News and Announcements

Dirty Frag Vulnerability (CVE-2026-43284, CVE-2026-43500)

Posted: 2026-05-08 10:41:39   Expiration: 2026-06-15 10:41:39

This document is the cybersecurity announcement for CVE-2026-43284 and CVE-2026-43500. Please see https://kb.wisc.edu/public-cloud/news.php?id=14131 for additional updates related to Copy Fail.

About the Event

On May 7, 2026, an independent security researcher released a security write-up for a privilege escalation vulnerability in the Linux kernel that affects every major Linux distribution.

 

Actions to Consider

Cybersecurity recommends Linux administrators apply patches where they are available within 3 days. Mitigations for Copy Fail are being published. Admins should review the potential impact and test where possible before deploying mitigations in their environments.

Cloud provider guidance:

Cybersecurity recommends prioritizing Linux devices that are/have:
  • Open to the world
  • Shared, where multiple users share the device, such as shared development boxes, jump boxes, build servers, and lab machines.
  • Kubernetes/container clusters.
  • GitLab runners, Jenkins agents, anything that automatically executes code as a regular user.
  • Software as a service that runs user code, such as JupyterHub or Jupyter Notebook.

Cybersecurity is continuing to evaluate and develop detections for indicators of compromise and will share information as it becomes available. If you believe you may have been compromised, please contact the Office of Cybersecurity at cybersecurity@cio.wisc.edu.

 

Event Impact

Any local unprivileged user would be able to obtain root-level access, resulting in a full system takeover. Proof of concept code is already publicly available.

 

References

 

-- Public Cloud: Steve Tanner