Quick Summary
- Fedora 44 shipped an important kernel update (7.0.4-200.fc44) that fixes Dirty Frag and Copy Fail 2.
- To fix the Dirty Frag and Copy Fail 2 vulnerabilities in Fedora 44, run sudo dnf upgrade --advisory FEDORA-2026-8cffa03dad and reboot.
- Fedora patched CVE-2026-43500 (the RxRPC half) before upstream mainline even had a fix for it. That is unusual, because distributions typically wait for upstream, but the Fedora team treated this as a genuine emergency, not a routine update cycle.
Fedora 44 Kernel 7.0.4 Fixes Dirty Frag and Copy Fail 2
Fedora 44 just got a significant security update. The Fedora team pushed Linux Kernel 7.0.4-200.fc44 to the stable updates channel, and it carries a critical fix for the Dirty Frag and Copy Fail 2 vulnerabilities. If you currently use Fedora Linux 44, you should apply it today.
What are Dirty Frag and Copy Fail 2?
To understand why this update is important, you need a bit of background.
On May 7, 2026, security researcher Hyunwoo Kim publicly disclosed a new Linux kernel exploit called Dirty Frag. It actually chains two separate vulnerabilities together:
- CVE-2026-43284: A flaw in the IPsec ESP subsystem (the esp4 and esp6 kernel modules)
- CVE-2026-43500: A flaw in the RxRPC subsystem
Together, these two bugs let any unprivileged local user gain full root access on a vulnerable system.
The exploit is also deterministic. It does not depend on a race condition or precise timing, so it works reliably every time. On top of that, a working proof-of-concept is already public, which means attackers do not need to build their own tools.
Dirty Frag is the successor to Copy Fail (CVE-2026-31431), another Linux kernel privilege escalation bug disclosed just a week earlier.
The two bugs belong to the same class of vulnerabilities. Both abuse the Linux page cache to corrupt in-memory copies of files, allowing an attacker to hijack privileged executables.
A separate exploit called Copy Fail 2: Electric Boogaloo also targets the same Dirty Frag code paths, so fixing Dirty Frag covers that one too.
Importantly, Dirty Frag remains dangerous even on systems where you already applied the Copy Fail mitigation. The two bugs hit different kernel subsystems, so disabling algif_aead (the Copy Fail workaround) does nothing to stop Dirty Frag.
Fedora Team Responded Quickly
The embargo on Dirty Frag broke ahead of schedule on May 7, before distributions had time to prepare. Despite this, the Fedora team shipped a patched kernel 7.0.4-200.fc44 within roughly 24 hours. The update landed in the stable channel on May 8, 2026.
The fix covers both CVEs. The changelog shows two specific commits:
- xfrm: esp: avoid in-place decrypt on shared skb frags (closes CVE-2026-43284)
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present (closes CVE-2026-43500)
Notably, CVE-2026-43500 did not yet have an upstream patch at the time of disclosure. Fedora still shipped a fix for it, which reflects how seriously the team treated this vulnerability.
What Changed From Kernel 6.19?
Fedora Linux 44 originally launched on April 28, 2026, with Kernel 6.19. So this update also brings the general improvements that come with the 7.0 branch.
Linux Kernel 7.0 is a solid release. Some highlights include:
- XFS self-healing: XFS can now fix metadata corruption online, without unmounting the filesystem.
- Improved swap performance: A redesigned swap table delivers meaningful speedups in memory-heavy workloads.
- Rust infrastructure: Rust support has graduated from experimental to a stable, permanent part of the kernel build system.
That said, the security fix is the reason to install this update now. The rest is a welcome bonus.
Who Is Affected?
Dirty Frag affects a wide range of Linux distributions, including Fedora. The vulnerable code paths date back to around 2017 (for the ESP bug) and 2023 (for the RxRPC bug). So most Fedora 44 users running the original 6.19 kernel are exposed.
The risk is highest in shared environments, like multi-user systems, CI/CD runners, container hosts, and Kubernetes nodes, because those are places where an unprivileged attacker is most likely to already have a local shell.
Update Fedora 44 Today
The update rolls out to all Fedora 44 variants, including Workstation, Silverblue, and Kinoite. Applying it is straightforward.
For standard Fedora (DNF):
sudo dnf upgrade --advisory FEDORA-2026-8cffa03dad
sudo reboot
Or, to refresh the repository metadata and apply all pending updates, which include the new kernel:
sudo dnf --refresh upgrade
sudo reboot
If your mirrors have not synced yet, wait an hour and try again. Most Fedora mirrors refresh every three hours.
After rebooting, confirm your kernel version:
uname -mrs
You should see 7.0.4-200.fc44 or newer, for example:
Linux 7.0.4-200.fc44.x86_64 x86_64
What If I Cannot Reboot Right Now?
If you need a temporary workaround while you wait for a maintenance window, you can block the vulnerable modules from loading:
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
| sudo tee /etc/modprobe.d/dirty-frag-mitigation.conf
This prevents the exploit from running, but it also disables IPsec VPN support. Review your workload before applying this in a production environment. Either way, you should plan to reboot into the patched kernel as soon as you can.
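The kernel version check and the module workaround above can be verified together. The script below is an added example, not part of the original article or of Fedora's tooling; its function names and verdict labels are assumptions made for illustration. It also reports the case where the modprobe rules are in place but a module was loaded beforehand, because those rules only stop future loads and do not unload anything.

```shell
#!/bin/sh
# Added example (not from the article): classify a host against the fix and
# workaround described above. Inputs are passed in so it can run on saved data.
FIXED="7.0.4-200.fc44"   # first fixed Fedora 44 build, per the article
MODS="esp4 esp6 rxrpc"   # modules the workaround blocks, per the article

# kernel_is_patched RELEASE: succeeds if RELEASE (uname -r) sorts at or above FIXED.
kernel_is_patched() {
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# loaded_vulnerable FILE: print each module in MODS present in FILE
# (/proc/modules format: the module name is the first field).
loaded_vulnerable() {
    for m in $MODS; do
        awk -v m="$m" '$1 == m { print m }' "$1"
    done
}

# unblocked_modules CONF...: print each module in MODS that has no
# "install <module> /bin/false" (or /bin/true) line in the given modprobe configs.
unblocked_modules() {
    for m in $MODS; do
        cat /dev/null "$@" 2>/dev/null | awk -v m="$m" \
            '$1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { ok = 1 }
             END { exit !ok }' || echo "$m"
    done
}

# audit RELEASE PROC_MODULES CONF...: print one verdict.
#   patched            running kernel has the fix
#   exposed            old kernel and at least one module can still be loaded
#   blocked-but-loaded install lines exist, but a module was loaded before they
#                      took effect; modprobe config does not unload it
#   mitigated          old kernel, all three modules blocked and none loaded
audit() {
    release=$1; procmods=$2; shift 2
    if kernel_is_patched "$release"; then echo patched
    elif [ -n "$(unblocked_modules "$@")" ]; then echo exposed
    elif [ -n "$(loaded_vulnerable "$procmods")" ]; then echo blocked-but-loaded
    else echo mitigated
    fi
}

# Live use: sh audit.sh live
if [ "${1:-}" = live ]; then
    audit "$(uname -r)" /proc/modules /etc/modprobe.d/*.conf
fi
```

A blocked-but-loaded verdict means the listed modules still need to be unloaded, or the host rebooted, before the workaround takes effect.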
Conclusion
The Fedora team quickly shipped a complete fix for Dirty Frag, including the RxRPC half, before many other distributions had anything ready. If you run Fedora 44, update now, reboot, and verify your kernel version.