A week after Copy Fail (CVE-2026-31431), researcher Hyunwoo Kim disclosed a second Linux kernel local privilege escalation in the same broad area — IPsec ESP and rxrpc — and named it Dirty Frag. A working public proof-of-concept exists; any unprivileged local user can use it to gain root in a single command.
A second public exploit named “Copy Fail 2: Electric Boogaloo” refers to this same vulnerability under that alias. There is no separate “Copy Fail 2” CVE. Everything in this advisory applies.
The flaw is in the in-place decryption path of esp4, esp6, and rxrpc. When the receive path decrypts over paged buffers not privately owned by the kernel (e.g., pipe pages reaching the socket via splice(2) / sendfile(2)), unprivileged processes can retain references to the resulting plaintext — yielding a write primitive into the page cache that the public PoC turns into root in a single command.
Per Hyunwoo Kim’s public disclosure on oss-security (2026-05-07), the responsible-disclosure embargo was broken before distributions could coordinate, so no CVE identifiers have been allocated at the time of publication for either of the two bugs that make up Dirty Frag, and a working exploit is now publicly available.
Update on CVE assignments:
- The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284
- The RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking (NVD entry pending publication)
Details: public PoC and write-up · Dirty Frag disclosure · AlmaLinux announcement · NVD entry
Status as of 2026-05-07, 20:30 UTC
Patched kernels and KernelCare livepatches for affected CloudLinux versions are in active build/test. See Update instructions below for current per-stream status. This article will be updated in place as each stream reaches release.
Subscribe to the CloudLinux status page for updates.
Affected CloudLinux versions
Contents
| Version | Affected | Will be patched via |
|---|---|---|
| CloudLinux 7 (CL7) | No | – |
| CloudLinux 7 Hybrid (CL7h) | Yes | CloudLinux kernel |
| CloudLinux 8 (CL8) | Yes | CloudLinux kernel |
| CloudLinux 9 (CL9) | Yes | AlmaLinux kernel |
| CloudLinux 10 (CL10) | Yes | AlmaLinux kernel |
A KernelCare livepatch will also be available as an alternative on all affected versions. See Stream 3 below for current status.
Apply this mitigation now
Until a patched kernel or KernelCare livepatch is installed, blacklist the esp4, esp6, and rxrpc modules so they cannot be loaded, and unload them if already present:
sudo sh -c "printf 'install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"To revert after a patched kernel is installed:
sudo rm /etc/modprobe.d/dirtyfrag.confCompatibility: esp4 / esp6 are the kernel-side ESP transforms used by IPsec. Disabling them breaks IPsec tunnels that rely on the kernel data path on the affected machine. Do not apply this mitigation on hosts that terminate or transit IPsec / strongSwan / Libreswan tunnels. rxrpc is the AF_RXRPC transport used almost exclusively by AFS clients and is not present on typical web-hosting servers.
Restore page-cache binaries after mitigation
The exploit can modify legitimate system binaries in page-cache as part of gaining root, so applying the mitigation alone is not enough on systems that may have been targeted before it was in place. After mitigating, drop page-cache:
sudo echo 3 > /proc/sys/vm/drop_caches
Additional protection for Imunify360 users
We identified IOCs associated with a Bash script that prepares the payload, compiles the exploit, and executes it to achieve privilege escalation. The related script has already been blacklisted on Imunify360.
This is an additional layer of defense. It does not replace the kernel update, but customers running Imunify360 are covered with further protection in the meantime.
Update instructions
Update: 2026-05-09, 08:20 UTC
For those who use LTS kernel, we released the patched version. The command to update:
dnf update 'kernel-lts*' --enablerepo=cloudlinux-updates-testing
rebootThere are three release streams. Use the one that applies to your CloudLinux version. As patches land, this article will be updated in place. Check the timestamps on the callouts in each stream below.
Stream 1 — CloudLinux kernel (CL7h, CL8)
Update: 2026-05-09, 08:20 UTC
The patched kernel has moved to the stable rollout for both CL7h and CL8. To install:
yum install --enablerepo=cloudlinux-rollout-4-bypass packageName
rebootTarget versions:
- CL7h: kernel-4.18.0-553.123.2.lve.el7h or newer
- CL8: kernel-4.18.0-553.123.2.lve.el8 or newer
Update: 2026-05-08, 15:30 UTC
Patched kernels for CL7h and CL8 are now available in the beta channel. Target versions:
- CL7h: kernel-4.18.0-553.123.2.lve.el7h or newer
- CL8: kernel-4.18.0-553.123.2.lve.el8 or newer
Once you have deployed the patch from the beta channel, please provide us feedback (both positive or negative) by opening a support ticket.
