Exploit on vmlinuz

Dirty Frag: A Fourth Way to Root via Page Cache (CVE-2026-43284, CVE-2026-43500)

Sun, 31 May 2026 10:00:00 +0100

A week after CopyFail, Hyunwoo Kim disclosed another local privilege escalation built on the same primitive: a write into the page cache of a read-only file. This time not through crypto, but through fragment handling in two network protocols. The name: Dirty Frag.

It is not a single bug but a chain of two CVEs:

CVE-2026-43284 in the ESP modules (Encapsulating Security Payload, i.e. IPsec): esp4, esp6. CVSS 8.8 per kernel.org, 7.8 per CISA. Vulnerable code since roughly 2017 (4.x kernels).
CVE-2026-43500 in RxRPC (the AFS protocol): the rxrpc module. CVSS 7.8. Vulnerable since roughly 2023 (6.2+ kernels).

Why it is the same family

Dirty COW, Dirty Pipe and CopyFail shared one denominator: an unauthorized write into page cache grants instant escalation, because you can overwrite the contents of a file the system treats as trusted (e.g. /usr/bin/su). Dirty Frag does exactly the same, except the entry point is faulty fragment handling in ESP and RxRPC. Hence the “Frag” in the name.

Kernel Security Checker: Check If Your Kernel Version Has Known Exploits

Thu, 28 May 2026 10:00:00 +0100

Until now, Kernel Security Checker answered a single question: how well hardened is my kernel? It analyzed the configuration (kconfig, sysctl, cmdline) and showed which options are worth enabling.

But that doesn’t tell the whole story. A well-configured kernel on an old version can still have holes with a long-public exploit floating around. So there’s now a second section: Vulnerabilities.

What the new CVE tab does

You enter your kernel version (what uname -r returns) and the tool lists known public exploits matched to that version. For each hit you get:

Dirty COW, Dirty Pipe, CopyFail: Three Ways to Root via Page Cache

Wed, 27 May 2026 10:00:00 +0100

Three vulnerabilities, three different kernel subsystems, same result: an unprivileged user writes data to the page cache of a read-only file and becomes root. Dirty COW needed a race condition. Dirty Pipe was deterministic. CopyFail does the same in 732 bytes of Python.

Dirty COW (CVE-2016-5195)

When: in the kernel since 2007, discovered in 2016. Sat there for 9 years.

Where: mm/gup.c, copy-on-write handling in get_user_pages().

How it works:

When writing to a private file mapping (MAP_PRIVATE), the kernel should first create a COW copy, then write. The problem: these two operations were not atomic.

CopyFail (CVE-2026-31431) — 9 Years of Hidden Privilege Escalation in the Kernel

Wed, 29 Apr 2026 14:00:00 +0100

On April 29th, CVE-2026-31431, dubbed “CopyFail”, was publicly disclosed. The vulnerability had been sitting in the kernel for 9 years — since 2017. It allows any local user to gain root. No race conditions, no offset guessing, 100% reliability. The entire exploit fits in a 732-byte Python script.

What’s Affected

The algif_aead module in the kernel’s crypto subsystem (AF_ALG). Affects virtually every distribution with a kernel built since 2017:

Ubuntu 20.04 – 24.04
RHEL 10.1
Amazon Linux 2023
SUSE 16
Debian, Fedora, Arch, Rocky Linux, AlmaLinux

CVSS: 7.8 (HIGH) — local access, low privileges, no user interaction required.