
CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise; the daily 2026-05-09 update synthesised the operator-side selection logic as: Copy Fail (algif_aead page-cache write) on hosts where the module is available; Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where user namespaces are enabled but algif_aead is not. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic — no kernel-version offsets, no timing windows. A public 732-byte Python exploit exists; Go and Rust reimplementations have appeared in public code repositories; Kaspersky validated the container-to-host escape vector on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive). Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive via page-cache write primitives in both subsystems; researcher Hyunwoo Kim disclosed it 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke embargo. CVE-2026-43500 distro patches remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09). Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family; runtime detection instead rests on auditd execve records for /usr/bin/su, /usr/bin/sudo or /usr/bin/passwd spawned from anomalous parent processes, EDR process-ancestry rules that flag root obtained from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation inside container namespaces.
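The two runtime signals the brief points to (privilege-changing binaries executed from an unexpected parent, and AF_ALG socket creation) can be checked directly against audit records. The following is an added example, not code from the brief or from any of the cited vendors: it parses constructed auditd SYSCALL lines (invented timestamps, pids and process names), resolves the parent's command name from a small constructed process table that stands in for the ppid lookup an EDR or audit pipeline would do, and returns findings. The expected-parent set and the use of the parent name as a container indicator are assumptions to tune per environment.

```python
"""Triage of Linux audit SYSCALL records for two runtime signals:
(a) execve of su/sudo/passwd from an unexpected parent process,
(b) creation of an AF_ALG socket.
Added example; all audit lines below are constructed, not captured from a host."""
import re

# x86_64 syscall numbers: execve = 59, socket = 41. AF_ALG is address family 38,
# which auditd renders as a0=26 because syscall arguments are logged in hex.
SYSCALL_EXECVE = "59"
SYSCALL_SOCKET = "41"
AF_ALG_HEX = "26"

PRIV_BINARIES = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}
# Parents from which an interactive privilege change is expected. This set is an
# assumption for the example; extend it (cron, specific systemd units) per host role.
EXPECTED_PARENTS = {"bash", "zsh", "sh", "sshd", "login", "systemd"}

# key=value pairs; values are either double-quoted or a run of non-whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Audit fields as a dict; surrounding quotes are stripped from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage(lines, proc_table):
    """Return (signal, exe, pid, parent_comm) tuples for suspicious SYSCALL records.

    proc_table maps a pid string to the command name of that process, standing in
    for the ppid resolution a real pipeline does from process telemetry."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # PROCTITLE, CWD, PATH etc. carry no syscall fields
        parent = proc_table.get(rec.get("ppid"), "?")
        if rec.get("syscall") == SYSCALL_EXECVE and rec.get("exe") in PRIV_BINARIES:
            if parent not in EXPECTED_PARENTS:
                findings.append(("privesc-exec", rec["exe"], rec.get("pid"), parent))
        elif rec.get("syscall") == SYSCALL_SOCKET and rec.get("a0") == AF_ALG_HEX:
            # Audit records do not say which namespace the process lives in; the
            # parent name is used here as a coarse container indicator.
            findings.append(("af_alg-socket", rec.get("exe"), rec.get("pid"), parent))
    return findings


# Constructed sample records (timestamps, pids and names are invented).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1778400000.100:101): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d1 ppid=4100 pid=4101 auid=1000 uid=1000 euid=0 comm="sudo" '
    'exe="/usr/bin/sudo" key="privesc"',
    'type=SYSCALL msg=audit(1778400000.200:102): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d2 ppid=5200 pid=5201 auid=4294967295 uid=1000 euid=0 comm="su" '
    'exe="/usr/bin/su" key="privesc"',
    'type=SYSCALL msg=audit(1778400000.300:103): arch=c000003e syscall=41 success=yes '
    'exit=3 a0=26 a1=5 a2=0 ppid=5200 pid=5202 auid=4294967295 uid=1000 '
    'comm="python3" exe="/usr/bin/python3.11" key="af_alg"',
    'type=PROCTITLE msg=audit(1778400000.300:103): proctitle="python3"',
]
# Constructed parent lookup: 4100 is an interactive shell, 5200 a container runtime shim.
SAMPLE_PROC_TABLE = {"4100": "bash", "5200": "containerd-shim"}


def sample_findings():
    """Run the triage over the constructed sample; returns two findings."""
    return triage(SAMPLE_LINES, SAMPLE_PROC_TABLE)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Records of this shape come from an audit watch such as `-w /usr/bin/su -p x -k privesc` (one per binary) and a syscall rule such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg`; the sudo record from a bash parent is deliberately not flagged, which is where the expected-parent set earns its keep against alert volume.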

Mitigation hierarchy (kernel patches first; the remaining steps are for hosts where patches are not yet deployable):

1. Kernel patches: Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail.
2. Blacklist algif_aead via modprobe.d and run update-initramfs -u.
3. modprobe -r esp4 esp6 rxrpc for Dirty Frag (breaks IPsec VPNs and AFS).
4. seccomp profiles blocking AF_ALG socket creation for containerised workloads.
5. Disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.
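One way to turn that hierarchy into a repeatable host check, as an added example that is not code from the brief or from any distribution: it takes constructed snapshots standing in for `uname -r`, /proc/modules and sysctl output, decides which steps are still outstanding on the host, and renders the modprobe.d content. The upstream fix versions and the distro sysctl names come from the brief; the `install algif_aead /bin/false` line, the distro-key mapping, the assumption that the version check applies only to vanilla kernel numbers, and the action wording are this example's own choices.

```python
"""Posture check for the Copy Fail / Dirty Frag mitigation hierarchy.
Added example; inputs are constructed snapshots, not output from a real host."""
import re

# Upstream fix versions quoted in the brief for Copy Fail, keyed by stable branch;
# 7.0 and later are handled separately below.
COPY_FAIL_FIXED = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}
DIRTY_FRAG_MODULES = ("esp4", "esp6", "rxrpc")
# sysctl that disables unprivileged user namespaces per distro family (from the brief).
USERNS_SYSCTL = {
    "ubuntu": "kernel.unprivileged_userns_clone",
    "debian": "kernel.unprivileged_userns_clone",
    "rhel": "user.max_user_namespaces",
}


def parse_kver(uname_r):
    """Leading major.minor[.patch] of a `uname -r` string, e.g. '6.18.20-generic'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def copy_fail_patched(uname_r):
    """Upstream-number check only: True/False on the branches the brief lists, None
    for other branches and distro-backported kernels (compare the package version
    against the distro advisory in that case instead of guessing)."""
    v = parse_kver(uname_r)
    if v[0] >= 7:
        return True
    fixed = COPY_FAIL_FIXED.get(v[:2])
    return None if fixed is None else v >= fixed


def loaded_modules(proc_modules_text):
    """Module names from /proc/modules-style text (first column of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def modprobe_blacklist_conf():
    """Contents for a file under /etc/modprobe.d/. The `install` line is an addition
    beyond the brief's wording: `blacklist` alone stops alias-based autoload, while
    `install ... /bin/false` also defeats an explicit modprobe of the module."""
    return "blacklist algif_aead\ninstall algif_aead /bin/false\n"


def recommend(uname_r, proc_modules_text, sysctls, distro, runs_containers):
    """Ordered list of (step, action) still outstanding on this host."""
    actions = []
    patched = copy_fail_patched(uname_r) is True
    if not patched:
        actions.append((1, "apply kernel patch, or confirm the backport via the distro advisory"))
        # AF_ALG use triggers module autoload, so "not currently loaded" is no
        # protection: the blacklist is recommended whenever the kernel is unpatched.
        actions.append((2, "install modprobe.d blacklist for algif_aead, then update-initramfs -u"))
    present = [m for m in DIRTY_FRAG_MODULES if m in loaded_modules(proc_modules_text)]
    if present:
        actions.append((3, "modprobe -r " + " ".join(present) + " (breaks IPsec VPNs / AFS)"))
    if runs_containers:
        actions.append((4, "seccomp profile denying socket(AF_ALG, ...) for container workloads"))
    key = USERNS_SYSCTL.get(distro)
    if key and sysctls.get(key) != "0":
        actions.append((5, f"sysctl -w {key}=0 and persist it under /etc/sysctl.d"))
    return actions


# Constructed snapshot: vanilla 6.18.20, algif_aead and esp4 loaded, Ubuntu,
# unprivileged user namespaces enabled, host runs containers.
SAMPLE_UNAME_R = "6.18.20"
SAMPLE_PROC_MODULES = """algif_aead 16384 0 - Live 0x0000000000000000
esp4 24576 0 - Live 0x0000000000000000
nf_tables 294912 0 - Live 0x0000000000000000
"""
SAMPLE_SYSCTLS = {"kernel.unprivileged_userns_clone": "1"}


def sample_assessment():
    """Assessment of the constructed snapshot; all five steps come back outstanding."""
    return recommend(SAMPLE_UNAME_R, SAMPLE_PROC_MODULES, SAMPLE_SYSCTLS, "ubuntu", True)


if __name__ == "__main__":
    for step, action in sample_assessment():
        print(f"{step}. {action}")
    print(modprobe_blacklist_conf(), end="")
```

Distro kernels such as the RHEL 5.14.0 build carry backports that the upstream version number does not reveal, which is why the check returns None there rather than a verdict; feed those hosts the package version from the advisory instead.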