TL;DR
DirtyFrag and Copy Fail 2: Electric Boogaloo are kernel-level LPEs that abuse the esp4 and esp6 IPsec modules. Block all three modules (esp4, esp6, rxrpc) immediately to eliminate the attack surface. Patch kernels when ready.
Impact: Any unprivileged process becomes root. Chains with web RCE, weak credentials, or plugin vulnerabilities to escalate from application-level compromise to full kernel control.
Immediate Action (5 Minutes per Host)
```bash
sudo tee /etc/modprobe.d/dirtyfrag.conf <<'EOF'
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF
sudo rmmod esp4 esp6 rxrpc 2>/dev/null || true
```
Verify:
```bash
lsmod | grep -E 'esp4|esp6|rxrpc'    # Should return nothing
cat /etc/modprobe.d/dirtyfrag.conf   # Should show all three install lines
```
Then patch your kernel once patched releases become available for your distro.
Ansible Deployment
Deploy across your Magento infrastructure in one run:
```yaml
- hosts: magento_servers
  become: true
  tasks:
    - name: Write dirtyfrag modprobe block
      copy:
        dest: /etc/modprobe.d/dirtyfrag.conf
        content: |
          install esp4 /bin/false
          install esp6 /bin/false
          install rxrpc /bin/false
        owner: root
        group: root
        mode: "0644"
    - name: Unload esp4 if loaded
      command: rmmod esp4
      failed_when: false
      changed_when: true
    - name: Unload esp6 if loaded
      command: rmmod esp6
      failed_when: false
      changed_when: true
    - name: Unload rxrpc if loaded
      command: rmmod rxrpc
      failed_when: false
      changed_when: true
```
Run once:
```bash
ansible-playbook deploy-dirtyfrag-disable.yaml -i hosts.yaml
```
Validation
`lsmod` and both `ip xfrm` commands should return nothing; `cat` should print the three install lines:
```bash
# Check modules are not loaded (expect no output)
lsmod | grep -E 'esp4|esp6|rxrpc'
# Check modprobe block is in place (expect the three install lines)
cat /etc/modprobe.d/dirtyfrag.conf
# Check for active IPsec security associations (should be empty on a plain web server)
ip xfrm state
ip xfrm policy
```
Test Module Blocking
Verify the modules cannot be loaded:
```bash
modprobe esp4 2>&1    # Should fail: "modprobe: ERROR: could not insert 'esp4'"
modprobe esp6 2>&1    # Should fail
modprobe rxrpc 2>&1   # Should fail
```
IPsec Impact Assessment
Before blocking, check whether any active tunnels depend on kernel IPsec:
```bash
ip xfrm state    # Active IPsec security associations
ip xfrm policy   # Active IPsec policies
```
Empty output means you’re not using kernel IPsec and it’s safe to block.
What is affected by blocking esp4/esp6:
| Affected | Not Affected |
|---|---|
| Kernel IPsec (strongSwan, Libreswan, OpenSwan in kernel mode) | OpenVPN (TLS-based) |
| Site-to-site VPNs using ESP transport/tunnel mode | WireGuard (own kernel module) |
| Some customer-managed AWS VPN attachments | SSH |
| rxrpc / AFS mounts | MySQL, Redis, Varnish, Elasticsearch |
For a standard Magento web server, these modules are not required. If you’re running kernel-level IPsec for database connectivity or a managed VPN, test in staging before applying to production, or apply only to hosts confirmed not using kernel IPsec.
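The Validation and IPsec Impact Assessment sections above boil down to three checks: the modprobe block file names every module, none of the modules is currently loaded, and kernel IPsec is not in use. The POSIX shell script below is an added example (not part of the original advisory or of any vendor tooling) that performs those checks from saved command output, so the same script can run on a live host or over `lsmod` / `ip xfrm state` snapshots collected across a fleet. The script name `dirtyfrag-audit.sh` and the snapshot file names are assumptions; the sample inputs in the usage note are constructed.

```shell
#!/bin/sh
# dirtyfrag-audit.sh (added example, not from the advisory): audit the
# esp4/esp6/rxrpc mitigation. Each check reads a file so it can run on a live
# host or on saved output collected elsewhere.
#   usage: dirtyfrag-audit.sh CONF LSMOD_OUTPUT XFRM_STATE_OUTPUT
#   e.g.:  lsmod > /tmp/lsmod.txt; ip xfrm state > /tmp/xfrm.txt
#          ./dirtyfrag-audit.sh /etc/modprobe.d/dirtyfrag.conf /tmp/lsmod.txt /tmp/xfrm.txt

BLOCKED_MODULES="esp4 esp6 rxrpc"

# conf_blocks_all CONF: succeed only if CONF has an uncommented
# "install <module> /bin/false" line for every blocked module.
conf_blocks_all() {
    conf="$1"
    [ -r "$conf" ] || return 1
    for mod in $BLOCKED_MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false([[:space:]]|$)" "$conf" \
            || return 1
    done
}

# loaded_blocked LSMOD_FILE: print the blocked modules present in saved lsmod
# output (header line skipped); succeed if at least one is loaded, i.e. the
# host is NOT yet mitigated.
loaded_blocked() {
    awk -v mods="$BLOCKED_MODULES" '
        BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        NR > 1 && ($1 in want) { print $1; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# xfrm_in_use XFRM_FILE: succeed if saved "ip xfrm state" output lists any SA
# (each SA starts with a "src ... dst ..." line). Non-empty output means the
# host relies on kernel IPsec and blocking esp4/esp6 will break those tunnels.
xfrm_in_use() {
    grep -q '^src ' "$1"
}

# audit CONF LSMOD_FILE XFRM_FILE: print a verdict per check. Returns 0 only
# when the block file is complete and no blocked module is loaded; IPsec in
# use is reported as a warning because it changes what blocking will break.
audit() {
    rc=0
    if conf_blocks_all "$1"; then
        echo "conf:   OK   ($1 blocks all of: $BLOCKED_MODULES)"
    else
        echo "conf:   FAIL ($1 missing or incomplete)"; rc=1
    fi
    if loaded=$(loaded_blocked "$2"); then
        echo "lsmod:  FAIL (still loaded: $(printf '%s ' $loaded))"; rc=1
    else
        echo "lsmod:  OK   (no blocked module loaded)"
    fi
    if xfrm_in_use "$3"; then
        echo "xfrm:   WARN (active IPsec SAs found; confirm nothing depends on esp4/esp6 before blocking)"
    else
        echo "xfrm:   OK   (no IPsec SAs; kernel IPsec not in use)"
    fi
    return $rc
}

# Run the audit only when invoked with the three input files.
if [ "$#" -eq 3 ]; then
    audit "$1" "$2" "$3"
fi
```

On a live host, capture the two command outputs first (`lsmod > /tmp/lsmod.txt; ip xfrm state > /tmp/xfrm.txt`) and pass them with the real block file; a constructed `lsmod` snapshot containing an `esp4` row makes the script report `lsmod: FAIL (still loaded: esp4)` and exit 1, while a snapshot listing only `wireguard` passes, matching the "Not Affected" column of the table above.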
Why Block Modules Instead of Patching Immediately?
- Speed: 30 seconds per host vs. downtime for kernel updates
- No restart needed: Takes effect immediately
- Low blast radius: Standard Magento hosts don’t use esp4/esp6/rxrpc
- Bridge time: Gives time to test kernel patches in staging
- Defence in depth: Keep the block even after patching
Kernel Patching
Find patched kernels:
- Ubuntu / Debian: `apt update && apt upgrade`
- RHEL / CentOS / Fedora: `dnf update kernel`
- Amazon Linux 2: `yum update kernel`
- SUSE: `zypper update kernel-default`
- Arch: `pacman -Syu`

After rebooting into the new kernel:
```bash
uname -r   # Verify kernel version after reboot
```
Relationship to CopyFail (CVE-2026-31431)
These are separate exploits with separate mitigations. If you already applied the CopyFail fix, you still need this one.
| Exploit | Module blocked | Config file |
|---|---|---|
| CopyFail (CVE-2026-31431) | algif_aead | /etc/modprobe.d/disable-algif.conf |
| DirtyFrag / Copy Fail 2 | esp4, esp6, rxrpc | /etc/modprobe.d/dirtyfrag.conf |
Both files can coexist. Apply both.
Credits
- Initial DirtyFrag heads-up: Sansec
- Follow-up Copy Fail 2 heads-up: Jeroen Boersma