Linux Copy Fail and Dirty Frag vulnerabilities
May 15, 2026 update: included information about Fragnesia (CVE-2026-46300) and added more details about cloud infrastructure.
May 21, 2026 update: updated information with ECS release by AWS addressing CopyFail (CVE-2026-31431).
May 26, 2026 update: updated AWS schedule for the Fargate service updates.
Issue
Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284) and Fragnesia (CVE-2026-46300) are three high-profile Linux kernel vulnerabilities that allow local privilege escalation. They were disclosed on May 2, May 8 and May 13, 2026, respectively.
Impact on SpinetiX products
DSOS
Dirty Frag (CVE-2026-43284) and Fragnesia (CVE-2026-46300) do not affect DSOS because none of the affected kernel modules (esp4, esp6, rxrpc, ipcomp4 and ipcomp6) is included or compiled as part of DSOS.
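The same kind of module check can be run on any Linux host you administer. The script below is an added example, not SpinetiX code: it classifies each module named above as loaded, built into the kernel, available on disk or absent. The function names and the demo data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SpinetiX code. Module names are copied from the
# advisory as written; adjust MODULES to your kernel's module names.
MODULES="esp4 esp6 rxrpc ipcomp4 ipcomp6"

# module_status NAME LOADED_LIST BUILTIN_LIST DEP_LIST
# Prints: loaded | builtin | available (on disk, loadable) | absent
module_status() {
    name=$1; loaded=$2; builtin=$3; dep=$4
    # /proc/modules uses underscores; file names may use hyphens.
    pat=$(printf '%s' "$name" | sed 's/[-_]/[-_]/g')
    if [ -r "$loaded" ] && grep -Eq "^${pat} " "$loaded"; then
        echo loaded
    elif [ -r "$builtin" ] && grep -Eq "(^|/)${pat}\.ko$" "$builtin"; then
        echo builtin
    elif [ -r "$dep" ] && grep -Eq "(^|/)${pat}\.ko(\.[a-z0-9]+)?:" "$dep"; then
        echo available
    else
        echo absent
    fi
}

# audit_modules LOADED_LIST BUILTIN_LIST DEP_LIST
# Prints "name status" per module; returns 1 if any module is present.
audit_modules() {
    rc=0
    for m in $MODULES; do
        s=$(module_status "$m" "$1" "$2" "$3")
        echo "$m $s"
        [ "$s" = absent ] || rc=1
    done
    return $rc
}

# Demo on constructed data (not taken from a real host).
demo() {
    t=$(mktemp -d)
    printf 'esp6_offload 16384 0 - Live 0x0\nesp4 28672 0 - Live 0x0\n' > "$t/loaded"
    printf 'kernel/net/rxrpc/rxrpc.ko\n' > "$t/builtin"
    printf 'kernel/net/ipv6/esp6.ko.xz: kernel/net/xfrm/xfrm_algo.ko.xz\n' > "$t/dep"
    audit_modules "$t/loaded" "$t/builtin" "$t/dep"; r=$?
    rm -rf "$t"; return $r
}
demo || echo "at least one listed module is present"

# Live host usage:
#   d=/lib/modules/$(uname -r)
#   audit_modules /proc/modules "$d/modules.builtin" "$d/modules.dep"
```

A module reported as available is not loaded but could still be loaded on demand, so only absent matches the situation described for DSOS.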
Copy Fail (CVE-2026-31431) does affect DSOS on all models except HMP350, HMP300 and DiVA. However, exploiting it requires local access, so it would have to be chained with a separate remote code execution vulnerability, and SpinetiX is not aware of any on DSOS. It is therefore being treated as a non-critical vulnerability and will be patched in DSOS 4.9.8.
The only known vector to execute remote code on DSOS is the JavaScript engine in the SVG and HTML renderers and these do not give access to the AF_ALG kernel APIs required to exploit these vulnerabilities.
Cloud infrastructure
The SpinetiX cloud infrastructure is a serverless architecture, with all code running in containers provisioned on demand and covered by the shared security model of Amazon Web Services (AWS). The only exception is the video conversion platform, which runs on AWS EC2 machines managed by SpinetiX and thus requires manual updates.
In any case, serverless workloads are cross-tenant isolated on AWS as each tenant runs on its own dedicated Firecracker micro VM on top of the machine used to run the workload. Exploiting vulnerabilities cross-tenant would require not only exploiting the kernel vulnerability but also escaping the micro VM through some other vulnerability.
AWS has fully addressed Copy Fail (CVE-2026-31431) in all its services. See 2026-026-AWS security bulletin, ALAS CVE-2026-31431 and 2026-030-AWS security bulletin.
As of May 26, 2026, AWS has addressed Dirty Frag (CVE-2026-43284) in most services. The only pending service used by SpinetiX is Fargate, which is scheduled to have the fixes fully deployed by May 29, 2026. See 2026-027-AWS security bulletin, ALAS CVE-2026-43284 and 2026-030-AWS security bulletin.
Concerning Fragnesia (CVE-2026-46300), AWS reports not being affected as the module that allows the exploit is not included. Nevertheless, AWS released updates for Amazon Linux 2023. See 2026-029-AWS security bulletin, ALAS CVE-2026-46300 and 2026-030-AWS security bulletin.
Regarding the manual updates for the video conversion platform, SpinetiX has deployed the ECS Optimized AMIs made available by AWS, including the updates for Dirty Frag (CVE-2026-43284) which became available on May 20, 2025.