Update: 2026-05-08, 06:00 UTC
Target package versions for CL7h and CL8 will be listed here on release. CloudLinux rebuilds are based on the AlmaLinux 8 fix kernel-4.18.0-553.123.2.el8_10 (currently in the AlmaLinux testing repository).
Status: May 7, 20:30 UTC
Patched kernels are in build on top of the AlmaLinux 8 fix. Target package versions and channel availability are coming soon.
Both CL7h and CL8 will be CloudLinux rebuilds of the upstream fix.
Updating from the CloudLinux beta channel
Once the patched kernel lands in the beta channel, enable it for a single update:
Instructions for CL8 — beta channel cloudlinux-updates-testing:
yum --enablerepo=cloudlinux-updates-testing update 'kernel*'Instructions for CL7h — beta channel cl7h_beta:
reboot
uname -r
yum --enablerepo=cl7h_beta update 'kernel*'
reboot
uname -r
reboot
uname -r
Once the kernel reaches the stable channel
A plain update will pull the patched version, no extra repo enablement needed:
yum update 'kernel*'
reboot
uname -r
Stream 2 — AlmaLinux kernel (CL9, CL10)
Update: 2026-05-08, 15:30 UTC
Patched kernels are available in the AlmaLinux stable repository. Target versions:
- CL9 / AlmaLinux 9: kernel-5.14.0-611.54.3.el9_7 or newer
- CL10 / AlmaLinux 10: kernel-6.12.0-124.55.2.el10_1 or newer
Update to the patched version with:
dnf update 'kernel*'
reboot
uname -r
Update: 2026-05-08, 06:00 UTC
Patched kernels are available in the AlmaLinux testing repository:
- CL9 / AlmaLinux 9: kernel-5.14.0-611.54.3.el9_7 or newer
- CL10 / AlmaLinux 10: kernel-6.12.0-124.55.2.el10_1 or newer
Promotion to production repositories is pending. See the AlmaLinux advisory for upstream details.
Status: May 7, 20:30 UTC
AlmaLinux is preparing the patched kernel. Target package versions and repository availability will be added here as soon as upstream announces.
CloudLinux 9 and CloudLinux 10 use the AlmaLinux kernel directly.
Updating from the AlmaLinux testing repository
The almalinux-release-testing package is not in CloudLinux repositories — install it from a direct URL, update the kernel, then disable the testing repo.
For CL10:
# 1. Enable the AlmaLinux 10 testing repo
dnf install -y https://repo.almalinux.org/almalinux/10/extras/x86_64/os/Packages/almalinux-release-testing-10-1.el10.x86_64.rpm
# 2. Update the kernel
dnf update ‘kernel*’
# 3. Reboot
reboot
# 4. Verify — expected kernel-6.12.0-124.55.2.el10_1 or later
uname -r
# 5. Disable the testing repo
dnf config-manager –disable almalinux-testingFor CL9 — same flow, but replace the URL in step 1:
dnf install -y https://repo.almalinux.org/almalinux/9/extras/x86_64/os/Packages/almalinux-release-testing-9-1.el9.noarch.rpmExpected version: kernel-5.14.0-611.54.3.el9_7 or later.
Once the kernel reaches AlmaLinux stable production repositories
A plain update will pull the patched version, no testing-repo step needed:
dnf update 'kernel*'
reboot
uname -r
Stream 3 — KernelCare livepatch (all affected versions)
Update: 2026-05-08, 17:00 UTC
Kernel patches are released to the main feed for the following EL8 distributions: CentOS 8, RHEL 8, Almalinux 8, CloudLinux 8, and CloudLinux 7 Hybrid and Almalinux 9 FIPS variants.
Customers on the main feed will receive the fix automatically on their next kcarectl –update
The patch for Ubuntu Jammy has been released to the testing feed. In order to deploy from the test feed, run the following command:
kcarectl --update --prefix testOnce you have deployed the patch from the test feed, please provide us feedback (both positive or negative) by opening a support ticket.
Update: May 8, 12pm UTC
We are currently rolling out patches for the entire el8 kernel family. They are already available in the testing feed and will be released to the main feed later today. At the same time, work is underway on el9. The release schedule for that will be announced later.
In order to deploy from the test feed, run the following command:
kcarectl --update --prefix testOnce you have deployed the patch from the test feed, please provide us feedback (both positive or negative) by opening a support ticket.
Status: May 7, 20:30 UTC
KernelCare engineering is preparing livepatches. Per-distro release status will be appended here as patches roll out.
The KernelCare livepatch for this vulnerability is being prepared. Once published, KernelCare-subscribed systems will receive the fix automatically through the usual livepatch flow:
kcarectl --update
Not using KernelCare yet? You can get started in just a few minutes. Find more information here.
How to verify you are patched
After update + reboot:
uname -rCompare to the target version for your CloudLinux stream above
