Security Leftovers (Lots of Scaremongering Over Linux for Yet-Unknown Bug)
-
Kevin Liu ☛ Easy improvements to personal opsec
I’ve been thinking more about how to be a little more private. In an era where LLMs can automatically deanonymize people from their writing, find zero-days en masse, and may potentially displace jobs, it seems safe to say that the variance of the next few years will be significantly higher than the two decades pre-2025.
Threat model: A casual adversary who asks Grok-5 for “name, phone, and address of all people in [X reference group],” with the intent of causing disruption or harm. I don’t expect the strategies below to work against adversaries that are highly-competent (including but not limited to government actors) or specifically targeting you; it’s very possible they won’t even work against casual adversaries in the future.
-
Andrew Helwer ☛ Laptops all have built-in security tokens these days
I’ve been a fan of security tokens for a decade now and have accrued quite a collection. This redundancy isn’t a bad thing, as security tokens are easily misplaced and the only way to recover from a lost token is using a second token that is also registered with the service you’re trying to access. I use security tokens whenever I can! SSH authentication, universal two-factor (U2F) authentication, passwordless local login, sudo command elevation, and git commit signing are all things I use security tokens for every day. When I take my laptop traveling, there also travels a yubikey. However, it took me an oddly long time to realize that I’m a relic of a bygone era. Laptops and smartphones all have built-in security tokens these days! I’ve been carrying around yubikeys when an even better one is built right into my macbook. This post is about how I use security tokens, and how I configured my laptop’s secure element to replace my yubikey collection.
-
Kernel Space / File Systems / Virtualization
-
SJVN ☛ Fix "Copy Fail" before your Linux system gets sick
The newly disclosed Linux kernel vulnerability dubbed “Copy Fail” allows any local user to become root on most mainstream Linux systems. Yow! But the fix is in, so patch it already!
-
It's FOSS ☛ Dirty Frag is a New Linux Exploit That Grants Root, and There's No Proper Patch Yet
A working exploit is already out, and systems that patched Copy Fail are still exposed.
-
Hackaday ☛ This Week In Security: Another Linux Exploit, Ubuntu Knocked Offline, Finals Interrupted, And Backdoored Tools
After the CopyFail vulnerability gave root access from any user on almost all distributions last week, this week we’ve got DirtyFrag. This chains the vulnerability in CopyFail (xfrm-ESP) and a new vulnerability in an RPC function which allows similar overwriting of the page cache.
-
Security Affairs ☛ Dirty Frag: A new Linux privilege escalation vulnerability is already in the wild
Dirty Frag: unpatched Linux kernel flaw grants root access on Ubuntu, RHEL and Fedora. A working exploit is already public.
-
Hacker News ☛ Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
-
Hackster ☛ Dirty Frag Is a Zero-Day Disaster for Linux
This past week has been a brutal time to be a Linux user. Under normal circumstances, we gloat at Windows users about how our daily drivers are virtually unhackable. We laugh about how they use malware scanners and antivirus software. "Maybe try a real operating system," we say. But the Copy Fail exploit revealed last week, and now the Dirty Frag exploit that was just announced, have us Linux users eating a big slice of humble pie.
-
Electropages ☛ Major Linux Vulnerability – CopyFail
Bugs in operating systems are not new, but like some of the major ones in the past, CopyFail is one that introduces major vulnerabilities into Linux as a result of a poorly coded commit back in 2017. What exactly is the new bug, why is it so dangerous, and what does this say about open-source software in general?
-
TechRadar ☛ Another major Linux security flaw revealed — 'Dirty Frag' allows root on all major distros, with no patch or fix available yet
Some of the most widely used and influential Linux distributions are vulnerable to a zero-day flaw that allows threat actors to gain root privileges, and a patch has not yet been made public, experts have warned.
-
Security Boulevard ☛ Dirty Frag (CVE-2026-43284, CVE-2026-43500): Frequently asked questions about this Linux kernel privilege escalation vulnerability chain
Weeks after the Copy Fail vulnerability was revealed, a new Linux kernel escalation vulnerability has been uncovered. Dubbed “Dirty Frag,” this flaw could allow a local user to gain root access on affected Linux distributions. Public exploit code has been released prior to patches being made available.
-
Active attack: Dirty Frag Linux vulnerability expands post-compromise risk [Ed: Microsoft wholeheartedly riding the FUD wave, then asks media to quote it like it "owns" Linux]
-
HowTo Geek ☛ Dirty Frag vulnerability in Linux lets hackers do more damage—here's how to protect yourself
The Linux community is dealing with its second major security risk in as many weeks. Security researcher Hyunwoo Kim has disclosed a new zero-day vulnerability, Dirty Frag, that gives intruders more control over virtually any Linux distribution once they have an initial foothold.
