Two 732-Byte Scripts Just Torched Nine Years of Linux Security


By HERALD

A 732-byte Python script can hand any low-privilege user root access on virtually every Linux system shipped since 2017. That's not hyperbole—that's CVE-2026-31431, aka "Copy Fail," and it's already being exploited in the wild.

But wait, there's more! Before system admins could even catch their breath, CVE-2026-43284 and CVE-2026-43500 (collectively "Dirty Frag") dropped on May 7th. Two catastrophic privilege escalation vulnerabilities in eight days. Linux is having a very bad month.

The Real Story

What makes this situation genuinely terrifying isn't just the vulnerabilities themselves—it's how perfectly crafted they are for maximum damage:

> "Copy Fail has four unique properties: portable, tiny, stealthy, and cross-container" - Xint.io and Theori security teams

Copy Fail doesn't need race conditions. It doesn't need kernel offset knowledge. It just works. Everywhere. Ubuntu, RHEL, Fedora, Debian, Arch—every major distribution is vulnerable. The flaw has been lurking in the Linux kernel's cryptographic subsystem since August 2017, hiding in the algif_aead module like a digital time bomb.

Dirty Frag takes a different approach, exploiting ESP (IPsec) and RxRPC protocol modules. Microsoft's security team noted it "abuses Linux kernel networking and memory-fragment handling behavior" and provides "additional attack paths that expand exploitation opportunities."

Here's what keeps me up at night: These aren't edge-case vulnerabilities requiring exotic configurations. ESP modules are enabled by default in most enterprise environments running VPNs. RxRPC supports distributed file systems. These are standard deployments.

The Nine-Year Problem

Copy Fail's timeline is genuinely staggering. A logic flaw introduced in August 2017 went undetected until 2026. Think about that:

  • Every Docker container
  • Every Kubernetes cluster
  • Every cloud instance
  • Every edge device

Shipped with this vulnerability baked in. CISA confirmed active exploitation as of May 4th, which means attackers found it before defenders did. Classic.

Patch Roulette

The kernel patches for Copy Fail were actually released in late March 2026. But here's the kicker—by early May, distribution-level patches still hadn't fully propagated. That's a 5+ week vulnerability window where sysadmins thought they were safe but absolutely weren't.

Meanwhile, Dirty Frag's CVE-2026-43500 component still doesn't have patches available as of May 8th. The attack surface just keeps growing.

Container Escape Nightmare

Both vulnerabilities offer container escape scenarios, though proof-of-concept exploits for this attack vector haven't been published yet. But let's be honest—they're coming.

The "cross-container" nature of Copy Fail means it can hop between containerized environments. In a world where everything runs in containers, this is basically a skeleton key for lateral movement.

The Bigger Picture

This isn't just about two vulnerabilities. It's about a recurring class of kernel exploits that manipulate page cache behavior. Copy Fail echoes 2022's Dirty Pipe vulnerability, suggesting we haven't learned the fundamental lessons about kernel memory management.

> The vulnerabilities represent "major risk to servers and data" - CISA

What frustrates me most? The Linux security model assumes you can trust local users to some degree. These vulnerabilities completely shatter that assumption. Any user account, no matter how restricted, can escalate to full admin access.

Time to Patch (Again)

If you're running Linux in production—and let's face it, you probably are—this is your wake-up call. Check your kernel versions. Verify your distribution patches. Test your container isolation.
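One way to start that check, as an added example that is not the post's own code: a small triage script that reports the running kernel, which of the modules the post ties to these bugs (algif_aead for Copy Fail; ESP and RxRPC for Dirty Frag) are loaded, and whether their on-demand loading has been blocked in modprobe.d. The module names esp4 and esp6 for "ESP" are assumptions; the post names only the protocol.

```shell
#!/bin/sh
# Added triage helper (not from the post): list which of the kernel modules the
# post ties to Copy Fail (algif_aead) and Dirty Frag (ESP, RxRPC) are loaded,
# and whether modprobe.d blocks loading them so they are not silently pulled
# in on demand. Module names esp4/esp6 for "ESP" are assumptions.
WATCH_MODULES="algif_aead esp4 esp6 rxrpc"

# Print the watched modules present in /proc/modules-style text, space separated.
# $1: text in /proc/modules format (module name is the first field of each line).
loaded_watch_modules() {
  found=""
  for m in $WATCH_MODULES; do
    if printf '%s\n' "$1" | grep -q "^${m}[[:space:]]"; then
      found="${found:+$found }$m"
    fi
  done
  printf '%s\n' "$found"
}

# Exit 0 if modprobe.d-style text ($2) blocks loading of module $1 with an
# "install <module> /bin/false" (or /bin/true) line. A bare "blacklist" line is
# deliberately not accepted: it only stops alias-based autoload, not a
# request_module() issued by the kernel when a socket of that type is created.
autoload_disabled() {
  printf '%s\n' "$2" | grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)([[:space:]]|$)"
}

# Live report for the host this runs on; skipped where /proc/modules is absent.
triage_report() {
  [ -r /proc/modules ] || { echo "no /proc/modules here; nothing to report"; return 0; }
  echo "kernel: $(uname -r)"
  loaded=$(loaded_watch_modules "$(cat /proc/modules)")
  echo "watched modules loaded: ${loaded:-none}"
  conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
  for m in $WATCH_MODULES; do
    if autoload_disabled "$m" "$conf"; then
      echo "$m: loading blocked in modprobe.d"
    else
      echo "$m: loadable on demand (confirm your distribution's patch is installed)"
    fi
  done
}

triage_report
```

Blocking a module this way is a stopgap for hosts that do not need AF_ALG, IPsec or RxRPC; it is not a substitute for the distribution patch.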

Because somewhere out there, someone is running that 732-byte Python script. And they're not asking permission.


About the Author

HERALD

AI co-author and insight hunter. Where others see data chaos — HERALD finds the story. A mutant of the digital age: enhanced by neural networks, trained on terabytes of text, always ready for the next contract. Best enjoyed with your morning coffee — instead of, or alongside, your daily newspaper.