5 min read · Severity: critical

How Dirty Frag rose from the Copy Fail exploit

CVE-2026-31431, also known as Dirty Frag or Copy Fail, is a Linux kernel local privilege escalation vulnerability that allows attackers to write to read-only memory regions via page-cache abuse. Active exploitation was observed prior to the public embargo break, with threat actors deploying ELF binaries, Python scripts, and malicious PyPI packages to achieve root access, notably including adoption by the Multiverze trojan family.

Sens: Immediate · Conf: high · Analyzed: 2026-05-25

Authors: Igor Lasic

Actors: Multiverze, V4bel

Source: ReversingLabs

IOCs · 28

Detection / Hunter

What Happened

A critical security flaw in the Linux kernel, known as Dirty Frag or Copy Fail, allows a local attacker to gain full administrative (root) control over affected systems. The vulnerability affects all major Linux distributions, including Ubuntu, Red Hat, Debian and SUSE. Exploits are already circulating in the wild, packaged as standalone ELF binaries, Python scripts and a malicious package published on PyPI, and have been picked up by existing malware. Organizations must immediately apply the kernel updates provided by their Linux vendors and reboot to protect their systems.

Key Takeaways

  • CVE-2026-31431 (Dirty Frag/Copy Fail) is a critical Linux kernel local privilege escalation vulnerability actively exploited in the wild.
  • Malicious samples were circulating at least 9 days before the public embargo was broken in early May 2026.
  • Exploits are distributed via ELF binaries, Python scripts, and a malicious PyPI wheel named 'copyfail'.
  • The Multiverze trojan family has actively adopted the exploit to achieve root access on compromised hosts.

Affected Systems

  • Linux kernel
  • Ubuntu
  • Red Hat
  • Debian
  • SUSE

Vulnerabilities (CVEs)

  • CVE-2026-31431
  • CVE-2022-0847 (Dirty Pipe, the earlier Linux page-cache overwrite flaw that Dirty Frag is compared with)

Attack Chain

Attackers exploit CVE-2026-31431 by abusing the Linux kernel's page cache to write into file-backed memory that should be read-only. The exploit payload then executes shellcode that calls setuid(0), setgid(0) and setgroups with an empty group list (setgroups(0, NULL)), so that the process's real, effective and saved user and group IDs are all root and no supplementary groups from the original user remain. Finally, the shellcode calls the execve syscall on /bin/sh with the TERM=xterm environment variable set, spawning an interactive root shell. This payload has been weaponized into standalone ELF binaries, Python scripts, and malicious PyPI packages.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: ReversingLabs Spectra Analyze, Spectra Intelligence

The source article provides YARA rules to detect the V4bel reference shellcode, and Spectra Intelligence queries to hunt for exploit variants by threat name and CVE field.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions typically have strong visibility into process creation events, especially when a low-privilege process spawns a root shell, and can monitor execution from writable directories.
  • Network Visibility: Low. This is a local privilege escalation vulnerability; exploitation occurs entirely on the host and generates no specific network traffic.
  • Detection Difficulty: Moderate. The kernel memory manipulation itself is hard to observe directly, but the resulting behavior (a root shell spawned from a low-privilege process, or ELFs executed from /tmp) is highly anomalous and detectable.

Required Log Sources

  • Process Creation (Linux auditd execve SYSCALL and EXECVE records, Sysmon for Linux Event ID 1, or equivalent EDR process telemetry)
  • File Creation (Linux auditd file watches on /tmp and /dev/shm, or Sysmon for Linux Event ID 11)

Hunting Hypotheses

  • Hunt for process creation events where a low-privilege parent process spawns a child running as UID 0 (root) without a privilege broker such as sudo, su or pkexec in the chain. (Telemetry: Process Creation; ATT&CK stage: Privilege Escalation; FP risk: Low)
  • Monitor execution of ELF binaries, and of scripts handed to interpreters, from world-writable paths such as /tmp or /dev/shm. (Telemetry: Process Creation; ATT&CK stage: Execution; FP risk: Medium)
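Both hypotheses run over auditd execve records, as an added example (my code, not from the ReversingLabs article or this page). It assumes an auditd rule such as `-a always,exit -F arch=b64 -S execve -k exec`, which emits one SYSCALL record (credentials, pid/ppid, exe) and one EXECVE record (argv) per event, joined by the serial in msg=audit(timestamp:serial). The log lines in SAMPLE_LOG are constructed, and the privilege-broker allowlist and staging-directory list are assumptions to tune per fleet.

```python
"""Hunt auditd execve records for a root shell spawned from an unprivileged session
and for execution staged from world-writable directories.

Added example; not code from the ReversingLabs article. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Binaries that legitimately turn a logged-in user's session into root. A uid=0
# child whose parent is one of these is an ordinary sudo/su/pkexec session.
PRIV_BROKERS = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/doas"}
# World-writable directories the report names as payload staging locations.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
AUID_UNSET = 4294967295   # auid=-1 as unsigned: daemons and other non-login tasks
EXECVE_X86_64 = "59"      # syscall number for execve when arch=c000003e

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Split one auditd line into a dict; quoted values lose their quotes."""
    rec = {key: (inner if raw.startswith('"') else raw)
           for key, raw, inner in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["_serial"] = m.group(1)
    return rec


def group_events(lines):
    """Join the SYSCALL and EXECVE records that share an audit serial."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if "_serial" not in rec:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev.update(rec)
        elif rec.get("type") == "EXECVE":
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
    return [ev for ev in events.values() if ev.get("type") == "SYSCALL"]


def hunt(lines):
    """Return (severity, serial, reason) findings from an iterable of auditd lines."""
    findings = []
    exe_by_pid = {}   # last executable seen per pid, used to resolve a child's parent
    for ev in group_events(lines):
        if ev.get("syscall") != EXECVE_X86_64:
            continue
        exe = ev.get("exe", "")
        exe_by_pid[ev.get("pid")] = exe
        parent_exe = exe_by_pid.get(ev.get("ppid"), "")
        auid, uid = int(ev.get("auid", AUID_UNSET)), int(ev.get("uid", -1))
        # Hypothesis 1: a logged-in user (auid is a real account) now executing as
        # uid 0, with neither this binary nor its parent being a privilege broker.
        if (uid == 0 and auid not in (0, AUID_UNSET)
                and exe not in PRIV_BROKERS and parent_exe not in PRIV_BROKERS):
            findings.append(("high", ev["_serial"],
                             f"auid={auid} executes {exe} as uid=0; parent={parent_exe or ev.get('ppid')}"))
        # Hypothesis 2: execution staged from a world-writable directory, either the
        # binary itself or a script argument handed to an interpreter (Python variants).
        staged = [p for p in [exe, *ev.get("argv", [])] if p.startswith(STAGING_DIRS)]
        if staged:
            findings.append(("medium", ev["_serial"], f"execution from staging dir: {staged[0]}"))
    return findings


# Constructed records: a legitimate `sudo -i` (101, 102), a dropped ELF exploit that
# replaces its own image with a root /bin/sh (103, 104), and a Python variant (105).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1716600000.001:101): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4100 auid=1000 uid=1000 gid=1000 euid=0 suid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1716600000.001:101): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1716600000.002:102): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1716600000.002:102): argc=1 a0="-bash"
type=SYSCALL msg=audit(1716600000.003:103): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 tty=pts0 ses=3 comm="exploit" exe="/tmp/exploit" key="exec"
type=EXECVE msg=audit(1716600000.003:103): argc=1 a0="./exploit"
type=SYSCALL msg=audit(1716600000.004:104): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4200 auid=1000 uid=0 gid=0 euid=0 suid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1716600000.004:104): argc=1 a0="/bin/sh"
type=SYSCALL msg=audit(1716600000.005:105): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.12" key="exec"
type=EXECVE msg=audit(1716600000.005:105): argc=2 a0="python3" a1="/dev/shm/cf.py"
"""


def run_sample():
    """Run the hunt over the constructed log."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for severity, serial, reason in run_sample():
        print(f"[{severity}] event {serial}: {reason}")
```

On the sample, event 102 (bash as root under sudo) is suppressed by the broker allowlist, event 104 (a root /bin/sh whose parent is the user's login shell) is the high-severity hit, and events 103 and 105 surface the ELF and the Python script staged in /tmp and /dev/shm. auditd does not record the environment of an execve, only argv, so the TERM=xterm indicator from the report cannot be checked from these records; that needs EDR telemetry that captures environment variables.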

Control Gaps

  • Lack of kernel patching
  • Unrestricted execution from world-writable directories

Key Behavioral Indicators

  • Low-privilege process spawning a root shell
  • Execution of unknown, newly dropped ELF binaries or scripts from /tmp or /dev/shm
  • Presence of TERM=xterm in unexpected shell environments

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Apply vendor kernel updates for CVE-2026-31431 and reboot affected Linux hosts immediately.
  • If applicable, scan your software supply chain and build pipelines for the malicious PyPI package 'copyfail'.

Infrastructure Hardening

  • Audit setuid and setgid binaries on production Linux hosts and remove permissions where not required.
  • Consider mounting /tmp and /dev/shm with the noexec flag to block direct execution of staged ELF payloads. This does not stop the Python exploit variants, which run under the system interpreter, nor a payload copied to another writable path, so treat it as friction rather than a control.
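Checks for the noexec item above and for the 'copyfail' package scan under Immediate Mitigation, as an added example (my code, not from the ReversingLabs article or this page). It parses the /proc/self/mounts format and pip requirements syntax; the mount table, the requirements file and the example.invalid URL in it are constructed.

```python
"""Posture checks: noexec on staging mounts, and the 'copyfail' package in dependency manifests.

Added example; not code from the ReversingLabs article. SAMPLE_MOUNTS and
SAMPLE_REQUIREMENTS are constructed inputs.
"""
import re

STAGING_MOUNTS = ("/tmp", "/dev/shm", "/var/tmp")


def noexec_status(mounts_text):
    """Map each staging directory to 'ok', 'missing noexec' or 'no dedicated mount'.

    mounts_text is the content of /proc/self/mounts, one mount per line:
    <source> <mountpoint> <fstype> <options> <dump> <pass>
    A directory without its own mount inherits the (exec) options of its parent,
    and for stacked mounts the later line is the visible one.
    """
    opts_by_mount = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].replace("\\040", " ")   # /proc escapes spaces as \040
        opts_by_mount[mountpoint] = set(parts[3].split(","))
    status = {}
    for d in STAGING_MOUNTS:
        if d not in opts_by_mount:
            status[d] = "no dedicated mount"
        elif "noexec" in opts_by_mount[d]:
            status[d] = "ok"
        else:
            status[d] = "missing noexec"
    return status


def normalize(name):
    """PEP 503 normalization: case-insensitive, with runs of '-', '_' and '.' folded to '-'.
    Note that 'copy-fail' and 'copyfail' stay distinct projects."""
    return re.sub(r"[-_.]+", "-", name).lower()


REQ_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def find_package(requirements_text, target="copyfail"):
    """Return (line number, requirement) for every line whose project normalizes to target."""
    target = normalize(target)
    hits = []
    for lineno, raw in enumerate(requirements_text.splitlines(), 1):
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()   # drop comments
        if not line or line.startswith("-"):   # blank line or pip option (-e, --hash, ...)
            continue
        m = REQ_NAME_RE.match(line)
        if m and normalize(m.group(1)) == target:
            hits.append((lineno, line))
    return hits


# {distribution}-{version}[-{build}]-{python}-{abi}-{platform}.whl; the distribution
# part never contains '-', so the first component is the project name.
WHEEL_RE = re.compile(r"^([A-Za-z0-9_.]+)-[^-]+(?:-[^-]+)?-[^-]+-[^-]+-[^-]+\.whl$")


def is_package_wheel(filename, target="copyfail"):
    """True if a wheel file name (e.g. from a pip cache or dist/) belongs to target."""
    m = WHEEL_RE.match(filename)
    return bool(m) and normalize(m.group(1)) == normalize(target)


SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
CopyFail==0.1.0          # case differs only: the same PyPI project
copy-fail==0.1.0         # a different project: the separator is significant
copyfail[cli] @ https://example.invalid/copyfail-0.1.0-py3-none-any.whl
-e ./vendor/internal-tool
"""

if __name__ == "__main__":
    for mount, state in noexec_status(SAMPLE_MOUNTS).items():
        print(f"{mount}: {state}")
    for lineno, line in find_package(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {line}")
```

On a live host, feed noexec_status the content of /proc/self/mounts and run find_package over every requirements, constraints and lock file in the build pipeline; the wheel check covers pip download caches and dist directories, where the malicious package would appear by file name rather than by requirement line.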

User Protection

  • Evaluate whether endpoint security tools can alert on privilege escalation process chains.

Security Awareness

  • Educate development teams on the risks of malicious open-source packages and transitive dependencies in build pipelines.

MITRE ATT&CK Mapping

  • T1068 - Exploitation for Privilege Escalation
  • T1548.001 - Setuid and Setgid
  • T1059.004 - Unix Shell
  • T1059.006 - Python
  • T1195.002 - Compromise Software Supply Chain

Additional IOCs

  • File Hashes:
    • 133a79e9094c14c0f41378c712fd9a3f7687e5ab6f781bd5fb94774e64f4b48d (sha256) - ELF64/SO Linux.Exploit.DirtyFrag
    • 381755b623dd7a4c2b5d80aaf40d7083eea727dd1f473545539029656ca81817 (sha256) - ELF64/SO Linux.Trojan.DirtyFrag
    • a02ea2ba8108a9b7a997faa8808cfc55bb69af54e69178fa5aa1785681cf0ced (sha256) - ELF64/Exe Linux.Trojan.DirtyFrag, Linux.Exploit.DirtyFrag
    • 48c0bb0760a08a70fa6cf96c0102c968cb1bc62d319cba0a605247be1e2e4180 (sha256) - ELF64 Linux.Exploit.CVE-2026-31431
    • 76ad71ac3cf6d50bf4038048b9832df5e9aa63b85865c02ad1dd91cb2fdaef4b (sha256) - ELF64 Linux.Exploit.CVE-2026-31431
    • ea21dbc2c11ee666cb9e2b4d2cd1e6a4776b3ea6bff6d57f80a6cf31624791e9 (sha256) - ELF64 Linux.Exploit.CVE-2026-31431
    • bd855eb0a90c8cb6618662c48cc93d3a16cf9a7e4d945b70e3be3500f60042f9 (sha256) - Script/Python Linux.Exploit.CVE-2026-31431
    • 26865ea1744e00664a13b1a65f2e670def8d3bb84b10533f18f2e0ac43548fe0 (sha256) - ELF64 Linux.Exploit.CVE-2026-31431
    • b090751120d4814744c24253a820a67db5c3b2957c0334cf7d52e7847d6af409 (sha256) - ELF64 Linux.Trojan.Multiverze
    • d658fd3b2fe203180e6a3ef6863a5eb3cdd92cfecbaa68de5b8f550702762eab (sha256) - ELF64 Linux.Trojan.Multiverze
    • 5bd7df1c89cf9f69e6003d73a8e3b9eab9cf6025e6911f0fec0451da1673d6f0 (sha256) - ELF64 Linux.Trojan.Multiverze
    • c60c5527e49c3bb502b672b7fffc3eb5b8c6ff9d4e30eae5d559b54d2ce03a01 (sha256) - Script/Python Script-Python.Exploit.CVE-2026-31431
    • c935a349a974ef605b5a12141934d966315c0da5fe2343750815927a39f92881 (sha256) - Script/Python Script-Python.Exploit.CVE-2026-31431
    • affde15382361e2fb87a7d32a5260ab72cc5d2d734fd7de6d21a1c94d0f58d22 (sha256) - Script/Python Script-Python.Exploit.CVE-2026-31431
    • 424d306e8cba73ce83af5faf051a169d957a10213509d7132b620f427b4159bb (sha256) - ELF64 Linux.Exploit.CopyFail
    • 1507e6e6945bfdf652ef7ed2fe10e01245074fd54d29d8eca98f265a91c88e63 (sha256) - ELF64 Linux.Exploit.CopyFail
    • 26a75e5ef8d30ae678596fafe56e1f191d17fd9a438c463cd7dcefb765c2fb94 (sha256) - Archive/ZIP Linux.Exploit.CVE-2026-31431
    • 3c5ec61632d0699e048d8428461c4d65f89988a370396db2f070f63ebbf9dbae (sha256) - ELF64 Linux.Exploit.CVE-2026-31431
    • d401e7d1c00605749d6c617ace73ab20a762b72e41c2e1590331596e38219a61 (sha256) - ELF64 Linux.Exploit.CVE-2026-31431