Security Advisory: Linux kernel vulnerabilities that allow a local user to gain root through page-cache changes
Key points for customers
- This vulnerability affects Linux servers where an attacker has permissions to run code locally; it is a privilege escalation issue, not a direct internet-facing remote exploit.
- This vulnerability affects all nodes in our control plane as well as all customer nodes.
- NetApp Instaclustr has commenced control plane patching and will begin fleet patching rollout in June 2026, with PCI instances to be patched as a priority and non-PCI instances shortly after.
- Concerned non-PCI customers may opt in to be patched earlier in the priority rollout.
- Affected account owners will receive an email to schedule patching and remediation for clusters in the account.
Issue details
NetApp Instaclustr is monitoring multiple related Linux operating system vulnerabilities. These related vulnerabilities allow an attacker already active on the machine to assume root user permission (full administrator) by a Linux change to the in-memory copy of important system files. The file on disk is not changed, but every program that runs from that file uses the changed copy until the machine is rebooted.
Public researchers have given some of these issues catchy names like Copy Fail, Dirty Frag and Fragnesia. Rather than write a separate advisory for each one, NetApp Instaclustr is publishing a single advisory for the whole group because the customer-facing risk and the response are the same.
What this group of issues are
- An attacker who can already run code on a Linux server can use these flaws to become root on that server.
- The attacker works by changing the cached version of files in memory, including system tools that normally only the administrator can edit. The on-disk file stays the same, but the running system sees the modified version.
- New CVEs in this group are likely to keep appearing as researchers and Linux maintainers find more ways the same change can be made in different parts of the operating system.
What this group of issues are not
- These are not remotely exploitable, internet-facing vulnerabilities; successful exploitation requires prior local access to the host.
- An attacker first needs permissions and access to run code on the server — for example a stolen login, a compromised application, or a malicious workload running on the same host.
- Firewalls, network controls and access management still matter, but they are not a substitute for installing the Linux operating system updates that fix this group of issues.
When an attacker is most likely to be able to exploit this
The exact conditions are slightly different for each CVE, but in general, an attacker has opportunity when:
- They have permissions to run code on the server as a normal (non-root) user.
- The Linux operating system has not been updated to a version that contains the fixes from the OS vendor. For the most up-to-date information on which exact Linux package version contains the fix, please always check your Linux vendor’s security advisory (Debian, Ubuntu, Red Hat, etc.).
- The server allows certain Linux features (like containers or networking modules) that some of these exploits need.
Why one advisory instead of one per CVE
Linux operating system security work in this area is moving fast. Fixes for one CVE can interact with nearby code and reveal further problems, which then get their own CVE. A new advisory could give the wrong impression that everything is resolved as soon as the first CVE is patched and will not introduce any materially new information.
This advisory is a living document. NetApp Instaclustr will:
- Add a new row to the table below per new CVE as they appear and NetApp Instaclustr confirms the CVE belong to this group.
- Update the changelog at the top of this page when something material changes.
- Keep customer guidance consistent wherever possible, as a reliable source of information for our customers.
For the most up-to-date information on which exact Linux package version contains the fix, please always check your Linux vendor’s security advisory (Debian, Ubuntu, Red Hat, etc.). This advisory tells you what NetApp Instaclustr is doing to mitigate the related CVEs and what we recommend you do.
Known CVEs in this group
The table below itemises the CVEs described in this advisory. The “area affected” column is a short, plain-language description; the linked references have the full technical detail.
