u/itguyeric

Rocky Linux Security Repository and Dirty Frag Security Update

The Rocky Linux project has always prioritized stability, compatibility, and trust within the Enterprise Linux ecosystem. Historically, this has meant waiting for official upstream Enterprise Linux releases before publishing updates to Rocky Linux systems.

Today, we are announcing a new capability designed specifically for exceptional security situations where immediate action is necessary to better protect our users and infrastructure operators.

Introducing the Rocky Linux Security Repository

We are introducing a new optional security repository for Rocky Linux.

This repository allows the Rocky Linux project to provide urgent security updates in situations where a critical vulnerability exists, public exploitation is available, and upstream Enterprise Linux releases may not yet be available.

This is an intentional and carefully considered departure from our long-standing policy of never releasing packages ahead of upstream Enterprise Linux. Rocky Linux remains fully committed to Enterprise Linux compatibility and alignment with upstream sources. However, we also recognize that certain security situations require a faster response to reduce risk for administrators and organizations operating critical infrastructure.

Because this represents a change from our traditional release approach, the security repository is NOT enabled by default. This preserves the predictable and stable behavior our users expect while giving administrators the flexibility to opt into accelerated security fixes when desired.

Using the repository is straightforward:

$ sudo dnf --enablerepo=security update

Administrators may also choose to enable the repository permanently through standard DNF repository configuration.

The security repository is intended to provide hot-fixes as a temporary solution for urgent circumstances involving critical security exposure and immediate risk mitigation. Versioning of these packages is designed such that the official upstream packages will always update our hot-fixes. It is not a replacement for the normal Rocky Linux release process and should not be interpreted as a broader change in our commitment to upstream Enterprise Linux compatibility.

Dirty Frag Security Update Available

With the introduction of the new security repository and with engineering assistance from CIQ, we are also announcing the immediate availability of a security update addressing the recently disclosed Linux kernel vulnerability known as “Dirty Frag”.

Dirty Frag is a serious local privilege escalation vulnerability affecting Linux kernel versions dating back to 2017. Public proof-of-concept exploit code is already available, and security researchers have described exploitation as highly reliable and deterministic.

Unlike many historical privilege escalation vulnerabilities, Dirty Frag does not rely on unstable race conditions or timing-sensitive behavior, making exploitation substantially more practical for attackers once local access has been obtained.

While exploitation requires local access to a system, environments with shared users, container workloads, CI infrastructure, HPC clusters, university systems, shell access environments, and multi-tenant systems should treat this vulnerability as especially urgent.

The public disclosure of Dirty Frag occurred before coordinated upstream fixes were broadly available, creating a narrow but important window where downstream vendors and distributions needed to evaluate how best to protect their communities.

After careful consideration, we determined that making a fix available immediately through the optional security repository was the responsible course of action.

Our Commitment

The Rocky Linux community remains committed to delivering a stable, predictable, and fully Enterprise Linux compatible platform.

In rare situations such as this, protecting our users may require accelerated action while still preserving administrator choice and operational flexibility.

The new security repository provides a mechanism for rapid response during exceptional security events while allowing the default Rocky Linux experience to remain aligned with the traditional upstream Enterprise Linux release model.

We appreciate the continued support of our community, contributors, partners, and the organizations helping strengthen the Rocky Linux ecosystem.

We would also like to extend our sincere thanks to CIQ for their continued investment in Rocky Linux, commitment to the open source community, and for providing engineering resources, infrastructure, testing, and rapid coordination that helped make this accelerated response possible. CIQ’s kernel team was instrumental in helping to remediate this vulnerability as quickly and responsibly as possible.

reddit.com
u/itguyeric — 1 day ago

CopyFail (CVE-2026-31431): Patches Now Available for Rocky Linux

TL;DR: A high-severity local privilege escalation vulnerability in the Linux kernel has been publicly disclosed with a working exploit. Patches are available now for Rocky Linux 8.10, 9.7, and 10.1. Update your kernel and reboot.

What happened

On April 29, security researchers from Theori disclosed a Linux kernel vulnerability they named CopyFail, tracked as CVE-2026-31431. The flaw has been present in essentially every mainstream Linux kernel built since 2017.

The bug sits in the kernel’s algif_aead module – the AEAD socket interface of the userspace crypto API (AF_ALG). A logic flaw in authencesn, chained through AF_ALG and the splice() system call, allows an unprivileged local user to perform a controlled 4-byte write into the page cache. By corrupting the in-memory copy of a setuid binary like /usr/bin/su – without touching anything on disk – an attacker can escalate to root in seconds.

What makes this one stand out: the 732-byte Python proof-of-concept requires no race conditions, no per-distribution tuning, and no special privileges. The same script works unmodified across distributions. File integrity tools won’t catch it because nothing on disk changes. This makes it especially dangerous on multi-tenant hosts, Kubernetes nodes, and CI/CD runners where a shared page cache means one compromised workload can threaten the whole node.

The researchers have published the exploit publicly. Treat this as actively exploitable.

How to fix it

Patches are available now for all supported Rocky Linux releases. Run the following and reboot:

```bash
sudo dnf --refresh update 'kernel*'
sudo reboot
```

That’s it. The --refresh flag ensures you pull the latest metadata without re-downloading packages you already have.

Patched kernel versions:

  • Rocky Linux 8.10: kernel-4.18.0-553.123.1.el8_10 and above
  • Rocky Linux 9.7: kernel-5.14.0-611.54.1.el9_7 and above
  • Rocky Linux 10.1: kernel-6.12.0-124.55.1.el10_1 and above

Confirm your running kernel after reboot with uname -r.

A note on the algif_aead module

You may have seen advice elsewhere to disable algif_aead via rmmod or a modprobe.d entry as an interim workaround. On Rocky Linux, that approach does not apply – algif_aead is compiled directly into the kernel image (CONFIG_CRYPTO_USER_API_AEAD=y), not shipped as a loadable module. The correct fix is the kernel update above.

Thank you

Thanks to Brian Pak and the team at Xint Code (Theori) for finding this, handling coordinated disclosure responsibly, and publishing a thorough technical write-up. If you want to understand exactly how a single logic bug becomes a fully reliable privilege escalation, their write-up is worth your time.

Additional reading

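Checking a `uname -r` string against the patched kernel versions listed in the post above, as an added example that is not part of the original post or of Rocky Linux tooling. It assumes the standard `el8_10` / `el9_7` / `el10_1` dist tags in the kernel release string and compares only the numeric version-release fields (the hypothetical helpers `min_for_tag`, `numcmp` and `kernel_is_patched` are mine).

```shell
#!/bin/sh
# Added example: decide whether a running kernel is at or above the minimum
# patched version given in the announcement for its Rocky Linux release.

# Minimum patched kernel per dist tag, exactly as listed in the post.
min_for_tag() {
    case "$1" in
        el8_10) echo "4.18.0-553.123.1" ;;
        el9_7)  echo "5.14.0-611.54.1" ;;
        el10_1) echo "6.12.0-124.55.1" ;;
        *)      return 1 ;;
    esac
}

# Compare two version-release strings field by field, numerically.
# Prints -1, 0 or 1 (like a comparator), treating '-' the same as '.'.
numcmp() {
    a=$(printf '%s' "$1" | tr '-' '.'); b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' "-1"; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' "1"; return; }
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' "0"
}

# Returns 0 if the kernel string is patched, 1 if older than the fix,
# 2 if the dist tag is not one of the releases covered by the post.
kernel_is_patched() {
    tag=$(printf '%s' "$1" | sed -n 's/.*\.\(el[0-9]*_[0-9]*\)\..*/\1/p')
    min=$(min_for_tag "$tag") || { echo "unknown release tag in: $1" >&2; return 2; }
    num=${1%%.el*}                      # e.g. 5.14.0-611.54.1
    [ "$(numcmp "$num" "$min")" -ge 0 ]
}

# Constructed sample inputs; on a real host use: kernel_is_patched "$(uname -r)"
for k in 5.14.0-611.54.1.el9_7.x86_64 5.14.0-611.45.1.el9_7.x86_64 \
         4.18.0-553.123.1.el8_10.x86_64 6.12.0-124.50.1.el10_1.x86_64; do
    if kernel_is_patched "$k"; then echo "$k: patched"; else echo "$k: NOT patched"; fi
done
```

`uname -r` only reports the booted kernel, so a freshly installed but not yet rebooted update still shows as not patched, which is the point of the check.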