FYI, there is a new problem in the Linux kernel similar to Copy Fail that was fixed a few days ago. Unfortunately, there is again an exploit published.
The current 16.0 kernel 6.12.0-160000.29-default and the current Tumbleweed kernel 7.0.3-1-default are affected. For mitigation create a file /etc/modprobe.d/10-dirtyfrag.conf with content
and then unload these modules or reboot. Please be aware that this mitigation will break IPsec VPNs that use the ESP protocol. There is no CVE number as far as I know for this.
https://github.com/V4bel/dirtyfrag
This document describes the Dirty Frag vulnerability class, first discovered and reported by Hyunwoo Kim (@v4bel), which can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.
Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.
For detailed technical information and the timeline, see here.
Because the embargo has currently been broken, no patch or CVE exists. After consultation with the maintainers on linux-distros@vs.openwall.org and at their request, this Dirty Frag document is being published. For the disclosure timeline, refer to the technical details.
Note
2026-05-08 Update:
The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6.
The RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.
A week after Copy Fail (CVE-2026-31431), researcher Hyunwoo Kim disclosed a second Linux kernel local privilege escalation in the same broad area — IPsec ESP and rxrpc — and named it Dirty Frag. A working public proof-of-concept exists; any unprivileged local user can use it to gain root in a single command.
That vulnerability can just be exploited when logged in to my system as a local user, right? Meaning physical access and/or ssh access is needed if I understand it correctly!?
You may have services/apps running as an unprivileged user. Use sudo cat /etc/passwd to see. If some apps go rogue they now can become root and own your machine.
This is fixed now for Leap 16.0 with kernel 6.12.0-160000.30.1. The rxrpc module and the related AFS filesystem have been removed from the kernel config.
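
A check for the module-level mitigation from the first post, as an added example that is not part of the thread or of any project's code: it reports, per module, whether the module is still loaded and whether a modprobe.d directive blocks it. The module names `esp4` and `esp6` are assumptions for the ESP modules the post refers to (`rxrpc` is named in the thread), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the modules behind the mitigation are unloaded
# and blocked from loading. Module list is an assumption (see lead-in).
MODULES="${MODULES:-esp4 esp6 rxrpc}"

# is_loaded MODULE [FILE]: true if MODULE appears in the loaded-module list
# (FILE defaults to /proc/modules, whose first column is the module name).
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# is_blocked MODULE [DIR]: true if any *.conf file in DIR carries an
# "install MODULE ..." override or a "blacklist MODULE" line.
# Note: "blacklist" only stops alias-based autoloading; an "install"
# override also stops an explicit "modprobe MODULE".
is_blocked() {
    dir="${2:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            /^[ \t]*#/ { next }                       # skip comment lines
            ($1 == "install" || $1 == "blacklist") && $2 == m { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# report [FILE] [DIR]: prints "<module> <loaded|not-loaded> <blocked|unblocked>"
# per module; returns non-zero if any module is loaded or unblocked.
report() {
    rc=0
    for m in $MODULES; do
        if is_loaded "$m" "$1"; then l=loaded; rc=1; else l=not-loaded; fi
        if is_blocked "$m" "$2"; then b=blocked; else b=unblocked; rc=1; fi
        echo "$m $l $b"
    done
    return $rc
}

# Run against the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then report; fi
```

A module that shows as `loaded blocked` has the configuration in place but still needs the unload or reboot the first post mentions.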