Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:…:/:/bin/bash and su's into it. Same class as Copy Fail (CVE-2026-31431), different subsystem.
IPv6
Same bug exists in esp6_input and is not covered by the v4 fix f4c50a4034. PoC in ipv6/: ipv6/run.sh and ipv6/copyfail2v6.c. Uses ::1 loopback and ip -6 xfrm. ESP packet padded to >= 40 bytes to clear the xfrm6_input.c:124 size gate.
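A defender-side check for the end state described above, as an added example that is not part of the original PoC or thread: it flags any UID 0 account other than root, any empty password field, and any malformed line in a passwd file. Because the write lands in the page cache, the check reads the file through the normal read path, which is the same view su and login get. The function name audit_passwd and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a passwd(5) file for
# a rogue root-equivalent entry such as an overwritten nologin line.

# audit_passwd FILE
# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                      # ignore blank lines
        NF != 7 {                                # a partial overwrite can break the 7-field layout
            printf "malformed line %d: %s\n", NR, $0; bad = 1; next
        }
        $3 ~ /^0+$/ && $1 != "root" {            # root-equivalent account under another name
            printf "uid 0 account other than root: %s (shell %s)\n", $1, $7; bad = 1
        }
        $2 == "" {                               # empty field means no password is required
            printf "empty password field: %s (uid %s)\n", $1, $3; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: two ordinary entries and one rogue entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-demo::0:0:constructed sample:/:/bin/bash
EOF

if audit_passwd "$sample"; then
    echo "no findings"
else
    echo "findings reported above; on a real host run: audit_passwd /etc/passwd"
fi
rm -f "$sample"
```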
@Karakazzz
Not really another one. It abuses the same vulnerable esp4 module as DirtyFrag does, just in a different way. Mitigating dirtyfrag will mitigate copyfail2.
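#!/usr/bin/bash
# Module names to check for.
vulnerable=("algif_aead" "esp4" "esp6" "rxrpc" "xfrm_user" "xfrm_algo")
# Walk the loaded modules (first column of lsmod, header line skipped).
for module in $(lsmod | awk '{print $1}' | tail -n +2)
do
    for name in "${vulnerable[@]}"; do
        # Exact comparison; a regex match against the joined list also hits substrings.
        if [[ "$module" == "$name" ]]; then
            echo "The $module module is loaded on this system and is vulnerable..."
        fi
    done
done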
I have a couple of Intel(R) 10 Gigabit dual network cards using ixgbe which depends on the xfrm_algo module…