
Breaking from the normal Patch Tuesday cadence for an emergency drop. On May 7, security researcher Hyunwoo Kim published a working proof-of-concept for DirtyFrag - a Linux kernel local privilege escalation chain that gets unprivileged users to root on every major distribution. The embargo was broken by a third party before distribution backports were ready, so the exploit is public and the patch is not.

CTO Jason Kikta and Landon Miles walk through what makes DirtyFrag different from the Copy Fail mitigation many teams already deployed (spoiler: the Copy Fail mitigation does NOT cover this), why AWS is calling it a class rather than a single CVE, and the five kernel modules you need to block right now: esp4, esp6, ipcomp4, ipcomp6, and rxrpc.

In this episode:

- Why the embargo break matters and what changed on May 7
- How DirtyFrag chains CVE-2026-43284 and CVE-2026-43500 to defeat both Ubuntu's namespace policy and the absence of rxrpc.ko on other distros
- Why this is the third generation of a bug class (DirtyPipe → Copy Fail → DirtyFrag) and what that means for what comes next
- The Automox Worklet that mitigates both arms across your Linux fleet, and what it deliberately does not do
- Tested affected platforms: Ubuntu 24.04, RHEL 10.1, AlmaLinux 10, CentOS Stream 10, openSUSE Tumbleweed, Fedora 44

Back to the regular Patch Tuesday schedule next week.

Links:

- Full blog post and mitigation guidance
- Automox Worklet (in-console for customers): Worklet source on GitHub
- Hyunwoo Kim's PoC and write-up
- AWS Security Bulletin 2026-027
- CVE-2026-31431 (Copy Fail, parent issue)
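
An added example, not Automox's Worklet and not code from the episode: a read-only check of whether the five modules named in these notes are blocked by modprobe configuration or are already loaded. The `install <module> /bin/false` convention, the file paths and the function names are assumptions; the module list is copied from the notes above.

```bash
#!/bin/sh
# Read-only audit: are the five modules named in the episode notes blocked?
# Module list is copied from the page; paths and function names are assumptions.
MODULES="esp4 esp6 ipcomp4 ipcomp6 rxrpc"

# True if a modprobe.d file maps "install <module>" to /bin/false or /bin/true,
# which turns every modprobe of that name into a no-op. A "blacklist" line is
# not counted: it only disables alias matching, and "modprobe <name>" still loads.
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+(/usr)?/s?bin/(false|true)([[:space:]]|\$)" "$2"/*.conf
}

# True if the module appears in a /proc/modules-format file (name is field 1).
is_loaded() {
    grep -q "^$1 " "$2"
}

# audit_modules CONF_DIR PROC_MODULES
# Prints "<module> <status>" per module; returns 1 if any module is exposed.
audit_modules() {
    am_rc=0
    for am_mod in $MODULES; do
        if is_loaded "$am_mod" "$2"; then
            echo "$am_mod LOADED"; am_rc=1   # a config block does not unload it
        elif is_blocked "$am_mod" "$1"; then
            echo "$am_mod blocked"
        else
            echo "$am_mod loadable"; am_rc=1
        fi
    done
    return "$am_rc"
}

# Usage: sh audit.sh /etc/modprobe.d /proc/modules
if [ "$#" -eq 2 ]; then audit_modules "$1" "$2"; fi
```

A module reported as `LOADED` stays in the running kernel until it is removed or the host reboots, whatever the configuration says.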