Linux kernel bugs rarely get names that sound memorable, but when they do, they usually signal something serious. Two recent examples, DirtyFrag and Copy Fail, have drawn attention because they show how small flaws in kernel memory handling can turn into powerful local privilege escalations.
Copy Fail, tracked as CVE-2026-31431, was publicly disclosed in late April 2026 and affects the Linux kernel’s AF_ALG crypto interface. Researchers found that the bug could be abused through a chain involving AF_ALG and splice() to create dangerous memory behavior, which made it especially interesting to security teams watching kernel attack surfaces.
DirtyFrag appeared shortly afterward and was described as being in the same broad family of “copy-fail” style problems, but it is not the same bug. Instead, it was tied to page-cache write issues in kernel networking paths such as esp4, esp6, and RxRPC, and it was reported publicly after researchers identified two related vulnerabilities. In other words, DirtyFrag is a reminder that the underlying design weakness is bigger than one code path or one subsystem.
The discovery timeline also matters. Copy Fail was attributed to researchers who demonstrated how a kernel copy operation could be pushed into unsafe behavior, while DirtyFrag was surfaced soon after by separate reporting and discussion in the Linux security community. That sequence made the pair feel connected, but the important detail is that they were discovered through different subsystems and different exploitation routes.
For defenders, the lesson is straightforward: kernel features that manipulate shared memory, page cache state, or in-place data movement deserve extra scrutiny. Bugs in these areas are often subtle, hard to reproduce, and capable of causing far more damage than a simple crash. When those flaws are exposed in the wild, the result is not just a patch cycle, but a reminder that the kernel’s most efficient code paths can also be its most dangerous.