-
Hot Hardware ☛ New Dirty-Frag Exploit Targets Linux Kernel: Serious Memory Flaw Grants Root Access
Discovery of the Copy Fail Linux kernel exploit sparked widespread discussion and concern around Linux kernel security earlier this month, and that was for an exploit that had mostly already been patched by the time the public was made aware of it. Unfortunately, a similar follow-up Linux Kernel exploit has risen up to take Copy Fail's place, and Dirty Frag has now been disclosed ahead of any mitigation patches, making it a more dangerous exploit for real-world scenarios until formal patches are released. That's the bad news; the good news is that users of affected distros can already take measures to manually remove the weakness Dirty Frag exploits for themselves.
-
‘Dirty Frag’ Linux zero-day exposes most distributions to LPE
A second zero-day in the Linux kernel was reported inside of 10 days — this time “Dirty Frag,” a bug that much like the recent "Copy Fail" vulnerability affects practically all Linux distributions.
-
Information Security Media Group, Corporation ☛ 'Dirty Frag' Gives Root on Linux Distros
Security researchers have discovered a new, critical flaw in the Linux kernel that attackers can exploit to gain root access. No patches are yet available.
-
Cybernews ☛ Two critical Linux kernel exploits dropped with no patches available
Unprivileged users on a Linux system can gain root privileges in seconds using two recently disclosed critical kernel exploits, with no patches available. The multiplying kernel exploits put most cloud infrastructure at risk. Until patches arrive, security researchers warn users to be extra careful when installing new software or updating packages.
-
Forbes ☛ Critical New Linux Zero-Day Leaked—What Admins Need To Do Now
If you thought that Linux was somehow the safe and secure choice of operating system, you might want to think again. Hot on the heels of the Copy Fail access vulnerability that had remained hidden for 9 years comes news that a new zero-day, with no patch available and granting hackers root, has been confirmed. On Friday, May 8, 2026, the Dirty Frag vulnerability was publicly disclosed after a strict embargo regarding the vulnerability was broken. As such, and with a proof of concept exploit known, it’s now only a matter of time before threat actors use this in the wild to attack systems. Here’s what we know about CVE-2026-43284 and the workaround you can employ to mitigate against attacks.
-
Dolphin Publications B V ☛ Linux vulnerability ‘Dirty Frag’ affects nearly all distributions
A new critical Linux vulnerability named Dirty Frag is causing concern among system administrators and Linux distributors. The flaw allows an attacker to gain direct root privileges from a local account on a large number of Linux systems released since 2017. However, the first patches are now available for some distributions.
This is reported by various sources, including Tom’s Hardware and AlmaLinux. Dirty Frag was made public this week after an embargo surrounding the vulnerability was lifted prematurely. According to the information released, the issue involves a flaw in the Linux kernel located in components related to IPsec ESP and rxrpc. The vulnerability is reportedly easy to exploit and affects virtually all major Linux distributions, including Ubuntu, Fedora, RHEL-based systems, Arch Linux, and AlmaLinux.
-
Bleeping Computer ☛ New Linux 'Dirty Frag' zero-day gives root on all major distros
A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command.
Security researcher Hyunwoo Kim, who disclosed it earlier today and published a proof-of-concept (PoC) exploit, says this local privilege escalation was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface.
-
Help Net Security ☛ Dirty Frag: Unpatched Linux vulnerability delivers root access
A week after Copy Fail, another Linux local privilege escalation vulnerability dubbed “Dirty Frag” has been revealed, along with a PoC exploit.
-
Qualys ☛ Dirty Frag: Using the Page Caches as an Attack Surface
Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities that can allow an unprivileged local user to escalate to root on many major Linux distributions.
-
WARNING: New Critical Linux Vulnerability "Dirty Frag" Enables Root Access Across Every Major Linux Distribution
A newly disclosed Linux kernel vulnerability chain known as “Dirty Frag” is raising urgent concerns across the cybersecurity community after researchers revealed that the flaw can reliably grant root privileges on many of the world’s most widely deployed Linux distributions, including enterprise server environments and cloud infrastructure platforms.
-
Hacker News ☛ New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm."
-
Security Affairs ☛ Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence
Researchers uncovered QLNX, a Linux RAT targeting developers to steal credentials, log keystrokes, monitor systems, and enable remote access.
-
New Quasar Linux implant targets developers with rootkit and backdoor capabilities
As reported by Bleeping Computer, a new Linux implant named Quasar Linux (QLNX) has been identified, specifically targeting developers' systems with a sophisticated combination of rootkit, backdoor, and credential-stealing functionalities.
-
Hacker News ☛ Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling.