Have you run your Linux distribution updates recently? You probably should, because Dirty Frag and Copy Fail are coming for you. Two major Local Privilege Escalation (LPE) security issues have been revealed in a short time, which is not ideal.
For Copy Fail that was revealed at the end of April, the website describes it simply enough for you:
"An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root"
That's pretty bad. There's thankfully some patches rolling out across different distributions for it.
And now we also have Dirty Frag, which has been fully revealed early due to an embargo being broken and so Linux distribution developers will need to scramble to get patches ready for it. The impact is very similar to Copy Fail, enabling an attacker to gain root access to your system to do whatever they feel like.
However, a quick workaround (taken from the Dirty Frag disclosure) can be done as noted to protect yourself via terminal:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This is a special case, because no current patches exist. It should be fine to run on any distribution.
Keep a close eye on updates coming in over the next week, you're going to need them.
Article taken from GamingOnLinux.com.
About the author - Liam Dawe
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can follow me personally on Mastodon [External Link].
See more from me
See more from me
Some you may have missed, popular articles from the last month:
You can also find comments for this article on social media: All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.
18 comments
Note that both vulnerabilities are for a local user to gain root access.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
11 Likes
PlayingOnLinuxphone a day ago
From the [issues](https://github.com/V4bel/dirtyfrag/issues) it seems Debian 12 is not affected, 13 and 14 are. I cannot say how trustworthy. The one-line-command also deletes the compromised cache, so infected systems should be clean after that command (if no malware got installed) if I understand it correctly. After this command it is still required to update once your distro delivers a patch. It seems the disclosure went wrong and got published too early, so distros may take a bit longer to deliver a patch than usual.
0 Likes
Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
Last edited by Eike on 8 May 2026 at 9:34 am UTC
9 Likes
Quoting: EikeNo, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
5 Likes
Quoting: EhvisIt means someone has to run something locally, which you the single user do all the time.Quoting: EikeNo, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
However that something must be untrustworthy for there to be a threat. Most of what you use is from distro packages, so should be fine. Steam games aren't (closed source), so you just have to cross your fingers and trust the developer.
What you should never do, is download random binaries off of the internet and run them (because what is this, windows?)
Last edited by ShabbyX on 8 May 2026 at 12:11 pm UTC
5 Likes
Quoting: ShabbyXHowever that something must be untrustworthy for there to be a threat. Most of what you use is from distro packages, so should be fine. Steam games aren't (closed source), so you just have to cross your fingers and trust the developer.True, but the funny thing is. Can those really do much more damage with a "Fail" or a "Frag" than they could do without it? If you're serious about security and do everything you can to separate things, the answer would be yes. But in practice it is most likely a no.
4 Likes
Quoting: EhvisIf you run a virus scanner it will most likely keep the Anti-virus killer at bay.Quoting: ShabbyXHowever that something must be untrustworthy for there to be a threat. Most of what you use is from distro packages, so should be fine. Steam games aren't (closed source), so you just have to cross your fingers and trust the developer.True, but the funny thing is. Can those really do much more damage with a "Fail" or a "Frag" than they could do without it? If you're serious about security and do everything you can to separate things, the answer would be yes. But in practice it is most likely a no.
Tor-browser and if I remember correctly firefox have their own download folder sandboxing.
Apache sandboxes itself.
Python enforces sandboxing beyond calling user.
All flatpacks are sandboxed beyond calling user.
It's true that not all sandoxed perectly and obtaining user access is already a great breach, but if you want to have an indication what it limits simply run
cat /etc/passwdEach of the lines is a seperate user, which when it obtains root access suddenly can read your files.
Edit:
With the exception of root and your personal account ofcourse.
Last edited by LoudTechie on 8 May 2026 at 1:42 pm UTC
1 Likes
Copy Fail was for me a big thing, because it's for so far I can remember the first Linux specific n-day vulnerability that showed commoditization.
Explanation:
I've seen many attacks and attack attempts on Linux specific things.
The others all used zero-days.
This is the first time I see miscreants use an n-days in the Linux ecosystem.
I suspect this proofs I don't run an anti-virus scanner company, because it probably has happened before.
Yet, I don't know these examples.
Explanation:
I've seen many attacks and attack attempts on Linux specific things.
The others all used zero-days.
This is the first time I see miscreants use an n-days in the Linux ecosystem.
