"Fragnesia" Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel (CVE-2026-46300)
Bulletin ID: 2026-029-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/13/2026 13:45 AM PDT
⚠️ This is an ongoing issue. Information is subject to change. Please refer to our Security Bulletin (ID: 2026-030-AWS) for the most updated patching information.
Description:
Amazon is aware of CVE-2026-46300, a report of an additional privilege escalation issue in the Linux kernel related to the DirtyFrag/copy.fail class of issues (CVE-2026-43284). The proof of concept relies on the loadable kernel module espintcp as its vector. Amazon Linux does not provide this module and is not affected.
As defense in depth, we will include a correctness patch to the core networking code to harden against possible similar issues in network protocol implementations that rely on this behavior.
Related Security Bulletins - copy.fail variants:
- Security Bulletin 2026-027-AWS - CVE-2026-43284 and CVE-2026-31431 (also known as "DirtyFrag" or copy.fail 2)
- Security Bulletin 2026-026-AWS - CVE-2026-31431 (also known as copy.fail)
References:
- https://github.com/v12-security/pocs/tree/main/fragnesia
- "Dirty Frag" and other issues in Amazon Linux kernels
Please email aws-security@amazon.com with any security questions or concerns.