New High-Severity Linux Flaws: Copy Fail, Copy Fail 2, and Dirty Frag Offer Local Privilege Escalation to Root

Three new high-severity local privilege escalation (LPE) vulnerabilities affecting Linux were recently disclosed, creating significant global risk. Although user-level access is a prerequisite for their exploitation, the new CVEs allow command execution as the root user and full system takeover. The CVEs are considered reliably exploitable on all major Linux distributions.

The name “Copy Fail” was given to CVE-2026-31431 (CVSS 7.8) at disclosure time, and subsequent investigations led to the discovery of CVE-2026-43284 (CVSS 8.8), dubbed “Copy Fail 2”, and CVE-2026-43500 (CVSS 7.8). The attack chain involving CVE-2026-43284 and CVE-2026-43500 was dubbed “Dirty Frag”. CVE-2026-31431 has been added to CISA’s KEV list, after active exploitation was reported by Microsoft. Microsoft also considers Dirty Frag high-risk for post-exploitation activity. Numerous national CERT alerts have been issued globally for the CVEs [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22].

Greenbone provides Linux package-level detection for all three emergency CVEs mentioned above across a wide spectrum of Linux distributions [1][2][3]. Greenbone’s coverage also extends to security updates for a wide array of software and hardware products. As a result, OPENVAS SCAN can also help identify the impact of Copy Fail, Copy Fail 2, and Dirty Frag in third-party Linux-based products.

Greenbone’s OPENVAS SCAN has industry-leading detection for many Linux distributions with authenticated Local Security Checks (LSC). Authenticated LSCs provide reliable detection because they analyze endpoint systems from within, build asset inventories, uncover package-level software vulnerabilities, and identify other security misconfigurations.

Start Your Free Trial

With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.

What Are Copy Fail, Copy Fail 2, and Dirty Frag?

The disclosure timeline for Copy Fail, Copy Fail 2, and Dirty Frag moved quickly, overlapping with mainline Linux kernel patching and downstream Linux distribution updates. Because several related events occurred within a short period, it is useful to first clarify the terminology and timeline of events:

  • Copy Fail: Refers to CVE-2026-31431 (CVSS 7.8), an LPE flaw in the Linux kernel. Copy Fail was privately reported on March 23rd, 2026, and patched in the mainline Linux kernel on April 1st. On April 22nd, the flaw was published as CVE-2026-31431, and a full technical write-up [1] and proof-of-concept (PoC) exploit [2] followed days later. Microsoft reported active exploitation on May 1st, 2026 and CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities (KEV) catalog the same day. Since then, additional technical write-ups [3][4][5], PoC exploits [5][6], and a commercial penetration testing exploit [7] have become available.
  • Copy Fail 2: Refers to CVE-2026-43284 (CVSS 8.8), published on May 8th, 2026. The flaw was discovered during follow-on research into the root cause of Copy Fail. Copy Fail 2 was privately reported on April 30th, 2026, and the fix was merged into the mainline Linux kernel on May 8th. A technical description [8] and PoC exploit [9] were published on May 7th, one day before upstream kernel patches became available to downstream Linux distributions. The original technical write-up indicates that the underlying flaw could be exploited alone for root-level access, without being chained with other software flaws, such as in Dirty Frag described below.
  • Dirty Frag: Refers to the chained exploitation of CVE-2026-43284 (Copy Fail 2) and CVE-2026-43500 (CVSS 7.8). Although CVE-2026-43500 was responsibly disclosed and published on May 11th, 2026, sensitive information became publicly available before a fix was committed to the mainline Linux kernel. This prompted security researcher Hyunwoo Kim (@v4bel) to release technical details [9] and PoC code [10] on May 8th, before the root cause of CVE-2026-43500 was patched in the mainline Linux kernel on May 10th, 2026.

A Global Risk Analysis of Copy Fail, Copy Fail 2, and Dirty Frag

The global cyber security risk posed by Copy Fail, Copy Fail 2, and Dirty Frag is high. Linux is widely used in network and security appliances, workstations, cloud environments, Internet of Things (IoT) devices, embedded systems, industrial environments, and critical infrastructure. All three CVEs are considered reliably exploitable and affect every major Linux distribution, creating broad global exposure. The vulnerabilities have been traced back to three separate upstream Linux kernel commits: the code behind Copy Fail [72548b093ee3] and Copy Fail 2 [cac2661c53f3] was introduced in 2017, while the commit behind CVE-2026-43500 [2dc334f1a63a], the second half of the Dirty Frag chain, dates from 2023 [1][2].

Active exploitation of CVE-2026-31431 (Copy Fail) has been reported by Microsoft, and CISA has added the CVE to its KEV list, although few details about the attacks are available. Microsoft also considers Dirty Frag high risk for post-exploitation activity. The immediate risk is further compounded by the fast-paced nature of events. Sensitive technical information and exploit code for CVE-2026-43284 and CVE-2026-43500 were disclosed before patches reached downstream Linux distributions, widening the window of opportunity for attackers. Although the researchers followed responsible disclosure paths, details of CVE-2026-43284 were released in parallel with the upstream patch commits to the Linux kernel, and for CVE-2026-43500 the early public exposure came from a patch submitted to the public netdev mailing list on April 29th.

Complete technical details and PoC exploit code are publicly available for all three CVEs, increasing the risk of exploitation by low-skilled attackers and initial access brokers (IAB) who sell unauthorized access to cyber-criminal organizations. Numerous national CERT alerts have been issued globally, and numerous product vendors have issued advisories and emergency patches to address the issues [3][4][5][6][7][8][9][10][11][12][13].

Although LPE flaws require local account access for exploitation, attackers can gain the required access in many ways, such as:

  • Existing software vulnerabilities [T1190] [T1203]
  • Using stolen credentials [T1078]
  • Phishing and spear phishing [T1566]
  • Malicious insiders and abused trusted relationships [T1199]
  • Supply chain compromise [T1195]

Potential impacts of successful exploitation include:

  • Ransomware attacks [T1486]
  • Credential theft [TA0006]
  • Rootkit deployment [T1014] for covert, persistent access [TA0003]
  • Binary replacement [T1554]
  • Disabling security tools [TA0005]
  • Botnet enrollment [T1584.005]
  • Lateral movement to other systems [TA0008]
  • Dropping poisoned files [T1204.002]
  • Downstream supply-chain attacks [T1195]

Mitigating Copy Fail, Copy Fail 2, and Dirty Frag

As of May 13th, patches are not yet available for every one of these CVEs on every major Linux distribution. Full mitigation requires identifying affected systems and installing operating system patches as soon as they ship. As a temporary workaround, defenders can prevent the vulnerable algif_aead, esp6, esp4, and rxrpc kernel modules from loading and unload any that are already loaded [1][2][3][4]. Two caveats apply: the workaround breaks functionality that depends on those modules (esp4 and esp6 provide IPsec ESP, rxrpc is used by kernel AFS, and algif_aead backs the AF_ALG userspace crypto interface), and it offers no protection on kernels where the affected code is compiled in rather than built as a loadable module.
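The module workaround as a runnable helper, added here as an example; it is not code from the original post, from Greenbone, or from any distribution advisory. It generates the modprobe.d drop-in, reports which of the four modules are loaded from lsmod-style output, and reports which are compiled into the kernel from a modules.builtin listing, since modprobe.d cannot block built-in code. The drop-in file name and the sample lsmod and modules.builtin listings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or Greenbone). Helper for the
# kernel-module workaround against Copy Fail, Copy Fail 2 and Dirty Frag.
set -u

VULN_MODULES="algif_aead esp4 esp6 rxrpc"
CONF_FILE="/etc/modprobe.d/copyfail-dirtyfrag-workaround.conf"   # assumed file name

# Emit a modprobe.d drop-in. "blacklist" alone only stops alias-based
# autoloading; the "install <mod> /bin/false" line additionally makes every
# modprobe of the module fail, including kernel-initiated request_module()
# calls made on behalf of an unprivileged process, which is what the
# workaround needs.
gen_modprobe_conf() {
  for m in $VULN_MODULES; do
    printf 'install %s /bin/false\n' "$m"
    printf 'blacklist %s\n' "$m"
  done
}

# Read lsmod output on stdin; print the vulnerable modules currently loaded.
loaded_vuln_modules() {
  awk -v list="$VULN_MODULES" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    NR > 1 && ($1 in want) { print $1 }'
}

# Read a modules.builtin file on stdin; print vulnerable modules compiled into
# the kernel (CONFIG_*=y). modprobe.d cannot block those: such a kernel needs
# the upstream fix, not the workaround.
builtin_vuln_modules() {
  awk -v list="$VULN_MODULES" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    {
      k = split($0, p, "/"); f = p[k]
      sub(/\.ko(\.(xz|zst|gz))?$/, "", f); gsub(/-/, "_", f)
      if (f in want) print f
    }'
}

# Apply on a live host (root required): write the drop-in, then try to unload
# anything already loaded. rmmod refuses while a module is in use (an active
# IPsec SA, an open AF_ALG socket, an AFS mount), so the workaround only takes
# effect once the dependent service is stopped.
apply_workaround() {
  gen_modprobe_conf > "$CONF_FILE"
  for m in $(lsmod | loaded_vuln_modules); do
    rmmod "$m" || echo "warning: $m still loaded (in use?)" >&2
  done
  for m in $(builtin_vuln_modules < "/lib/modules/$(uname -r)/modules.builtin"); do
    echo "warning: $m is built into this kernel; the workaround does not cover it" >&2
  done
}

# Constructed lsmod and modules.builtin samples for an offline dry run.
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
esp4                   28672  1
xfrm_user              49152  1
rxrpc                 155648  0'
SAMPLE_BUILTIN='kernel/net/ipv6/esp6.ko
kernel/crypto/crc32c_generic.ko'

if [ "${1:-}" = "--dry-run" ]; then
  echo "# would write to $CONF_FILE:"; gen_modprobe_conf
  echo "# loaded:";   printf '%s\n' "$SAMPLE_LSMOD"   | loaded_vuln_modules
  echo "# built-in:"; printf '%s\n' "$SAMPLE_BUILTIN" | builtin_vuln_modules
elif [ "${1:-}" = "--apply" ]; then
  apply_workaround
fi
```

Run with `--dry-run` to see what would be written and what the constructed samples report; `--apply` performs the change on the host and must run as root. Before relying on the drop-in, confirm with `modprobe -n -v <module>` that modprobe now resolves to the `install` override, and remember that the `install` line does nothing for modules already present in the initramfs or compiled into the kernel.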

Due to active exploitation and the availability of PoC exploits, defenders should consider monitoring for indicators of compromise (IoCs) and suspicious activity, and conduct incident response if a breach is suspected.

It’s also important to remember that Copy Fail, Copy Fail 2, and Dirty Frag may introduce additional risk to many third-party products that use Linux. Defenders should scan all infrastructure for vulnerabilities and follow the affected product vendor’s security guidance.

Summary

Copy Fail, Copy Fail 2, and Dirty Frag create a serious risk to any systems or devices that use Linux. The flaws are all local privilege escalation (LPE) vulnerabilities that require user-level access to exploit. However, risk is increased due to reliable exploitation on all major Linux distributions, the availability of public PoC exploit code, and in the case of CVE-2026-31431, known active exploitation.

Organizations should regularly scan their IT infrastructure with OPENVAS SCAN to verify that Linux kernel patches are applied network-wide and to identify vulnerable third-party software and hardware. Security updates should be installed as soon as they become available, and the temporary kernel module workaround may be applied in the meantime where the affected modules are not needed. Beyond patching, defenders should restrict the local access paths an attacker needs before an LPE can be exploited and monitor systems for indicators of compromise (IoCs).