The free and open source Linux kernel has seen three serious local privilege escalation (LPE) vulnerabilities in recent weeks, starting with the Copy Fail bug uncovered at the end of last month.
A further two LPEs emerged last week, with proofs-of-concept: Dirty Frag, and Copy Fail 2.
Hyunwoo Kim reported the Dirty Frag bug to the Linux security team, and it was embargoed until May 12 to allow patches to be developed and be ready for distribution.
However, on May 7 the embargo was broken by "an unrelated third-party", and Kim disclosed the Dirty Frag vulnerability early, before full patches were ready.
The embargo breach was accidental, Trevor, the developer who spotted the Copy Fail 2 vulnerability and who also uses the handle _SiCK, confirmed to iTnews.
They were not aware of the embargo for Dirty Frag, and discovered the LPE primitive in a code commit.
"Anyone can read code commits," Trevor said.
"There was no magic involved; I cannot break an embargo which I never entered into, or agreed to therein," they added.
"If code is indeed speech, the very idea of trying to censor it from eyes when it is open source is laughable," Trevor said.
Trevor said no artificial intelligence (AI) was used for the vulnerability discovery.
Dirty Frag and Copy Fail 2 in same class of vulnerabilities
Both Dirty Frag and Copy Fail 2 can be used to raise standard users on Linux-based systems to root status, which is the top-level account that has full administrative rights and privileges.
As they are logic bugs not dependent on timing windows, neither vulnerability requires a race condition win, and they do not panic the Linux kernel on failure; they also have a high rate of success.
Technically, Dirty Frag chains two page-cache primitives in two different subsystems; when exploited together, Dirty Frag can achieve root on most Linux distributions such as Ubuntu 24.04.4, Red Hat Enterprise Linux 10.1, openSUSE Tumbleweed, Fedora 44 and CentOS Stream 10.
It is a bug in the same family as Copy Fail, Kim - who reported the bug - said.
Copy Fail 2, meanwhile, is indexed as CVE-2026-43284, with the vulnerable code dating back to January 2017.
Trevor (_SiCK) tested Copy Fail 2 on Ubuntu 24.04 and 26.04 Long Term Support, Debian 13 and Arch Linux, and achieved root with the LPE.
A patch has been developed for Copy Fail 2, but as of writing, only one bug has been fixed for the Dirty Frag vulnerability.
Blacklisting the esp4 and esp6 kernel modules mitigates Copy Fail 2, but it also stops the IPsec protocol used to secure data traffic from working.
For Dirty Frag, blacklisting the rxrpc module is required as well as esp4 and esp6, but doing so stops the distributed Andrew File System (AFS) from working.
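An added example, not from the article or the kernel project: a shell check that reads modprobe configuration text and reports, for the three modules named above, whether each is disabled and whether it is still loaded. The sample configuration and the /proc/modules line are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Modules named in the article: esp4/esp6 (Copy Fail 2), plus rxrpc (Dirty Frag).
MODULES="esp4 esp6 rxrpc"

# Constructed sample: a partial mitigation, and one module already in memory.
SAMPLE_CONF='# /etc/modprobe.d/lpe-mitigation.conf (constructed sample)
blacklist esp4
install esp4 /bin/false
blacklist esp6
# rxrpc left untouched'
SAMPLE_LOADED='esp6 24576 0 - Live 0x0000000000000000'

# module_status CONFIG_TEXT MODULE
# Prints "install-disabled" (modprobe runs a no-op instead of loading),
# "blacklisted" (the module's aliases are ignored, so alias-driven
# autoloading stops, but loading it by name still works) or "loadable".
module_status() {
    printf '%s\n' "$1" | awk -v m="$2" '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "blacklist" && $2 == m { bl = 1 }
        $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { inst = 1 }
        END { print inst ? "install-disabled" : (bl ? "blacklisted" : "loadable") }'
}

# audit_config CONFIG_TEXT LOADED_TEXT
# LOADED_TEXT uses the /proc/modules format. Returns 0 only when every
# module is disabled in the configuration and not currently loaded.
audit_config() {
    rc=0
    for m in $MODULES; do
        st=$(module_status "$1" "$m")
        loaded=no
        printf '%s\n' "$2" | grep -q "^$m " && loaded=yes
        printf '%-6s config=%s loaded=%s\n' "$m" "$st" "$loaded"
        # A module loaded before the config change stays loaded until it is
        # removed or the host reboots, so report that as a failure too.
        [ "$st" != loadable ] && [ "$loaded" = no ] || rc=1
    done
    return $rc
}

# Run on the constructed sample. On a live host, pass real data instead:
#   audit_config "$(modprobe --showconfig)" "$(cat /proc/modules)"
audit_config "$SAMPLE_CONF" "$SAMPLE_LOADED" || echo "mitigation incomplete"
```

A non-zero result on a host that needs IPsec or AFS is expected, since those services depend on the modules being loadable.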
Linux disclosure process under pressure from parallel discovery
While Copy Fail 2 wasn't found with AI, parallel discovery of bugs via large language models was raised by engineer Jeremy Stanley, of the Open Infrastructure Foundation, at the end of April this year as problematic for vulnerability embargoes.
"I'm sorely tempted, both due to the increased volume and the risk of premature disclosure, to just assume that any vulnerability reported as a result of research using an LLM is trivially discoverable by others, and give up trying to pretend there's any point to working it under embargo," Stanley wrote.
"Similarly, it makes sense to me that patch development and descriptive prose shouldn't be produced with LLM assistance for any vulnerability that is being worked under an embargo," he added.
Developer Greg Dahlman made the point that embargo periods of 14 days at the most are far shorter than training cycles for foundational AI models; using an LLM on embargoed vulnerabilities is unlikely to surface them for others, due to the time-scales involved.
Instead, Dahlman posited that LLMs have dramatically lowered the cost of vulnerability discovery and reporting, but not the cost and speed of patching the bugs at the same rate, an asymmetry that shortening or completely dropping embargoes won't fix.
Linux kernel stable tree maintainer Greg Kroah-Hartman concurred, and said duplicate reports about the same issue are seen from different groups, within the time period it takes to get a fix merged, in just a few days.




