On April 29, 2026, a Linux kernel privilege escalation called Copy Fail (CVE-2026-31431) became public on the oss-security mailing list. A short Python script, runnable by any unprivileged user, returned a root shell on most enterprise Linux servers running kernels from 2017 onward.

Right after the kernel privilege-escalation chain in the XFRM/ESP subsystem (Copy Fail, Dirty Frag, Fragnesia), Qualys disclosed a different Linux kernel issue. This time in the ptrace access-check path. CVE-2026-46333 is reserved for tracking this vulnerability. A public proof-of-concept exists. An unprivileged local user on an affected host can use it to read root-owned secrets (SSH host private keys and the shadow password database) without obtaining root privileges directly.

Less than a week after Dirty Frag, researcher William Bowling and the V12 team disclosed a third Linux kernel local privilege escalation in the same broad area (XFRM / ESP) and named it Fragnesia. A working public proof-of-concept exists. Any unprivileged local user can use it to gain root in a single command.

Most kernel CVEs follow a predictable rhythm for hosting providers: read the advisory, schedule a maintenance window, reboot during off-peak. Copy Fail (CVE-2026-31431) breaks that rhythm. It's a deterministic vulnerability, universal across Linux distributions, and lets a single compromised account on a shared host pivot to root over every other account on the same node. CISA added it to the actively-exploited list with a May 15 federal patch deadline. A severe combination for shared hosting: high impact on multi-tenant servers, and a fix that requires a reboot on every box.