Ongoing updates on Copy.fail and variants
Bulletin ID: 2026-030-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/13/2026 18:30 AM PDT
⚠️ This is an ongoing issue. This bulletin will be updated as more information becomes available.
Description:
AWS is aware of the "copy.fail" or "DirtyFrag" class of issues - a set of privilege escalation issues affecting the Linux Kernel. We will update this bulletin as more information becomes available.
Please see below for current patching timelines for affected services related to the "Copy.fail" kernel issue and all its variants. AWS recommends that customers apply all updates addressing these issues as soon as they are available. Please email aws-security@amazon.com with any security questions or concerns.
CVE-2026-46300 (also known as "Fragnesia")
CVE-2026-46300 is a local privilege escalation that affects the Linux Kernel module espintcp. Amazon Linux does not provide this module, and is not impacted. For more information see Security Bulletin (ID: 2026-029-AWS).
Updates on additional services will be published as soon as they become available.
CVE-2026-43284 and CVE-2026-31431 (also known as "DirtyFrag" or copy.fail 2)
CVE-2026-43284 and CVE-2026-31431 are a set of privilege escalation issues affecting a number of Linux Kernel modules, including xfrm_user, esp4, and esp6. For more information see: https://aws.amazon.com/security/security-bulletins/2026-027-aws/.
Affected services:
- Amazon Linux: Amazon Linux kernels 4.14, 5.4, 5.10, 5.15, 6.1, 6.12, and 6.18 are affected. AWS has released updates to Amazon Linux addressing this issue. We recommend that customers apply the available kernel updates for their environment.
- Bottlerocket: Updated Bottlerocket AMIs will be released by 2026-05-19.
- ECS: ECS Optimized AMIs addressing this issue will be made available by 2026-05-19.
- EKS: Updates for EKS-optimized AMIs will be made available by 2026-05-19.
- EMR: AWS will release updates for EMR by 2026-05-26.
- Fargate: Platform versions will be released with patches in all regions by 2026-05-25.
- AWS Deep Learning AMIs (DLAMI): AWS Deep Learning AMIs are affected. Updated AMIs for Neuron Base, Trainium, and Inferentia have been released. Customers using Neuron DLAMIs on EC2 should launch new instances with the latest Neuron DLAMI version.
- SageMaker: SageMaker is rolling out patched compute environments across all services for CVE-2026-43284 and CVE-2026-43500:
  - All Notebook instances that are created or restarted after May 20, 2026 will automatically include the patched kernel. Customers should restart their notebooks to pick up the latest kernel version.
  - All HyperPod clusters will be available to be patched by May 20, 2026. This will require customers to update their cluster software to pick up the latest kernel.
  - All SageMaker Inference Endpoints, Studio, and Canvas resources created, restarted, or updated after May 20, 2026 will include the patched kernel. Customers should restart their Studio and Canvas apps to pick up the latest kernel version.
  - All SageMaker Training Jobs, Processing Jobs, and Batch Transform jobs launched after May 20, 2026 will automatically use the patched kernel. No customer action required.
  - AWS will begin patching all existing SageMaker resources as soon as the patches are available, with the exception of HyperPod as noted above.
No customer action is required for Fargate/ECS Managed Instances customers.
CVE-2026-31431 (also known as copy.fail)
CVE-2026-31431 is a privilege escalation issue affecting the Linux Kernel module algif_aead. For more information see: https://aws.amazon.com/security/security-bulletins/2026-026-aws/.
Affected services:
- Amazon Linux: Amazon Linux kernels 4.14, 5.4, 5.10, 5.15, 6.1, 6.12, and 6.18 are affected. AWS has released updates to Amazon Linux addressing this issue. We recommend that customers apply the available kernel updates for their environment.
- Bottlerocket: AWS has released updates addressing this issue for all supported versions of Bottlerocket. Customers should apply all available updates to their Bottlerocket hosts.
- ECS: Updates addressing this issue for ECS on EC2 and ECS Managed Instances are available. Customers should apply all available updates.
- EKS: Updates addressing this issue for EKS-optimized AMIs are available. Customers should apply all available updates.
- EMR: AWS will release updates for EMR by 2026-05-20.
- Fargate: AWS will release updates for Fargate 1.3 by 2026-05-19 and for Fargate 1.4 by 2026-05-15.
- AWS Deep Learning AMIs (DLAMI): AWS Deep Learning AMI instances are affected. Updated AMIs addressing this issue for Neuron Base, Trainium and Inferentia are available. Customers using DLAMIs on EC2 should launch new instances from the latest DLAMI versions.
- SageMaker:
  - All Notebook instances that are created or restarted after 2026-05-15 will automatically include the patched kernel. Customers should restart their notebooks to pick up the latest kernel version.
  - All HyperPod clusters will be available to be patched by 2026-05-15. Customers will be required to update their cluster software to pick up the latest kernel.
  - All SageMaker Inference Endpoints, Studio, and Canvas resources created, restarted, or updated after 2026-05-15 will include the patched kernel. Customers should restart their Studio and Canvas apps to pick up the latest kernel version.
  - All SageMaker Training, Processing Jobs, and Batch Transform jobs launched after 2026-05-15 will automatically use the patched kernel. No customer action required.
  - AWS will begin patching all existing SageMaker resources as soon as the patches are available, with the exception of HyperPod as noted above.
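The following read-only host check is an added example, not AWS tooling or part of the original bulletin: it reports which of the kernel modules named in this bulletin are currently loaded and whether the running kernel belongs to an Amazon Linux series listed as affected. The function names and the sample module list are constructed for illustration, and a listed series still has to be compared against the released kernel update.

```sh
#!/bin/sh
# Added example: read-only triage against the modules and kernel series
# named in this bulletin. Function names are hypothetical.

# Map a module name to the issue the bulletin associates with it.
issue_for_module() {
    case "$1" in
        espintcp)            echo "Fragnesia" ;;
        xfrm_user|esp4|esp6) echo "DirtyFrag" ;;
        algif_aead)          echo "copy.fail" ;;
        *)                   return 1 ;;
    esac
}

# Constructed sample in /proc/modules format (not captured from a real host).
sample_modules() {
    cat <<'EOF'
nf_tables 311296 0 - Live 0x0000000000000000
esp4 28672 0 - Live 0x0000000000000000
xfrm_user 57344 2 - Live 0x0000000000000000
algif_aead 16384 0 - Live 0x0000000000000000
EOF
}

# Read /proc/modules-format text on stdin and print "<module> <issue>" for
# each bulletin module found. Only currently loaded modules are listed there.
loaded_bulletin_modules() {
    while read -r name _rest; do
        issue=$(issue_for_module "$name") && echo "$name $issue"
    done
    return 0
}

# Reduce a kernel release string (as printed by uname -r) to major.minor.
kernel_series() {
    echo "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if the series is one the bulletin lists for Amazon Linux.
series_listed() {
    case "$1" in 4.14|5.4|5.10|5.15|6.1|6.12|6.18) return 0 ;; esac
    return 1
}

# Report on the running host only when invoked with --report.
if [ "${1:-}" = "--report" ]; then
    series=$(kernel_series "$(uname -r)")
    series_listed "$series" && echo "kernel $series is a listed series; confirm the update is installed"
    loaded_bulletin_modules < /proc/modules
fi
```

The kernel series list in the bulletin applies to Amazon Linux; on other distributions only the module check is meaningful.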