Addressing Copy.Fail2 aka DirtyFrag in SUSE Virtualization

Security researchers have identified another security issue similar to copy.fail (CVE-2026-43284 / CVE-2026-43500), however in a different subsystem.

Upstream report: https://github.com/V4bel/dirtyfrag

This is again a bug in splice handling allowing local attackers to execute code to gain full root privileges in the system, one via the xfrm / esp4 and esp6 UDP encapsulation protocols, and via rxrpc.

Affected Versions

• All SUSE Virtualization Versions

Workaround

blacklist the esp4, esp6 and rxrpc modules:

On each node create
/etc/modprobe.d/10-copyfail2-fix.conf to remediate.

blacklist esp4
blacklist esp6
blacklist rxrpc
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false

To remove the module if potentially loaded already, run:

for i in esp4 esp6 rxrpc
do
   modprobe -r $i || echo "$i module couldn't be removed, try using -f or reboot"
done

Users need to create the following CloudInit CRD to blacklist the esp4, esp6 and rxrpc kernel module across reboots.

apiVersion: node.harvesterhci.io/v1beta1
kind: CloudInit
metadata:
  name: dirtyfrag-workaround
spec:
  matchSelector: 
    harvesterhci.io/managed: "true"
  filename: 99-dirty-frag-workaround
  contents: |
    stages:
        initramfs:
        - name: "Blacklist modules"
          files:
            - path: "/etc/modprobe.d/10-copyfail2-fix.conf"
              content: |
                blacklist esp4
                blacklist esp6
                blacklist rxrpc
                install esp4 /bin/false
                install esp6 /bin/false
                install rxrpc /bin/false

Resolution

SUSE is currently working on preparing the fixes for each of the affected kernel versions. Updates will be shortly made available and published to our customers.