Linux Copy Fail and Dirty Frag vulnerabilities
This article is related to Security.
Issue
Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284) are two high-profile Linux kernel vulnerabilities that allow local privilege escalation, disclosed on May 2 and May 8, 2026, respectively.
Impact on SpinetiX products
DSOS
Dirty Frag (CVE-2026-43284) does not affect DSOS because none of the affected kernel modules (esp4, esp6, rxrpc, ipcomp4 and ipcomp6) is included in or compiled as part of DSOS.
Copy Fail (CVE-2026-31431) does affect DSOS on all models except HMP350, HMP300 and DiVA. However, exploiting it requires local access, so it would have to be coupled with another remote code execution vulnerability, and SpinetiX is not aware of any on DSOS. It is therefore being treated as a non-critical vulnerability and will be patched in DSOS 4.9.8.
The only known vector for remote code execution on DSOS is the JavaScript engine in the SVG and HTML renderers, and these do not give access to the AF_ALG kernel APIs required to exploit these vulnerabilities.
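An added example, not SpinetiX's own code: a check an administrator can run on a general Linux host to see whether the modules listed above are built in, loaded or present on disk, and whether a process can open an AF_ALG socket. It goes beyond the DSOS case; it assumes the standard `/proc/modules` and `/lib/modules/<release>/` locations, and the sample strings are constructed.

```python
import os
import socket
from pathlib import Path

# Module names as listed on this page. "ipcomp4" is the page's name; mainline
# kernels build the IPv4 IPComp module as ipcomp.ko, so that name is checked too.
DIRTY_FRAG_MODULES = {"esp4": ("esp4",), "esp6": ("esp6",), "rxrpc": ("rxrpc",),
                      "ipcomp4": ("ipcomp4", "ipcomp"), "ipcomp6": ("ipcomp6",)}

# Constructed sample input, not taken from any real device.
SAMPLE_PROC_MODULES = "rxrpc 405504 0 - Live 0x0000000000000000\nnfs 1 0 - Live 0x0\n"
SAMPLE_BUILTIN = "kernel/net/ipv4/esp4.ko\nkernel/crypto/af_alg.ko\n"
SAMPLE_DEP = "kernel/net/ipv6/esp6.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz\n"

def _norm(name):
    return name.strip().replace("-", "_")  # the kernel treats '-' and '_' alike

def _names_from_paths(text):
    """Module names from modules.builtin / modules.dep (first path on each line)."""
    firsts = (l.split()[0].rstrip(":") for l in text.splitlines() if l.strip())
    return {_norm(os.path.basename(p).split(".ko")[0]) for p in firsts}

def classify(proc_modules, modules_builtin, modules_dep):
    """Map each listed module to 'built-in', 'loaded', 'available' or 'absent'."""
    loaded = {_norm(l.split()[0]) for l in proc_modules.splitlines() if l.strip()}
    builtin = _names_from_paths(modules_builtin)
    on_disk = _names_from_paths(modules_dep)
    result = {}
    for mod, names in DIRTY_FRAG_MODULES.items():
        keys = {_norm(n) for n in names}
        result[mod] = ("built-in" if keys & builtin else "loaded" if keys & loaded
                       else "available" if keys & on_disk else "absent")
    return result

def af_alg_reachable():
    """True if this process can open an AF_ALG socket (the kernel may autoload af_alg)."""
    try:
        socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0).close()
        return True
    except (AttributeError, OSError):
        return False

if __name__ == "__main__":
    base = f"/lib/modules/{os.uname().release}/"
    paths = ("/proc/modules", base + "modules.builtin", base + "modules.dep")
    texts = [Path(p).read_text() if Path(p).is_file() else "" for p in paths]
    print(classify(*texts))
    print("AF_ALG reachable:", af_alg_reachable())
```

An `absent` result is only meaningful when all three sources were readable; a missing `modules.dep` or `modules.builtin` is read as empty.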
Cloud infrastructure
The SpinetiX cloud infrastructure is a serverless architecture: all code runs in containers provisioned on demand and is covered by the shared security model of Amazon Web Services (AWS). AWS has rapidly addressed these vulnerabilities, and they are no longer impacted. See 2026-026-AWS security bulletin, 2026-027-AWS security bulletin, and the CVE-2026-31431 and CVE-2026-43284 articles on AWS.