LESS than two weeks after Copy Fail’s public disclosure (CVE-2026-31431), SANS ISC reports a new Linux local privilege escalation vulnerability, dubbed Dirty Frag, discovered by Hyunwoo Kim (@v4bel). The flaw comprises two sub-vulnerabilities in the xfrm ESP decryption fast paths (esp4, esp6) and the RxRPC module, which can chain to achieve immediate root on many major Linux distributions, with no CVE assigned because the embargo was broken.
Dirty Frag enables an unprivileged user to escalate to root via in-place cryptographic operations on page-cache pages that are readable but not writable, effectively corrupting the page cache of files such as /etc/passwd or /usr/bin/su. Remediation steps include denylisting vulnerable modules (esp4, esp6, rxrpc), applying live patches where available, and installing patched kernels from testing repositories, with cautions about potential disruption to IPsec and RxRPC-dependent services.
The advisory notes that Dirty Frag resembles Copy Fail in its root cause—kernel page-cache handling and in-place operations—though the two exploit different kernel subsystems and have separate discoverers and disclosure timelines.