Several recent Linux kernel vulnerabilities have required a swift response from infrastructure operators.

Among them, Copy Fail and Dirty Frag drew attention because they involve local privilege escalation scenarios. Copy Fail is tracked as CVE-2026-31431.

Dirty Frag covers two distinct vulnerabilities, CVE-2026-43284 and CVE-2026-43500, tied to Linux kernel components.

At Clever Cloud, we treated these vulnerabilities as critical infrastructure matters. Our goal was twofold: quickly shrink the exposure window, then sustainably improve our kernel selection and deployment process.

This article reviews our approach, the decisions made, and the changes brought to our operations pipeline

Why these vulnerabilities called for a fast response

Copy Fail and Dirty Frag belong to the family of local privilege escalation vulnerabilities. In this type of scenario, an attacker must already be able to execute code locally, but can then attempt to gain higher privileges on the affected machine.

Dirty Frag rests on two Linux kernel flaws.

They notably affect modules related to ESP, used by IPsec, and to RxRPC. On a cloud platform, this type of vulnerability calls for a rapid analysis. The risk is not limited to a single isolated machine.

Scenarios tied to shared environments, containerized workloads, and isolation mechanisms must also be assessed.

What we verified

We analyzed the potential impact of these vulnerabilities on our environments. This step is not just about reading security advisories. It also involves verifying whether a theoretical scenario can become relevant in our operating context.

In the case of Copy Fail, the flaw came under embargo together with its patch. We published a new system image with the patch applied in the days that followed.

Our customers' applications were redeployed shortly after.

In the case of Dirty Frag, our internal analyses confirmed that these vulnerabilities had to be taken seriously. ESP modules are enabled in our kernels to support some specific customer needs. Fortunately, RxRPC-related modules are not present in our environment, as they serve no purpose for our usage.

We do not detail the technical steps of the exploitation here, since the purpose of this article is to inform our customers, not to publish a reproducible procedure.

This validation confirmed the operational decision: handle the matter immediately, reduce the exposed surface, then force the necessary redeployments.

Our operational response

Rolling out immediate measures

We first applied quick measures on the affected kernels. In the case of Dirty Frag, the publicly recommended measures focus in particular on the kernel components related to ESP and RxRPC.

On Clever Cloud's side, the goal was clear: reduce the identified exposed surfaces and shrink the exposure window without waiting for a standard maintenance cycle.

Redeploying the affected workloads

A kernel update only matters if the affected systems actually restart on a patched environment. We therefore launched a progressive redeployment of applications, then handled the cases that blocked this redeployment.

This phase matters. On a managed platform, the fix is not limited to producing an image or compiling a kernel. The execution chain must also actually use the expected version.

Improving the process along the way

We also took advantage of this sequence to replace a temporary mechanism with a cleaner integration into our orchestration pipeline.

Concretely, the kernel choice is now passed more explicitly through our internal pipeline, all the way to Supernova, our hypervisor agent. This evolution replaces the stiffer workaround put in place in the heat of the moment.

That is the central point of this intervention: fix fast, then make the fix more reliable for future operations.

What this changes for Clever Cloud customers

For customers, the expected effect is simple: reduce exposure without any manual action on their part whenever the platform can handle the redeployment.

Clever Cloud runs an architecture that relies in particular on isolation through virtualization. This approach is documented on our security pages and in our technical content on running containers inside virtual machines. It does not eliminate every risk, but it limits certain lateral movement scenarios compared to models where multiple workloads share the same execution environment directly.

We avoid, however, presenting this isolation as an absolute guarantee. A kernel vulnerability must always be taken seriously.

That is why we combined mitigation, redeployment, and improvement of our operations pipeline.

What we take away

This sequence confirms three principles.

First, a kernel vulnerability must be analyzed in its actual operating context. A public alert is not enough. We need to understand whether the conditions required for exploitation can exist on the platform.

Second, reaction speed matters. The Copy Fail and Dirty Frag vulnerabilities were disclosed publicly within a few days of each other, with analyses published by several players in the Linux and cloud ecosystem.

Finally, a useful security response must not only fix the problem of the moment. It must also improve the system that will handle the next incident.

That is what we did here: handled the vulnerabilities, shrank the exposure window, and strengthened our kernel management process.

Q&A

What is a local kernel vulnerability?

A local kernel vulnerability is a flaw that already requires execution capability on the affected machine. It can then allow gaining higher privileges, such as root, if the kernel is vulnerable.

Why do these flaws concern cloud platforms?

Cloud platforms run many workloads with isolation mechanisms. A kernel flaw can become critical if it allows crossing certain boundaries between processes, containers, or execution environments.

Are Dirty Frag and Copy Fail the same vulnerability?

