A new unpatched local privilege escalation in the Linux kernel, dubbed Dirty Frag, has been described as a successor to Copy Fail (CVE-2026-31431, CVSS 7.8) and was reported to Linux kernel maintainers on 30 April 2026. According to security researcher Hyunwoo Kim (@v4bel) the flaw enables root access by chaining the xfrm-ESP Page-Cache Write vulnerability with the RxRPC Page-Cache Write vulnerability, a deterministic bug that does not rely on a timing window.
Successful exploitation could grant an unprivileged local user elevated root privileges on most distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10 and Fedora 44.
The xfrm-ESP Page-Cache Write vulnerability originates from the IPSec (xfrm) subsystem and requires the attacker to create a user namespace, a step blocked by Ubuntu via AppArmor; in environments where this is allowed, the RxRPC module (rxrpc[.]ko) may be present to enable the attack, whereas on systems like Ubuntu the module is loaded by default. A PoC exists that can gain root in a single command, and administrators are advised to blockload esp4, esp6 and rxrpc by creating a dirtyfrag[.]conf entry.