I suspect this proofs I don't run an anti-virus scanner company, because it probably has happened before.
Yet, I don't know these examples.
2 Likes
Kimyrielle a day ago
Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.I would caution against calling this "out of proportion". I think people wrongly assume that a "local" user has be at your keyboard to do damage. This is NOT the case. Everything you run is a "local" user, namely the account you typically work with. In this world of dependency hell, all it takes is a supply-chain attack. Someone could easily sneak some code into something you download and execute with your local privileges, and boom, you're toast.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
2 Likes
Quoting: KimyrielleOut of proportion is still fair as there are articles/headlines everywhere that absolutely are doing that - you're not wrong that it's still important to deal with. The kind of important to update when you are able and not really wait, but no reason to cancel plans or act like the sky is falling sort of thing either - unless you run a web server of any type or are otherwise more susceptible than an average desktop user. I will also always beat the drum about caution regarding supply-chain in general as well, and remind people that rolling distributions and languages that download 50 billion modules to do anything in a similar manner are and always will be a risk nobody actually has to take.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.I would caution against calling this "out of proportion". I think people wrongly assume that a "local" user has be at your keyboard to do damage. This is NOT the case. Everything you run is a "local" user, namely the account you typically work with. In this world of dependency hell, all it takes is a supply-chain attack. Someone could easily sneak some code into something you download and execute with your local privileges, and boom, you're toast.
They're being blown up out of proportion, if you ask me. And I'm not happy at all about the tools used to find them or the methods to reveal them before a patch could be written and distributed.
0 Likes
Quoting: EhvisNot only for multi-user systems because if you combine this with an exploit in any userland programs that you use (say Firefox) or some daemon that accepts incoming connections from the outside (say sshd or apache) then an attacker will first gain local access over a network through that exploit and then use this exploit to gain root.Quoting: EikeNo, but someone still needs to have a local user account. So this is a big problem for multi-user systems. But I imagine most of us operate their home machine for themselves only, so for most of "us" it's not immediately exploitable.Quoting: MakiNote that both vulnerabilities are for a local user to gain root access.Isn't that what privilege escalation is all about?
You got to local user, then you enhance your rights and become root.
I mean, it's not like "local user" means someone has to sit at your keyboard...
3 Likes
Linux_Rocks 22 hours ago
Quoting: ShabbyXWhat you should never do, is download random binaries off of the internet and run them (because what is this, windows?)But where's the fun in that? What if you like to live dangerously? 🎲
2 Likes
The_Real_Bitterman 15 hours ago
Quoting: ShabbyXWhat you should never do, is download random binaries off of the internet and run them (because what is this, windows?)You're on Gaming on Linux. So you probably game on Linux yourself. Therefore, you sure do download random binaries from the Internet.
1 Likes
Any Debian based Linux affected (I use MX-Linux with Liquorix kernel, it's not bleeding edge like Arch, but it's close):
$ sudo lsmod | grep esp4
okasion@tictac:~
$ sudo lsmod | grep esp6
okasion@tictac:~
$ sudo lsmod | grep rxrpc
okasion@tictac:~
$ echo 3 | sudo tee /proc/sys/vm/drop_caches
3
$ sudo update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-6.18.16-2-liquorix-amd64
update-initramfs: Generating /boot/initrd.img-6.18.15-3-liquorix-amd64
update-initramfs: Generating /boot/initrd.img-6.14.2-1-liquorix-amd64
that's it, you're safe and the machine won't "forget" the changes when you reboot. It's practically the same Liam wrote with the generation of the kernels with the "fix".
There's also a namespace vulnerability, but I don't recommend applying the fix for now, it mostly affects servers, and can break some browsers and/or Docker/Kubernetes, etc:
sysctl kernel.unprivileged_userns_clone=0
THIS vulnerability it's the one a little bothering to me, I have it (as probably many of you) sysctl kernel.unprivileged_userns_clone=1 in my localhost, I use my computer 70% for dev, 30% for gaming, so it's important for me being able to run XFCE, Firefox, Docker, Kubernetes, things like that.
