Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild
ID: 4132bf95-56ad-56c3-873b-e827b8d41313
STIX ID: report--4132bf95-56ad-56c3-873b-e827b8d41313
Feed Name: Elastic Security Labs
This report analyses two related Linux kernel privilege-escalation issues—Copy Fail (CVE-2026-31431) and DirtyFrag—showing how subtle page-cache corruption via legitimate kernel interfaces (AF_ALG/AF_RXRPC and splice()) can reliably yield local root. It documents public proof-of-concepts and in-the-wild exploitation (Copy Fail), and provides practical detection rules (auditd, EQL/ES|QL queries, syscall aggregation), mitigation guidance (kernel updates, module blacklisting, page-cache drop, and unprivileged namespace restrictions), and recommended audit rules to improve defender visibility.
