[Community Announcements] Urgent Security Update: Fix for Dirty Frag Kernel CVEs – Upgrade ASAP
deepin小助手
Super Moderator
2 hours ago

Dear deepin users and community partners,

Recently, a local privilege escalation vulnerability in the Linux kernel was disclosed, referred to in the industry as Dirty Frag or Copy Fail 2. It belongs to the same vulnerability class as the earlier Copy Fail bug. An attacker who already has local, low-privileged code execution can use it to tamper with the page cache of read-only files, escalate privileges further, and gain root access.

According to publicly available information, exploit code for this vulnerability is already circulating. Given its severity and widespread impact, we strongly recommend that all users upgrade as soon as possible to keep their systems secure.

I. Vulnerability Information

CVE IDs: CVE-2026-43284, CVE-2026-43500

Description: These vulnerabilities involve the xfrm-ESP and RxRPC processing paths within the Linux kernel network protocol stack. The issue originates in the zero-copy transmit path: an attacker can use splice() to inject a page from the page cache of a read-only file into the frag area of an sk_buff. On the receive side, under certain conditions, the kernel code fails to properly isolate or copy the externally shared frags before performing in-place encryption/decryption operations, resulting in writes that modify the page cache data. This issue belongs to the same page-cache write risk category as Dirty Pipe and Copy Fail; however, the attack vector is no longer via algif_aead but rather through sk_buff frag-related paths.

Severity: ⚠️ High

Exploitation Prerequisites:

The exploit chain primarily involves the following two trigger paths:

xfrm-ESP Page-Cache Write: The ESP input path, when processing certain non-linear skbs, may bypass the skb_cow_data() copy-and-isolate procedure and perform in-place AEAD decryption directly on skb frags. Once the local trigger conditions are met, an attacker can cause controlled writes to the page cache.

RxRPC Page-Cache Write: The RxRPC RXKAD security verification path performs in-place decryption on the skb payload. In unpatched kernels, if an skb frag points to a page cache page of a read-only file, the decryption writes will land on the page cache, modifying the in-memory image of the read-only file.

Exploitation does not require remote network exposure. An attacker must first have local low-privilege code execution, such as a regular user shell, a compromised service process, a container process, or another restricted execution environment. A successful trigger can then yield root privileges on the host.

Affected Scope:

All users running an unpatched deepin 25 are affected; updating and upgrading immediately is recommended.

II. Fix Progress

deepin 25 (6.6 and 6.18 kernels): The security updates have been pushed – please upgrade as soon as possible!
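A kernel update only takes effect after booting into the new kernel. The following check is an added example, not part of this announcement or deepin's own tooling: it compares the running kernel (uname -r) with the newest installed linux-image package and reports whether a reboot is still pending. It assumes a Debian-style dpkg database, as deepin 25 uses; the package names in the comments are constructed samples, not real deepin package names.

```shell
#!/bin/sh
# Added example: confirm the machine is actually running the newest installed
# kernel after applying the Dirty Frag update. Assumes dpkg is available.

# Read linux-image package names (one per line) on stdin and print the version
# part of each, e.g. "linux-image-6.6.0-deepin" -> "6.6.0-deepin".
# Versionless meta-packages such as "linux-image-amd64" are skipped.
kernel_versions_from_packages() {
    sed -n 's/^linux-image-\([0-9][^[:space:]]*\).*/\1/p'
}

# Print the highest version from a newline-separated list (natural version sort,
# so 6.18.0 sorts above 6.6.1).
newest_version() {
    sort -V | tail -n 1
}

# Succeed (exit 0) when the running kernel release ($1) equals the newest
# installed kernel version ($2); fail otherwise.
running_is_newest() {
    [ "$1" = "$2" ]
}

# List fully installed linux-image packages from the dpkg database.
installed_kernel_packages() {
    dpkg-query -W -f='${Package}\t${Status}\n' 'linux-image-*' 2>/dev/null \
        | awk -F'\t' '$2 == "install ok installed" { print $1 }'
}

# Compare the live system state and print a verdict; exit 1 if a reboot is pending.
check_running_kernel() {
    running=$(uname -r)
    newest=$(installed_kernel_packages | kernel_versions_from_packages | newest_version)
    if [ -z "$newest" ]; then
        echo "no versioned linux-image packages found" >&2
        return 2
    fi
    if running_is_newest "$running" "$newest"; then
        echo "OK: running newest installed kernel ($running)"
    else
        echo "REBOOT NEEDED: running $running, newest installed is $newest"
        return 1
    fi
}

# Run the live check only when invoked with --run, so sourcing the file is side-effect free.
case "${1:-}" in --run) check_running_kernel ;; esac
```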
