A Local Privilege Escalation (LPE) vulnerability, named 'Dirty Frag', exists in the Linux Kernel, allowing a local unprivileged user to gain root access.
CONFIRMED EXPLOITATION: This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-05-01.
Immediate action required: Patch all affected Linux systems and appliances. Prioritize systems where unprivileged users have shell access.
Intelligence Metadata
First Reported By: portal.auscert.org.au
Outbreak Velocity: 315 minutes to 3 unique domains
Consensus: 3 sources across 3 unique domains
CVSS Score: 7.8 (Reported)
EPSS Score: 0.03912 (3.91st percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.2156
Race Label: FRESH EXPLOIT
Technical Analysis
CVE-2026-31431, referred to as 'Dirty Frag', is a Local Privilege Escalation (LPE) vulnerability within the Linux kernel. The vulnerability allows an authenticated local attacker with basic user privileges to execute code with root-level permissions. While the specific mechanism is not detailed in the provided intelligence, the name 'Dirty Frag' suggests a potential flaw in the kernel's handling of IP packet fragmentation. The exploit enables full system compromise by the local user.
Reports indicate the vulnerability is universal, affecting major Linux distributions and downstream products that utilize the Linux kernel, such as network appliances from Juniper. A notable discrepancy exists in scoring: while the official CVE record has not yet been assigned a CVSS score, a national CERT bulletin reports a maximum CVSS of 7.8 for affected products, which is consistent with an LPE of this nature. The core threat is the elevation from a low-privilege foothold, often gained via a separate ingress vector, to complete control of the affected system.
Affected Systems
Vendor: Linux Kernel Project, Juniper Networks, various Linux distributions
Affected Versions:
Major Linux Distributions (specific versions not provided)
Juniper Products running vulnerable Linux kernel versions (specific products not provided)
Exposure: Requires local system access. The primary risk is on multi-user systems or as a second-stage payload after an initial compromise.
Blast Radius: High. The vulnerability impacts a wide range of servers, workstations, and network appliances that are based on the Linux kernel. Any system that allows unprivileged shell access is directly at risk.
Intelligence Context
The primary driver for prioritization is the vulnerability's CONFIRMED status on CISA's KEV catalog. This is an authoritative signal of active, in-the-wild exploitation. While the EPSS score of 0.03912 (3.91st percentile) predicts a low probability of widespread exploitation, the KEV listing is based on observed reality and must take precedence. The 'FRESH EXPLOIT' label, with the KEV entry being only 8 days old, places defenders in a critical window to apply patches before exploit code becomes more commoditized. The intelligence spread from a national CERT (AusCERT) to respected technical sources like SANS ISC confirms the credibility of the threat.
Remediation & Defense
Patch immediately. The CISA KEV listing mandates urgent action. Prioritize patching on all systems where unprivileged users have access, followed by all other vulnerable systems.
Patch Status: Available
Patch Version: Refer to specific advisories from your Linux distribution or hardware vendor (e.g., Juniper).
Workarounds:
Restrict unprivileged shell access on critical systems.
Implement application whitelisting to prevent execution of unauthorized binaries.
Detection Hints:
Monitor for anomalous processes running with root privileges, particularly those spawned by non-root user accounts.
Audit system logs for unexpected kernel-level errors or crashes, potentially related to network packet processing.
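One way to implement the first detection hint above, as an added example that is not part of the original advisory: it parses a process snapshot in the format of `ps -eo pid,ppid,euid,comm --no-headers` and flags root processes whose direct parent runs as an unprivileged user. The sample snapshot and the setuid-helper allowlist are constructed assumptions to be tuned per fleet.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid euid comm")

# Constructed sample snapshot (format of `ps -eo pid,ppid,euid,comm --no-headers`),
# not real telemetry.
SAMPLE_PS = """\
    1       0     0 systemd
  812       1     0 sshd
 1203     812  1000 bash
 1250    1203  1000 vim
 1301    1203     0 sudo
 1302    1301     0 apt
 1400    1203     0 a.out
 1501       1     0 cron
"""

# Assumed allowlist: setuid helpers expected to run as root under a non-root parent.
SETUID_ALLOWLIST = {"sudo", "su", "passwd", "pkexec", "newgrp"}


def parse_ps(text):
    """Parse one process per line into a pid -> Proc map."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        pid, ppid, euid, comm = fields
        procs[int(pid)] = Proc(int(pid), int(ppid), int(euid), comm)
    return procs


def suspicious_root_children(procs, allowlist=SETUID_ALLOWLIST):
    """Root processes (euid 0) whose direct parent is unprivileged and whose
    command is not an expected setuid helper, sorted by pid."""
    hits = []
    for p in procs.values():
        if p.euid != 0 or p.comm in allowlist:
            continue
        parent = procs.get(p.ppid)
        if parent is not None and parent.euid != 0:
            hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    for hit in suspicious_root_children(parse_ps(SAMPLE_PS)):
        print(f"pid={hit.pid} ppid={hit.ppid} comm={hit.comm}: root child of non-root parent")
```

Running this on a periodic snapshot, or on process-creation events from auditd or eBPF tooling, turns the hint into a concrete alert; expect to extend the allowlist with site-specific setuid binaries before enabling it fleet-wide.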