No. Copy Fail is tracked as CVE-2026-31431. Dirty Frag covers CVE-2026-43284 and CVE-2026-43500. These vulnerabilities are close in impact, but they are distinct.

What action is required from Clever Cloud customers?

No general action is required from customers for environments handled by the platform. The automation brought by Clever Cloud allowed everything to be updated without action needed. Specific cases are tracked individually.

Animé par : Horacio GONZALEZ
Avec la participation de :
- Mathieu SANTOSTEFANO
- Sébastien BRUNAT
- Julien DURILLON

Episode enregistré le 26 septembre 2025

Montage : Yann BRESSON @ Smartmedias

Chapitrage et Liens

00:00:16 - Présentation des invités

00:03:30 - FrankenPHP annonce le support de gRPC pour les apps PHP

• https://dunglas.dev/2025/09/the-best-of-both-worlds-go-powered-grpc-for-your-php-and-api-platform-apps/

00:12:10 - Stop saying “PHP is not dead” https://liamhammett.com/think-of-an-elephpant

• En disant “PHP is not dead”, le cerveau humain entend d’abord “PHP is dead”

00:15:30 - Futur : PHP 9, pas mal de changements

• https://benjamincrozat.com/php-90 

00:23:00 - Open Infrastructure is Not Free 

• https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/
  • Appel à la prise de conscience que les infra qui fait tourner les packages managers n’est pas gratuite et sont en danger de financement

00:30:45 - Behind The Scenes of Bun Install - https://bun.com/blog/behind-the-scenes-of-bun-install 

00:37:40 - Linux Multikernel architecture - https://www.phoronix.com/news/Linux-Multi-Kernel-Patches

• Pourrait améliorer le changement de kernel à chaud
• Pourrait permettre une séparation plus sécurisée de certains workloads sans dégainer un hyperviseur
• Sur la mailing-list, les gens ne sont pas tous convaincus par la possibilité d’une implémentation dans un futur proche.

00:46:10 - Client Pulsar natif PHP

• https://github.com/ikilobyte/pulsar-client-php 
• PR Symfony pour Kafka dans Messenger : https://github.com/symfony/symfony/pull/51070

01:00:36 - Musique de fin – Meute - You and me (Disclosure) live at Coachella https://www.youtube.com/watch?v=HmvNo6aUIDo

Animé par Julien Durillon - @juuduu
avec la participation de :

• Arnaud Lefebvre - @blackyoup
• Agathe - @agathe
• Adrien Mahieux - @saruspete

Épisode enregistré le 25 septembre 2024

Chapitrage et Liens

00:00:16 : Introduction et présentation des participants

6.9
00:02:14 Les nouveautés de BPF
Arenas : yet another partage de mémoire entre le programme BPF et le userspace. Plus sympa à utiliser que les rings et les maps
Tokens : ça simplifie le fait de donner des accès à des fonctionnalités BPF à d’autres softs. On n’a pas très bien compris l’usage, faites-vous inviter au prochain épisode pour nous l’expliquer

00:09:06 Deprecation d’ext2
Sera cassé en 2038, vous savez pourquoi
Pour le UEFI, on utilise fat32 qui devrait tenir jusqu’à 2107
cf. https://cscie92.dce.harvard.edu/spring2024/slides/FAT32%20File%20Structure.pdf p37

00:16:23 Support AMD Secure Nested Paging
Chiffrement des “shadow page tables” directement dans le proc

00:22:14 Fuse bypass dans certains cas
FUSE (Filesystem in Userspace) permet de monter des FS non supportés par le kernel
Ça fonctionne en lançant un “serveur” fuse
La modif en question permet dans certains cas de bypass le serveur et d’écrire directement dans les fichiers visés en mmap

6.10
00:25:29 mseal
On peut définir des bouts de la ram comme étant readonly. En cas de stack overflow, l’attaquant ne pourra pas aller écrire dedans
Utilisé par chrome pour le sandboxing
Tant que le process tourne, la mémoire reste bloquée

00:30:46 integrity and security to tpm2 support
Trusted Platform Module : du hardware qui permet de faire du chiffrement / stockage de clé ou certifs
On ne peut plus trop écouter ce qui passe électroniquement sur le bus.

00:36:36 Faster io_uring zerocopy perf

00:41:15 numa
Migration des huge pages entre nœuds

00:50:11 : Musique de fin - Lipps Inc. - Funky town - https://www.youtube.com/watch?v=uhzy7JaU2Zc

Animé par Horacio Gonzalez - @LostInBrittany
avec la participation de :
- Antoine Sabot-Durand- @antoine_sd
- Erwan Rougeux - @ERougeux
- Florentin Dubois - @FlorentinDUBOIS

Épisode enregistré le 18 juillet 2024

👋 Venez discuter avec nous sur @clever_cloudFR pour nous dire ce que vous avez pensé de ce nouvel épisode.

