Security Advisory: Linux kernel vulnerabilities that allow a local user to gain root through page-cache changes

Changelog

| Date | Change |
| --- | --- |
| 2026-06-02 | Mitigations have been applied to all NetApp Instaclustr managed nodes. All customers are now mitigated against these vulnerabilities. |
| 2026-05-20 | Remediation approach updated: fleet-wide mitigations in June, then full OS fixes on the normal July 2026 patch cycle. Supersedes prior guidance on out-of-cycle June OS patching, PCI-first rollout, and non-PCI opt-in for earlier patching. |
| 2026-05-19 | Initial publication. |

Key points for customers

  • These vulnerabilities affect Linux servers where an attacker already has permission to run code locally. They are privilege-escalation issues, not direct, internet-facing remote exploits.
  • They affect all customer nodes on the Instaclustr Managed Platform.
  • NetApp Instaclustr deployed validated mitigations fleet-wide in June 2026, so all customers are now mitigated against these vulnerabilities.
  • Complete fixes (updated Linux packages) will be delivered through our normal security maintenance cycle in July 2026, in line with our standard quarterly remediation process.
  • We continue to monitor this group of issues, including CVE-2026-46300 (Fragnesia), where upstream fixes are still evolving.
  • We will contact affected account owners before July patching where scheduling or maintenance choices apply.

Issue details

NetApp Instaclustr is monitoring multiple related Linux vulnerabilities. These vulnerabilities allow an attacker who is already active on a machine to gain root privileges (full administrator access) by changing the in-memory copy of important system files. The file on disk is unchanged, but every program that runs from that file uses the modified copy until the machine is rebooted.

Public researchers have given some of these issues catchy names like Copy Fail, Dirty Frag, and Fragnesia. Rather than write a separate advisory for each one, NetApp Instaclustr is publishing a single advisory for the whole group because the customer-facing risk and the response are the same.

What this group of issues is

  • An attacker who can already run code on a Linux server can use these flaws to become root on that server.
  • The attacker works by changing the cached version of files in memory, including system tools that normally only the administrator can edit. The on-disk file stays the same, but the running system sees the modified version.
  • New CVEs in this group are likely to continue appearing as researchers and Linux maintainers find additional ways the same change can be made in different parts of the system.
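
One way to check a host for the cached-versus-on-disk divergence described above, as an added example (not NetApp Instaclustr tooling): hash a file once through the page cache and once with direct I/O, which reads the on-disk blocks. It assumes GNU dd and sha256sum and a filesystem that supports O_DIRECT; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not NetApp Instaclustr tooling): compare what the page cache
# serves for a file with what is stored on disk.
# Assumes GNU dd and sha256sum, and a filesystem that supports O_DIRECT reads.

# Exit status: 0 = both views match, 1 = cached view differs from disk,
#              2 = could not check (unreadable file or no direct I/O).
check_file() {
    [ -r "$1" ] || return 2
    # Probe first: dd fails here when the filesystem rejects O_DIRECT.
    dd if="$1" iflag=direct bs=1M of=/dev/null 2>/dev/null || return 2
    # Buffered read: this is the copy that running programs are given.
    cached=$(sha256sum < "$1" | cut -d' ' -f1)
    # Direct read: bypasses the page cache and fetches the on-disk blocks.
    ondisk=$(dd if="$1" iflag=direct bs=1M 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ "$cached" = "$ondisk" ]
}

# Check every path given and print one line per file.
# Returns non-zero if any file showed a mismatch.
check_all() {
    status=0
    for f in "$@"; do
        rc=0
        check_file "$f" || rc=$?
        case $rc in
            0) echo "OK        $f" ;;
            1) echo "MISMATCH  $f"; status=1 ;;
            *) echo "SKIPPED   $f" ;;
        esac
    done
    return $status
}

# Example: sh pagecache_check.sh /usr/bin/su /usr/bin/sudo /etc/passwd
[ "$#" -eq 0 ] || check_all "$@"
```

A match is a point-in-time result only. A file that a package update is rewriting while the check runs can show a transient mismatch, so re-run before drawing conclusions.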

What this group of issues is not

  • These are not remotely exploitable, internet-facing vulnerabilities; successful exploitation requires prior local access to the host.
  • An attacker first needs permissions and access to run code on the server — for example a stolen login, a compromised application, or a malicious workload running on the same host.
  • Firewalls, network controls, and access management still matter, but they are not a substitute for installing the Linux updates that address this group of issues.

When an attacker is most likely to be able to exploit this

The exact conditions are slightly different for each CVE, but in general, an attacker has an opportunity when:

  • They have permissions to run code on the server as a normal (non-root) user.
  • The server is running a Linux version that has not yet been updated with fixes from the OS vendor. For the most up-to-date information on which package version contains the fix, always check your Linux vendor’s security advisory (Debian, Ubuntu, Red Hat, and others).
  • The server allows certain Linux features (for example containers or networking modules) that some of these exploits need.

Why one advisory instead of one per CVE

Linux security work in this area is moving quickly. Fixes for one CVE can interact with nearby code and reveal further problems, which may then receive their own CVEs. Publishing a new advisory for each issue could create the wrong impression that everything is resolved as soon as the first CVE is patched and would not add materially new information.

This advisory is a living document. NetApp Instaclustr will:

  • Add a row to the table below for each new CVE once NetApp Instaclustr confirms that it belongs to this group.
  • Update the changelog at the top of this page when something material changes.
  • Keep customer guidance consistent wherever possible, as a reliable source of information for our customers.

For the most up-to-date information on which Linux package version contains the fix, always check your Linux vendor’s security advisory (Debian, Ubuntu, Red Hat, and others). This advisory explains what NetApp Instaclustr is doing to mitigate these related CVEs and what we recommend you do.

Known CVEs in this group

The table below itemises the CVEs described in this advisory. The “area affected” column is a short, plain-language description; the linked references have the full technical detail.

| CVE | Public name | Area affected | Public CVSS v3.1 score | NetApp assessed score in the Instaclustr environment |
| --- | --- | --- | --- | --- |
| CVE-2026-31431 | Copy Fail | A part of the Linux operating system that handles encryption operations on behalf of applications | 7.8 (High) — kernel.org / NVD. Also listed in the CISA Known Exploited Vulnerabilities (KEV) catalogue. | 7.2 (High) environmental score; Instaclustr priority: High |
| CVE-2026-43284 | Dirty Frag (first part) | A part of the Linux operating system that handles IPsec / encrypted network traffic | 8.8 (High) — kernel.org. CISA-ADP also lists 7.8 (High). | 7.6 (High) provisional environmental score |
| CVE-2026-43500 | Dirty Frag (second part) | A second Linux networking module that can be used in the same kind of attack | 7.8 (High) — NVD and CISA-ADP. | 7.6 (High) provisional environmental score (assessed together with CVE-2026-43284) |
| CVE-2026-46300 | Fragnesia | A related part of the Linux operating system that handles encrypted network traffic over TCP | Not yet assessed by NVD. | Under assessment |

Important: Addressing one of these CVEs does not automatically protect you from the others. Some of them affect different parts of Linux and require separate fixes from your operating system vendor. NetApp Instaclustr’s June mitigations and July OS updates are designed to address this group as a whole; if you manage your own hosts, make sure your servers run the latest vendor-supported Linux updates.

Impact analysis

NetApp investigated this group of issues and assessed how it may affect customers of the Instaclustr Managed Platform, as well as Enterprise Support customers who run their own Linux servers.

Managed service customers

This group of related vulnerabilities has a high impact on nodes running in our control plane and on customer nodes. Our response has two phases:

  1. June 2026 — mitigations: We have rolled out validated mitigations for Copy Fail, Dirty Frag, and Fragnesia across all managed instances. New clusters will receive mitigations automatically as part of standard platform operations.
  2. July 2026 — complete fix (standard patch cycle): We will deliver full operating system fixes through our normal July security maintenance cycle, replacing temporary mitigations with vendor kernel updates where available.

New clusters

  • New clusters created on the Instaclustr Managed Platform will use the mitigated version once the mitigation has been tested and released.
  • After our July 2026 image and maintenance rollout, new clusters will use patched secure operating system images through our standard release process.

Existing clusters

  • No action is required for the June mitigation rollout; mitigations are applied as part of our standard deployment cadence.
  • July 2026: Existing clusters will receive full OS remediation through our scheduled security maintenance process. Affected account owners will receive communication ahead of maintenance where scheduling applies.
  • If you previously received communication about out-of-cycle June OS patching or opt-in for earlier patching, that approach has been superseded by this two-phase plan. You do not need to opt in to receive June mitigations.

Enterprise Support customers

  1. Subscribe to your Linux distribution’s security announcements so you know when updated kernel packages are available.
  2. Apply the updated operating system packages as soon as they are released and verify your workloads afterwards.
  3. Consider temporary mitigations only with your OS vendor’s guidance and proper change control — they are not a substitute for patching.

For more on the security controls NetApp Instaclustr runs around your clusters, see the NetApp Instaclustr Security Features overview.

What we recommend

The recommendations below outline actions you can take. Layer 1 is the most important; Layers 2 and 3 are supporting measures and do not replace Layer 1.

Layer 1 — Let NetApp Instaclustr apply fixes (managed platform)

  • June: A mitigation has been rolled out to all customers' managed nodes.
  • July: Participate in our standard security maintenance when we schedule operating system updates that contain the full vendor fixes.
  • For questions about timing on your account, contact NetApp Instaclustr Support.

Layer 2 – Optional extra protections (use carefully)

  • Turning off particular Linux networking features or modules as a temporary measure can reduce risk for some of the CVEs, but:
    • It does not cover the whole group.
    • It can break legitimate features (for example IPsec VPNs).
    • Please only do this with proper change control and your operating system vendor’s guidance.
  • Some Linux distributions let you restrict certain advanced features (such as unprivileged user namespaces) that some of these exploits use. Note that this provides only partial protection.
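
A read-only audit of the two Layer 2 measures above, as an added example (not NetApp Instaclustr tooling). The sysctl names are the Debian/Ubuntu, Ubuntu AppArmor and upstream knobs for user namespaces; module names are passed as arguments because this advisory names none, and `example_mod` is a placeholder.

```shell
#!/bin/sh
# Added example (not NetApp Instaclustr tooling): report Layer 2 state on a host.
# Paths are parameters so the functions can also be run against fixtures.

# Return 0 if unprivileged user namespaces are restricted by any known knob.
# $1 = sysctl root (default /proc/sys)
userns_restricted() {
    root=${1:-/proc/sys}
    # Debian/Ubuntu kernels: 0 disables unprivileged user namespaces.
    [ "$(cat "$root/kernel/unprivileged_userns_clone" 2>/dev/null)" = "0" ] && return 0
    # Ubuntu AppArmor restriction: 1 restricts unprivileged user namespaces.
    [ "$(cat "$root/kernel/apparmor_restrict_unprivileged_userns" 2>/dev/null)" = "1" ] && return 0
    # Upstream limit: 0 means no user namespaces can be created at all.
    [ "$(cat "$root/user/max_user_namespaces" 2>/dev/null)" = "0" ] && return 0
    return 1
}

# Print "loaded", "blocked" or "loadable" for one kernel module.
# $1 = module name, $2 = modules list (default /proc/modules),
# $3 = modprobe config directory (default /etc/modprobe.d only)
module_state() {
    mod=$(printf '%s' "$1" | tr '-' '_')
    if grep -q "^$mod " "${2:-/proc/modules}" 2>/dev/null; then
        echo loaded; return 0    # already in memory; a block rule will not unload it
    fi
    # "install <mod> /bin/false" (or /bin/true) stops modprobe from loading it;
    # a plain "blacklist" line only stops alias-based autoloading.
    if cat "${3:-/etc/modprobe.d}"/*.conf 2>/dev/null | tr '-' '_' |
        grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+(/usr)?/bin/(false|true)"; then
        echo blocked; return 0
    fi
    echo loadable
}

# Example: sh layer2_audit.sh example_mod   (example_mod is a placeholder)
if userns_restricted; then echo "userns: restricted"; else echo "userns: unrestricted"; fi
for m in "$@"; do
    echo "module $m: $(module_state "$m")"
done
```

Take the module names to audit from your OS vendor's guidance for each CVE. Modules built into the kernel do not appear in `/proc/modules`, so this check does not cover them.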

Layer 3 – Reduce who and what can run on your servers

  • Be careful about what untrusted code you allow to run on the same server as your important workloads (custom Kafka Connect plugins, ad-hoc developer scripts, build agents, etc.).
  • Apply least privilege — only give people and services the access they need.
  • If you ever suspect exploitation has happened, treat it as a server compromise and review your secrets, backups, and connections to other systems accordingly.

If you have further questions about these vulnerabilities, mitigations, or patching, contact NetApp Instaclustr Support. Existing customers can also raise a support ticket through the support portal.

References

NetApp Instaclustr

CVE entries and distribution trackers

Researcher and technical community references