Two freshly disclosed Linux kernel flaws — Copy Fail (CVE-2026-31431) and a related family of bugs dubbed DirtyFrag — give unprivileged local users a dependable route to root on virtually every mainstream distribution, including Ubuntu, Amazon Linux, RHEL, and SUSE. Both abuse subtle page-cache corruption to tamper with privileged binaries in memory while leaving the on-disk files pristine. Copy Fail is already being exploited in the wild and now sits in CISA's Known Exploited Vulnerabilities catalog, and working proof-of-concept code circulates in Python, Go, Rust, C, and Metasploit form — so the time to detect and patch is now.

Copy Fail (CVE-2026-31431): poisoning setuid binaries in the page cache

Copy Fail is a logic bug in the Linux kernel's authencesn cryptographic template, the AEAD construction used for IPsec Extended Sequence Numbers. According to the NVD entry, the fix "mostly reverts commit 72548b093ee3 except for the copying of the associated data" — restoring crypto: algif_aead to operating out-of-place. Per the public detection-script write-up, the flaw was disclosed on April 29, 2026 by the Xint Code Research Team and had been latent in the kernel since roughly 2017 — close to a decade.

The attack stitches together two kernel features that are individually benign:

  • AF_ALG — the socket family that exposes the kernel crypto API to userspace.
  • splice() — a zero-copy syscall that feeds file data straight into another file descriptor without copying it.

Because splice() can push a file's cached pages directly into a crypto operation, the kernel's in-memory copy of a file — its page cache — ends up inside that cryptographic buffer. The authencesn algorithm treats its output buffer as scratch space and writes four bytes slightly beyond where it should. Normally harmless, but when the output buffer is chained to page-cache pages belonging to a setuid binary like /usr/bin/su (a side effect of a 2017 "optimisation" in algif_aead.c), those four bytes land inside the kernel's cached copy of that binary.

The crypto operation then fails with an error, so the kernel never marks the page dirty and never flushes it back to disk. The file on disk stays clean and any integrity checker that hashes on-disk contents sees nothing wrong — but the page cache is what actually executes, and su is setuid root. The result is a clean, reliable local privilege escalation with minimal forensic residue. A working exploit reportedly fits in a 732-byte Python script (a public PoC is referenced at copy.fail/#exploit), which is exactly why blocking any single implementation is futile.

DirtyFrag: the same bug class, pushed into the network stack

DirtyFrag applies the same page-cache corruption primitive but reaches it through the networking subsystem, giving it two distinct exploitation paths.

ESP path (AF_NETLINK / XFRM)

This variant sets up XFRM security associations over AF_NETLINK to drive in-place cryptographic operations on spliced pages. It overwrites /usr/bin/su with a minimal root-shell ELF entirely in memory, then runs it to land a root shell.

RxRPC fallback path (AF_RXRPC)

When AF_ALG isn't available, DirtyFrag falls back to AF_RXRPC with the pcbc(fcrypt) cipher. Instead of su, it corrupts /etc/passwd to blank out root's password field, after which su to root succeeds with no credentials.

Both DirtyFrag paths first call unshare(CLONE_NEWUSER | CLONE_NEWNET) to gain the needed namespace capabilities before triggering the page-cache write — a behavioral tell that defenders can anchor detections to.

Patch managers, read this: DirtyFrag does not rely on the algif_aead module. If your only mitigation was disabling that module to stop Copy Fail, DirtyFrag still works against you.

Why signature-matching PoCs is a losing game

Detection that keys off known exploit scripts is already stale. Copy Fail has at least five public reimplementations across different languages, and DirtyFrag ships as a C PoC. Each new signature is obsolete the moment another port appears. Durable detection has to target the syscall primitives and behaviors every implementation must use — not filenames or script hashes.

Detection: syscall primitives via auditd + EQL

All variants funnel through a small set of unavoidable low-level operations:

  • socket(AF_ALG) — value 0x26 in the a0 argument
  • socket(AF_RXRPC) — value 0x21, used by DirtyFrag's fallback path
  • splice() — invoked from a non-root process to inject pages into crypto buffers

With auditd syscall auditing in place, correlate these against the final escalation — a process gaining effective UID 0 from a non-root caller — using an EQL sequence rule with a 60-second maximum span. Requiring the privilege-escalation outcome to follow the suspicious primitives keeps false positives down while catching the full chain regardless of implementation.

Detection: DirtyFrag namespace creation

DirtyFrag's use of unshare(CLONE_NEWUSER | CLONE_NEWNET) is a sharp signal. Legitimate software rarely calls unshare with both the user and network namespace flags from a non-root context and then immediately spawns a root-owned process. An EQL sequence that matches the unshare event (argument bitmasks such as 0x10000000, 0x50000000, or 0x70000000) followed by a root process execution within 30 seconds — scoped to the same host, parent PID, and user — yields a tight, low-noise alert.
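The two sequence rules above (syscall primitives followed by an euid-0 exec within 60 seconds, and the unshare namespace tell followed by a root exec within 30 seconds) expressed as a small correlator over auditd SYSCALL records. This is an added example, not code from the original write-up or the detection script it references; the audit lines are constructed, and the field layout is a trimmed version of what auditd emits (x86_64 syscall numbers, a0 in hex without a 0x prefix).

```python
import re

# Constructed auditd SYSCALL records (not real captures). x86_64 syscall numbers:
# 41=socket, 272=unshare, 275=splice, 59=execve; auditd prints a0 in hex without "0x".
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1714400000.100:101): arch=c000003e syscall=41 a0=26 a1=5 a2=0 ppid=900 pid=1234 auid=1000 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1714400000.200:102): arch=c000003e syscall=275 a0=3 a1=0 a2=4 ppid=900 pid=1234 auid=1000 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3"
type=SYSCALL msg=audit(1714400003.500:103): arch=c000003e syscall=59 a0=7ffd0010 ppid=1234 pid=1240 auid=1000 uid=1000 euid=0 comm="su" exe="/usr/bin/su"
type=SYSCALL msg=audit(1714400100.000:104): arch=c000003e syscall=272 a0=50000000 ppid=900 pid=2000 auid=1000 uid=1000 euid=1000 comm="dirtyfrag" exe="/tmp/dirtyfrag"
type=SYSCALL msg=audit(1714400112.000:105): arch=c000003e syscall=59 a0=7ffd0020 ppid=2000 pid=2001 auid=1000 uid=1000 euid=0 comm="su" exe="/usr/bin/su"
type=SYSCALL msg=audit(1714400200.000:106): arch=c000003e syscall=41 a0=2 a1=1 a2=6 ppid=900 pid=3000 auid=1000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
type=SYSCALL msg=audit(1714400400.000:107): arch=c000003e syscall=59 a0=7ffd0030 ppid=3000 pid=3001 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo"
"""
SOCKET, UNSHARE, SPLICE, EXECVE = 41, 272, 275, 59
AF_ALG, AF_RXRPC, NEWUSER_NEWNET = 0x26, 0x21, 0x10000000 | 0x40000000
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """One audit line -> dict with numeric ts, syscall, pid, ppid, uid, euid, a0."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["ts"] = float(re.search(r"audit\(([\d.]+):", line).group(1))
    for k in ("syscall", "ppid", "pid", "uid", "euid"):
        rec[k] = int(rec[k])
    rec["a0"] = int(rec.get("a0", "0"), 16)
    return rec

def primitive(rec):
    """Label the record if it is an exploit primitive issued by a non-root process, else None."""
    if rec["uid"] == 0:
        return None
    if rec["syscall"] == SOCKET and rec["a0"] in (AF_ALG, AF_RXRPC):
        return "socket(AF_ALG)" if rec["a0"] == AF_ALG else "socket(AF_RXRPC)"
    if rec["syscall"] == SPLICE:
        return "splice()"
    if rec["syscall"] == UNSHARE and (rec["a0"] & NEWUSER_NEWNET) == NEWUSER_NEWNET:
        return "unshare(NEWUSER|NEWNET)"
    return None

def correlate(audit_text):
    """Sequence rule: primitive(s), then an execve gaining euid 0 from a non-root uid, for the
    same user and the same pid or parent pid, within 60s (30s for the unshare tell)."""
    pending, alerts = [], []
    for rec in map(parse, audit_text.splitlines()):
        label = primitive(rec)
        if label:
            pending.append((rec["ts"], rec["pid"], rec["uid"], label))
        elif rec["syscall"] == EXECVE and rec["euid"] == 0 and rec["uid"] != 0:
            hits = sorted({lbl for ts, pid, uid, lbl in pending
                           if uid == rec["uid"] and pid in (rec["pid"], rec["ppid"])
                           and 0 <= rec["ts"] - ts <= (30 if lbl.startswith("unshare") else 60)})
            if hits:
                alerts.append((rec["pid"], rec["exe"], hits))
    return alerts
```

On the sample, the curl socket (AF_INET) and the later sudo never pair up, while both su executions are reported together with the primitives that preceded them.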

Detection: generic SUID abuse via process events

Where syscall auditing isn't enabled, process-execution telemetry still catches the final stage of both exploits. Flag SUID binary executions where all of the following hold:

  • Effective UID is 0
  • The real user is non-root
  • The parent process is also non-root
  • A SUID binary (su, sudo, pkexec, passwd, chsh, newgrp) is launched with minimal arguments
  • The parent is a scripting runtime, an interactive shell one-liner, or an executable from a user-writable path

This fingerprints the escalation behavior itself, independent of any exploit-specific artifact.
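The five process-event conditions listed above as one predicate, with a few constructed events to show which executions it keeps and which it drops. This is an added example rather than anything from the original post; the event dict layout (exe, args, uid, euid, parent_uid, parent_exe, parent_args) and the set of user-writable prefixes are assumptions.

```python
import re
from os.path import basename

SUID_BINS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
SCRIPT_RUNTIMES = re.compile(r"^(python[\d.]*|perl|ruby|node|php|lua[\d.]*)$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")   # assumed prefixes

def launcher_is_suspicious(parent_exe, parent_args):
    """Parent is a scripting runtime, a shell one-liner (-c), or lives in a user-writable path."""
    name = basename(parent_exe)
    return (bool(SCRIPT_RUNTIMES.match(name))
            or (name in SHELLS and "-c" in parent_args)
            or parent_exe.startswith(USER_WRITABLE))

def suspicious_suid_exec(ev):
    """All five conditions from the post must hold for a process-execution event (dict)."""
    return (ev["euid"] == 0
            and ev["uid"] != 0
            and ev["parent_uid"] != 0
            and basename(ev["exe"]) in SUID_BINS
            and len(ev["args"]) <= 2                 # minimal args: ["su"], ["su", "-"], ...
            and launcher_is_suspicious(ev["parent_exe"], ev["parent_args"]))

# Constructed process events (not real telemetry).
EVENTS = [
    {"exe": "/usr/bin/su", "args": ["su"], "uid": 1000, "euid": 0, "parent_uid": 1000,
     "parent_exe": "/usr/bin/python3", "parent_args": ["python3", "poc.py"]},          # flagged
    {"exe": "/usr/bin/su", "args": ["su"], "uid": 1000, "euid": 0, "parent_uid": 1000,
     "parent_exe": "/tmp/dirtyfrag", "parent_args": ["./dirtyfrag"]},                  # flagged
    {"exe": "/usr/bin/sudo", "args": ["sudo", "apt", "update"], "uid": 1000, "euid": 0,
     "parent_uid": 1000, "parent_exe": "/usr/bin/bash", "parent_args": ["-bash"]},      # admin use
    {"exe": "/usr/bin/passwd", "args": ["passwd"], "uid": 1000, "euid": 0, "parent_uid": 1000,
     "parent_exe": "/usr/bin/bash", "parent_args": ["-bash"]},                          # interactive
    {"exe": "/usr/bin/su", "args": ["su"], "uid": 0, "euid": 0, "parent_uid": 0,
     "parent_exe": "/usr/bin/python3", "parent_args": ["python3", "ops.py"]},           # already root
]

def flag_events(events):
    """Return the exe of every event that matches the SUID-abuse predicate."""
    return [ev["exe"] for ev in events if suspicious_suid_exec(ev)]
```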

Recommended actions

  • Patch now. Apply the kernel updates that address CVE-2026-31431 and the DirtyFrag variants for your distribution. Copy Fail is confirmed in active exploitation and was added to CISA's KEV catalog on May 1, 2026.
  • Don't stop at disabling algif_aead. That blunts Copy Fail but leaves DirtyFrag's RxRPC path wide open.
  • Enable auditd syscall auditing for socket, splice, and unshare calls from non-root processes.
  • Deploy EQL sequence rules to catch the chain in correlated context rather than as isolated events.
  • Monitor SUID binary executions so you can still catch the final escalation step even without syscall auditing.
  • Confirm your exposure with the published Copy Fail detection script, which helps determine where you're vulnerable — or still vulnerable after patching.

The takeaway

Copy Fail and DirtyFrag mark a maturing style of Linux kernel exploitation that weaponizes legitimate kernel interfaces to corrupt a file's in-memory pages while its on-disk copy stays untouched. With active exploitation already underway and accessible PoCs spanning multiple languages, this isn't a nation-state-only problem. The most resilient defense is behavioral: anchor detection to the AF_ALG socket creation, splice() abuse, namespace manipulation, and anomalous SUID escalation sequences that every variant must rely on. Patch, audit, and hunt — the exploit code is already out there.