$ sudo lsmod | grep esp4
okasion@tictac:~
$ sudo lsmod | grep esp6
okasion@tictac:~
$ sudo lsmod | grep rxrpc
okasion@tictac:~
$ echo 3 | sudo tee /proc/sys/vm/drop_caches
3
$ sudo update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-6.18.16-2-liquorix-amd64
update-initramfs: Generating /boot/initrd.img-6.18.15-3-liquorix-amd64
update-initramfs: Generating /boot/initrd.img-6.14.2-1-liquorix-amd64
that's it, you're safe and the machine won't "forget" the changes when you reboot. It's practically the same Liam wrote with the generation of the kernels with the "fix".
There's also a namespace vulnerability, but I don't recommend applying the fix for now, it mostly affects servers, and can break some browsers and/or Docker/Kubernetes, etc:
sysctl kernel.unprivileged_userns_clone=0
THIS vulnerability it's the one a little bothering to me, I have it (as probably many of you) sysctl kernel.unprivileged_userns_clone=1 in my localhost, I use my computer 70% for dev, 30% for gaming, so it's important for me being able to run XFCE, Firefox, Docker, Kubernetes, things like that.
0 Likes
Quoting: anokasionAny Debian based Linux affected (I use MX-Linux with Liquorix kernel, it's not bleeding edge like Arch, but it's close):Sorry but what you wrote is no fix at all, you simply checked if the module was currently loaded (and they won't be, the exploit however will dynamically load them in). What Liam wrote in the article was a rule to blacklist those modules so they are never loaded.
$ sudo lsmod | grep esp4
okasion@tictac:~
$ sudo lsmod | grep esp6
okasion@tictac:~
$ sudo lsmod | grep rxrpc
okasion@tictac:~
$ echo 3 | sudo tee /proc/sys/vm/drop_caches
3
$ sudo update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-6.18.16-2-liquorix-amd64
update-initramfs: Generating /boot/initrd.img-6.18.15-3-liquorix-amd64
update-initramfs: Generating /boot/initrd.img-6.14.2-1-liquorix-amd64
that's it, you're safe and the machine won't "forget" the changes when you reboot. It's practically the same Liam wrote with the generation of the kernels with the "fix".
There's also a namespace vulnerability, but I don't recommend applying the fix for now, it mostly affects servers, and can break some browsers and/or Docker/Kubernetes, etc:
sysctl kernel.unprivileged_userns_clone=0
THIS vulnerability it's the one a little bothering to me, I have it (as probably many of you) sysctl kernel.unprivileged_userns_clone=1 in my localhost, I use my computer 70% for dev, 30% for gaming, so it's important for me being able to run XFCE, Firefox, Docker, Kubernetes, things like that.
4 Likes
Caldathras 6 hours ago
Quoting: LoudTechieTor-browser and if I remember correctly firefox have their own download folder sandboxing.Regarding Firefox, not to my knowledge. On my systems, Firefox defaults to my Download folder. No sandboxing that I'm aware of -- unless this is a feature I have to enable.
1 Likes
Quoting: CaldathrasYeah it should default to your download folder, but can you look beyond it. Can you work in your document folder.Quoting: LoudTechieTor-browser and if I remember correctly firefox have their own download folder sandboxing.Regarding Firefox, not to my knowledge. On my systems, Firefox defaults to my Download folder. No sandboxing that I'm aware of -- unless this is a feature I have to enable.
Tor-browser maintains its own seperate folder, but I thought firefox limited itself to only the download folder.
Based on what you said I would assume the answer is no, but I still wanted to clarify what I meant.
0 Likes
Quoting: LoudTechieProblem here though is that sandboxing will not protect against this. Sandboxing protects against malicious userspace or userspace code with open exploits in them IF and only IF there also are no privilege escalation vulnerability in the running kernel.Quoting: CaldathrasYeah it should default to your download folder, but can you look beyond it. Can you work in your document folder.Quoting: LoudTechieTor-browser and if I remember correctly firefox have their own download folder sandboxing.Regarding Firefox, not to my knowledge. On my systems, Firefox defaults to my Download folder. No sandboxing that I'm aware of -- unless this is a feature I have to enable.
Tor-browser maintains its own seperate folder, but I thought firefox limited itself to only the download folder.
Based on what you said I would assume the answer is no, but I still wanted to clarify what I meant.
0 Likes
Patreon
PayPal
How to setup OpenMW for modern Morrowind on Linux / SteamOS and Steam Deck
How to install Hollow Knight: Silksong mods on Linux, SteamOS and Steam Deck