Linux Kernel Page Cache Vulnerabilities: CopyFail, Fragnesia, and DirtyDecrypt LPE Risks
An analysis of the CopyFail (CVE-2026-31431), Fragnesia, and DirtyDecrypt vulnerabilities within the Linux kernel, including exploitation mechanisms and mitiga…

Key Takeaways
- The CopyFail vulnerability (CVE-2026-31431) enables root escalation by writing just 4 bytes into the page cache.
- A compact 732-byte Python exploit works unmodified against major distributions, including Ubuntu, RHEL, and Debian.
- Fragnesia (CVE-2026-46300) and DirtyDecrypt leverage logic bugs to corrupt read-only files residing in RAM.
- CISA has mandated CopyFail patching by May 15, 2026, following evidence of active exploitation.
The Linux kernel is facing a cluster of local privilege escalation (LPE) vulnerabilities in its page cache handling. The flaws, dubbed CopyFail (CVE-2026-31431), Fragnesia (CVE-2026-46300), and DirtyDecrypt, show that corrupting a file's cached pages in RAM is enough to obtain deterministic root access. Because the file on disk is never modified, the attacks bypass integrity monitoring that checksums files on disk.
The flaws sit in the kernel's in-place copy paths and in its cryptographic subsystem, in optimizations that date back to 2017. The rapid release of working exploits and CopyFail's addition to CISA's Known Exploited Vulnerabilities catalog underline the severity. Until patched, most server and cloud estates running modern Linux distributions are exposed.
CopyFail (CVE-2026-31431): The AF_ALG Subsystem Risk
Disclosed on April 29, 2026, CopyFail (CVE-2026-31431) is a deterministic LPE in the AF_ALG cryptographic socket subsystem. The bug lives in the algif_aead module and stems from commit 72548b093ee3, which introduced an optimization for in-place writes. An unprivileged local user triggers it by combining an AF_ALG socket with the splice() system call.
Technically, CopyFail lets the attacker write four controlled bytes into the page cache beyond the intended region. Four bytes are enough to corrupt the cached pages of a setuid-root binary such as /usr/bin/su; by choosing those bytes, the attacker redirects the binary's execution flow to spawn a root shell. Palo Alto Networks Unit 42 has characterized the flaw as one of the most severe to hit the Linux ecosystem in recent years.
The exploit's simplicity is illustrated by a Python proof of concept (PoC) of only 732 bytes. The script uses nothing beyond the standard library and works unmodified against Ubuntu, RHEL, Debian, SUSE, Amazon Linux, and AlmaLinux on kernel versions 4.14 through 6.19.12. On May 1, 2026, CISA added the flaw to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by May 15.
Fragnesia and DirtyDecrypt: Advancing Page Cache Corruption
On May 14, 2026, Fragnesia (CVE-2026-46300) was disclosed with a CVSS score of 7.8, affecting the XFRM ESP-in-TCP subsystem. This logic bug allows arbitrary writes into the page cache of files the attacker can only open read-only. Wiz has confirmed that Fragnesia belongs to the same class of attacks as CopyFail and DirtyFrag, using the volatile in-memory copy of a file to circumvent filesystem permissions.
Separately, DirtyDecrypt (also known as DirtyCBC) was reported by the V12 team on May 9, 2026. It affects the rxgk module and therefore distributions such as Fedora, Arch, and openSUSE Tumbleweed, provided the kernel was built with CONFIG_RXGK. Maintainers have clarified that DirtyDecrypt is a duplicate of CVE-2026-31635, which was patched in the mainline kernel on April 25, 2026, but the public PoC keeps the risk high for anyone still running an unpatched kernel with rxgk available.
These attacks are particularly insidious because of how they evade detection. As noted by experts at Theori (and cited by researcher Bruce Schneier):
"The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing."
This is what makes the escalation invisible to classic integrity checks: the binary on disk still matches its recorded checksum or signature, because only the copy of its pages in RAM was corrupted, and that is the copy the kernel executes.
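The practical consequence of that quote is that the right place to look is the page cache itself, not the disk. The shell script below is an added example, not code from Theori or from any of the vendors cited on this page. It reads a file once through the page cache (a plain buffered read, which is what cmp performs) and once with O_DIRECT (dd's iflag=direct), which bypasses the cache and fetches the blocks from the storage device, then reports the first differing byte. It assumes a filesystem that supports O_DIRECT (tmpfs and some overlay setups do not, which the script reports as skipped rather than as a mismatch) and a dd that understands iflag=direct (GNU coreutils and BusyBox both do). The sample file in the self-check is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): detect a regular file whose
# page-cache copy no longer matches its on-disk blocks.
#
# Exit codes of pagecache_vs_disk:
#   0 = cached pages and on-disk blocks are identical
#   1 = MISMATCH: the cached copy differs from disk (first offset printed)
#   2 = O_DIRECT is not supported on this filesystem, check skipped
#   3 = file missing or unreadable

pagecache_vs_disk() {
    f=$1
    [ -r "$f" ] || return 3
    tmp=$(mktemp) || return 3
    # O_DIRECT read into a scratch file. bs=4096 satisfies the block alignment
    # rule of every common device; dd aligns its own buffer and tolerates a
    # short final block at EOF. If the filesystem rejects O_DIRECT (EINVAL),
    # dd fails and we report "skipped" instead of a false positive.
    if ! dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    # cmp reads $f through the page cache (the buffered side of the test) and
    # $tmp from the scratch copy. Its message names the first differing byte.
    if diff_out=$(cmp "$f" "$tmp" 2>&1); then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    printf 'MISMATCH %s\n' "$diff_out" >&2
    return 1
}

# Walk every setuid-root binary (the targets named in the article, /usr/bin/su
# among them) and classify each one. Assumption: one local filesystem tree.
scan_setuid() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null | while read -r f; do
        rc=0
        pagecache_vs_disk "$f" || rc=$?
        case $rc in
            0) printf 'ok        %s\n' "$f" ;;
            1) printf 'TAMPERED  %s\n' "$f" ;;
            2) printf 'skipped   %s (no O_DIRECT)\n' "$f" ;;
            *) printf 'error     %s\n' "$f" ;;
        esac
    done
}

# Usage: sh pagecache-check.sh --scan
#        sh pagecache-check.sh --check /usr/bin/su
case "${1:-}" in
    --scan)  scan_setuid ;;
    --check) pagecache_vs_disk "$2" && printf 'identical: %s\n' "$2" ;;
esac
```

An O_DIRECT read first writes back any pages the kernel has marked dirty, so a file that was legitimately modified and not yet flushed still compares equal; a mismatch therefore means the cached pages changed without the kernel marking them dirty, which is exactly what a page-cache corruption bug produces. The check is not atomic against a concurrent legitimate write, and a corrupted page that has already been evicted leaves nothing to find, so run it against the setuid binaries soon after a suspected event and treat any TAMPERED line as an incident rather than as noise.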
The Exploit Market and the Proposed "Killswitch"
Market interest in these LPEs is visible in underground circles. ThreatMon reported that a threat actor known as 'berz0k' listed a Linux zero-day exploit for $170,000. A direct link to Fragnesia remains unconfirmed, but the price reflects the value of a deterministic exploit that works across enterprise environments. The succession of flaws has also exposed weaknesses in the kernel's code review process.
The breach of the DirtyFrag information embargo by Bruce Schneier caused friction among maintainers and led Sasha Levin to propose a kernel "Killswitch": a mechanism that would let administrators disable a vulnerable subsystem at runtime without rebooting, closing the exposure window between bug discovery and patch deployment.
Remediation and Mitigation Strategies
The primary defense against CopyFail (CVE-2026-31431), Fragnesia (CVE-2026-46300), and DirtyDecrypt is an immediate kernel update. For CopyFail, systems must move to version 6.19.12 or higher, or apply the vendor backport for the algif_aead module. Prioritize systems with untrusted local users or exposed services.
Interim countermeasures can be applied while waiting for patches. For DirtyDecrypt, check whether the kernel was built with CONFIG_RXGK (in /boot/config-$(uname -r)) and whether the rxgk module is loaded; if the subsystem is not needed, unload it and prevent it from loading again. For AF_ALG-based PoCs, restrict access to the AF_ALG interface with SELinux or AppArmor policies so that unprivileged users cannot reach the vulnerable calls; where algif_aead is built as a module (CONFIG_CRYPTO_USER_API_AEAD=m) and not required, it can be kept from loading in the same way, whereas a built-in (=y) subsystem can only be constrained by policy.
Regarding third-party solutions, CloudLinux maintainers stated: "Customers who have already applied the Dirty Frag mitigation need no further action until patched kernels are released." Note that checksumming tools such as AIDE or Tripwire will not detect these intrusions; monitoring should instead focus on process behavior and strict access control.
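The checks in the two paragraphs above can be scripted. The following host audit is an added example and not a tool from any of the cited vendors. It assumes the CopyFail fix version is 6.19.12 as stated on this page, that the kernel config is readable at /boot/config-$(uname -r), and that rxgk and algif_aead are governed by CONFIG_RXGK and CONFIG_CRYPTO_USER_API_AEAD respectively. Distribution kernels that carry a backport keep an older version string, so a "below fix version" verdict must be confirmed against the vendor advisory rather than taken as final. The config file in the self-check is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit a host for the
# CopyFail / DirtyDecrypt interim mitigations described above.

COPYFAIL_FIXED=6.19.12   # fix version as stated in the article (assumption)

# Strip the distribution suffix: "6.8.0-45-generic" -> "6.8.0".
kver_base() { printf '%s\n' "${1%%-*}"; }

# Numeric dotted-version compare without relying on sort -V.
# Prints -1, 0 or 1. Non-numeric tails ("0+", "rc1") are ignored.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# True when the running kernel's base version is below the CopyFail fix.
copyfail_version_vulnerable() {   # $1 = output of uname -r
    [ "$(vercmp "$(kver_base "$1")" "$COPYFAIL_FIXED")" -lt 0 ]
}

# State of a Kconfig symbol in a config file: prints y, m or n.
# "# CONFIG_X is not set" and an absent symbol both yield n.
config_state() {   # $1 = config file, $2 = symbol
    s=$(sed -n "s/^$2=//p" "$1" 2>/dev/null)
    printf '%s\n' "${s:-n}"
}

# True when the named module is currently loaded.
module_loaded() { grep -q "^$1 " /proc/modules 2>/dev/null; }

audit_host() {
    kr=$(uname -r)
    cfg=/boot/config-$kr
    if copyfail_version_vulnerable "$kr"; then
        echo "CopyFail: kernel $kr is below $COPYFAIL_FIXED; confirm a vendor backport or update"
    else
        echo "CopyFail: kernel $kr is at or above $COPYFAIL_FIXED"
    fi
    if [ ! -r "$cfg" ]; then
        echo "config checks skipped: $cfg not readable"
        return 0
    fi
    for sym in CONFIG_RXGK CONFIG_CRYPTO_USER_API_AEAD; do
        echo "$sym=$(config_state "$cfg" "$sym")"
    done
    for mod in rxgk algif_aead; do
        if module_loaded "$mod"; then echo "module $mod: loaded"; else echo "module $mod: not loaded"; fi
    done
    # Only a modular (=m) subsystem can be kept out with modprobe; "install
    # ... /bin/false" also defeats an explicit modprobe, unlike "blacklist".
    # A built-in (=y) subsystem needs an LSM policy on AF_ALG sockets instead.
    for mod in rxgk algif_aead; do
        case $mod in rxgk) sym=CONFIG_RXGK ;; *) sym=CONFIG_CRYPTO_USER_API_AEAD ;; esac
        if [ "$(config_state "$cfg" "$sym")" = m ]; then
            echo "to block $mod until patched: echo 'install $mod /bin/false' > /etc/modprobe.d/block-$mod.conf; rmmod $mod if loaded"
        fi
    done
}

# Usage: sh copyfail-audit.sh --run
case "${1:-}" in --run) audit_host ;; esac
```

The version comparison is deliberately written in plain POSIX shell so the script behaves the same on a minimal BusyBox rescue image as on a full distribution. Treat its output as a worklist: a kernel below the fix version with algif_aead available and no backport confirmed is the combination that needs attention first.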
Conclusion
Page cache vulnerabilities are a critical threat to Linux security in 2026. The deterministic nature of CopyFail and the versatility of Fragnesia show that performance-focused optimizations can hide deep logic errors. CISA's rapid response signals that securing these systems is urgent, given that weaponized exploits are already available.
As the debate over the "Killswitch" mechanism continues, the burden of security remains tied to patch cycle agility. Administrators must closely monitor official bulletins for CVE-2026-31431 and CVE-2026-46300, recognizing that the window for securing systems is shrinking as exploit adoption accelerates.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/
- https://www.schneier.com/blog/archives/2026/05/copy-fail-linux-vulnerability.html
- https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
- https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html
- https://www.schneier.com/blog/archives/2026/05/how-dangerous-is-anthropics-mythos-ai.html
- https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html