Two new Linux kernel vulnerabilities have been publicly disclosed in the past two weeks:
Copy Fail (CVE-2026-31431): Disclosed April 29, 2026. CVSS 7.8 (High). A flaw in the kernel's cryptographic subsystem (algif_aead) that allows a local user to escalate privileges to root.
Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Disclosed May 7, 2026. A flaw in the kernel's IPsec (esp4/esp6) and rxrpc networking modules, also resulting in local privilege escalation to root.
Both vulnerabilities require an attacker to already have local access to the system. Successful exploitation grants full administrative (root) control.
Linux VPS customers: No action required. Our team has already applied mitigations covering both vulnerabilities, and your services are not exposed.
Premium VPS customers: Because you manage your own kernel, please update to a patched version as soon as your distribution releases one. Copy Fail is fixed in mainline kernels 6.18.22, 6.19.12, and 7.0; Dirty Frag patches are rolling out across major distributions now.
VPSDime's team monitors every kernel CVE and deploys mitigations as soon as they are warranted.
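For Premium VPS customers, a quick triage check, added here as an example and not VPSDime's own tooling: it compares the running kernel release against the Copy Fail fixed versions listed above and reports which of the modules named in the two advisories are loaded. The function names are hypothetical, and because distributions backport fixes, the version result is a hint to confirm against your distribution's advisory.

```shell
#!/bin/sh
# Added example. Version floors and module names come from the advisory text.

# Classify a kernel release string (e.g. from `uname -r`) for Copy Fail.
# Prints one of: fixed | below-fixed | check-vendor
copyfail_status() {
    ver=${1%%-*}                       # drop distro suffix: 6.18.22-1-amd64 -> 6.18.22
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0     # no minor component present
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0  # e.g. "7.0" has no patch component
    minor=${minor%%[!0-9]*}            # keep leading digits only
    patch=${patch%%[!0-9]*}
    case $major in ''|*[!0-9]*) echo check-vendor; return ;; esac
    if [ "$major" -ge 7 ]; then echo fixed; return; fi
    floor=
    case "$major.$minor" in
        6.18) floor=22 ;;
        6.19) floor=12 ;;
    esac
    if [ -z "$floor" ]; then
        # Branch not listed in the advisory: a distribution may have backported
        # the fix, so the version number alone is not conclusive.
        echo check-vendor
    elif [ "${patch:-0}" -ge "$floor" ]; then
        echo fixed
    else
        echo below-fixed
    fi
}

# List which modules named in the advisories are currently loaded.
# $1: modules file (default /proc/modules). Built-in code is not listed there.
affected_modules_loaded() {
    file=${1:-/proc/modules}
    [ -r "$file" ] || return 0
    for m in algif_aead esp4 esp6 rxrpc; do
        if grep -q "^$m " "$file"; then echo "$m"; fi
    done
}

echo "Copy Fail status for $(uname -r): $(copyfail_status "$(uname -r)")"
echo "Loaded modules named in the advisories: $(affected_modules_loaded | tr '\n' ' ')"
```

A `check-vendor` or `below-fixed` result means the distribution's security tracker for the listed CVEs is the authority, not the version string.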