Product Security Alert - CVE-2026-31431 "Copy Fail", "Copy Fail 2" CVE-2026-43500, and "Dirty Frag" CVE-2026-43284

May 7, 2026

Alerted Vulnerabilities

On April 30, 2026, the "Copy Fail" vulnerability CVE-2026-31431 was reported to the Wind River PSIRT team. A flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface: an incorrect in-place operation was performed in cases where the source and destination data mappings differed. This can lead to unexpected behavior or data-integrity issues during cryptographic operations, potentially affecting the reliability of encrypted communications. CVE record: https://www.cve.org/CVERecord?id=CVE-2026-31431

Additionally, on May 1, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalog, escalating this vulnerability to a High-Profile PSIRT case. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431

On May 8, 2026, the "Dirty Frag" vulnerability CVE-2026-43284 and the related CVE-2026-43500 were publicly disclosed. This is a Local Privilege Escalation (LPE) vulnerability that allows an attacker with local access (including SSH access) to gain root privileges by manipulating the page cache. It affects a large number of Linux distributions and is particularly critical because it can be exploited deterministically and does not depend on winning a race condition.
CVE records: https://www.cve.org/CVERecord?id=CVE-2026-43284 and https://www.cve.org/CVERecord?id=CVE-2026-43500

Additionally, on May 11, 2026, CISA added CVE-2026-43284 to the Known Exploited Vulnerabilities (KEV) catalog, escalating this vulnerability to a High-Profile PSIRT case. See CISA's "Vulnerability Summary for the Week of May 4, 2026".

Wind River Affected Products

  • eLxr Pro - All Versions
  • Wind River Linux - All Versions
  • Wind River Studio Developer - Limited impact
  • Wind River Cloud Platform - Limited impact

Alerted CVEs

  • CVE-2026-43284
  • CVE-2026-43500
  • CVE-2026-31431

Impacted Products

No other Wind River products use the Linux kernel, so they are not impacted by these vulnerabilities.

Mitigations

Wind River recommends the officially updated packages and distributions listed in the Remediation section below. For Copy Fail, the community has identified a possible workaround:

Source: https://cert.europa.eu/publications/security-advisories/2026-005/

Disable the algif_aead kernel module persistently on all affected systems until a patched kernel is available:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true

This workaround does not affect dm-crypt/LUKS, kTLS, IPsec/XFRM, OpenSSL, GnuTLS, NSS, or SSH. It may affect applications explicitly configured to use the afalg engine or that bind aead/skcipher/hash sockets directly. Exposure can be assessed with lsof | grep AF_ALG.
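The following script is an added example and is not part of the Wind River advisory or the CERT-EU source. It generalises the modprobe.d workaround above to an arbitrary list of modules (the same approach the Dirty Frag mitigation uses for xfrm_user, ipcomp4 and ipcomp6) and adds two checks a practitioner needs before trusting it: whether a module is compiled into the running kernel, in which case a modprobe.d line cannot block it and only a kernel update helps, and whether it is currently loaded, in which case rmmod is still required. File paths default to the running kernel's; the module list, conf file name and APPLY_WORKAROUND switch are this example's own choices, and the originally disclosed Dirty Frag modules are not named in the advisory, so they must be added from the cited sources.

```shell
#!/bin/sh
# Added example, not from the Wind River advisory or CERT-EU.
# Generalises "install <module> /bin/false" to a module list and checks
# for built-in (unblockable) and currently loaded modules.

# Paths default to the running kernel; tests may point them elsewhere.
BUILTIN_FILE=${BUILTIN_FILE:-/lib/modules/$(uname -r)/modules.builtin}
PROC_MODULES=${PROC_MODULES:-/proc/modules}

# 0 if module $1 is compiled into the kernel (listed in modules.builtin).
is_builtin() {
    [ -r "$BUILTIN_FILE" ] || return 1
    # modules.builtin holds paths such as kernel/crypto/algif_aead.ko
    grep -q "/$1\.ko\$" "$BUILTIN_FILE"
}

# 0 if module $1 is currently loaded (first field of a /proc/modules line).
is_loaded() {
    [ -r "$PROC_MODULES" ] || return 1
    grep -q "^$1 " "$PROC_MODULES"
}

# The modprobe.d line from the advisory, for an arbitrary module name.
disable_line() {
    printf 'install %s /bin/false\n' "$1"
}

# Write disable lines for modules $2.. into conf file $1. Built-in modules are
# skipped and reported on stderr because the line would have no effect.
# Prints the module names that were written, one per line.
write_disable_conf() {
    conf=$1
    shift
    : > "$conf"
    for mod in "$@"; do
        if is_builtin "$mod"; then
            echo "WARNING: $mod is built into this kernel; update the kernel instead" >&2
        else
            disable_line "$mod" >> "$conf"
            echo "$mod"
        fi
    done
}

# Processes holding AF_ALG sockets: the exposure check the advisory gives.
af_alg_users() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 1; }
    lsof -n 2>/dev/null | grep AF_ALG
}

# Apply only when explicitly requested (needs root). The module list below is
# this example's: algif_aead from the Copy Fail workaround plus the three
# modules AWS's bulletin adds for Dirty Frag. Add the originally disclosed
# Dirty Frag modules from the cited sources before applying on those hosts.
if [ "${APPLY_WORKAROUND:-0}" = "1" ]; then
    for mod in $(write_disable_conf /etc/modprobe.d/disable-vulnerable-modules.conf \
                 algif_aead xfrm_user ipcomp4 ipcomp6); do
        if is_loaded "$mod"; then
            rmmod "$mod" 2>/dev/null || echo "could not unload $mod (still in use?)" >&2
        fi
    done
fi
```

Sourcing the file without APPLY_WORKAROUND=1 only defines the functions, so `is_builtin algif_aead && echo built-in` is a safe first check on any host before deciding whether the workaround can help at all.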

For Dirty Frag, Wind River likewise recommends the officially updated packages and distributions listed in the Remediation section below, while the community has identified the following possible workarounds:
Source: "Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Detecting unpatched local privilege escalation via Linux Kernel ESP and RxRPC", Sysdig

  • Mitigate immediately on hosts that do not require IPsec transport mode or AFS by preventing the vulnerable modules from loading. AWS's 2026-027 bulletin extends the list beyond the originally disclosed three to include the surrounding xfrm_user, ipcomp4, and ipcomp6 modules. (NOTE: This is not effective if the functionality is compiled into the kernel rather than built as a module.)
  • Restrict AF_KEY, AF_RXRPC, and XFRM netlink syscalls in container runtimes via seccomp profiles; the default Docker profile already blocks AF_RXRPC but not AF_KEY or XFRM netlink configuration.
  • Deploy the Falco rule from the Sysdig article cited above to flag unprivileged use of these socket families and netlink protocols across hosts and containers.
  • Audit running workloads for legitimate IPsec and AFS users, so detection exceptions are scoped to known binaries rather than disabled.
  • Monitor for unexpected modifications to setuid binaries and /etc/passwd, and for unexpected privilege transitions following splice and vmsplice activity from unprivileged processes.
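As an added example of the seccomp item above (this is not the advisory's, Sysdig's or Docker's own profile), the script below emits a seccomp profile in the JSON format Docker accepts via --security-opt that makes socket(2) fail with EPERM for the three families the mitigation names: AF_KEY, AF_RXRPC, and AF_NETLINK restricted to the NETLINK_XFRM protocol so that other netlink families keep working. The numeric values are the Linux constants AF_KEY=15, AF_NETLINK=16, AF_RXRPC=33 and NETLINK_XFRM=6. The profile uses defaultAction SCMP_ACT_ALLOW only so that it stands alone; in practice the three "syscalls" entries should be merged into the runtime's default profile so its existing restrictions are retained.

```shell
#!/bin/sh
# Added example, not from the Wind River advisory or the Sysdig source.
# Generates a Docker-format seccomp profile that denies socket(2) for
# AF_KEY, AF_RXRPC and AF_NETLINK/NETLINK_XFRM. Constants are the Linux
# values from <linux/socket.h> and <linux/netlink.h>.

# One deny rule: socket(domain, type, protocol) with arg0 == $1 and,
# when $2 is given, arg2 == $2 as well (all args in a rule must match).
socket_deny_rule() {
    domain=$1
    proto=${2:-}
    printf '    {\n      "names": ["socket"],\n      "action": "SCMP_ACT_ERRNO",\n      "args": [\n'
    printf '        {"index": 0, "value": %s, "op": "SCMP_CMP_EQ"}' "$domain"
    if [ -n "$proto" ]; then
        printf ',\n        {"index": 2, "value": %s, "op": "SCMP_CMP_EQ"}' "$proto"
    fi
    printf '\n      ]\n    }'
}

# Whole profile on stdout. Usage:
#   seccomp_profile > /etc/docker/seccomp-no-xfrm.json
#   docker run --security-opt seccomp=/etc/docker/seccomp-no-xfrm.json ...
# defaultAction ALLOW keeps this fragment self-contained; merge the rules
# into the runtime's default profile for real deployments.
seccomp_profile() {
    printf '{\n  "defaultAction": "SCMP_ACT_ALLOW",\n  "syscalls": [\n'
    socket_deny_rule 15     # AF_KEY (PF_KEY key-management sockets)
    printf ',\n'
    socket_deny_rule 33     # AF_RXRPC (RxRPC, used by AFS)
    printf ',\n'
    socket_deny_rule 16 6   # AF_NETLINK restricted to NETLINK_XFRM
    printf '\n  ]\n}\n'
}

# Number of deny rules in the generated profile, a quick sanity check.
rule_count() {
    seccomp_profile | grep -c '"SCMP_ACT_ERRNO"'
}
```

Because the AF_NETLINK rule carries two argument comparisons, ordinary netlink users inside the container (route lookups, interface configuration) are unaffected; only XFRM configuration is refused, which matches the page's point that the default Docker profile already blocks AF_RXRPC but not AF_KEY or XFRM netlink configuration.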

Remediation

The upstream fixes for these vulnerabilities have been identified:

https://lore.kernel.org/openembedded-core/?q=CVE-2026-31431
https://lore.kernel.org/all/2026050856-CVE-2026-43284-6598@gregkh/

Wind River Engineering teams are staging and testing product updates with the upstream fixes; projected timelines depend on each product's impact:

  • eLxr Pro: updated kernel build to be released to the mirror package feeds; release estimated to be imminent
  • Wind River Linux: Kernel Update to be included in the next Hot Fix / RCPL
  • Wind River Studio Developer: Kernel Update in the Next patch release
  • Wind River Cloud Platform: Kernel update in the Next patch release

Next Steps

Please visit the Wind River Security Center for ongoing updates at https://www.windriver.com/security.

Additional Resources

Please access these additional resources for these and all vulnerabilities:

Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.