Recent Linux kernel vulnerabilities, specifically Copy Fail (CVE-2026-31431) and DirtyFrag, demonstrate how page cache corruption can lead to reliable privilege escalation. Copy Fail exploits the authencesn cryptographic template via splice() to write to the page cache of read-only files, while DirtyFrag extends this to the networking stack using AF_NETLINK and AF_RXRPC. These flaws are significant as they bypass traditional disk-based file integrity checks and have been observed in active exploitation.
To counter these threats, detection strategies should focus on underlying primitives rather than specific proof-of-concept implementations. Effective monitoring involves tracking system calls like socket(AF_ALG) and splice(), alongside namespace manipulations via unshare(). Mitigation involves a combination of kernel patching, module blocking (such as algif_aead or rxrpc), and restricting unprivileged user namespace creation to harden systems against these page-cache write variants.
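The primitive-focused monitoring described above can be expressed as a small correlation over Linux audit SYSCALL records. The following is an added example, not code from the original post or from any vendor: it parses constructed audit lines, tags the three primitives the text names (socket(AF_ALG)/socket(AF_RXRPC)/socket(AF_NETLINK), splice(), and unshare() with CLONE_NEWUSER) and scores their co-occurrence per pid. The sample log lines and the `key=` names are constructed; the syscall numbers assume the x86_64 audit arch (arch=c000003e), and the severity thresholds are a hypothetical starting point, not a vendor rule.

```python
"""Correlate Linux audit SYSCALL records for the page-cache write primitives
discussed above.  Example code written for this page (not the original author's
or any project's detection rule); audit field names follow the SYSCALL record
format, syscall numbers are x86_64 (arch=c000003e)."""
import re
from collections import defaultdict

# x86_64 syscall numbers; other architectures need their own table.
SYSCALL_SOCKET = 41
SYSCALL_UNSHARE = 272
SYSCALL_SPLICE = 275

# Address families from <sys/socket.h>; AF_NETLINK is ubiquitous, AF_ALG and
# AF_RXRPC are rare on most hosts and therefore carry more signal.
AF_NETLINK = 16
AF_RXRPC = 33
AF_ALG = 38
FAMILY_NAMES = {AF_ALG: "AF_ALG", AF_RXRPC: "AF_RXRPC", AF_NETLINK: "AF_NETLINK"}
RARE_FAMILIES = {"socket:AF_ALG", "socket:AF_RXRPC"}

CLONE_NEWUSER = 0x10000000  # unshare(2) flag for a new user namespace

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify(rec):
    """Return a primitive tag for a SYSCALL record, or None if uninteresting."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return None
    nr = int(rec.get("syscall", "-1"))
    a0 = int(rec.get("a0", "0"), 16)  # audit prints syscall args as bare hex
    if nr == SYSCALL_SOCKET and a0 in FAMILY_NAMES:
        return "socket:" + FAMILY_NAMES[a0]
    if nr == SYSCALL_SPLICE:
        return "splice"
    if nr == SYSCALL_UNSHARE and a0 & CLONE_NEWUSER:
        return "unshare:CLONE_NEWUSER"
    return None


def correlate(lines):
    """Group primitive tags per pid and assign a severity.

    high   : a rare socket family (AF_ALG/AF_RXRPC) plus splice() in one process
    medium : a rare socket family alone, or splice() combined with a fresh
             user namespace (the unprivileged path the text warns about)
    low    : anything else that matched a single primitive (e.g. AF_NETLINK)
    """
    seen = defaultdict(lambda: {"comm": "?", "primitives": set()})
    for line in lines:
        rec = parse_record(line)
        tag = classify(rec)
        if tag is None:
            continue
        entry = seen[rec.get("pid", "?")]
        entry["comm"] = rec.get("comm", entry["comm"])
        entry["primitives"].add(tag)

    report = {}
    for pid, entry in seen.items():
        p = entry["primitives"]
        if p & RARE_FAMILIES and "splice" in p:
            severity = "high"
        elif p & RARE_FAMILIES or ("splice" in p and "unshare:CLONE_NEWUSER" in p):
            severity = "medium"
        else:
            severity = "low"
        report[pid] = {"comm": entry["comm"],
                       "primitives": sorted(p),
                       "severity": severity}
    return report


# Constructed sample records (not real telemetry): one process chaining all
# three primitives, a daemon using AF_NETLINK, and a plain file copy via splice.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 comm="poc" exe="/tmp/poc" key="ns_watch"',
    'type=SYSCALL msg=audit(1700000000.102:12): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 comm="poc" exe="/tmp/poc" key="af_alg"',
    'type=PROCTITLE msg=audit(1700000000.102:12): proctitle="./poc"',
    'type=SYSCALL msg=audit(1700000000.103:13): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=4 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 comm="poc" exe="/tmp/poc" key="splice_watch"',
    'type=SYSCALL msg=audit(1700000000.200:14): arch=c000003e syscall=41 success=yes exit=7 a0=10 a1=3 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="NetworkManager" exe="/usr/sbin/NetworkManager" key="netlink"',
    'type=SYSCALL msg=audit(1700000000.300:15): arch=c000003e syscall=275 success=yes exit=65536 a0=3 a1=0 a2=4 a3=0 items=0 ppid=2000 pid=1777 auid=1000 uid=1000 gid=1000 comm="cp" exe="/usr/bin/cp" key="splice_watch"',
]

if __name__ == "__main__":
    for pid, info in correlate(SAMPLE_LOG).items():
        print(f"pid={pid} comm={info['comm']} severity={info['severity']} "
              f"primitives={','.join(info['primitives'])}")
```

Feeding the constructed sample through `correlate()` flags pid 4242 as high (AF_ALG socket plus splice in one process, inside a new user namespace) while the NetworkManager AF_NETLINK socket and the plain `cp` splice stay low. In production the records would come from auditd rules on the `socket`, `splice` and `unshare` syscalls, and the alert pairs naturally with the mitigations above (blocking the affected modules and restricting unprivileged user namespace creation).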