Threat ResearchMay 12, 2026

How Dirty Frag rose from the Copy Fail exploit

RL documented 163 samples of the Linux exploit's new variants, active malware — and developed YARA rules.

Igor Lasic, SVP of Technology at ReversingLabs
How DirtyFrag rose from the Linux privilege escalation exploit

ReversingLabs (RL) researchers analyzed CVE-2026-31431, a Linux kernel local privilege escalation vulnerability tracked in public reporting under the names Dirty Frag and Copy Fail. The public embargo was broken in early May 2026, with press coverage citing the vulnerability across all major Linux distributions; Ubuntu released fixes shortly after. RL's corpus reveals that samples classified as malicious were already in circulation at least 9 days before the embargo break, with sustained sample arrival continuing through publication.

As of May 8, 2026, RL has identified 163 unique samples tied to this vulnerability across two parallel threat-name conventions: 148 samples carry the exploit:CVE-2026-31431 tag with names such as Linux.Exploit.CVE-2026-31431, Linux.Exploit.CopyFail, and Linux.Trojan.Multiverze, and an additional 15 samples derived from the V4bel/dirtyfrag GitHub reference implementation are tracked separately under Linux.Exploit.DirtyFrag and Linux.Trojan.DirtyFrag. Sample variants span ELF binaries, Python scripts, and a malicious PyPI wheel.

This post documents the sample landscape, explains the shellcode analysis methodology applied to the V4bel reference implementation, and provides YARA rules and hunting queries that defenders can deploy immediately to identify CVE-2026-31431 exploit code across all observed variants.

Dirty Frag threat background

CVE-2026-31431 is a Linux kernel privilege escalation vulnerability. Press coverage characterized it as Copy-Fail-like, referencing the Dirty Pipe class of vulnerabilities (CVE-2022-0847) that abuse the kernel's page cache to write content into read-only memory regions without the required permissions. The structure of the public reference exploits is consistent with that architectural domain. The RL corpus tracks samples under two parallel threat-name conventions, reflecting the three names under which the vulnerability has been referenced in different research streams: Copy Fail (the earlier press nickname), CVE-2026-31431 (the official designation), and Dirty Frag (the name used by the V4bel/dirtyfrag GitHub reference implementation).

The earliest sample classified malicious as Linux.Exploit.CVE-2026-31431 was first seen on April 29, 2026 at 21:19 UTC. A substantial sample surge began on May 1, 2026, with more than 50 distinct samples submitted in a single overnight window. Sample arrival continued steadily through May 8, when the V4bel/dirtyfrag reference implementation was published on GitHub and circulated in press coverage citing the broken embargo.

Sample Dirty Frag landscape

The 148 samples tagged with the CVE-2026-31431 exploit field decompose into the following threat-name distribution. The 15 V4bel-derived samples are listed at the bottom under their separate threat-name set.

| Opcode bytes | Assembly | Syscall | Function |
|---|---|---|---|
| b0 6a 0f 05 | mov al, 0x6a; syscall | 106 | setgid(0) — set group ID to root |
| b0 69 0f 05 | mov al, 0x69; syscall | 105 | setuid(0) — set user ID to root |
| b0 74 0f 05 | mov al, 0x74; syscall | 116 | setgroups(0, NULL) — clear supplementary groups |

The fourth rule string ($op4) targets the execve call. Here the shellcode uses push 0x3b; pop rax to load syscall 59 (0x3b) into rax without embedding a null byte. This is standard position-independent shellcode tradecraft for /bin/sh invocation.

Condition logic

Both rules use the condition all of them: every opcode pattern must match, together with the plaintext strings /bin/sh and TERM=xterm. The TERM=xterm environment variable is written by the shellcode to give the spawned shell a functional interactive terminal. Its co-occurrence with the privilege-normalization syscall patterns is a reliable indicator of the reference payload.

Coverage scope

These YARA rules target the V4bel reference implementation and its derivative compilations. They will not match Python-script variants, which require text-based detection patterns rather than opcode patterns. They will not match the Multiverze trojan family unless it incorporates the same shellcode stub. For full corpus coverage, combine the YARA rules with the Spectra Intelligence threat-name and exploit-field hunting queries documented below.

YARA rule

rule DirtyFrag_Reference_Shellcode_1
{
    meta:
        author = "Malware Utkonos"
        date = "2026-05-08"
        description = "Detects shellcode from reference implementation of DirtyFrag"
        reference = "https://github.com/V4bel/dirtyfrag"
    strings:
        $op1 = { b06a 0f05 }
            // 0040007e  b06a               mov     al, 0x6a
            // 00400080  0f05               syscall
        $op2 = { b069 0f05 }
            // 00400082  b069               mov     al, 0x69
            // 00400084  0f05               syscall
        $op3 = { b074 0f05 }
            // 00400086  b074               mov     al, 0x74
            // 00400088  0f05               syscall
        $op4 = { 6a3b 58 0f05 }
            // 004000a0  6a3b               push    0x3b
            // 004000a2  58                 pop     rax  {0x3b}
            // 004000a3  0f05               syscall
        $a1 = "/bin/sh"
        $a2 = "TERM=xterm"
    condition:
        all of them
}

Figure 1. [PLACEHOLDER: Disassembly from Spectra Analyze showing the setgid/setuid/setgroups/execve syscall chain at addresses 0x40007e–0x4000a3 in the reference binary. Note the mov al compact pattern for syscalls 105, 106, and 116, and the push 0x3b; pop rax technique for execve.]
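To show what the rule's strings and condition actually test, here is an added example (not RL tooling and not part of the original post): a pure-Python re-implementation of the six rule strings and the "all of them" condition, plus a decoder that walks a buffer for the generic null-free stubs (mov al, imm8; syscall and push imm8; pop rax; syscall) and names the syscall each one invokes. It goes slightly beyond the rule in that the decoder reports any syscall number, not only the four the rule fixes. The sample payload and the benign look-alike are constructed byte strings, not bytes from any real file.

```python
"""Pure-Python equivalent of DirtyFrag_Reference_Shellcode_1 for triage hosts without YARA.

All buffers below are constructed for illustration, not taken from real samples.
"""
import re

# The six strings from the rule, as raw byte patterns.
RULE_STRINGS = {
    "$op1": b"\xb0\x6a\x0f\x05",      # mov al, 0x6a ; syscall        (setgid, 106)
    "$op2": b"\xb0\x69\x0f\x05",      # mov al, 0x69 ; syscall        (setuid, 105)
    "$op3": b"\xb0\x74\x0f\x05",      # mov al, 0x74 ; syscall        (setgroups, 116)
    "$op4": b"\x6a\x3b\x58\x0f\x05",  # push 0x3b ; pop rax ; syscall (execve, 59)
    "$a1": b"/bin/sh",
    "$a2": b"TERM=xterm",
}

# x86-64 Linux syscall numbers used by the reference payload.
SYSCALL_NAMES = {105: "setuid", 106: "setgid", 116: "setgroups", 59: "execve"}

# Generic forms of the two null-free stubs: 'mov al, imm8 ; syscall' (b0 XX 0f 05)
# and 'push imm8 ; pop rax ; syscall' (6a XX 58 0f 05). DOTALL lets '.' match 0x0a.
MOV_AL_SYSCALL = re.compile(rb"\xb0(.)\x0f\x05", re.DOTALL)
PUSH_POP_SYSCALL = re.compile(rb"\x6a(.)\x58\x0f\x05", re.DOTALL)


def find_rule_strings(data: bytes) -> dict:
    """Offsets of every rule string in data, keyed by its YARA identifier."""
    return {name: [m.start() for m in re.finditer(re.escape(pat), data)]
            for name, pat in RULE_STRINGS.items()}


def rule_matches(data: bytes) -> bool:
    """Equivalent of the rule's 'all of them' condition: every string must hit at least once."""
    return all(find_rule_strings(data).values())


def decode_syscall_chain(data: bytes) -> list:
    """(offset, syscall number, name) for every compact syscall stub, in file order.

    Both stubs avoid a NUL byte and rely on the upper bits of rax already being zero
    (mov al writes only the low byte), which is why each is only 4-5 bytes long.
    push imm8 sign-extends, so only values below 0x80 are meaningful there.
    """
    chain = []
    for m in MOV_AL_SYSCALL.finditer(data):
        chain.append((m.start(), m.group(1)[0]))
    for m in PUSH_POP_SYSCALL.finditer(data):
        chain.append((m.start(), m.group(1)[0]))
    return [(off, nr, SYSCALL_NAMES.get(nr, "other")) for off, nr in sorted(chain)]


# Constructed sample: the four stubs in the order shown in Figure 1, followed by the
# two plaintext strings the payload uses for the spawned shell.
SAMPLE_PAYLOAD = (
    b"\x90" * 8
    + RULE_STRINGS["$op1"] + RULE_STRINGS["$op2"] + RULE_STRINGS["$op3"]
    + b"\x90" * 4
    + RULE_STRINGS["$op4"]
    + b"\x00/bin/sh\x00TERM=xterm\x00"
)

# Constructed benign look-alike: carries both plaintext strings but no syscall stubs,
# so the opcode strings are what keep the rule from firing on ordinary shell wrappers.
BENIGN_SCRIPT = b"#!/bin/sh\nexport TERM=xterm\nexec /bin/sh -i\n"


if __name__ == "__main__":
    for label, buf in (("sample", SAMPLE_PAYLOAD), ("benign", BENIGN_SCRIPT)):
        print(f"{label}: matches rule = {rule_matches(buf)}")
        for off, nr, name in decode_syscall_chain(buf):
            print(f"  {off:#06x}  syscall {nr:<3} {name}")
```

Running it prints a match only for the constructed payload and lists its chain as setgid, setuid, setgroups, execve; the benign wrapper contains both plaintext strings yet no stub, which is the specificity the opcode strings buy.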

Hunting queries

The CVE-2026-31431 corpus is partitioned across two threat-name conventions in the RL classification system. To achieve full coverage, run all four queries. The first query is the strongest single hunt: it covers all 148 samples carrying the CVE-tagged exploit field, regardless of threat-name variant.

Spectra Intelligence: hunt by CVE exploit field (recommended primary hunt).
exploit:CVE-2026-31431 

Spectra Intelligence: hunt by V4bel-specific threat names.
threatname:DirtyFrag

Spectra Intelligence: hunt for active trojan family adoption.
threatname:Linux.Trojan.Multiverze AND exploit:CVE-2026-31431 

Spectra Intelligence: hunt for Python-script and supply chain variants.
threatname:Script-Python.Exploit.CVE-2026-31431
threatname:Package.Exploit.CopyFail
threatname:Linux.Exploit.CopyFail

Indicators of Compromise (IOC)

The full corpus contains 163 samples and is too large for a static table. The 25 entries below are a representative subset covering the V4bel reference implementation, the highest-detection samples, the Multiverze trojan family, the Python and PyPI variants, the Copy Fail-named pre-CVE samples, and the earliest-observed samples in the corpus. The complete sample set is retrievable in real time via the hunting queries in the previous section. Hashes are SHA-256. The AV column shows the scanner detection count at the time of writing.

| SHA-256 | Type | Threat name | AV | First seen (UTC) |
|---|---|---|---|---|
| e7fb35c16fbe6285d4f36764fe5f6f81b0ff51c047f5716bbb8ae60b8318d82e | ELF64/SO | Linux.Exploit.DirtyFrag | 2 | 2026-05-08 13:27:52 |
| 133a79e9094c14c0f41378c712fd9a3f7687e5ab6f781bd5fb94774e64f4b48d | ELF64/SO | Linux.Exploit.DirtyFrag | 2 | 2026-05-07 23:37:10 |
| 381755b623dd7a4c2b5d80aaf40d7083eea727dd1f473545539029656ca81817 | ELF64/SO | Linux.Trojan.DirtyFrag | 4 | 2026-05-08 11:01:45 |
| a02ea2ba8108a9b7a997faa8808cfc55bb69af54e69178fa5aa1785681cf0ced | ELF64/Exe | Linux.Trojan.DirtyFrag, Linux.Exploit.DirtyFrag | 4 | 2026-05-08 11:09:07 |
| d99c480661fde92c3c7d1790c2e1d695fd72f4b82d47adb6e10093fd096c0708 | Script/Python | Linux.Exploit.CVE-2026-31431 | 17 | 2026-05-05 09:13:05 |
| 48c0bb0760a08a70fa6cf96c0102c968cb1bc62d319cba0a605247be1e2e4180 | ELF64 | Linux.Exploit.CVE-2026-31431 | 15 | 2026-05-05 10:43:12 |
| 76ad71ac3cf6d50bf4038048b9832df5e9aa63b85865c02ad1dd91cb2fdaef4b | ELF64 | Linux.Exploit.CVE-2026-31431 | 13 | 2026-05-05 16:46:10 |
| ea21dbc2c11ee666cb9e2b4d2cd1e6a4776b3ea6bff6d57f80a6cf31624791e9 | ELF64 | Linux.Exploit.CVE-2026-31431 | 13 | 2026-05-01 06:33:38 |
| bd855eb0a90c8cb6618662c48cc93d3a16cf9a7e4d945b70e3be3500f60042f9 | Script/Python | Linux.Exploit.CVE-2026-31431 | 12 | 2026-05-01 17:57:55 |
| 26865ea1744e00664a13b1a65f2e670def8d3bb84b10533f18f2e0ac43548fe0 | ELF64 | Linux.Exploit.CVE-2026-31431 | 12 | 2026-05-07 03:12:51 |
| 912714027c9ea12b8aac55d71ccfa4a0592e058a4d07cf578e67f4bfdab63c4a | ELF64 | Linux.Trojan.Multiverze | 7 | 2026-05-05 19:46:28 |
| b090751120d4814744c24253a820a67db5c3b2957c0334cf7d52e7847d6af409 | ELF64 | Linux.Trojan.Multiverze | 10 | 2026-05-02 21:20:03 |
| d658fd3b2fe203180e6a3ef6863a5eb3cdd92cfecbaa68de5b8f550702762eab | ELF64 | Linux.Trojan.Multiverze | 9 | 2026-05-01 20:33:31 |
| 5bd7df1c89cf9f69e6003d73a8e3b9eab9cf6025e6911f0fec0451da1673d6f0 | ELF64 | Linux.Trojan.Multiverze | 9 | 2026-05-01 20:37:11 |
| c60c5527e49c3bb502b672b7fffc3eb5b8c6ff9d4e30eae5d559b54d2ce03a01 | Script/Python | Script-Python.Exploit.CVE-2026-31431 | 8 | 2026-05-07 12:42:18 |
| c935a349a974ef605b5a12141934d966315c0da5fe2343750815927a39f92881 | Script/Python | Script-Python.Exploit.CVE-2026-31431 | 9 | 2026-05-06 08:33:56 |
| affde15382361e2fb87a7d32a5260ab72cc5d2d734fd7de6d21a1c94d0f58d22 | Script/Python | Script-Python.Exploit.CVE-2026-31431 | 11 | 2026-05-05 16:07:12 |
| 424d306e8cba73ce83af5faf051a169d957a10213509d7132b620f427b4159bb | ELF64 | Linux.Exploit.CopyFail | 11 | 2026-05-05 09:27:01 |
| 1507e6e6945bfdf652ef7ed2fe10e01245074fd54d29d8eca98f265a91c88e63 | ELF64 | Linux.Exploit.CopyFail | 10 | 2026-05-03 10:42:00 |
| 7bd2a8093d38e2694199490642e91965bdc666121070330c76ae155b6581ce75 | PyPI Wheel | Package.Exploit.CopyFail | 7 | 2026-05-01 07:52:00 |
| 26a75e5ef8d30ae678596fafe56e1f191d17fd9a438c463cd7dcefb765c2fb94 | Archive/ZIP | Linux.Exploit.CVE-2026-31431 | 2 | 2026-05-08 10:56:03 |
| a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9 | ELF64 | Linux.Exploit.CVE-2026-31431 | 9 | 2026-04-29 21:19:51 |
| 3c5ec61632d0699e048d8428461c4d65f89988a370396db2f070f63ebbf9dbae | ELF64 | Linux.Exploit.CVE-2026-31431 | 11 | 2026-04-30 03:09:57 |
| d401e7d1c00605749d6c617ace73ab20a762b72e41c2e1590331596e38219a61 | ELF64 | Linux.Exploit.CVE-2026-31431 | 10 | 2026-04-30 09:52:21 |
| ee2d150a2f73a561983088a6b1a6a2b1c452777aaf03181387708c6907ac6dcd | Text/CCPP | (goodware - source code) | 0 | 2026-05-07 23:30:56 |

MITRE ATT&CK mapping

| ID | Technique | Sub-technique | Relevance |
|---|---|---|---|
| T1068 | Exploitation for Privilege Escalation | — | Core exploitation: CVE-2026-31431 kernel vulnerability triggers root access |
| T1548 | Abuse Elevation Control Mechanism | .001 Setuid and Setgid | Shellcode calls setuid(0), setgid(0), setgroups(0) to normalize root credentials |
| T1059 | Command and Scripting Interpreter | .004 Unix Shell, .006 Python | /bin/sh spawned via execve; Python-script variants observed in the corpus |
| T1195 | Supply Chain Compromise | .002 Compromise Software Supply Chain | Malicious PyPI wheel (copyfail-0.1.0-py3-none-any.whl) carries CVE-2026-31431 exploit code |

How ReversingLabs can help

After uploading the YARA rules to Spectra Analyze, continuous local matching begins immediately. Every new Linux ELF file submitted to the appliance is evaluated against RL_DirtyFrag_Linux_PrivEsc_Shellcode_2026 and matches surface in the YARA Hunting results without manual intervention. Also upload the ruleset to Spectra Intelligence to extend matching to the Spectra Intelligence cloud sample set as new files arrive. Cloud Retro Hunting runs the ruleset against RL's cloud sample set, covering the full window of CVE-2026-31431 sample arrival from April 29, 2026 onward.

For Python-script and PyPI-package variants that the YARA rules do not cover, Spectra Intelligence threat-name and exploit-field queries provide complete corpus visibility. The exploit:CVE-2026-31431 query alone returns 148 samples spanning every variant type observed in the wild.

For software supply chain exposure, Spectra Assure and the free Spectra Assure Community analyze open-source package risk. The malicious copyfail PyPI wheel identified in this research demonstrates the exposure: a transitive dependency in any Python build pipeline could pull a kernel exploit into the developer environment. Scan your inbound package set for this hash and family pattern.

At the time of writing, AV detection rates across the CVE-2026-31431 corpus range from 2 to 17 scanner matches. RL's analyst classification and Spectra Core complex binary analysis confirmed a malicious classification for all 163 samples ahead of broad AV consensus. This is the operational value of deploying these queries and rules now: you are not waiting for vendor signature updates.

Key recommendations for remediating Dirty Frag

  • Patch immediately. Ubuntu has released fixes for CVE-2026-31431. All Linux distributions are reported affected. Apply vendor kernel updates and reboot to load the patched kernel. See vendor advisories for Red Hat, Debian, SUSE, and other distributions.
  • Hunt with the CVE exploit field as the primary query. exploit:CVE-2026-31431 returns the full set of 148 samples carrying this CVE in the RL corpus, regardless of which variant or threat-name convention applies. Run this first.
  • Add the V4bel-specific queries. threatname:Linux.Exploit.DirtyFrag and threatname:Linux.Trojan.DirtyFrag cover the 15 reference-implementation samples that do not carry the CVE exploit field. Run both.
  • Deploy the YARA rules now. Upload both rules to Spectra Analyze and enable continuous cloud matching. Start a retro hunt to cover files submitted in the past, which spans the full pre- and post-embargo window.
  • Scan your software supply chain for the malicious PyPI package. The copyfail-0.1.0-py3-none-any.whl wheel (SHA-256 7bd2a8093d…) is in PyPI distribution scope. Use Spectra Assure to scan inbound packages and their transitive dependencies in your build pipelines.
  • Investigate Multiverze trojan presence. Linux.Trojan.Multiverze samples in the corpus indicate active malware family adoption of this exploit. Hunt for Multiverze indicators in your environment, particularly on hosts that have not yet received the kernel patch.
  • Audit setuid and setgid binaries on production Linux hosts. Any binary with the setuid bit set is a potential post-exploitation target. Review the list and remove permissions where not required.
  • Alert on ELF execution from writable paths. Monitor for execution of ELF binaries staged in /tmp, /dev/shm, or world-writable directories. These are common staging locations for locally compiled exploit code.
  • Monitor for privilege escalation process chains. Alert on process events where a low-privilege parent spawns a child process with UID 0, particularly where the parent binary is an unsigned ELF or a Python interpreter executing a script not in your software inventory.
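The last two recommendations (ELF execution from writable paths, and a low-privilege parent spawning a UID 0 child) translate directly into host detection logic. The following is an added example, not RL tooling and not part of the original post: it triages constructed exec events of the shape an auditd or eBPF sensor would report, using inventory membership as the stand-in for "signed/known binary" so that a legitimate setuid helper such as sudo stays quiet. The event field names, sample paths, inventory and the world-writable lookup are all assumptions made for the example.

```python
"""Host-side triage for exec events: staged ELF execution and privilege-escalation chains.

Added example; all events, paths and the inventory below are constructed.
"""
import os
import stat
from dataclasses import dataclass

STAGING_DIRS = ("/tmp", "/dev/shm")       # writable staging paths named in the post
PYTHON_BASENAMES = ("python", "python3")  # assumed interpreter names to recognise
ELF_MAGIC = b"\x7fELF"


@dataclass
class ExecEvent:
    """One exec event as a sensor would report it (field names are assumptions)."""
    pid: int
    uid: int             # uid of the new process as reported by the sensor
    exe: str             # path that was executed
    header: bytes        # first bytes of exe, read by the sensor
    parent_uid: int      # uid of the parent at exec time
    parent_exe: str      # binary the parent was running
    parent_argv: tuple = ()


def world_writable_via_stat(d: str) -> bool:
    """Live check of a directory's o+w bit; the sample run substitutes a constructed lookup."""
    try:
        return bool(os.stat(d).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def in_writable_staging_path(path: str, dir_is_world_writable) -> bool:
    """True if path sits under /tmp or /dev/shm, or in any other world-writable directory."""
    d = os.path.dirname(path)
    if any(d == s or d.startswith(s + "/") for s in STAGING_DIRS):
        return True
    return dir_is_world_writable(d)


def triage_event(ev: ExecEvent, inventory: set,
                 dir_is_world_writable=world_writable_via_stat) -> list:
    """Return the alert reasons that fire for one event; an empty list means clean."""
    reasons = []
    # Recommendation: alert on ELF execution from writable paths.
    if ev.header.startswith(ELF_MAGIC) and in_writable_staging_path(ev.exe, dir_is_world_writable):
        reasons.append("elf-exec-from-writable-path")
    # Recommendation: a low-privilege parent spawning a UID 0 child.
    if ev.uid == 0 and ev.parent_uid != 0:
        parent = os.path.basename(ev.parent_exe)
        if parent.startswith(PYTHON_BASENAMES) and len(ev.parent_argv) > 1:
            # Interpreter parent: judge the script it runs, not the interpreter itself.
            if ev.parent_argv[1] not in inventory:
                reasons.append("privesc-chain-uninventoried-python-script")
        elif ev.parent_exe not in inventory:
            # Inventory membership stands in for "signed/known"; sudo is listed and stays quiet.
            reasons.append("privesc-chain-uninventoried-binary")
    return reasons


# Constructed inventory and events; every path here is hypothetical.
INVENTORY = {"/usr/bin/sudo", "/bin/bash", "/bin/sh", "/usr/bin/python3", "/opt/app/deploy.py"}
WORLD_WRITABLE = {"/home/dev/.cache/build"}   # constructed answer for the stat callback
ELF_HDR = ELF_MAGIC + b"\x02\x01\x01"         # constructed 64-bit ELF header prefix

SAMPLE_EVENTS = [
    ExecEvent(101, 1000, "/tmp/.x/poc", ELF_HDR, 1000, "/bin/bash", ("bash",)),
    ExecEvent(102, 0, "/bin/sh", ELF_HDR, 1000, "/tmp/.x/poc", ("./poc",)),
    ExecEvent(103, 0, "/bin/sh", ELF_HDR, 1000, "/usr/bin/python3", ("python3", "/home/dev/poc.py")),
    ExecEvent(104, 0, "/bin/bash", ELF_HDR, 1000, "/usr/bin/sudo", ("sudo", "-i")),
    ExecEvent(105, 1000, "/home/dev/.cache/build/a.out", ELF_HDR, 1000, "/bin/bash", ("bash",)),
    ExecEvent(106, 1000, "/tmp/run.sh", b"#!/bin/sh\n", 1000, "/bin/bash", ("bash",)),
]


def run_sample() -> dict:
    """Triage every constructed event; returns {pid: [reasons]}."""
    return {ev.pid: triage_event(ev, INVENTORY, lambda d: d in WORLD_WRITABLE)
            for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for pid, reasons in run_sample().items():
        print(pid, reasons or "clean")
```

Events 101 and 105 fire the staged-ELF rule (one under /tmp, one in a directory the lookup reports as world-writable), 102 and 103 fire the privilege-escalation chain rule for an uninventoried binary and an uninventoried script respectively, while the sudo chain (104) and the shell script in /tmp (106) stay clean. Feeding real auditd or eBPF exec records means filling ExecEvent from the sensor and dropping the lambda so the live os.stat check is used.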

The detection gap is now

CVE-2026-31431 is broader, older, and more weaponized than the public embargo break narrative suggests. RL classified the first malicious samples on April 29, more than a week before the public embargo break drew press attention. By May 8, the corpus contained 163 samples spanning compiled ELF binaries, Python scripts, a PyPI wheel, and active trojan family adoption by Linux.Trojan.Multiverze. The V4bel/dirtyfrag GitHub reference implementation, often treated in coverage as the exploit, is one of multiple parallel research and development streams.

The shellcode pattern in the V4bel reference implementation is structurally stable, and the YARA rules documented here detect it with high specificity. RL researchers assess with high confidence that the rules detect the V4bel reference binary without modification. The team also assesses with moderate confidence that they will match derivative compilations preserving the shellcode stub. We assess with low confidence that the rules will materially affect the Multiverze, Python-script, or PyPI-package variants, which require text-based and metadata-based detection rather than opcode pattern matching. Combine the YARA rules with the Spectra Intelligence hunting queries to achieve full corpus coverage.

Patch the kernel. Run the queries. Deploy the rules. The detection gap is now.

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
