"Dirty Frag" and other issues in Amazon Linux kernels
Bulletin ID: 2026-027-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/07/2026 19:45 PM PDT
Modification Date: 05/11/2026 10:45 AM PDT
Description:
Amazon is aware of a class of issues in the Linux kernel (CVE-2026-43284) related to the original issue (CVE-2026-31431). The issues, commonly referred to as "DirtyFrag", are present in a number of loadable modules, including xfrm_user/esp4/esp6. On systems where unprivileged users can create the relevant sockets (directly, or through CAP_NET_ADMIN), or can create unprivileged user namespaces (user+net), an actor may gain access to kernel memory and thus escalate their privileges.
Customer Action Required for Affected Services
Amazon Linux: Amazon Linux kernels 4.14, 5.4, 5.10, 5.15, 6.1, 6.12, and 6.18 are affected. AWS has released updates to Amazon Linux addressing this issue and customers should apply the latest kernel updates. We recommend referring to the Amazon Linux Security Center (ALAS) for updated information related to this issue.
We recommend that customers apply the available kernel updates for their environment. To mitigate known vectors without applying kernel updates, customers should take the following actions:
- Check whether any of the affected modules are loaded on the host with the following command:
lsmod | grep -E "esp4|esp6|rxrpc"
If any of the affected modules are listed in the output, they are currently loaded. If they represent unexpected usage, run the commands below and then reboot. If they represent known usage, please evaluate other mitigation options.
- Disable future loading of the affected modules individually with the following commands:
echo 'install esp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
Alternatively, if the affected modules are not currently loaded, disable loading of all additional kernel modules with the following command:
sysctl -w kernel.modules_disabled=1
Please note that once set, this change cannot be reverted until the next reboot.
To mitigate the vector specific to namespaces, the following command disables the option to create them:
sysctl -w user.max_user_namespaces=0
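The mitigation steps above, combined into one helper script. This is an added example, not a script published by AWS: the module list (esp4, esp6, rxrpc), the config file name cve-copyfail2.conf and the two sysctl settings are taken from this bulletin; the MODPROBE_DIR override and the function names are the example's own. It reads lsmod output, and only if none of the affected modules are loaded does it disable further module loading; otherwise it writes the modprobe blocklist (idempotently, so re-running does not duplicate lines) and asks for a reboot. In both cases it disables user namespace creation.

```shell
#!/bin/sh
# Added example, not AWS-provided code. Module names and the config file
# name come from the bulletin; MODPROBE_DIR is an override for testing.
AFFECTED_MODULES="esp4 esp6 rxrpc"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Read lsmod-style output ("Module Size Used by ...") on stdin and print the
# names of loaded modules whose name contains one of the affected names,
# mirroring the bulletin's `lsmod | grep -E "esp4|esp6|rxrpc"` but matching
# only the module-name column, not the "Used by" column.
loaded_affected_modules() {
    awk -v mods="$AFFECTED_MODULES" '
        BEGIN { n = split(mods, want, " ") }
        NR > 1 {
            for (i = 1; i <= n; i++)
                if (index($1, want[i]) > 0) { print $1; break }
        }
    '
}

# Write one "install <module> /bin/false" line per affected module into
# $MODPROBE_DIR/cve-copyfail2.conf, skipping lines that are already present
# so repeated runs do not append duplicates. Prints the config path.
write_modprobe_blocklist() {
    conf="$MODPROBE_DIR/cve-copyfail2.conf"
    mkdir -p "$MODPROBE_DIR"
    touch "$conf"
    for m in $AFFECTED_MODULES; do
        line="install $m /bin/false"
        grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# Apply the bulletin's interim mitigations on the running host (needs root).
apply_mitigations() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_mitigations: must run as root" >&2; return 1; }
    loaded=$(lsmod | loaded_affected_modules)
    if [ -z "$loaded" ]; then
        # Nothing affected is loaded: block all further module loading.
        # This cannot be reverted until the next reboot.
        sysctl -w kernel.modules_disabled=1
    else
        echo "Affected modules currently loaded: $(echo "$loaded" | tr '\n' ' ')"
        echo "Blocklist written to $(write_modprobe_blocklist); reboot to unload them."
    fi
    # Close the unprivileged user-namespace vector in either case.
    sysctl -w user.max_user_namespaces=0
}

case "${1:-}" in
    --report) lsmod | loaded_affected_modules ;;
    --apply)  apply_mitigations ;;
esac
```

Run with `--report` as any user to list loaded affected modules, or as root with `--apply` to carry out the mitigation. If `--report` shows modules that are in known use, do not run `--apply`; as the bulletin says, evaluate other options (including applying the kernel update) instead.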
For customers who are using the modules mentioned above, please monitor your environment for anomalous setuid executions. To find more information about "Copyfail v1", please refer to our Security Bulletin.
More information will be published as soon as updates are available.
References:
- CVE-2026-31431
- CVE-2026-43284
- https://explore.alas.aws.amazon.com/CVE-2026-43284.html
- AL2023 - kernel 6.1
- AL2023 - kernel 6.12
- AL2023 - kernel 6.18
- AL2 - kernel 4.14
- AL2 - kernel 5.4
- AL2 - kernel 5.10
- AL2 - kernel 5.15
Please email aws-security@amazon.com with any security questions or concerns.