➡️ Pour découvrir ou réécouter d’anciens épisodes c’est par ici !

Chapitrage

00:00:16 : Introduction et présentation des participants

00:01:35 : Développement international chez Clever Cloud : https://www.clever.cloud/blog/company/2024/06/19/clever-cloud-announces-international-growth/

00:06:49 : L’initiative MicroProfile AI : https://microprofile.io/ https://github.com/smallrye/smallrye-llm

00:30:49 : Homepage : https://gethomepage.dev/main/

https://www.home-assistant.io/ https://pi-hole.net/

00:40:10 : Calibre web : https://github.com/janeczku/calibre-web

00:45:01 : Kernel 6.10 https://www.phoronix.com/news/Linux-6.10-Hardening https://www.phoronix.com/news/GNU-Linux-Libre-6.10 https://www.phoronix.com/news/Linux-6.10-Released https://www.phoronix.com/news/Linux-6.10-Features-Recap

00:47:40 : Unraid 7.0.0-beta.2 - Highlights ZFS https://docs.unraid.net/unraid-os/release-notes/7.0.0/

https://unraid.net/blog/unraid-7-beta-2

Dans ce formidable épisode nous parlons de la disparition des protocoles TLS 1.0 et 1.1 sur Clever Cloud, de notre Operator pour Kubernetes, de Rolland Garros sauce NFT, des drivers Nvidia en open source pour Linux, des suites du DDos du bloggeur Amos, de sécurité autour d'Heroku et de Doctolib, de développement de module Kernel en Rust avant de présenter l'outil de la semaine pour enfin finir en musique.

👋 Venez discuter avec nous sur @clever_cloudFR pour nous dire ce que vous avez pensé de ce nouvel épisode.

➡️ Pour découvrir ou réécouter d’anciens épisodes c’est par ici !

Timecode & Liens

00:00:00 Introduction et présentation d’Alexandre Gourdel

Avant de passer aux sujets de sociétés, quelques annonces de Clever Cloud

00:09:40 Removal of tls 1.0 and 1.1 (Clément)
https://www.clever.cloud/blog/engineering/2022/05/03/removal-of-tls-1-0-and-1-1-from-our-load-balancers-on-june-30/

00:12:40 Et si on testait le Clever Operator pour Kubernetes ? (Florentin)
https://blog.zwindler.fr/2022/05/17/et-si-on-testait-clever-kubernetes-operator/
https://www.clever.cloud/blog/engineering/2022/04/28/introducing-the-clever-cloud-rust-sdk/

00:15:56 Kubernetes 1.24: Introducing Non-Graceful Node Shutdown Alpha (Florentin)
https://kubernetes.io/blog/2022/05/20/kubernetes-1-24-non-graceful-node-shutdown-alpha/

00:19:05 Le sport se met aux NFT (Alexandre)
https://www.francetvinfo.fr/sports/manne-financiere-communaute-de-fans-elargie-attrait-des-sponsors-les-nft-nouvel-eldorado-dans-le-monde-du-sport_5116483.html
https://club.rolandgarros.com/fr
Un détenteur d’un NFT « RG Game, Seat & Match » bénéficiera de nombreux avantages : accès à la version virtuelle du court Philippe-Chatrier ainsi qu’à des expériences exceptionnelles (jouer sur les courts de Roland-Garros, remporter des billets pour les prochaines éditions du Grand Chelem parisien et du Rolex Paris Masters, visiter les coulisses du stade Roland-Garros…). Acquérir un NFT de cette collection, c’est aussi rejoindre une communauté de fans engagés, avec qui échanger et partager votre passion.

00:28:32 Nvidia ouvre les drivers linux de ses cartes graphiques (Clément)
https://www.phoronix.com/scan.php?page=article&item=nvidia-open-kernel&num=1
En fait ils ont pas le choix
Quelques jours plus tôt, y’a deux boîtes qui ont réussi à casser LHR grâce à la fuite de février.

