ReversingLabs documented 163 samples tied to CVE-2026-31431, also referred to as Dirty Frag or Copy Fail, with activity beginning before the public embargo break and continuing through May 8, 2026. The corpus spans ELF binaries, Python scripts, a malicious PyPI wheel, and trojanized samples attributed to Linux.Trojan.Multiverze; RL released YARA rules and hunting queries to detect the exploit and its variants.
Key points
- ReversingLabs identified 163 unique samples linked to CVE-2026-31431 across multiple threat-name conventions.
- Activity began at least 9 days before the embargo break, with the earliest malicious sample first seen on April 29, 2026.
- The corpus includes 148 samples tagged with exploit:CVE-2026-31431 and 15 V4bel/dirtyfrag-derived samples tracked separately as DirtyFrag.
- Observed variants span ELF binaries, Python scripts, a malicious PyPI wheel, and trojanized samples attributed to Linux.Trojan.Multiverze.
- RL published YARA rules to detect the V4bel reference shellcode and hunting queries to cover the full sample set.
- The shellcode normalizes root credentials by calling setgid(0), setuid(0), and setgroups(0, NULL), then spawns /bin/sh via execve with TERM=xterm set in the environment.
- Ubuntu released fixes for CVE-2026-31431, and the article urges immediate patching plus supply-chain and host-based hunting.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The Linux kernel vulnerability is used to gain root access after exploitation (‘CVE-2026-31431 kernel vulnerability triggers root access’).
- [T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid – Shellcode calls setgid(0), setuid(0), and setgroups(0) to normalize root credentials (‘setgid(0) — set group ID to root’, ‘setuid(0) — set user ID to root’, ‘setgroups(0, NULL) — clear supplementary groups’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The payload spawns an interactive shell via execve to launch /bin/sh (‘The fourth string targets the execve call’, ‘/bin/sh invocation’).
- [T1059.006] Command and Scripting Interpreter: Python – Python-script variants were observed in the corpus (‘Sample variants span ELF binaries, Python scripts’).
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – A malicious PyPI wheel carries the exploit code (‘a malicious PyPI wheel’).
Indicators of Compromise
- [SHA-256] Representative malicious samples from the corpus – e7fb35c16fbe6285d4f36764fe5f6f81b0ff51c047f5716bbb8ae60b8318d82e, 133a79e9094c14c0f41378c712fd9a3f7687e5ab6f781bd5fb94774e64f4b48d, and 23 other hashes listed in the source article
- [File name] Malicious PyPI package referenced in the research – copyfail-0.1.0-py3-none-any.whl, plus the dirtyfrag reference implementation
- [Threat names] RL cluster names used for detection and hunting – Linux.Exploit.CVE-2026-31431, Linux.Exploit.DirtyFrag, Linux.Trojan.Multiverze, and other named variants
- [YARA rule names] Detection rules published by RL – DirtyFrag_Reference_Shellcode_1, RL_DirtyFrag_Linux_PrivEsc_Shellcode_2026
- [Exploit/hunting query strings] Spectra Intelligence queries for corpus coverage – exploit:CVE-2026-31431, threatname:DirtyFrag, and threatname:Linux.Trojan.Multiverze AND exploit:CVE-2026-31431
Read more: https://www.reversinglabs.com/blog/dirtyfrag-linux-privilege-escalation-exploit