Critical Linux Kernel Vulnerabilities: Local Privilege Escalation Without Available Patches

Bottom line: Two new Linux kernel vulnerabilities (Dirty Frag, Copy Fail 2) enable local root escalation. Public exploits are available; patches are still pending. Affected systems: Ubuntu 24.04, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE and others. Countermeasures deployed against the earlier Copy Fail vulnerability are ineffective.

On May 7, 2026, two critical vulnerabilities in the Linux kernel were publicly disclosed that allow local users to escalate privileges to root level. Exploits are already fully functional and affect most common Linux distributions.

The two vulnerabilities “Dirty Frag” (CVE-2026-43284) and “Copy Fail 2: Electric Boogaloo” enable unprivileged users to overwrite arbitrary kernel memory contents and thereby obtain root privileges. They exist in the in-place decryption paths of the kernel modules esp4 and esp6 (IPsec/ESP) and rxrpc, and abuse page cache write primitives via system calls such as splice(2) and sendfile(2).

These are deterministic logic errors with no race condition component. Success probability is rated as high, and a failed attack does not result in a kernel panic. Functional proof-of-concept exploits are publicly available and enable root escalation in a single invocation.

Particularly concerning is the fact that existing countermeasures against the earlier “Copy Fail” vulnerability (CVE-2026-31431) – such as blocking the algif_aead module – provide no protection against these new variants. The underlying code flaws have existed in part since 2017 (xfrm-ESP) or 2023 (RxRPC).

Affected systems include Ubuntu 24.04, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, Fedora, openSUSE Tumbleweed, CloudLinux and other distributions. The xfrm-ESP path requires the ability to create user namespaces, while the RxRPC path works independently of that requirement, but only if the rxrpc module is loaded. By combining both attack vectors, escalation is possible on most standard distributions.
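
The two preconditions named above (user namespaces for the xfrm-ESP path, a loaded rxrpc module for the RxRPC path) can be checked per host with a short script. This is an added example, not taken from cert.at or from the kernel project. Judging user-namespace availability from the sysctls `user.max_user_namespaces` and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` is an assumption, and the script reports the current state only.

```shell
#!/bin/sh
# Added example: report whether the preconditions the advisory names for each
# path are currently met on this host. Function names are illustrative.

# module_loaded NAME [MODULES_FILE]
# Exit 0 if NAME appears as a module name in a file in /proc/modules format.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# userns_available [SYSCTL_ROOT]
# Exit 0 if user namespaces appear to be creatable by unprivileged users.
# Assumption: decided from user.max_user_namespaces and, where the file
# exists (Debian/Ubuntu kernels), kernel.unprivileged_userns_clone.
userns_available() {
    root="${1:-/proc/sys}"
    max=$(cat "$root/user/max_user_namespaces" 2>/dev/null || echo 0)
    [ "$max" -gt 0 ] || return 1
    if [ -r "$root/kernel/unprivileged_userns_clone" ]; then
        [ "$(cat "$root/kernel/unprivileged_userns_clone")" = "1" ] || return 1
    fi
    return 0
}

# exposure_report [MODULES_FILE] [SYSCTL_ROOT]
# Print one line per path with the state of its precondition.
exposure_report() {
    mods="${1:-/proc/modules}"
    root="${2:-/proc/sys}"
    esp=no
    for m in esp4 esp6; do
        if module_loaded "$m" "$mods"; then esp=yes; fi
    done
    if userns_available "$root"; then userns=yes; else userns=no; fi
    if module_loaded rxrpc "$mods"; then rx=yes; else rx=no; fi
    echo "xfrm-esp: userns=$userns esp_loaded=$esp"
    echo "rxrpc: loaded=$rx"
}

# With no arguments this inspects the live system.
exposure_report "$@"
```

A "no" here means only that the module is not loaded or the sysctl is restrictive at the moment of the check; it does not show that the kernel is patched.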


Source: www.cert.at
