Two critical Linux kernel privilege escalation vulnerabilities dropped in the past two weeks. Both are deterministic, single-command root exploits. One of them was discovered with AI assistance. The other had its embargo broken, and a working exploit was reverse-engineered within an hour of the patches appearing in the kernel tree.
This is what the acceleration curve looks like.
The vulnerabilities
Copy Fail (CVE-2026-31431, disclosed April 29) exploits the kernel’s algif_aead crypto interface to write 4 bytes into any page-cache-backed file. That’s enough to patch a setuid binary in memory and get root. CVSS 7.8.
Dirty Frag (CVE-2026-43284 + CVE-2026-43500, disclosed May 7) chains two bugs in the ESP (IPsec) and RxRPC kernel modules to achieve the same thing: writing attacker-controlled data into the page cache, corrupting read-only files in memory. Also CVSS 7.8. Also deterministic. Also universal.
Both belong to the same class: page-cache write primitives via in-place operations on non-owned page fragments. The kernel decrypts data directly over pages that belong to the page cache, which means an unprivileged user can modify the cached representation of any file on disk, including setuid binaries.
Why Dirty Frag is particularly bad
Most kernel privilege escalations depend on race conditions: you have to win a timing window, and exploitation is probabilistic. Dirty Frag is neither. It’s a deterministic logic bug with no race, no timing window, and no crash risk. It works every time.
The attack path:
- Use
splice(2)to feed page-cache-backed pipe pages into a socket routed through ESP or RxRPC processing - The kernel’s receive path decrypts incoming data in place over those page fragments
- Because the pages belong to the page cache (backing read-only files), the decryption writes directly into cached file content
- Corrupt a setuid binary like
/usr/bin/suin memory with shellcode - Execute it. Root.
The ESP half of the bug has existed since January 2017 (commit cac2661c53f3). That’s nine years of vulnerable kernels. The RxRPC half was introduced in June 2023. On Ubuntu, AppArmor blocks the ESP vector alone, so the published exploit chains both to bypass it.
The embargo was broken by an unrelated third party on May 7 before distributions could coordinate patches. Within approximately one hour, a working exploit was reverse-engineered from the patch diff and published. As of today, Ubuntu has not yet issued a patched kernel.
The “Dirty” family
This is the fourth named vulnerability in the page-cache corruption lineage:
| Year | Name | CVE | Mechanism |
|---|---|---|---|
| 2016 | Dirty COW | CVE-2016-5195 | COW page fault race condition |
| 2022 | Dirty Pipe | CVE-2022-0847 | Pipe buffer flag corruption |
| 2022 | Dirty Cred | CVE-2022-2588 | Credential swap via UAF |
| 2026 | Dirty Frag | CVE-2026-43284/43500 | Page-cache write via ESP/RxRPC frags |
Notice the trajectory. Dirty COW required winning a race condition. Dirty Pipe was easier but still needed specific pipe buffer state. Dirty Frag is fully deterministic. The exploits are getting simpler, more reliable, and harder to detect.
AI is accelerating discovery
Copy Fail was discovered using Xint Code, an AI-driven source code analysis tool. The researcher pointed it at the Linux crypto/ subsystem with a single prompt and had a working exploit path within an hour.
That’s not the only example. CVE-2025-37899, a use-after-free in ksmbd (the in-kernel SMB server), was discovered by OpenAI’s o3 model analyzing 12,000+ lines of SMB implementation code. Google’s Big Sleep project (Project Zero + DeepMind) found the first publicly documented AI-discovered zero-day in SQLite in October 2024 and has since found 20+ flaws in open-source software. KernelGPT used LLMs to generate syscall specifications for the Syzkaller fuzzer and found 24 new kernel bugs, 11 of which were assigned CVEs.
The Linux kernel became a CVE Numbering Authority in February 2024. Disclosure rates exploded: 3,500+ kernel CVEs in 2024 alone, running at 8-9 per day in early 2025. Not all of those are AI-found. But the critical ones, the deterministic privilege escalations that work on every machine, are increasingly coming from AI-assisted analysis. The pattern is human insight plus AI-amplified systematic code review. A researcher has a hunch about a subsystem, points an AI at it, and gets a confirmed exploit path in hours instead of weeks.
And they don’t just find individual bugs. LLMs are surprisingly effective at chaining seemingly minor vulnerabilities into full privilege escalation paths. Dirty Frag itself is a chain: two medium-severity bugs in different subsystems that individually don’t grant root, but combined give you deterministic page-cache writes. Palo Alto’s Unit 42 reports that frontier AI now excels at exactly this, combining multiple lower-severity issues into critical exploit paths that traditional scanners miss. Carnegie Mellon researchers demonstrated an LLM agent autonomously replaying the full multi-step Equifax breach sequence across simulated enterprise networks, chaining exploitation, lateral movement, and data exfiltration without human guidance.
This is not going to slow down. The models are getting better at code analysis faster than the kernel is getting reviewed.
How I mitigated my Ubuntu 24.04 servers
The vulnerable modules (esp4, esp6, rxrpc) are not loaded by default on most systems. They serve IPsec VPN and AFS filesystem use cases. If you don’t use either, blacklisting them eliminates the attack surface entirely.
Here’s the mitigation I deployed across my fleet:
# 1. Create a persistent blacklist for esp4, esp6, and rxrpc
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf"
# 2. Unload the modules from the current running session
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
# 3. Synchronize and drop page caches to flush memory
sudo sync && echo 3 | sudo tee /proc/sys/vm/drop_caches
# 4. Verify the mitigation is active
modprobe -n -v esp4
# Expected output: install /bin/falseTo deploy across multiple servers:
SERVERS="server1 server2 server3 server4 server5 server6 server7"
for host in $SERVERS; do
echo "--- $host ---"
ssh "$host" 'sudo sh -c "printf \"install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n\" > /etc/modprobe.d/dirtyfrag.conf" && sudo rmmod esp4 esp6 rxrpc 2>/dev/null; sudo sync && echo 3 | sudo tee /proc/sys/vm/drop_caches > /dev/null && modprobe -n -v esp4'
doneImportant caveats:
- If your servers use IPsec VPN, this mitigation will break it. Check with
ip xfrm statebefore applying. - This is a workaround, not a fix. Once Ubuntu issues a patched kernel, install it and remove
/etc/modprobe.d/dirtyfrag.conf. - The
drop_cachesstep flushes any potentially corrupted page cache. It causes a temporary performance dip as caches rebuild. - Copy Fail (CVE-2026-31431) uses a different module (
algif_aead) and requires its own mitigation. Check your distribution’s advisory.
What this means
We’re entering a period where AI-assisted vulnerability discovery is outpacing the patch cycle. Copy Fail was disclosed April 29. Dirty Frag was disclosed May 7 with its embargo already broken. That’s two deterministic root exploits in nine days, affecting every major Linux distribution.
The defensive playbook hasn’t changed: reduce attack surface, patch fast, monitor for exploitation. But “patch fast” assumes patches exist. When an embargo breaks and the exploit is public before the fix ships, the only option is mitigation. Know which kernel modules your servers actually need. Blacklist everything else. And watch your distribution’s security advisories like your infrastructure depends on it, because it does.