A newly disclosed Linux vulnerability called Dirty Frag allows attackers with unprivileged access to escalate privileges to root by exploiting kernel networking and memory-fragmentation handling. Microsoft Defender has detected limited active exploitation in the wild, and the flaw can be leveraged after initial compromise through SSH, web shells, containers, or low-privileged accounts.

Security researchers have disclosed details of Dirty Frag, a new unpatched local privilege escalation vulnerability in the Linux kernel that builds upon Copy Fail (CVE-2026-31431), a recently disclosed flaw already under active exploitation. The vulnerability has been reported to Linux kernel maintainers.

A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. [...]

Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. Referred to as "Dirty Frag," this vulnerability was discovered and reported by Hyunwoo Kim (@v4bel) [1]. In this diary, I will provide a brief background on Dirty Frag, and discuss its relationship to Copy Fail.