Security Advisory

Four Linux Kernel Privilege Escalation CVEs in Three Weeks

Copy Fail, Dirty Frag, Fragnesia, and ssh-keysign-pwn. Four local privilege-escalation bugs disclosed between April 29 and May 13, 2026. Patches are out. Here is the SMB-scoped action plan for the week.

By William Bradshaw | May 18, 2026 | 7 min read

Linux kernel privilege-escalation bugs are a constant of the threat landscape. What makes this particular window worth a dedicated advisory is the clustering: four separate local-root paths landed in the 15 days between April 29 and May 13, three of them through kernel crypto code that decrypts in place into memory the caller should not be able to write (the AF_ALG userspace crypto interface, XFRM ESP, RxRPC) and the fourth through a ptrace exit race. One of them (Copy Fail) is already on the CISA Known Exploited Vulnerabilities catalog with active exploitation observed in the wild. Working proofs of concept are public for at least three of the four.

For SMBs running Linux in production, the practical implication is that any unprivileged user (or anything that becomes one: a web-server compromise, a leaked SSH key, a compromised CI runner) now has multiple reliable paths to root on most unpatched kernels. The defense is straightforward: patch this week, verify the patched kernel is actually the one running, and confirm no exploitation occurred between disclosure and the patch window.

The Four CVEs at a Glance

All four affect the upstream Linux kernel and have been backported into RHEL, AlmaLinux, Rocky Linux, CloudLinux, Debian, and Ubuntu LTS lines. Disclosure dates and exploitation status as of publication.

Name | CVE | Disclosed | Component | Outcome | Active exploitation
Copy Fail | CVE-2026-31431 | 2026-04-29 | algif_aead / af_alg / crypto_authenc_esn | Local root | Yes (CISA KEV)
Dirty Frag | CVE-2026-43284, CVE-2026-43500 | 2026-05-06 | esp4 / esp6 / rxrpc | Local root | PoC public
Fragnesia | CVE-2026-46300 | 2026-05-13 | esp4 / esp6 (XFRM ESP-in-TCP receive path) | Local root | PoC referenced
ssh-keysign-pwn | CVE-2026-46333 | 2026-05-13 | ptrace exit race / pidfd_getfd | Read of root-owned secrets (SSH host keys, /etc/shadow) | PoC public

All four require local access (an existing unprivileged account or a compromised service running as a low-privileged user). None are remotely exploitable on their own. For SMB attack-chain reasoning, treat each one as the second stage that follows a web-app compromise, a stolen SSH key, or a hijacked CI runner.

Copy Fail (CVE-2026-31431)

A logic flaw in the kernel cryptographic interface (specifically the AF_ALG userspace crypto API and the algif_aead module). An unprivileged local user with the ability to open a socket on the AF_ALG family can trigger improper memory handling during in-place crypto operations, leading to local root. CVSS 7.8, attack vector local, no user interaction required.

Why this one matters most. Disclosed April 29, added to the CISA Known Exploited Vulnerabilities catalog within a week, with active exploitation observed against cloud workloads. If you are on a vulnerable kernel today, assume that the runway between disclosure and the first opportunistic use against any foothold an attacker already holds on your hosts (a web shell, a stolen key, a CI runner) is days, not weeks.

Patches. Red Hat shipped RHSA-2026:13565 on May 4. AlmaLinux, Rocky Linux, and Oracle Linux followed within 48 hours. Debian and Ubuntu LTS lines are patched as of mid-May. Apply the security update and reboot to activate the new kernel. For systems that cannot reboot immediately, the vendor mitigation is to blacklist algif_aead, af_alg, and crypto_authenc_esn via the initcall_blacklist kernel boot parameter. Two practical notes: initcall_blacklist takes initcall function names rather than module names, so copy the exact parameter string from your distribution's advisory; and a boot parameter only takes effect on the next boot, so on a host that cannot reboot at all the immediately effective equivalent is a modprobe.d install line for each module, which only helps if lsmod shows the modules are not already resident. Either form can break workloads that use the AF_ALG interface or the authenc ESN template (some VPN clients, IPsec with extended sequence numbers, hardware crypto offload setups), so test before rolling out broadly.

Dirty Frag (CVE-2026-43284 and CVE-2026-43500)

A pair of related bugs in the kernel networking fragment-handling code, specifically the ESP4 and ESP6 modules (IPsec) and the RxRPC module (used by AFS and some kernel services). The flaw is a missing SKBFL_SHARED_FRAG marker when paged fragments are coalesced; under the right conditions an unprivileged local user can coerce kernel decryption operations into writing to read-only memory, such as the page-cache pages that back SUID binaries.

Practical impact. Reliable local privilege escalation to root on any system with the ESP modules loaded (most Linux installations) or RxRPC loaded (most AlmaLinux 9 and 10 systems with kernel-modules-partner installed). Working proof of concept is public.

Patches. Distribution patches landed throughout the first week of May. Apply the kernel update and reboot. For unpatched systems, the recommended mitigation is to blacklist esp4, esp6, and rxrpc via a modprobe configuration file, then drop page caches. Two caveats: a modprobe.d entry does not unload a module that is already resident, so check lsmod and either modprobe -r the module or reboot; and a bare blacklist line only stops alias-based autoloading, whereas an install line pointing at /bin/false refuses every modprobe of the module. This will break IPsec ESP transport (used by some site-to-site VPN configurations) and AFS or RxRPC-dependent workloads, so confirm what is using these modules before disabling them. lsmod | grep -E 'esp4|esp6|rxrpc' shows what is currently loaded.

Fragnesia (CVE-2026-46300)

Disclosed May 13 by William Bowling at the V12 security team, less than a week after Dirty Frag. Same attack surface (ESP4, ESP6, RxRPC), different bug. The mechanism involves the XFRM ESP-in-TCP receive path performing in-place AES-GCM decryption against page-cache pages, which an unprivileged local user can leverage to flip bits in read-only files such as /usr/bin/su and achieve root.

Practical impact. Same outcome as Dirty Frag (local root) but via a distinct primitive, so the Dirty Frag fix does not close Fragnesia. The two bugs do share a mitigation strategy: blacklisting esp4, esp6, and rxrpc neutralizes both, which is why the per-distribution advisories grouped them together.

Patches. AlmaLinux published kernel-4.18.0-553.124.3.el8_10 and later for AlmaLinux 8, kernel-5.14.0-611.54.5.el9_7 and later for AlmaLinux 9, and kernel-6.12.0-124.56.3.el10_1 and later for AlmaLinux 10 on May 13. RHEL, Rocky, and Oracle followed the same week. Apply the security update and reboot. If you applied the Dirty Frag patch but have not yet applied Fragnesia, you are still exposed.

ssh-keysign-pwn (CVE-2026-46333)

A Qualys-discovered race condition in the kernel's ptrace exit path. When a SUID-root binary exits, there is a narrow timing window between the kernel detaching the process's memory descriptor and closing its file-descriptor table. During that window, an unprivileged process can call pidfd_getfd() and clone file descriptors out of the exiting privileged process.

Practical impact. Slightly different shape than the other three. The attacker does not become root directly. Instead, they read root-owned files via the descriptors held open by exiting SUID binaries. The publicly demonstrated targets are ssh-keysign (reads SSH host private keys) and chage (reads /etc/shadow). With the SSH host private keys, an attacker can impersonate the server in subsequent connections; with /etc/shadow, they can run offline password cracking against every account on the box.

Patches and mitigations. Kernel updates landed in the same May 13 patch wave as Fragnesia. For unpatched systems, the immediate mitigation is to set kernel.yama.ptrace_scope=3 (or CloudLinux's kernel.user_ptrace=0) via sysctl; pidfd_getfd() is gated by the same ptrace access-mode check that Yama enforces, so this denies the descriptor grab. Two things to know before setting it: at scope 3 no process, root included, can ptrace-attach, so gdb and strace stop working for everyone on the host, and once the value is 3 it cannot be lowered again without a reboot. Removing the SUID bit from /usr/libexec/openssh/ssh-keysign and /usr/bin/chage addresses the two publicly demonstrated targets but does not close the underlying primitive; other SUID binaries with sensitive file descriptors remain exposed until the kernel is patched.
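
The module-blacklist and ptrace_scope mitigations described above for Copy Fail, Dirty Frag, Fragnesia, and ssh-keysign-pwn, gathered into one status check. This is an added example written for this advisory, not vendor or distribution code. It assumes lsmod, sysctl, and a kernel with the Yama LSM enabled; the module and sysctl names are the ones quoted in the sections above, and the lsmod excerpt embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this advisory (not vendor code): report which of the temporary
# mitigations named above are in effect on a host. The functions take lsmod and
# sysctl output as arguments so they can be exercised against constructed samples.

# Module names as given in the advisory text.
COPYFAIL_MODS="algif_aead af_alg crypto_authenc_esn"
FRAG_MODS="esp4 esp6 rxrpc"

# loaded_risky_modules LSMOD_OUTPUT "mod1 mod2 ..." -> prints the subset that is loaded.
# lsmod prints "name size used-by" per line; only the first column is a module name,
# so the "Used by" column (which lists dependants) is deliberately ignored.
loaded_risky_modules() {
    lsmod_text=$1
    found=""
    for m in $2; do
        if printf '%s\n' "$lsmod_text" | awk -v m="$m" '$1 == m { hit = 1 } END { exit !hit }'; then
            found="${found:+$found }$m"
        fi
    done
    printf '%s' "$found"
}

# ptrace_restricted SCOPE -> true when kernel.yama.ptrace_scope is 3, the value the
# advisory recommends. Scope 3 cannot be lowered again without a reboot.
ptrace_restricted() {
    [ "$1" = "3" ]
}

# modprobe_blacklist_fragment "mod1 mod2 ..." -> contents for an /etc/modprobe.d file.
# "install <mod> /bin/false" makes every modprobe of the module fail, including
# kernel-triggered autoload; a bare "blacklist" line only disables alias matching.
modprobe_blacklist_fragment() {
    for m in $1; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# mitigation_report LSMOD_OUTPUT PTRACE_SCOPE -> one line per bug; returns 1 on any gap.
# A blacklist file does not unload a module that is already resident, which is why
# the check is against lsmod rather than against /etc/modprobe.d.
mitigation_report() {
    gaps=0
    cf=$(loaded_risky_modules "$1" "$COPYFAIL_MODS")
    fr=$(loaded_risky_modules "$1" "$FRAG_MODS")
    if [ -n "$cf" ]; then
        echo "Copy Fail: still loaded: $cf (modprobe -r or reboot)"; gaps=1
    else
        echo "Copy Fail: AF_ALG/authenc_esn modules not loaded"
    fi
    if [ -n "$fr" ]; then
        echo "Dirty Frag / Fragnesia: still loaded: $fr (modprobe -r or reboot)"; gaps=1
    else
        echo "Dirty Frag / Fragnesia: esp4/esp6/rxrpc not loaded"
    fi
    if ptrace_restricted "$2"; then
        echo "ssh-keysign-pwn: ptrace_scope=3, ptrace-attach (and so pidfd_getfd) denied"
    else
        echo "ssh-keysign-pwn: ptrace_scope=$2, unprivileged ptrace still permitted"; gaps=1
    fi
    return $gaps
}

# Constructed lsmod excerpt (not captured from a real host) used for a dry run.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  0
xfrm_algo              16384  1 esp4
algif_aead             16384  0
af_alg                 36864  1 algif_aead
rxrpc                 184320  0
xt_conntrack           16384  1'

# Usage: sh mitigation-check.sh --live      (reads the running host)
#        sh mitigation-check.sh --dry-run   (runs against SAMPLE_LSMOD)
if [ "${1:-}" = "--live" ]; then
    mitigation_report "$(lsmod)" "$(sysctl -n kernel.yama.ptrace_scope 2>/dev/null || echo unset)"
elif [ "${1:-}" = "--dry-run" ]; then
    mitigation_report "$SAMPLE_LSMOD" 0
fi
```

The report reads lsmod rather than the modprobe.d directory on purpose: the question that matters on an unrebooted host is whether the module is resident right now, not whether a file says it should not be. Record the output per host alongside the patch ticket so the "remove the temporary mitigation" step in the eventual reboot window has something to check against.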

What to Do This Week

The work this week is uncomplicated. The risk of skipping it is high because the bugs cluster around a single attack-chain pattern (post-compromise privilege escalation) that opportunistic attackers will reach for.

  • 1. Inventory. Confirm you know every Linux host in your estate. Anything you cannot name is something you cannot patch. The "I forgot that box exists" pattern from our Linux patch management guide is the most common source of unpatched systems.
  • 2. Apply the May 2026 kernel updates. For Debian and Ubuntu, run apt update && apt upgrade and reboot. For RHEL, AlmaLinux, Rocky, and Oracle, run dnf update kernel and reboot. Both Dirty Frag and Fragnesia need separate fixes; do not assume one patch closes both.
  • 3. Verify the new kernel actually loaded. A patched kernel that has not been rebooted into is not a patched system. After the reboot window, compare uname -r on each host with the newest installed kernel package (rpm -q kernel on RHEL-family hosts, dpkg -l 'linux-image-*' on Debian and Ubuntu) and with the fixed version in your distribution's advisory. dnf needs-restarting -r on RHEL-family hosts and the presence of /var/run/reboot-required on Debian and Ubuntu also flag a pending reboot. This step catches the most common failure: kernel updates that install but never activate.
  • 4. Apply temporary mitigations on anything that cannot reboot this week. For systems with maintenance-window constraints, the module-blacklist and sysctl mitigations described above buy you time. Document them so the eventual patch window includes "remove the temporary mitigation."
  • 5. Rotate SSH host keys on any system that was exposed to untrusted local users between May 13 and the patch window (because of ssh-keysign-pwn). The same goes for any privileged accounts whose password hashes might have been readable via the same primitive.
  • 6. Scan after patching. A vulnerability scan run within 24 hours of the patch window confirms each host is on the corrected kernel and produces a defensible audit trail. CVE counts should drop measurably; if they do not on a specific host, that host did not actually patch.
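
Steps 2 and 3 above, as an added example written for this advisory rather than distribution tooling: a POSIX shell check that classifies a RHEL-family host as fixed, reboot-needed, or unpatched by comparing uname -r and rpm -q kernel against the AlmaLinux fixed versions quoted in the Fragnesia section. It assumes GNU sort (for sort -V) and the el8/el9/el10 dist tags; the 611.52.1 version in the embedded sample is constructed, and Debian and Ubuntu hosts would need their own fixed-version table and dpkg output.

```shell
#!/bin/sh
# Added example for this advisory (not vendor code): decide, per host, whether the
# running kernel is at or above the fixed version, whether a fixed kernel is merely
# installed and waiting for a reboot, or whether nothing fixed is installed yet.

# Minimum fixed kernel per release, taken from the AlmaLinux versions quoted above.
min_fixed_version() {
    case "$1" in
        el8)  echo "4.18.0-553.124.3.el8_10" ;;
        el9)  echo "5.14.0-611.54.5.el9_7" ;;
        el10) echo "6.12.0-124.56.3.el10_1" ;;
        *)    return 1 ;;
    esac
}

# release_of KERNEL_VERSION -> el8 | el9 | el10, derived from the dist tag.
release_of() {
    case "$1" in
        *.el8_*|*.el8)   echo el8 ;;
        *.el9_*|*.el9)   echo el9 ;;
        *.el10_*|*.el10) echo el10 ;;
        *)               return 1 ;;
    esac
}

# strip_arch VERSION -> version without the architecture suffix that uname -r and
# rpm -q append, so it compares cleanly against the advisory's version strings.
strip_arch() {
    case "$1" in
        *.x86_64)  printf '%s' "${1%.x86_64}" ;;
        *.aarch64) printf '%s' "${1%.aarch64}" ;;
        *)         printf '%s' "$1" ;;
    esac
}

# version_ge A B -> true when A >= B under GNU `sort -V` ordering, which compares
# each numeric field numerically (553.124.3 > 553.99.9, unlike a string compare).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# newest_installed RPM_Q_OUTPUT -> highest version among `rpm -q kernel` lines.
newest_installed() {
    printf '%s\n' "$1" | sed 's/^kernel-//' | sort -V | tail -n1
}

# patch_state RUNNING RPM_Q_OUTPUT -> fixed | reboot-needed | unpatched | unknown-release
patch_state() {
    running=$(strip_arch "$1")
    newest=$(strip_arch "$(newest_installed "$2")")
    rel=$(release_of "$running") || { echo unknown-release; return 0; }
    min=$(min_fixed_version "$rel")
    if version_ge "$running" "$min"; then
        echo fixed
    elif version_ge "$newest" "$min"; then
        echo reboot-needed
    else
        echo unpatched
    fi
}

# Constructed `rpm -q kernel` output (not from a real host; 611.52.1 is made up):
# an older kernel plus the fixed one side by side, as after `dnf update kernel`
# without a reboot.
SAMPLE_RPM_Q='kernel-5.14.0-611.52.1.el9_7.x86_64
kernel-5.14.0-611.54.5.el9_7.x86_64'

# Usage on a live RHEL-family host: sh kernel-check.sh --live
if [ "${1:-}" = "--live" ]; then
    patch_state "$(uname -r)" "$(rpm -q kernel)"
fi
```

A host reporting reboot-needed is the exact failure step 3 warns about: the package manager considers it patched, the running kernel is not. Run the check from your fleet tooling after the reboot window and treat anything other than fixed as still exposed.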

Why Post-Patch Scanning Is Higher-Leverage Than Usual This Month

In a normal patch cycle, post-patch scanning is a closing checkbox. The CVE count drops, the report goes in the file, the cycle ends. This month is different because of the active exploitation status on Copy Fail. Any vulnerable kernel that was reachable from a compromised account between April 29 and the local patch window may already have been escalated. The scan is not only confirming the fix; it is confirming the absence of indicators of post-exploitation activity.

The open-source netvuln-tool scanner covers the kernel-version detection side. For SMBs without dedicated security staff, this is the part of the response that is easiest to defer and hardest to recover from when something has already happened. Run the scan. If you find an unpatched host, treat it as potentially compromised until you can confirm otherwise. The vulnerability scanning guide covers the end-to-end workflow.

Need Help Working Through the May 2026 Patch Cycle?

Bullium's managed-services engagements include patch coordination, post-patch scanning, and exception tracking across multi-site Linux fleets. If you are looking at a list of hosts and an active CISA KEV entry and wondering where to start, that is the right week to bring in a second set of eyes.