increase. It is more important than ever to maintain proactive monitoring and keep our defenses strong to stay ahead of automated threats.