www.elastic.co 5/9/2026, 12:19:26 PM · via preferred

Linux Kernel Flaw Lets Attackers Gain Root via Copy Fail Exploit

CyberSIXT evidence panel: source marked as original reporting; CISA KEV: listed; patch: available.

Elastic Security Labs' report, published on 9 May 2026, examines the Linux kernel privilege escalation vulnerabilities Copy Fail and DirtyFrag, which exploit subtle page cache corruption to reach root. Copy Fail has already been reported as exploited in the wild.

It describes Copy Fail (CVE-2026-31431), Copy Fail 2 and DirtyFrag as methods that leverage legitimate kernel interfaces, local execution, and short PoCs to escalate privileges, and says Copy Fail has been added to CISA's Known Exploited Vulnerabilities catalog.

Copy Fail exploits a logic bug in the authencesn cryptographic template, chaining AF_ALG and splice() to write into the page cache of readable files. DirtyFrag extends the bug class into the networking stack via ESP and RxRPC paths that can overwrite /usr/bin/su or /etc/passwd, and requires unshare(CLONE_NEWUSER | CLONE_NEWNET) to gain namespace capabilities.

Detection focuses on primitive actions such as socket(AF_ALG) and splice, using auditd and ES|QL signals to identify exploitation patterns; the report provides several detection rules and mitigation steps. Mitigations include updating the kernel, blocking modules like algif_aead for Copy Fail, disabling esp4, esp6, and rxrpc for DirtyFrag, dropping caches, and restricting unprivileged user namespaces, all with caution regarding potential impacts on services.
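A sketch of the primitive-based detection described above, added here as an example and not taken from Elastic's rules: it correlates auditd SYSCALL records to flag unprivileged processes that open an AF_ALG socket and then call splice(). It assumes x86_64 syscall numbers and that auditd is already recording both syscalls; the 60-second window, function names and log lines are constructed for illustration.

```python
import re

# x86_64 syscall numbers and the AF_ALG address family (Linux headers).
SYS_SOCKET, SYS_SPLICE = 41, 275
AF_ALG = 38          # auditd prints a0 in hex, so this shows up as a0=26
WINDOW_SECONDS = 60  # assumed correlation window; tune for your environment

# Constructed sample records, not captured from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778329100.101:901): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=80005 a2=0 a3=0 pid=2345 uid=1000 comm="a.out" exe="/tmp/a.out"
type=SYSCALL msg=audit(1778329100.180:902): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=6 a3=0 pid=2345 uid=1000 comm="a.out" exe="/tmp/a.out"
type=SYSCALL msg=audit(1778329105.010:903): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 pid=3000 uid=1001 comm="nginx" exe="/usr/sbin/nginx"
type=SYSCALL msg=audit(1778329105.020:904): arch=c000003e syscall=275 success=yes exit=512 a0=7 a1=0 a2=9 a3=0 pid=3000 uid=1001 comm="nginx" exe="/usr/sbin/nginx"
type=SYSCALL msg=audit(1778329110.500:905): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=410 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
type=SYSCALL msg=audit(1778329110.600:906): arch=c000003e syscall=275 success=yes exit=64 a0=3 a1=0 a2=5 a3=0 pid=410 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r'msg=audit\((\d+)\.\d+:\d+\)')

def parse(line):
    """Turn one auditd SYSCALL record into a dict, or None for other lines."""
    m = STAMP.search(line)
    if not m or not line.startswith("type=SYSCALL"):
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["ts"] = int(m.group(1))
    return rec

def find_af_alg_splice(log_text):
    """Return [(pid, exe)] for non-root processes that opened an AF_ALG
    socket and then called splice() within WINDOW_SECONDS."""
    alg_open, hits = {}, []   # alg_open: pid -> time of AF_ALG socket()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec.get("success") != "yes" or rec.get("uid") == "0":
            continue
        nr, pid = int(rec["syscall"]), rec["pid"]
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            alg_open[pid] = rec["ts"]
        elif nr == SYS_SPLICE and pid in alg_open:
            hit = (pid, rec.get("exe", "?"))
            if rec["ts"] - alg_open[pid] <= WINDOW_SECONDS and hit not in hits:
                hits.append(hit)
    return hits
```

Root-owned AF_ALG users are skipped here only to cut noise in the sample; whether that exclusion is acceptable depends on the host.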


Article by CyberSIXT