| CVE | Public name | Area affected | Public CVSS v3.1 score | NetApp assessed score in the Instaclustr environment |
|---|---|---|---|---|
| CVE-2026-31431 | Copy Fail | A part of the Linux operating system that handles encryption operations on behalf of applications | 7.8 (High) — kernel.org / NVD. Also listed in the CISA Known Exploited Vulnerabilities (KEV) catalogue. | 7.2 (High) environmental score; Instaclustr priority: High (standard-to-accelerated patching). |
| CVE-2026-43284 | Dirty Frag (first part) | A part of the Linux operating system that handles IPsec / encrypted network traffic | 8.8 (High) — kernel.org. CISA-ADP also lists 7.8 (High). | 7.6 (High) provisional environmental score. |
| CVE-2026-43500 | Dirty Frag (second part) | A second Linux networking module that can be used in the same kind of attack | 7.8 (High) — NVD and CISA-ADP. | 7.6 (High) provisional environmental score (assessed together with CVE-2026-43284 under our Dirty Frag analysis). |
| CVE-2026-46300 | Fragnesia | A related part of the Linux operating system that handles encrypted network traffic over TCP | Not yet assessed by NVD. | We are still assessing this CVE in our environment. |
Important: Patching one of these CVEs does not automatically protect you from the others. Some of them live in different parts of Linux and need separate fixes from your operating system vendor. Always make sure your servers are running the latest available vendor-supported Linux update.
Impact analysis
NetApp investigated this group of issues and how they might affect customers of the Instaclustr Managed Platform as well as Enterprise Support customers who run their own Linux servers.
Managed service customers
This group of related vulnerabilities have a high impact on nodes running within our control plane and on customer nodes. Accordingly, patching will commence in June 2026 with PCI clusters being the priority and non-PCI clusters expected to be patched shortly afterwards. Non-PCI customers who are concerned about exposure may opt in to be patched earlier. All patching will proceed once the security patch is available and has been validated internally.
New clusters
- New clusters created on the Instaclustr Managed Platform will use the patched secure operating system image once we have rolled the fixes through our standard release process.
- Until that point, please follow any temporary mitigations communicated by NetApp Instaclustr Support.
Existing clusters
- PCI customers will be patched automatically as soon as the validated security patch is ready for rollout in June 2026.
- Non-PCI clusters are to be patched shortly after the PCI cluster rollout. Concerned non-PCI customers will have the opportunity to opt in for earlier priority patching.
- Affected customers should expect to hear from us shortly regarding patching and remediation.
- An email will be sent to all affected account owners, both PCI and non-PCI, to schedule cluster patching.
Enterprise Support customers
- Subscribe to your Linux distribution’s security announcements so you know when updated kernel packages are available.
- Apply the updated operating system packages as soon as they are released and verify your workloads afterwards.
For more on the security controls NetApp Instaclustr runs around your clusters, see the NetApp Instaclustr Security Features overview.
What we recommend
Our recommendations below outlines actions that you can take. Layer 1 is the most important. Layers 2 and 3 are supporting measures and are not replacements for Layer 1.
Layer 1 – Keep your Linux operating system up to date (the main fix)
- Install the Linux operating system updates from your distribution vendor (Debian, Ubuntu, Red Hat, etc.) that contain the fixes for these CVEs. This is the only complete fix.
- For the Instaclustr Managed Platform, NetApp Instaclustr Support will deploy updated operating system images through standard security maintenance process.
Layer 2 – Optional extra protections (use carefully)
- Turning off particular Linux networking features or modules as a temporary measure can reduce risk for some of the CVEs, but:
- It does not cover the whole group.
- It can break legitimate features (for example IPsec VPNs).
- Please only do this with proper change control and your operating system vendor’s guidance.
- Some Linux distributions let you restrict certain advanced features (such as unprivileged user namespaces) that some of these exploits use. Note this is partial protection only.
Layer 3 – Reduce who and what can run on your servers
- Be careful about what untrusted code you allow to run on the same server as your important workloads (custom Kafka Connect plugins, ad-hoc developer scripts, build agents, etc.).
- Apply least privilege — only give people and services the access they need.
- If you ever suspect exploitation has happened, treat it as a server compromise and review your secrets, backups and connections to other systems accordingly.
If you have any further questions about this vulnerability or patching you can contact NetApp Instaclustr Support here. Existing customers can raise a support ticket here.
References
NetApp Instaclustr
CVE entries and distribution trackers
- NVD — CVE-2026-31431
- NVD — CVE-2026-43284
- NVD — CVE-2026-43500
- Debian Security Tracker — CVE-2026-46300
- CISA KEV — CVE-2026-31431
