Patches landed for Copy Fail, the CVE-2026-31431 Linux kernel LPE. Federal deadline May 15 — six days out. Here's what an attacker still sees. A kernel patch is a userspace artifact until the kernel reboots. apt and yum finish in seconds; the running kernel doesn't change until the node cycles. Most fleets stagger reboots over weeks. Live-patching tools like kpatch, kgraft, and Ksplice cover some primitives. Page-cache corruption with arbitrary write isn't reliably one of them. The CMDB shows "remediated." The federal deadline gets met on paper. AF_ALG is still reachable on every node that hasn't swapped its running kernel. Microsoft framed Copy Fail as "highly impactful when chained with an initial access vector such as SSH access, malicious CI job execution, or container footholds." None of that resets when the patch lands. A container foothold persists. The chain runs against the kernel on the node, not the kernel in the advisory. The CISO read isn't "did we apply the patch." It's "is the chain still completing today." Maestro replays the chain on the live cluster post-patch. Where it ends — at root, at container escape, or at a closed door — is the only honest patch-effectiveness signal. Proof, not probability. groovysec.com/maestro #PenetrationTesting #LinuxSecurity #PatchValidation
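The post above turns on one distinction: the kernel the package manager installed versus the kernel the node is actually running. The following is an added example, not the author's tooling or Maestro, that makes that check concrete. It compares `uname -r` with the kernel images present in /boot (the vmlinuz-<release> naming is an assumption that holds for the Debian/Ubuntu and RHEL/SUSE families) and with the release your advisory names as fixed; FIXED_RELEASE is a placeholder, not the real Copy Fail fix version. It also lists loaded live patches from /sys/kernel/livepatch, because a live-patched node keeps its old uname and would otherwise be misread as unpatched; whether a given live patch covers this CVE still has to be confirmed with the vendor.

```python
"""Is the *running* kernel the one the package manager installed?

Added example; FIXED_RELEASE and the vmlinuz-<release> naming are assumptions.
"""
import glob
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

FIXED_RELEASE = "6.8.0-60-generic"   # ASSUMPTION: placeholder; use the release string from your vendor advisory

_NUMERIC_PREFIX = re.compile(r"^(\d+(?:[.-]\d+)*)")


def release_key(release: str) -> tuple:
    """'5.14.0-503.14.1.el9_5.x86_64' -> (5, 14, 0, 503, 14, 1): numeric fields only, suffix ignored."""
    m = _NUMERIC_PREFIX.match(release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(n) for n in re.split(r"[.-]", m.group(1)))


def installed_releases(boot_dir: str = "/boot") -> List[str]:
    """Kernel releases present on disk, taken from vmlinuz-<release> file names."""
    return [os.path.basename(p)[len("vmlinuz-"):] for p in glob.glob(os.path.join(boot_dir, "vmlinuz-*"))]


def live_patches(sysfs_dir: str = "/sys/kernel/livepatch") -> List[str]:
    """Names of kpatch/livepatch modules currently loaded (empty when the feature is unused)."""
    if not os.path.isdir(sysfs_dir):
        return []
    return sorted(d for d in os.listdir(sysfs_dir) if os.path.isdir(os.path.join(sysfs_dir, d)))


@dataclass
class KernelStatus:
    running: str
    newest_installed: Optional[str]
    reboot_pending: bool       # a newer kernel is installed but not yet booted
    running_is_fixed: bool     # the running release is at or past the fixed one
    live_patches: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.running_is_fixed:
            return "patched"
        if self.live_patches:
            return "vulnerable-unless-livepatch-covers-it"
        if self.reboot_pending:
            return "vulnerable-reboot-pending"   # the CMDB says remediated; the attacker sees the old kernel
        return "vulnerable-patch-missing"


def assess(running: str, installed: List[str], fixed: str = FIXED_RELEASE, patches=()) -> KernelStatus:
    newest = max(installed, key=release_key, default=None)
    reboot_pending = newest is not None and release_key(newest) > release_key(running)
    running_is_fixed = release_key(running) >= release_key(fixed)
    return KernelStatus(running, newest, reboot_pending, running_is_fixed, list(patches))


def assess_this_host(fixed: str = FIXED_RELEASE) -> KernelStatus:
    """Live check for the host this runs on; read-only, no root needed."""
    return assess(os.uname().release, installed_releases(), fixed, live_patches())


if __name__ == "__main__":
    s = assess_this_host()
    print(f"running={s.running} newest_installed={s.newest_installed} "
          f"livepatches={s.live_patches} -> {s.verdict()}")
```

Only compare releases of the same flavour from the same vendor: enterprise distributions backport fixes without bumping the upstream version, so the value to put in FIXED_RELEASE is the vendor's package release string, not the mainline version number from the advisory.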
The patch that fixed Dirty Frag last week is what made Fragnesia exploitable this week. That is not dramatic framing. Hyunwoo Kim, the researcher who reported the original Dirty Frag bugs, has publicly acknowledged that Fragnesia emerged as an unintended side effect of the commit closing CVE-2026-43284. The follow-up patch series for Fragnesia explicitly cites the Dirty Frag fix as one of the commits it now has to repair. Fragnesia (CVE-2026-46300) is the third Linux kernel local root flaw in three weeks. Copy Fail dropped April 29. Dirty Frag dropped May 7. Fragnesia dropped May 13. All three live in the same XFRM ESP code area. All three turn an unprivileged shell into root in one command. All three have public PoCs. AlmaLinux pushed patched kernels to production yesterday because Red Hat had not shipped yet. The story most posts will tell tomorrow is patch this CVE. That is the wrong story. Two of these three bugs were found by AI-assisted code scanners reviewing kernel code that human maintainers had recently audited. The fix for one is generating the next. The Fixes tag on the upstream patch points at a 2013 commit. There are more bugs in this class waiting. I recommend treating local code execution as a path to root, not a precondition for it. A monthly patch ring cannot keep up with this cadence. Three emergency reboots in three weeks is the new normal for Kubernetes nodes, CI runners, shared build farms, and any multi-tenant Linux host.

This week:
- Patch to a fixed kernel or apply the esp4/esp6/rxrpc module blacklist
- Enable AppArmor unprivileged user namespace restriction on Ubuntu hosts
- Audit which workloads actually need IPsec ESP; many do not
- Inventory every host where untrusted users or untrusted code can run

Who in your environment can hand a shell to someone you do not trust, and when did you last verify that shell cannot become root? #LinuxSecurity #VulnerabilityManagement #CloudSecurity #InfoSec
🚨 CRITICAL ALERT: "Dirty Frag" (CVE-2026-43284) Local Privilege Escalation in Linux Kernel

A major Local Privilege Escalation (LPE) vulnerability has just been disclosed, impacting the Linux ecosystem with significant confirmation for SUSE Linux Enterprise Server (SLES) and openSUSE environments. Originally reported by researcher Hyunwoo Kim on April 30, 2026, shortly after the "Copy Fail" disclosure, the embargo was recently bypassed, making this a high-priority threat for immediate mitigation. The vulnerability, dubbed "Dirty Frag," is the technical successor to Dirty Pipe. Unlike many LPEs that rely on unstable race conditions, Dirty Frag provides deterministic and immediate ROOT access for unprivileged local users. 😱

🔍 What is Dirty Frag?
The flaw (CVE-2026-43284) exists within the kernel's fast decryption path. Attackers leverage the xfrm (IPsec ESP) or RxRPC subsystems to inject malicious data directly into the Page Cache of sensitive files (such as /etc/passwd or system binaries) while they reside in RAM. The system then executes the tampered code, treating it as legitimate.

🛡️ Scope of Impact (SUSE Ecosystem):
- SLES 15 (SP4 through SP7): Vulnerable (the affected code is present in modern SLE kernels).
- openSUSE Tumbleweed: Vulnerable due to the use of cutting-edge kernels (6.x/7.x series).

🛠️ Immediate Mitigation (Workaround):
While official patches are being rolled out via zypper (SUSE QA pipeline), you should immediately disable the attack vectors if they are not mission-critical:
1️⃣ Check if modules are loaded:
lsmod | grep -E "esp4|esp6|rxrpc"
2️⃣ Apply Persistent Blacklist:
echo -e "blacklist esp4\nblacklist esp6\nblacklist rxrpc" | sudo tee /etc/modprobe.d/dirtyfrag-mitigation.conf
3️⃣ Clear Memory Cache (CRITICAL STEP):
sudo sync && echo 3 | sudo tee /proc/sys/vm/drop_caches

🕵️♂️ Indicators of Compromise (IoC) Check
Don't just mitigate — audit. Since the exploit manipulates the cache and may persist to disk, run these checks:
RPM Integrity Check: Compare installed binaries against original SUSE hashes. Any changes to /usr/bin/sudo or /etc/passwd are a major red flag:
sudo rpm -Va | grep -E '^..5.* /usr/bin|/etc/passwd'
Account Audit: Scan for unauthorized users with UID 0:
grep 'x:0:' /etc/passwd
Kernel Logs: Monitor for crashes or anomalies in affected modules that may indicate exploit attempts:
sudo journalctl -k | grep -iE "xfrm|esp4|esp6|rxrpc"

🔗 Official Documentation & Tracking:
SUSE Security Advisories: suse.com/support/security
Linux Kernel Archive: git.kernel.org
NVD Detail: https://lnkd.in/ggpA3Xdv
#Linux #CyberSecurity #SUSE #SLES #Infosec #SysAdmin #DirtyFrag #CVE202643284 #KernelSecurity #CloudSecurity #TechAlert
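Both Dirty Frag posts above give the same workaround: keep esp4, esp6 and rxrpc out of the kernel until a fixed kernel is booted. The following is an added example that covers that procedure for both posts; it is not SUSE's code or either author's. It parses `lsmod`, checks /lib/modules/<release>/modules.builtin (a module compiled into the kernel cannot be blacklisted; only a fixed kernel removes it), and generates a modprobe.d drop-in at the same path the post uses. The drop-in pairs `blacklist` (which only stops alias-based autoload, for example when the xfrm layer requests an ESP type) with `install <mod> /bin/false` (which makes an explicit `modprobe esp4` fail as well). The lsmod and modules.builtin samples in the block are constructed.

```python
"""Find and block the ESP/RxRPC modules named in the Dirty Frag posts.

Added example; CONF_PATH follows the post, the sample inputs are constructed.
"""
import os
import subprocess
from typing import Dict, List, Set

TARGET_MODULES = ("esp4", "esp6", "rxrpc")
CONF_PATH = "/etc/modprobe.d/dirtyfrag-mitigation.conf"   # same drop-in path the post uses


def parse_lsmod(text: str) -> Dict[str, dict]:
    """Module name -> {'refcount': N, 'holders': [modules that depend on it]}."""
    mods: Dict[str, dict] = {}
    for line in text.splitlines()[1:]:               # first line is the column header
        parts = line.split()
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        holders = parts[3].split(",") if len(parts) > 3 else []
        mods[parts[0]] = {"refcount": int(parts[2]), "holders": [h for h in holders if h]}
    return mods


def loaded_targets(lsmod_text: str) -> Dict[str, dict]:
    mods = parse_lsmod(lsmod_text)
    return {m: mods[m] for m in TARGET_MODULES if m in mods}


def builtin_targets(modules_builtin_text: str) -> Set[str]:
    """Targets compiled into the kernel, per /lib/modules/<release>/modules.builtin (one .ko path per line)."""
    names = {os.path.basename(l.strip())[:-3] for l in modules_builtin_text.splitlines() if l.strip().endswith(".ko")}
    return {m for m in TARGET_MODULES if m in names}


def blacklist_conf(modules=TARGET_MODULES) -> str:
    lines = ["# Dirty Frag mitigation: keep ESP/RxRPC out of the kernel until a fixed kernel is running"]
    for m in modules:
        lines.append(f"blacklist {m}")            # ignore the module's aliases during autoload
        lines.append(f"install {m} /bin/false")   # and make an explicit 'modprobe <m>' fail too
    return "\n".join(lines) + "\n"


def assess(lsmod_text: str, modules_builtin_text: str = "") -> dict:
    """Pure assessment on captured text, so it can run against fleet-collected output offline."""
    loaded = loaded_targets(lsmod_text)
    builtin = builtin_targets(modules_builtin_text)
    return {
        "loaded": sorted(loaded),
        "in_use": sorted(m for m, info in loaded.items() if info["refcount"] > 0),   # rmmod will refuse these
        "builtin": sorted(builtin),
        "blacklist_sufficient": not builtin,    # a built-in module needs a fixed kernel, not modprobe.d
    }


def apply(dry_run: bool = True) -> dict:
    """Assess this host; with dry_run=False also write the drop-in and unload loaded targets (root)."""
    lsmod_text = subprocess.run(["lsmod"], capture_output=True, text=True, check=True).stdout
    builtin_path = f"/lib/modules/{os.uname().release}/modules.builtin"
    builtin_text = open(builtin_path).read() if os.path.exists(builtin_path) else ""
    report = assess(lsmod_text, builtin_text)
    report["unload_failed"] = []
    if not dry_run:
        with open(CONF_PATH, "w") as f:
            f.write(blacklist_conf())
        for m in report["loaded"]:
            # modprobe -r refuses while the module is in use (e.g. live IPsec SAs): record it, never force
            if subprocess.run(["modprobe", "-r", m], capture_output=True).returncode != 0:
                report["unload_failed"].append(m)
    return report


# Constructed sample output, not captured from a real host.
SAMPLE_LSMOD = """Module                  Size  Used by
esp4                   24576  2 esp4_offload
esp4_offload           16384  0
rxrpc                 737280  0
xfrm_user              49152  1
nf_tables             286720  0
"""
SAMPLE_BUILTIN = """kernel/net/ipv6/esp6.ko
kernel/fs/ext4/ext4.ko
"""

if __name__ == "__main__":
    import json
    print(json.dumps(apply(dry_run=True), indent=2))
```

A module that `in_use` reports cannot be unloaded until whatever holds it (an active SA, a dependent module) is torn down, and a module in `builtin` is untouched by modprobe.d entirely; in both cases the drop-in only stops a future load, and the honest status for that host stays "vulnerable until rebooted into a fixed kernel".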
If you're investigating Linux compromise and not reviewing auditd logs, you're missing the most authoritative source of system activity. The Linux Audit daemon (auditd) operates at the kernel level, capturing system calls, file access, process execution, and network connections that user-space logging can miss or that attackers can evade. This makes it critical for detecting privilege escalation, lateral movement, and command execution techniques (MITRE ATT&CK T1059).

Key details for DFIR practitioners:
• Default location: /var/log/audit/audit.log
• EXECVE records capture full command lines with arguments — the exact commands attackers executed
• Rules are defined in /etc/audit/audit.rules — always check for coverage gaps during IR
• Native tools: ausearch (targeted queries), aureport (summary reports)
• Third-party parsers: Laurel (converts to JSON), Plaso (timeline analysis)

In incident response, I correlate auditd EXECVE records with /var/log/auth.log to map malicious commands back to specific user sessions. This reveals not just what was run, but who ran it, when, and from where. One caution: auditd only logs what you configure it to monitor. During triage, review the active ruleset. Are sensitive files being watched? Is sudo usage logged? Are network-related syscalls captured? Gaps in coverage mean gaps in visibility. For responders working large-scale Linux compromises, auditd logs are non-negotiable. Treat them as your kernel-level flight recorder. #DFIR #DigitalForensics #IncidentResponse #ForensicArtifact #InfoSec
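The correlation the post above describes, as an added example that is not the author's tooling: pull EXECVE command lines out of audit.log and tie each one to the SSH login that ran it. Records of one audit event share the id in msg=audit(<epoch>:<id>); the SYSCALL record carries auid/ses/exe, the EXECVE record carries argc and a0..aN, and an argument containing a space or non-printable byte is hex-encoded without quotes, so the decoder handles both forms. The login is recovered from auth.log by matching the audit auid (the login uid, which survives sudo) to the uid in the pam_unix "session opened for user NAME(uid=N)" line, joined to the sshd "Accepted ..." line with the same sshd pid for the source address; that pam line format is an assumption about the host's PAM build. All sample lines are constructed.

```python
"""Tie auditd EXECVE records back to the SSH login that ran them (added example)."""
import re
from datetime import datetime

AUDIT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUTH_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPT_RE = re.compile(AUTH_PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
SESSION_RE = re.compile(AUTH_PREFIX + r"pam_unix\(sshd:session\): session opened for user (?P<user>[^(\s]+)\(uid=(?P<uid>\d+)\)")


def decode_arg(raw: str) -> str:
    """EXECVE aN values: a quoted plain string, or bare uppercase hex for strings auditd deems unsafe."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit(text: str) -> list:
    """Group records by event id; return the EXECVE events with a reassembled command line, oldest first."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["id"], {"when": datetime.fromtimestamp(float(m["ts"])), "args": {}})
        fields = dict(KV_RE.findall(m["body"]))
        if m["type"] == "SYSCALL":
            for k in ("auid", "uid", "ses", "pid", "ppid", "exe", "key"):
                ev[k] = fields.get(k, "").strip('"')
        elif m["type"] == "EXECVE":
            ev["args"].update({k: decode_arg(v) for k, v in fields.items() if re.fullmatch(r"a\d+", k)})
        elif m["type"] == "CWD":
            ev["cwd"] = fields.get("cwd", "").strip('"')
    out = []
    for ev in events.values():
        if ev["args"]:
            ev["cmdline"] = " ".join(ev["args"][k] for k in sorted(ev["args"], key=lambda a: int(a[1:])))
            out.append(ev)
    return sorted(out, key=lambda e: e["when"])


def parse_logins(text: str, year: int) -> list:
    """sshd logins from auth.log (syslog timestamps carry no year, so the caller supplies it)."""
    accepted, logins = {}, []
    for line in text.splitlines():
        if (m := ACCEPT_RE.match(line)):
            accepted[m["pid"]] = m["src"]
        elif (m := SESSION_RE.match(line)):
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append({"when": when, "user": m["user"], "uid": m["uid"], "src": accepted.get(m["pid"])})
    return logins


def correlate(events: list, logins: list) -> list:
    """For each command, the latest login of the same uid (audit auid) that precedes it."""
    rows = []
    for ev in events:
        cands = [l for l in logins if l["uid"] == ev.get("auid") and l["when"] <= ev["when"]]
        login = max(cands, key=lambda l: l["when"]) if cands else None
        rows.append({"when": ev["when"], "cmdline": ev["cmdline"], "auid": ev.get("auid"),
                     "ses": ev.get("ses"), "exe": ev.get("exe"),
                     "user": login["user"] if login else None, "src": login["src"] if login else None})
    return rows


# Constructed sample data. The command runs as uid=0 (after sudo) but auid=1000 still names the login.
_T = datetime(2026, 5, 12, 22, 5, 0).timestamp()   # five minutes after alice's login below
SAMPLE_AUDIT = f"""type=SYSCALL msg=audit({_T:.3f}:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit({_T:.3f}:4567): argc=3 a0="bash" a1="-c" a2=636174202F6574632F736861646F77
type=CWD msg=audit({_T:.3f}:4567): cwd="/root"
"""
SAMPLE_AUTH = """May 12 21:30:00 host sshd[1100]: Accepted password for bob from 198.51.100.7 port 40000 ssh2
May 12 21:30:00 host sshd[1100]: pam_unix(sshd:session): session opened for user bob(uid=1001) by (uid=0)
May 12 22:00:00 host sshd[1200]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
May 12 22:00:00 host sshd[1200]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
"""


def sample_rows() -> list:
    return correlate(parse_audit(SAMPLE_AUDIT), parse_logins(SAMPLE_AUTH, year=2026))


if __name__ == "__main__":
    for r in sample_rows():
        print(f"{r['when']:%Y-%m-%d %H:%M:%S} auid={r['auid']} ses={r['ses']} "
              f"user={r['user']} src={r['src']} :: {r['cmdline']}")
```

The coverage caveat in the post applies directly: this only produces rows for execve calls that an audit rule actually captured (a `-a always,exit -F arch=b64 -S execve` rule or equivalent), so an empty result on a host you know was used is a ruleset gap, not evidence of nothing having run.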
CVE-2026-42945 lives in ngx_http_rewrite_module, the component handling URL rewrites in virtually every standard NGINX build. The root cause is a two-pass size mismatch: NGINX calculates the required buffer size in one pass, then copies data in a second pass. Under specific PCRE capture patterns with a ? in the replacement string, those two passes disagree, and the write goes out of bounds. No authentication required. A crafted HTTP request to any exposed endpoint is enough. If your system runs ASLR (most modern Linux deployments do), the realistic outcome is a worker crash and restart: disruptive, not catastrophic. RCE is possible but requires ASLR to be disabled or bypassed, which raises the bar meaningfully. Who's affected: anyone running NGINX Open Source below 1.30.1 / 1.31.0, or NGINX Plus below R33 P2. Given NGINX's market share, that's a wide surface. What to do: Patch to 1.30.1 or 1.31.0 now. A public PoC has been live since May 13 and scanners are already picking up vulnerable instances. If you can't patch immediately, switch unnamed PCRE captures to named captures in your rewrite rules as a temporary mitigation. #nginx #AppSec #DeXpose
The gate was never breached. It was walked around. Linux Integrity Drift (LID): Bypassing AppArmor via eBPF pathname rewriting. Pre-LSM syscall argument manipulation with zero audit footprint https://lnkd.in/eTP_PmhT // LID finds kernel code paths that bypass LSM hooks entirely - subsystems that perform security-sensitive operations without consulting the LSM framework. The security check is correct. The problem is that the kernel never asks. Disclaimer: 1⃣ All information and software available on my page is for educational purposes only. Use these at your own discretion. 2⃣ Usage of any tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 3⃣ I assume no liability and am not responsible for any misuse or damage caused by this information. #tools #exploit #Kernel_Security
A new Linux kernel privilege escalation dropped this week. Dirty Frag chains two CVEs — CVE-2026-43284 and CVE-2026-43500 — to write attacker-controlled bytes into the page cache of suid binaries and /etc/passwd via splice(). Nine years of kernel releases affected across every major distro. One variant is patched upstream. The other isn't yet. We had a swamp extension for it two hours later. Fleet scanning in parallel, detection of both variants, patch status checks, IOC detection for page cache corruption and XFRM SA patterns, automated mitigation that unloads and blocklists the vulnerable modules, persistent scan history. Zero deps on the target hosts — just POSIX tooling and procfs/sysfs. Look, anyone can write a bash script that checks one host. That's not the problem. The problem is what happens when you need to check a thousand hosts at 2am and your team needs to know which ones are actually exploitable, which ones are patched, and which ones show signs of compromise. You need structured results, not terminal output someone has to squint at. You need remediation that's idempotent so you can run it twice without breaking things. You need to be able to answer "which hosts were still vulnerable last Tuesday" without digging through logs. That's the operational workflow swamp gives you. Scan, assess, triage, mitigate, verify. Claude Code helped us build it fast. Swamp made sure it actually works at scale. swamp extension pull @swamp/cve/dirtyfrag Details and detection methodology: https://lnkd.in/eDksKewY
Upgrade to nginx 1.31 (released May 13) asap: lots of exploit fixes; link below is to the most critical RCE (remote code execution) to drive the point across. I hate to repost hype, but this one is so impactful considering how many Linux LPEs (local privilege escalations) out there; even FreeBSD has a recent LPE. https://lnkd.in/eJ4xqccX
The Linux kernel just got a new root exploit and the most uncomfortable part is how unsurprising it is. It's called Dirty Frag. Disclosed by researcher Hyunwoo Kim, it chains two page-cache write bugs in xfrm-ESP and RxRPC into a clean local privilege escalation. No race condition, no timing window. The kernel doesn't panic when the exploit fails. The success rate is, in the researcher's own words, very high. If that template sounds familiar, it should: Dirty Pipe in 2022, Copy Fail last week, and now Dirty Frag. Same family, same shape. A logic mistake that lets user-controlled data slip into a place the kernel assumed was its own. What's interesting here is what these three bugs have in common beyond technique. They all sat in mainline for years. They were all found, eventually, by humans or AI staring hard at code that everyone else had stopped reading. Each disclosure makes the next one easier, because the pattern is now a hunting template. The lesson isn't that Linux is uniquely fragile; it's that "deterministic logic bug in a privileged subsystem" has become a productive class of exploit, not a freak event. If you run multi-tenant Linux, containers, or anything that lets users execute code, your threat model needs a permanent slot for "unknown root LPE in an unpatched kernel." There is no patch yet. Watch this one closely. References: - https://lnkd.in/g5HuSpAK
New CVE in Betrusted! Davide Ornaghi and I discovered a logic flaw in Linux Kernel, assigned as CVE-2026-31717. More info below, and full write-up soon.
We found a logic bug in the Linux kernel that lets any logged-in user on a file server silently become another user, reading and overwriting their files with no trace in permissions, ownership, or audit logs. CVE-2026-31717 - CVSS 8.8 - Patched in mainline The flaw is in ksmbd's durable-handle reconnect path: the feature that lets clients resume open files after a WiFi drop. The server never verifies who reconnects. Defenders: patch to the latest kernel, or set durable handles = no in ksmbd.conf until you do. Affects OpenWrt, TrueNAS Scale, and most ksmbd-based NAS. Writeup + PoC: https://lnkd.in/gk6fbdaY With Giuseppe Caruso, at Betrusted. #CVE #LinuxSecurity #InfoSec