00:34:22 Amos a amélioré son serveur HTTP perso suite à un DDoS (Julien)
https://twitter.com/fasterthanlime/status/1520937581059448838
https://fasterthanli.me/articles/i-won-free-load-testing

00:45:45 À quoi ressemble la gestion d’un gros incident sécu, l'exemple Heroku
https://status.heroku.com/incidents/2413?updated
Tweet du seum pour heroku

00:52:48 La sécurité pour les nuls
https://www.francetvinfo.fr/internet/securite-sur-internet/enquete-doctolib-certaines-donnees-medicales-ne-sont-pas-entierement-protegees_5147644.html
Article touilleur : https://www.touilleur-express.fr/2022/03/08/le-chiffrement-de-bout-en-bout-et-la-signature-denveloppe/

01:02:00 Things Are Getting Rusty In Kernel Land (Florentin)
https://hackaday.com/2022/05/17/things-are-getting-rusty-in-kernel-land/
Conférence de Georges Thomas sur “Comment développer un module kernel en Rust”
Pourquoi des modules en Rust, plutôt qu’un autre langage ?
As kernel second-in-command [Greg Kroah-Hartman] put it, “drivers are probably the first place for an attempt like this as they are the ‘end leafs’ of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them.”
Mais qu’est-ce qui se passe ? Que se passe-t-il ?
At some point in the future, one of the interested parties, like Google, would start writing new drivers in Rust. Google seems to be very interested in converting parts of Android to Rust, likely in an attempt to thwart the continued pwnage of their OS from the likes of the NSO group.
Another interesting connection is that [Miguel Ojeda], lead developer of the Rust for Linux effort, is now employed full time by Prossimo for that purpose. Prossimo is an arm of the Internet Security Research Group, which is also famous for leading Let’s Encrypt.

01:10:45 L'Outil de la semaine
https://vscodecandothat.com/

01:16:13 La musique de l’épisode : Billy Paul - Your Song - https://www.youtube.com/watch?v=DbgYUj3jQoI

Dans ce fabuleux épisode réalisé en famille avec Quentin Adam, Marc Antoine Perennou, Julien Durillon et Pierre Zemb, nous parlons de class action sur une entente Google / Apple sur les moteur de recherche, des processeurs Mobile eye by Intel et des annonces AMD et Intel pour de nouveaux procs, de GNUPG qui devient économiquement viable, du bug Exchange de l'an 2022. On vous présente les nouvelles recrues de Clever Cloud et enfin, on vous parle Kernel !

Timecodes & liens :

00:00:00 : Introduction

00:02:03
https://appleinsider.com/articles/22/01/04/class-action-lawsuit-alleges-google-pays-apple-to-stay-out-of-the-search-engine-market - https://twitter.com/techemails?lang=fr

00:07:48
https://www.intel.com/content/www/us/en/newsroom/resources/mobileye-ces-2022.html#gs.ksmzw1
https://fr.wikipedia.org/wiki/Mobileye

00:10:49 : Annonce proc au CES
https://www.theverge.com/2022/1/4/22866452/intel-amd-cpu-ces-2022-core-i9-12900ks-ryzen-processor that's 22 for PCs, eight for gaming laptops, six in a new P series, 10 U series for thin-and-lights and four for cheap laptops and Chromebooks. Intel tease 5.5 GHz

00:13:28 : GnuPG devient économiquement viable
https://linuxfr.org/users/gouttegd/journaux/gnupg-devient-economiquement-viable-et-n-a-plus-besoin-de-dons
Annulation de tous les dons récurrents sur Paypal.
Message disant que c’est plus la peine de donner : https://gnupg.org/donate/index.html
Notamment en se faisant certifier par le Bundesamt für Sicherheit in der Informationstechnik
En parallèle, il y a aussi une nouvelle implem en rust qui, elle, expose une vraie lib : https://sequoia-pgp.org/ (rien de ouf , juste une nouvelle lib/appli)

00:18:51 : Exchange s’est tapé le bug de l’an 2022.
Microsoft releases emergency fix for Exchange year 2022 bug discovered that their servers were no longer delivering email. store the date in a signed int32 variable. Can't convert "2201010001” However, this variable can store only a maximum value of 2,147,483,647, which is less than the new date value of 2,201,010,001 for January 1st, 2022, at midnight.
https://twitter.com/pbeyssac/status/1477370059664281606

00:22:13 Clever Cloud appoints Steven Le Roux as CTO and Cédric Biron as COO to continue its structuring

00:24:50
https://sysprog21.github.io/lkmpg/

00:28:00 : Kernel 5.13
https://kernelnewbies.org/Linux_5.13 landlock

• LSM for sandboxing. Instead of targetting syscalls, targets kernel resources and objects Clang Control Flow Integrity
• Crash on UB detection instead of letting potential attacks go on 00:39:30 Randomising stack address for each syscall - security ++ but perfs –

00:41:18 Apple M1 support

00:45:00 BPF programs can call kernel functions

00:47:30 misc cgroups: basic counter-based limits

00:50:00 KVM SGX support

00:51:25 = SMALL NEWS
A virtio sound driver for improved sound experience on virtualized guests https://www.qubes-os.org/

00:54:10 zstd compressed modules

00:57:55 WWAN subsystem io_uring support for multi shot mode

01:05:20 Musique par Jul(ien) : https://www.youtube.com/watch?v=yESgLltcd-k