"Dirty Frag" and other issues in Amazon Linux kernels
Bulletin ID: 2026-027-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/07/2026 19:45 PM PDT
Description:
Amazon is aware of a class of issues in the Linux kernel related to the original issue (CVE-2026-31431). The issues, commonly referred to as "DirtyFrag", are present in a number of loadable modules, including xfrm_user/esp4/esp6 and ipcomp4/ipcomp6. On systems that allow unprivileged users to create the relevant sockets, either directly or through CAP_NET_ADMIN, or that allow the creation of unprivileged user namespaces (user+net), an actor may gain access to kernel memory and thus escalate their privileges.
Customer Action Required for Affected Services
We are working to confirm the full range of affected versions.
To mitigate known vectors while patches are pending, customers should take the following actions:
- Check if the modules are loaded on the host for all affected modules with the following command:
lsmod | grep -E "esp4|esp6|ipcomp4|ipcomp6|rxrpc"
If any of the affected modules are listed in the output, they are currently loaded. If the loaded modules are not expected on the host, run the commands below and then reboot. If they are in known use, please evaluate the other mitigation options.
- Disable future loading of the affected modules individually with the following commands:
echo 'install esp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
Alternatively, if the affected modules are not currently loaded, disable loading of all additional kernel modules with the following command:
sysctl -w kernel.modules_disabled=1
Please note that this change cannot be reverted until the next reboot.
To mitigate the vector specific to namespaces, the following command disables the option to create them:
sysctl -w user.max_user_namespaces=0
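The following audit helper is an added example and is not part of the AWS bulletin. It checks, from lsmod-style output and from the contents of a modprobe.d file, which of the affected modules listed above are loaded and which are not yet blocked; the sample lsmod and modprobe.d text inside it is constructed, and the configuration path /etc/modprobe.d/cve-copyfail2.conf is the one from the bulletin.

```shell
#!/bin/sh
# Added example: audit helpers for the DirtyFrag mitigations in the bulletin.
# The functions read text on stdin so they work on live output or on samples.

AFFECTED_MODULES="esp4 esp6 ipcomp4 ipcomp6 rxrpc"

# Print affected modules present in lsmod-style input, one per line.
# Exit status 1 if any affected module is loaded, 0 otherwise.
loaded_affected_modules() {
    awk -v mods="$AFFECTED_MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Print affected modules that have no "install <module> /bin/false" line in
# the modprobe.d configuration supplied on stdin (i.e. still loadable).
unblocked_affected_modules() {
    awk -v mods="$AFFECTED_MODULES" '
        $1 == "install" && $3 == "/bin/false" { blocked[$2] = 1 }
        END {
            n = split(mods, want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in blocked)) print want[i]
        }'
}

# Constructed sample data for offline use (not taken from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  0
xfrm_user              49152  0
ext4                  737280  1'
SAMPLE_MODPROBE='install esp4 /bin/false
install esp6 /bin/false'

# Live mode: run "sh audit.sh --live" as root on a host to check real state.
if [ "${1:-}" = "--live" ]; then
    conf=/etc/modprobe.d/cve-copyfail2.conf
    echo "Loaded affected modules:"
    lsmod | loaded_affected_modules || true
    echo "Affected modules not blocked in $conf:"
    if [ -r "$conf" ]; then
        unblocked_affected_modules < "$conf"
    else
        echo "$AFFECTED_MODULES (file not present)"
    fi
    echo "kernel.modules_disabled=$(sysctl -n kernel.modules_disabled)"
    echo "user.max_user_namespaces=$(sysctl -n user.max_user_namespaces)"
fi
```

Without --live the script only defines the helpers and sample data, so it can be sourced into other tooling.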
For customers who are using the modules mentioned above, please monitor your environment for anomalous setuid executions.
We are preparing updates to address these issues. To find more information about "Copyfail v1", please refer to our Security Bulletin.
More information will be published as soon as updates are available.
Please email aws-security@amazon.com with any security questions or concerns.