5 min · critical

Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild

Copy Fail and DirtyFrag are critical Linux kernel privilege escalation vulnerabilities that exploit page cache corruption via legitimate kernel interfaces like AF_ALG and splice(). These flaws allow local attackers to corrupt the in-memory view of setuid binaries or critical files like /etc/passwd to gain root access. Copy Fail has been exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities catalog.

Sens: Immediate · Conf: high · Analyzed: 2026-05-09 · Google

Authors: Ruben Groenewoud, Eric Forte, Samir Bousseaden

Source: Elastic Security Labs

IOCs · 2
  • filename: /etc/passwd - Targeted by DirtyFrag's RxRPC fallback path to clear the root password field.
  • filename: /usr/bin/su - Targeted setuid binary whose in-memory view is corrupted to escalate privileges.

Detection / Hunter · Google

What Happened

Recently, critical security flaws named Copy Fail and DirtyFrag were discovered in the Linux operating system. These flaws allow a regular user on a Linux machine to trick the system into giving them full administrative (root) control without modifying any files on the hard drive. This affects many popular Linux versions, including Ubuntu, Amazon Linux, RHEL, and SUSE, and attackers are already using Copy Fail in the real world. This is highly dangerous because it allows unauthorized users to take complete control of affected servers. System administrators should immediately apply the latest Linux updates or use the provided temporary workarounds to block the vulnerable components.

Key Takeaways

  • Copy Fail and DirtyFrag are Linux kernel privilege escalation vulnerabilities that exploit page cache corruption.
  • Exploitation leverages legitimate kernel interfaces like AF_ALG, AF_RXRPC, and splice() to corrupt the in-memory views of setuid binaries or /etc/passwd.
  • Copy Fail (CVE-2026-31431) has been exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog.
  • DirtyFrag expands the bug class to the networking stack, meaning systems patched only for Copy Fail may still be vulnerable.
  • Mitigation requires kernel patching, targeted module blocking, and restricting unprivileged user namespaces.

Affected Systems

  • Linux (Ubuntu, Amazon Linux, RHEL, SUSE)

Vulnerabilities (CVEs)

  • CVE-2026-31431

Attack Chain

The attacker executes a local script or binary that leverages the socket(AF_ALG) or socket(AF_RXRPC) system calls alongside splice(). For DirtyFrag, the attacker first uses unshare to gain namespace capabilities. The exploit then injects read-only file pages into network buffers, where in-place cryptographic operations corrupt the page cache. This corrupts the in-memory view of a setuid binary like /usr/bin/su or the /etc/passwd file, allowing the attacker to execute a root shell or clear the root password to escalate privileges.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: Yes
  • Other Detection Logic: Yes
  • Platforms: Elastic Security Labs

The article provides EQL and ES|QL queries to detect syscall-level primitives (socket, splice), namespace creation (unshare), and generic SUID binary abuse. It also provides Auditd configuration rules.

Detection Engineering Assessment

  • EDR Visibility: High — EDRs with syscall monitoring (such as auditd integration) or robust process execution tracking can observe the specific socket/splice calls and suspicious SUID binary executions.
  • Network Visibility: Low — This is a local privilege escalation that exploits kernel memory and the page cache; network traffic is not a primary indicator.
  • Detection Difficulty: Moderate — Detecting the exact exploit requires syscall-level visibility, which can be noisy, but correlating it with SUID binary execution by non-root users makes it highly detectable.

Required Log Sources

  • Auditd logs (syscalls: socket, splice, bind, unshare)
  • Process execution logs (execve)

Hunting Hypotheses

Hypothesis 1: Look for a high volume of socket calls with AF_ALG or AF_RXRPC combined with splice calls from a single non-root process.
  • Telemetry: Auditd syscall logs
  • ATT&CK Stage: Privilege Escalation
  • FP Risk: Low

Hypothesis 2: Look for SUID binaries (such as su, sudo, pkexec) executed with effective UID 0 by a non-root user, spawned from a scripting runtime or user-writable path.
  • Telemetry: Process execution logs
  • ATT&CK Stage: Privilege Escalation
  • FP Risk: Medium
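As an added example for the first hypothesis (written for this page; it is not the Elastic article's EQL or ES|QL, which this summary does not reproduce), the script below parses raw x86_64 auditd SYSCALL records and flags non-root pids that mix socket(AF_ALG or AF_RXRPC) with splice(). The syscall numbers and address families are the standard kernel values; the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers and socket families as they appear in raw auditd SYSCALL records
# (auditd writes a0..a3 in hex, no 0x prefix). Checker written for this page, not Elastic's query.
SYS_SOCKET, SYS_SPLICE = 41, 275
AF_RXRPC, AF_ALG = 33, 38            # families abused by DirtyFrag and Copy Fail
X86_64_ARCH = "c000003e"
MIN_SOCKETS, MIN_SPLICES = 4, 4      # assumed thresholds; tune per environment
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def hunt_page_cache_primitives(lines):
    """Count socket(AF_ALG|AF_RXRPC) and splice() per pid and return the non-root pids
    that cross both thresholds, i.e. the interleaved burst the hypothesis describes."""
    stats = defaultdict(lambda: {"sockets": 0, "splices": 0, "uid": None})
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
            continue                      # other record types / other ABIs: numbers differ
        try:
            nr, a0 = int(rec["syscall"]), int(rec["a0"], 16)
        except (KeyError, ValueError):
            continue
        entry = stats[rec.get("pid")]
        entry["uid"] = rec.get("uid")
        if nr == SYS_SOCKET and a0 in (AF_ALG, AF_RXRPC):
            entry["sockets"] += 1
        elif nr == SYS_SPLICE:
            entry["splices"] += 1
    return sorted(pid for pid, e in stats.items() if e["uid"] not in (None, "0")
                  and e["sockets"] >= MIN_SOCKETS and e["splices"] >= MIN_SPLICES)

def _rec(seq, nr, a0, pid, uid, comm):
    """Build a constructed raw auditd SYSCALL record (sample data, not a real capture)."""
    return (f"type=SYSCALL msg=audit(1778284800.{seq:03d}:{seq}): arch={X86_64_ARCH} "
            f"syscall={nr} success=yes exit=3 a0={a0:x} a1=5 a2=0 a3=0 items=0 "
            f'ppid=1200 pid={pid} auid={uid} uid={uid} euid={uid} comm="{comm}"')

SAMPLE_LOG = [
    # uid 1000 alternating socket(AF_ALG) and splice(): the Copy Fail primitive burst
    *(_rec(i, SYS_SOCKET if i % 2 == 0 else SYS_SPLICE, AF_ALG if i % 2 == 0 else 5,
           4321, 1000, "exploit") for i in range(10)),
    *(_rec(i, SYS_SPLICE, 5, 800, 0, "rsyslogd") for i in range(20, 26)),   # root, no AF_ALG
    *(_rec(i, SYS_SOCKET, 2, 5555, 1000, "curl") for i in range(30, 33)),   # AF_INET only
]
```

Feed real records with `hunt_page_cache_primitives(open("/var/log/audit/audit.log"))`; only the pid that interleaves AF_ALG sockets with splice calls from a non-root uid is returned, while the root splice-heavy daemon and the AF_INET-only process are not.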

Control Gaps

  • Systems without syscall-level auditing (e.g., auditd) may miss the early stages of the exploit.

Key Behavioral Indicators

  • Burst of interleaved socket(AF_ALG) and splice() syscalls
  • unshare(CLONE_NEWUSER | CLONE_NEWNET) followed by root process execution
  • SUID binary execution with minimal arguments from a scripting runtime

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Disable the algif_aead module to mitigate Copy Fail.
  • Disable esp4, esp6, and rxrpc modules to mitigate DirtyFrag.
  • Drop the page cache after applying mitigations to clear corrupted memory.

Infrastructure Hardening

  • Update the Linux kernel to the latest patched version provided by the distribution.
  • Restrict unprivileged user namespace creation via sysctl (kernel.unprivileged_userns_clone=0 or user.max_user_namespaces=0).

User Protection

  • Monitor for unauthorized local access, as these are local privilege escalation vulnerabilities.

Security Awareness

  • Educate administrators on the risks of page cache vulnerabilities and the importance of rapid kernel patching.

MITRE ATT&CK Mapping

  • T1068 - Exploitation for Privilege Escalation
  • T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid

Additional IOCs

  • File Paths:
    • /etc/modprobe.d/copyfail.conf - Configuration file created during mitigation to disable algif_aead.
    • /etc/modprobe.d/dirtyfrag.conf - Configuration file created during mitigation to disable esp4, esp6, and rxrpc.
  • Command Lines:
    • Purpose: Disable algif_aead module to mitigate Copy Fail | Tools: echo, rmmod | Stage: Mitigation | echo "install algif_aead /bin/false" > /etc/modprobe.d/copyfail.conf
    • Purpose: Disable networking modules to mitigate DirtyFrag | Tools: printf, rmmod | Stage: Mitigation
    • Purpose: Drop page cache to discard corrupted in-memory pages | Tools: echo | Stage: Mitigation | echo 3 > /proc/sys/vm/drop_caches
    • Purpose: Restrict unprivileged user namespace creation | Tools: sysctl | Stage: Mitigation | sysctl -w kernel.unprivileged_userns_clone=0
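As an added, read-only check for the mitigation steps under Immediate Mitigation and Infrastructure Hardening and for the command lines listed above (an example written for this page, not Elastic's tooling), the script below verifies that each named module is both unloaded and blocked by an `install <module> /bin/false` rule, and that one of the two sysctls the page names restricts unprivileged user namespaces. The sample system state is constructed.

```python
import glob
import re
# Modules the page recommends blocking, per bug. Checker written for this page; read-only, not Elastic's tooling.
MITIGATION_MODULES = {"Copy Fail": ("algif_aead",), "DirtyFrag": ("esp4", "esp6", "rxrpc")}
# Either sysctl at 0 restricts unprivileged user namespaces (the first exists only on Debian/Ubuntu kernels).
USERNS_SYSCTLS = ("kernel.unprivileged_userns_clone", "user.max_user_namespaces")

def loaded_modules(proc_modules_text):
    """Names of loaded modules from /proc/modules content (first column of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def blocked_modules(modprobe_conf_text):
    """Modules neutralised by an `install <module> /bin/false` line in modprobe.d content."""
    return set(re.findall(r"^\s*install\s+(\S+)\s+/bin/false\b", modprobe_conf_text, re.M))

def check_mitigations(proc_modules_text, modprobe_conf_text, sysctl_values):
    """Return {check name: passed}. A module is safe only when it is unloaded now *and*
    blocked from loading later; sysctl_values maps sysctl name -> string value."""
    loaded, blocked = loaded_modules(proc_modules_text), blocked_modules(modprobe_conf_text)
    results = {}
    for bug, modules in MITIGATION_MODULES.items():
        for mod in modules:
            results[f"{bug}: {mod} unloaded"] = mod not in loaded
            results[f"{bug}: {mod} blocked"] = mod in blocked
    results["unprivileged userns restricted"] = any(
        sysctl_values.get(name, "").strip() == "0" for name in USERNS_SYSCTLS)
    return results

def read_live_state():
    """Collect the same three inputs from a running Linux host (needs only read access)."""
    with open("/proc/modules") as f:
        modules = f.read()
    conf = ""
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path) as f:
            conf += f.read() + "\n"
    sysctls = {}
    for name in USERNS_SYSCTLS:
        try:
            with open("/proc/sys/" + name.replace(".", "/")) as f:
                sysctls[name] = f.read()
        except OSError:                    # sysctl absent on this kernel
            sysctls[name] = ""
    return modules, conf, sysctls

# Constructed state: algif_aead unloaded and blocked, esp4 blocked but still loaded, rxrpc untouched.
SAMPLE_PROC_MODULES = "rxrpc 1126400 0 - Live 0xffffffffc0a00000\nesp4 28672 0 - Live 0xffffffffc0900000\n"
SAMPLE_MODPROBE_CONF = "install algif_aead /bin/false\ninstall esp4 /bin/false\n"
SAMPLE_SYSCTLS = {"user.max_user_namespaces": "28633\n"}   # namespaces still unrestricted
```

On a host, `check_mitigations(*read_live_state())` gives one boolean per check; a passing set means the workaround is in place but does not replace the kernel update.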