🚨 Over the last month, 6 critical Linux kernel LPE vulnerabilities were discovered that allow local users to gain root access via page-cache overwrite attacks 🐧💀

What makes this wave interesting is that almost all of them abuse the same concept:
zero-copy optimizations ➜ page-cache overwrite ➜ replace SUID binaries ➜ root.

🔥 The bugs:

🔹 CVE-2026-31431 — Copy Fail
AF_ALG + splice() abuse enables page-cache writes.
Affects Linux 4.14+.

🔹 CVE-2026-43284 — Dirty Frag (xfrm-ESP)
Bug in the IPsec ESP decrypt path.
Local user ➜ root.

🔹 CVE-2026-43500 — Dirty Frag (RxRPC)
Another page-cache overwrite via RxRPC crypto handling.

🔹 CVE-2026-46300 — Fragnesia
“Copy Fail 3.0” 😅
Allows byte-by-byte modification of cached files.

🔹 CVE-2026-31635 — DirtyDecrypt / DirtyCBC
Length-check bug in RxRPC ➜ page-cache corruption ➜ root.

🔹 PinTheft (CVE pending)
RDS + io_uring + double-free = overwrite SUID binaries.

⚠️ Most of these vulnerabilities already have public PoCs/exploits available.

Recommendations:
✅ patch kernels ASAP
✅ reboot after updates
✅ disable unused modules (rxrpc, rds, algif_aead, esp4/esp6)

2026 is rapidly becoming the year of page-cache exploitation 🫠