Copy Fail and Dirty Frag Linux Kernel Privilege Escalation Vulnerabilities Affecting Moxa Industrial Computing Platforms (MPSA-263140)
Moxa has published security advisory MPSA-263140 disclosing three high-severity Linux kernel vulnerabilities — collectively referred to in the security community as "Copy Fail" and "Dirty Frag" — that affect a broad cross-section of the company's industrial computing, edge connectivity, and remote I/O platforms. The affected devices run Moxa Industrial Linux (MIL) v1.0 through v1.5 or Debian 11/12 delivered through the company's CTOS provisioning, and the underlying flaws reside in core Linux kernel subsystems rather than in Moxa-specific code. Because these subsystems are shared with virtually every modern Linux distribution, the same weaknesses have been reported across cloud and enterprise environments worldwide.
The three vulnerabilities are all local privilege escalation flaws. CVE-2026-31431 ("Copy Fail"), with a CVSS v3.1 score of 7.8, stems from an incorrect in-place operation in the kernel's algif_aead cryptographic interface. CVE-2026-43284 and CVE-2026-43500 (together "Dirty Frag"), carrying CVSS v3.1 scores of 8.8 and 7.8 respectively, are interconnected weaknesses in the IPsec ESP (esp4/esp6) and RxRPC kernel paths that allow an unprivileged local attacker to deterministically overwrite the kernel page cache and obtain root-level control. None of the three vulnerabilities can be triggered remotely; an attacker must already possess the ability to execute code on the device as an unprivileged local user.
The practical risk these flaws introduce is the conversion of limited, low-privilege access into full root control of an industrial device. In operational technology environments, a Moxa UC-series computer, AIG gateway, or remote I/O controller that an adversary can reach through a compromised application, an exposed service, or stolen low-tier credentials becomes a foothold from which the attacker can disable security controls, tamper with control logic, manipulate field communications, or pivot deeper into the OT network. A working public proof-of-concept for the Dirty Frag flaws has been reported, lowering the barrier to exploitation, and at the time of Moxa's advisory release validated firmware patches were still pending, leaving interim mitigations as the primary defense.
Threats and Vulnerabilities
CVE-2026-31431, known as "Copy Fail" and carrying a CVSS v3.1 score of 7.8, is an incorrect resource transfer weakness (CWE-669) in the Linux kernel's algif_aead module, which exposes authenticated-encryption cryptographic algorithms to userspace through the kernel crypto socket interface. The module incorrectly performs cryptographic operations in place when the source and destination buffers actually originate from different memory mappings, corrupting kernel memory in a controllable way. The upstream fix reverts the affected code to operating out-of-place. An unprivileged local user can leverage the resulting memory corruption to modify privileged in-memory data and escalate to root, with high impact to confidentiality, integrity, and availability.
CVE-2026-43284, the more severe half of "Dirty Frag" with a CVSS v3.1 score of 8.8, is a write-what-where condition (CWE-123) in the kernel's IPsec ESP implementation (the esp4 and esp6 modules). By abusing the handling of fragmented ESP packets, an unprivileged local attacker can deterministically overwrite arbitrary contents of the kernel page cache, the in-memory copy of file data that the kernel serves to every process reading those files, and so substitute attacker-controlled bytes for trusted content such as a privileged binary or system configuration file as it is read from the cache. The scope-changed CVSS vector (S:C) reflects that the impact extends beyond the vulnerable component itself. The affected code path has been present since roughly 2017, giving the flaw an exceptionally wide exposure window across deployed kernels, and a public proof-of-concept has been reported.
CVE-2026-43500, the second "Dirty Frag" vulnerability with a CVSS v3.1 score of 7.8, is an out-of-bounds write (CWE-787) in the kernel's RxRPC subsystem, the transport underneath the kernel's AFS network filesystem support. Like its companion flaw, it allows an unprivileged local attacker to overwrite the kernel page cache and achieve root-level privilege escalation, but through the RxRPC fragment-handling path rather than IPsec ESP. The vulnerable RxRPC code was introduced around June 2023, giving this variant a narrower exposure window than CVE-2026-43284. The two Dirty Frag paths lead to the same page-cache overwrite, and which one is present on a given Moxa device depends on the kernel version it runs, so both must be addressed rather than only the one that a particular device currently exposes. None of the three vulnerabilities is remotely exploitable.
Client Impact
For organizations operating affected Moxa platforms, the operational impact centers on the loss of the device's trust boundary. The affected models span a wide range of industrial roles — UC-series and V-series embedded computers, VM-series machines, ioThinx 4530 remote I/O, AIG-series IIoT gateways, and the BXP, DRP, and RKP edge and rugged computing lines — many of which sit at the IT/OT boundary, aggregate field data, or run customer applications. Because the vulnerabilities turn any unprivileged local foothold into full root control, a single compromised application or service on one of these devices can lead to complete takeover of the device, manipulation of the data and control traffic it handles, disabling of host-based protections, and lateral movement into adjacent control-system segments. The local-only attack vector means the immediate prerequisite is some form of existing access, but in converged or remotely managed OT environments that prerequisite is frequently within reach of an adversary.
From a compliance and governance standpoint, unpatched root-escalation flaws on industrial endpoints map directly to control expectations under IEC 62443, NIST SP 800-82r3, and, for applicable critical-infrastructure operators, NERC CIP. These frameworks require timely patch and vulnerability management, least-privilege enforcement, and protection of the integrity of control devices — all of which are undermined while a known local-to-root path remains open. Operators in regulated sectors should document the exposure, apply the interim mitigations, and track Moxa's pending firmware releases as part of their formal vulnerability-management and risk-acceptance processes, as failure to act on a publicly known, proof-of-concept-backed kernel flaw could constitute a reportable control gap.
Mitigations
Because validated firmware patches were still pending at the time of Moxa's advisory, organizations should apply the following interim measures, prioritized by the device's exposure and role, and treat firmware patching as the eventual permanent remediation.
1. Restrict and monitor local access to affected Moxa devices: remove or lock unneeded accounts, keep untrusted applications and services off the device or confine them, and enforce least privilege for those that remain. Because the attack vector is local-only, every account or process able to run code as an unprivileged user is a potential starting point, so minimizing those footholds is the single most effective interim control.
2. For systems that do not require the affected functionality, prevent the vulnerable kernel modules from loading via configuration files under /etc/modprobe.d/ or kernel boot parameters: algif_aead for Copy Fail, rxrpc for the RxRPC Dirty Frag path, and esp4/esp6 for the IPsec Dirty Frag path on devices that do not use IPsec. A blacklist entry alone only suppresses alias-based autoloading; pair it with an install <module> /bin/false line so that an explicit modprobe of the module also fails, unload any of these modules that are already loaded, and check modules.builtin for the running kernel, because code compiled into the kernel cannot be blacklisted or unloaded and must be covered by access restriction until a fixed kernel ships.
3. For IPsec-dependent systems where disabling esp4/esp6 is not feasible, restrict unprivileged user namespaces by setting user.max_user_namespaces=0 (persisted under /etc/sysctl.d/), which removes the unprivileged path used to reach the vulnerable ESP code. This setting also blocks legitimate unprivileged use of user namespaces, such as rootless containers and namespace-based sandboxes, so confirm that no workload on the device depends on them before applying it.
4. Where operationally acceptable, drop the kernel page cache (vm.drop_caches) and apply available kernel hardening to reduce the determinism the Dirty Frag exploits rely on, recognizing that this is a temporary, repeatable risk-reduction step and not a fix: the cache refills as soon as files are read again.
5. Monitor Moxa's MPSA-263140 advisory for the release of validated firmware, inventory all affected UC, V, VM, ioThinx, AIG, BXP, DRP, and RKP devices now, and schedule patch deployment as soon as fixed versions are published.
Applied together, these measures materially reduce the likelihood that a low-privilege foothold can be escalated to root while permanent firmware fixes are validated and staged for deployment.
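The following script is an added example, not code from Moxa or from advisory MPSA-263140. It generates the modprobe and sysctl configuration for steps 2 and 3 above and audits a device's state against them, distinguishing a module that is merely absent (the configuration will keep it out) from one that is loaded (it must still be unloaded) and one that is compiled into the kernel (neither blacklisting nor unloading can help). The module names and the user.max_user_namespaces sysctl come from the advisory text; the file names under /etc/modprobe.d/ and /etc/sysctl.d/ are this example's own choice, and the sample module listing is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example (not Moxa's or the advisory's code). Generates and audits the
# interim module-blacklist and user-namespace mitigations. File names under
# /etc/modprobe.d and /etc/sysctl.d are assumed, not taken from the advisory.

MPSA_MODULES="algif_aead rxrpc esp4 esp6"

# Emit a modprobe.d fragment. "blacklist" only stops alias-triggered autoload;
# the "install ... /bin/false" line also makes an explicit "modprobe <name>"
# fail, so both lines are written for every module.
mitigation_modprobe_conf() {
  for m in "$@"; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done
}

# Classify one module from the text of /proc/modules and modules.builtin:
# "builtin" (compiled in; only access control or a fixed kernel helps),
# "loaded" (must be unloaded after the config is written), or "absent".
module_state() {
  mod="$1"; proc_modules="$2"; builtin_list="$3"
  if printf '%s\n' "$builtin_list" | grep -q "/$mod"'\.ko$'; then
    echo builtin
  elif printf '%s\n' "$proc_modules" | cut -d ' ' -f1 | grep -qx "$mod"; then
    echo loaded
  else
    echo absent
  fi
}

# Audit every listed module plus the sysctl value. Prints "item state" lines
# and returns 1 if anything still needs work, 0 if the mitigations are in place.
audit_mitigations() {
  proc_modules="$1"; builtin_list="$2"; max_userns="$3"
  rc=0
  for m in $MPSA_MODULES; do
    st=$(module_state "$m" "$proc_modules" "$builtin_list")
    echo "$m $st"
    [ "$st" = absent ] || rc=1
  done
  echo "user.max_user_namespaces $max_userns"
  [ "$max_userns" = 0 ] || rc=1
  return $rc
}

# Audit the running kernel on a real device.
live_audit() {
  audit_mitigations "$(cat /proc/modules)" \
    "$(cat /lib/modules/"$(uname -r)"/modules.builtin)" \
    "$(cat /proc/sys/user/max_user_namespaces)"
}

# Apply on a device as root. A module that is in use (e.g. esp4 with active
# IPsec SAs) refuses to unload and will still show as "loaded" in the audit.
apply_mitigations() {
  mitigation_modprobe_conf $MPSA_MODULES > /etc/modprobe.d/mpsa-263140.conf
  printf 'user.max_user_namespaces = 0\n' > /etc/sysctl.d/99-mpsa-263140.conf
  sysctl -p /etc/sysctl.d/99-mpsa-263140.conf
  for m in $MPSA_MODULES; do modprobe -r "$m" 2>/dev/null || true; done
}

# Constructed sample state (not from a real device): esp4 and rxrpc loaded,
# algif_aead compiled in, esp6 absent, user namespaces still unrestricted.
SAMPLE_PROC_MODULES='esp4 24576 0 - Live 0x0000000000000000
xfrm_user 49152 1 - Live 0x0000000000000000
rxrpc 200704 0 - Live 0x0000000000000000'
SAMPLE_BUILTIN='kernel/crypto/algif_aead.ko
kernel/fs/ext4/ext4.ko'

case "${1:-}" in
  apply) apply_mitigations && live_audit ;;
  live)  live_audit ;;
  *)     audit_mitigations "$SAMPLE_PROC_MODULES" "$SAMPLE_BUILTIN" 65536 \
           || echo "mitigations incomplete (see lines above)" ;;
esac
```

Run with no arguments it audits the constructed sample and reports that algif_aead is built in, esp4 and rxrpc are loaded, and user namespaces are unrestricted; `live` audits the running device, and `apply` (as root) writes the configuration, reloads the sysctl, attempts the unloads, and re-audits. A "builtin" result is the case worth escalating: on such a kernel the blacklist has no effect, and step 1's access restriction is the only interim control for that path.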
1898 & Co. Response
1898 & Co. actively tracks vendor and kernel-level vulnerability disclosures affecting operational technology and industrial computing platforms, including the Moxa MPSA-263140 advisory and the broader Copy Fail and Dirty Frag kernel flaws. Our team translates these disclosures into asset-specific exposure assessments, helping clients quickly determine which devices in their environment run affected Moxa Industrial Linux or CTOS-provisioned Debian builds and which interim mitigations apply to each role and deployment.
Our managed threat detection and response services are built for the realities of OT environments, where patching is constrained by uptime requirements and change-control windows. For vulnerabilities like these — where validated patches lag public disclosure and proof-of-concept code already circulates — we help clients implement and validate compensating controls, baseline normal local-process and privilege behavior, and detect the anomalous activity that precedes or accompanies a privilege-escalation attempt.
With deep experience spanning industrial control systems, network architecture, and incident response, 1898 & Co. supports clients across the full vulnerability lifecycle: inventory and exposure analysis, mitigation engineering, detection development, and coordinated patch deployment once firmware is released. Our consultants combine practical OT operations experience with adversary-focused threat intelligence to ensure that defensive actions are both technically sound and operationally feasible.
Sources
1. Moxa Security Advisory MPSA-263140 — Copy Fail and Dirty Frag Vulnerabilities in Linux Kernel