Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild

Copy Fail, Copy Fail 2, and DirtyFrag are Linux kernel privilege escalation bugs that corrupt the page cache through legitimate kernel interfaces to reach root. Copy Fail has already been reported as exploited in the wild and added to CISA’s Known Exploited Vulnerabilities catalog. Elastic Security Labs recommends behavior-based detection together with mitigations such as kernel patching, module blocking, dropping the page cache, and restricting unprivileged user namespaces.

Keypoints

  • Copy Fail, Copy Fail 2, and DirtyFrag are Linux kernel privilege escalation vulnerabilities tied to subtle page-cache corruption.
  • Copy Fail creates a controlled 4-byte page-cache write by chaining AF_ALG and splice(), allowing privilege escalation through a setuid binary.
  • DirtyFrag extends the same bug class into the networking stack and has ESP and RxRPC exploit paths.
  • DirtyFrag can overwrite /usr/bin/su or corrupt /etc/passwd, and it does not depend on the algif_aead module.
  • Copy Fail has multiple public reimplementations, and DirtyFrag is available as a public C proof of concept.
  • Elastic Security Labs emphasizes detecting exploitation primitives and behavior, not just matching a specific PoC.
  • Mitigations include updating the Linux kernel, blocking affected modules, dropping the page cache, and restricting unprivileged user namespaces.

MITRE Techniques

  • [T1055] Process Injection – The exploits influence in-memory execution of privileged binaries to run attacker-controlled code as root (‘corrupt the in-memory view of a setuid binary’ and ‘causing it to run attacker-controlled code as root’).
  • [T1562] Impair Defenses – Mitigations and defensive visibility are discussed through module blocking and detection evasion concerns (‘disabling the algif_aead module prevents the AF_ALG AEAD path’ and ‘systems that only applied the Copy Fail mitigation may still be exposed’).
  • [T1068] Exploitation for Privilege Escalation – The vulnerabilities are directly used to gain root on Linux systems (‘highlight how subtle page cache corruption bugs can become practical, reliable paths to root’).
  • [T1027] Obfuscated Files or Information – The exploit relies on short proof-of-concept code and different implementations to avoid simple signature matching (‘short proof-of-concept code’ and ‘multiple public reimplementations’).
  • [T1106] Native API – The attacks use legitimate kernel interfaces and syscalls such as socket(), splice(), and unshare() (‘rely on socket(AF_ALG) to access the kernel crypto subsystem’ and ‘unshare(CLONE_NEWUSER | CLONE_NEWNET)’).
  • [T1136.001] Create Account: Local Account – DirtyFrag can clear root’s password field in /etc/passwd, affecting local account access (‘corrupt /etc/passwd, clearing root’s password field’).
  • [T1611] Escape to Host – The exploit chain uses user and network namespaces before triggering the page-cache write (‘unshare(CLONE_NEWUSER | CLONE_NEWNET) to gain namespace capabilities’).

Indicators of Compromise

  • [File paths] Privileged targets and configuration files affected by the exploits – /usr/bin/su, /etc/passwd
  • [File names] Kernel module blocklist files suggested for mitigation – copyfail.conf, dirtyfrag.conf
  • [Kernel modules] Modules disabled to block exploit paths – algif_aead, esp4, esp6, rxrpc
  • [Syscalls] Exploitation primitives used repeatedly by the attack chain – socket, splice, unshare
  • [Socket families / protocol IDs] Auditd-visible values linked to the relevant sockets – AF_ALG (26), AF_RXRPC (21), and bound socket family 38
  • [Process names] Common SUID binaries and shells involved in detection and abuse – su, sudo, pkexec, bash, sh, passwd, and other N items
  • [Paths / executables] Suspicious parent executable locations used in detection logic – /tmp/*, /var/tmp/*, /dev/shm/*, /home/*/*, and other N items
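The module-blocking mitigation named in the keypoints and the Indicators of Compromise (blocklist files copyfail.conf and dirtyfrag.conf covering algif_aead, esp4, esp6 and rxrpc) can be rendered as modprobe.d configuration. The script below is an added example, not code from the Elastic Security Labs write-up; the file and module names come from the summary, while the `install ... /bin/false` form, the sysctl key for user namespaces and the drop_caches command are assumptions based on standard Linux administration, not on the page.

```shell
#!/bin/sh
# Added example: generate the modprobe.d blocklist files named in the summary.
# Module and file names are from the summary; the exact directive forms and
# sysctl key below are assumptions, not taken from the write-up.

# render_blocklist MODULE... : print modprobe.d lines for each module.
# "blacklist" only stops alias-based autoloading; "install MOD /bin/false"
# also makes an explicit modprobe of the module fail.
render_blocklist() {
    for mod in "$@"; do
        printf 'blacklist %s\n' "$mod"
        printf 'install %s /bin/false\n' "$mod"
    done
}

# write_mitigation_confs DIR : write copyfail.conf (AF_ALG AEAD path) and
# dirtyfrag.conf (ESP and RxRPC paths) under DIR. On a real host DIR is
# /etc/modprobe.d; a scratch directory lets the function run without root.
write_mitigation_confs() {
    dir="$1"
    mkdir -p "$dir"
    render_blocklist algif_aead > "$dir/copyfail.conf"
    render_blocklist esp4 esp6 rxrpc > "$dir/dirtyfrag.conf"
}

# module_is_blocked DIR MODULE : succeed if some *.conf under DIR carries an
# "install MODULE /bin/false" line, i.e. the module cannot be loaded.
module_is_blocked() {
    grep -qs "^install $2 /bin/false\$" "$1"/*.conf
}

# render_userns_sysctl : print a sysctl.d line that disables unprivileged
# user namespaces (assumed key; Debian/Ubuntu kernels expose
# kernel.unprivileged_userns_clone instead, check `sysctl -a` on the host).
render_userns_sysctl() {
    printf 'user.max_user_namespaces = 0\n'
}

# Dropping the page cache (assumed to be what "dropping the page cache" in
# the summary refers to) evicts cached file pages, including any corrupted
# copy of a setuid binary, so the next read comes from disk:
#   sync && echo 3 > /proc/sys/vm/drop_caches
# Run as root, after the module blocklist is in place:
#   write_mitigation_confs /etc/modprobe.d
#   render_userns_sysctl > /etc/sysctl.d/99-userns.conf && sysctl --system
```

Blocking esp4/esp6 disables IPsec ESP on the host, and blocking algif_aead breaks user-space consumers of the kernel AEAD interface, so check for legitimate use before rolling these files out; the summary's own point that systems applying only the Copy Fail mitigation may still be exposed is why both files are written together.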

Read more: https://www.elastic.co/security-labs/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild