Have you run your Linux distribution updates recently? You probably should, because Dirty Frag and Copy Fail are coming for you. Two major Local Privilege Escalation (LPE) security issues have been revealed in a short time, which is not ideal.
For Copy Fail that was revealed at the end of April the website notes it simply enough for you "An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root" - pretty bad. There's thankfully some patches rolling out across different distributions for it.
And now we also have Dirty Frag, which has been fully revealed early due to an embargo being broken and so Linux distribution developers will need to scramble to get patches ready for it. The impact is very similar to Copy Fail, enabling an attacker to gain root access to your system to do whatever they feel like.
However, a quick workaround (taken from the Dirty Frag disclosure) can be done as noted to protected yourself via terminal:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This is a special case, because no current patches exist. It should be fine to run on any distribution.
Keep a close eye on updates coming in over the next week, you're going to need them.
Article taken from GamingOnLinux.com.
About the author - Liam Dawe
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon [External Link].
See more from me
See more from me
Some you may have missed, popular articles from the last month:
You can also find comments for this article on social media: All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.
11 comments
Note that both vulnerabilities are for a local user to gain root access.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
5 Likes
PlayingOnLinuxphone 10 hours ago
From the [issues](https://github.com/V4bel/dirtyfrag/issues) it seems Debian 12 is not affected, 13 and 14 are. I cannot say how trustworthy. The one-line-command also deletes the compromised cache, so infected systems should be clean after that command (if no malware got installed) if I understand it correctly. After this command it is still required to update once your distro delivers a patch. It seems the disclosure went wrong and got published too early, so distros may take a bit longer to deliver a patch than usual.
0 Likes
Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
Last edited by Eike on 8 May 2026 at 9:34 am UTC
5 Likes
Quoting: EikeNo, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
1 Likes
Quoting: EhvisIt means someone has to run something locally, which you the single user do all the time.Quoting: EikeNo, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
However that something must be untrustworthy for there to be a threat. Most of what you use is from distro packages, so should be fine. Steam games aren't (closed source), so you just have to cross your fingers and trust the developer.
What you should never do, is download random binaries off of the internet and run them (because what is this, windows?)
Last edited by ShabbyX on 8 May 2026 at 12:11 pm UTC
2 Likes
Quoting: ShabbyXHowever that something must be untrustworthy for there to be a threat. Most of what you use is from distro packages, so should be fine. Steam games aren't (closed source), so you just have to cross your fingers and trust the developer.True, but the funny thing is. Can those really do much more damage with a "Fail" or a "Frag" than they could do without it? If you're serious about security and do everything you can to separate things, the answer would be yes. But in practice it is most likely a no.
1 Likes
Quoting: EhvisIf you run a virus scanner it will most likely keep the Anti-virus killer at bay.Quoting: ShabbyXHowever that something must be untrustworthy for there to be a threat. Most of what you use is from distro packages, so should be fine. Steam games aren't (closed source), so you just have to cross your fingers and trust the developer.True, but the funny thing is. Can those really do much more damage with a "Fail" or a "Frag" than they could do without it? If you're serious about security and do everything you can to separate things, the answer would be yes. But in practice it is most likely a no.
Tor-browser and if I remember correctly firefox have their own download folder sandboxing.
Apache sandboxes itself.
Python enforces sandboxing beyond calling user.
All flatpacks are sandboxed beyond calling user.
It's true that not all sandoxed perectly and obtaining user access is already a great breach, but if you want to have an indication what it limits simply run
cat /etc/passwdEach of the lines is a seperate user, which when it obtains root access suddenly can read your files.
Edit:
With the exception of root and your personal account ofcourse.
Last edited by LoudTechie on 8 May 2026 at 1:42 pm UTC
0 Likes
Copy Fail was for me a big thing, because it's for so far I can remember the first Linux specific n-day vulnerability that showed commoditization.
Explanation:
I've seen many attacks and attack attempts on Linux specific things.
The others all used zero-days.
This is the first time I see miscreants use an n-days in the Linux ecosystem.
I suspect this proofs I don't run an anti-virus scanner company, because it probably has happened before.
Yet, I don't know these examples.
Explanation:
I've seen many attacks and attack attempts on Linux specific things.
The others all used zero-days.
This is the first time I see miscreants use an n-days in the Linux ecosystem.
I suspect this proofs I don't run an anti-virus scanner company, because it probably has happened before.
Yet, I don't know these examples.
1 Likes
Kimyrielle 4 hours ago
Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.I would caution against calling this "out of proportion". I think people wrongly assume that a "local" user has be at your keyboard to do damage. This is NOT the case. Everything you run is a "local" user, namely the account you typically work with. In this world of dependency hell, all it takes is a supply-chain attack. Someone could easily sneak some code into something you download and execute with your local privileges, and boom, you're toast.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
0 Likes
Quoting: KimyrielleOut of proportion is still fair as there are articles/headlines everywhere that absolutely are doing that - you're not wrong that it's still important to deal with. The kind of important to update when you are able and not really wait, but no reason to cancel plans or act like the sky is falling sort of thing either - unless you run a web server of any type or are otherwise more susceptible than an average desktop user. I will also always beat the drum about caution regarding supply-chain in general as well, and remind people that rolling distributions and languages that download 50 billion modules to do anything in a similar manner are and always will be a risk nobody actually has to take.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.I would caution against calling this "out of proportion". I think people wrongly assume that a "local" user has be at your keyboard to do damage. This is NOT the case. Everything you run is a "local" user, namely the account you typically work with. In this world of dependency hell, all it takes is a supply-chain attack. Someone could easily sneak some code into something you download and execute with your local privileges, and boom, you're toast.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
0 Likes
Quoting: EhvisNot only for multi-user systems because if you combine this with an exploit in any userland programs that you use (say Firefox) or some daemon that accepts incoming connections from the outside (say sshd or apache) then an attacker will first gain local access over a network through that exploit and then use this exploit to gain root.Quoting: EikeNo, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
0 Likes
Patreon
PayPal
How to setup OpenMW for modern Morrowind on Linux / SteamOS and Steam Deck
How to install Hollow Knight: Silksong mods on Linux, SteamOS and Steam Deck