Moxa CVE-2026-31431, CVE-2026-43284, CVE-2026-43500: Copy Fail and Dirty Frag Vulnerabilities in Linux Kernel

Act Now | CVSS 8.8 | MPSA-263140 | May 26, 2026
Moxa | Manufacturing
Summary

Three Linux kernel vulnerabilities (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500) allow unprivileged local users to achieve privilege escalation to root on affected systems. The "Copy Fail" vulnerability affects crypto operations, while "Dirty Frag" affects IPsec (ESP) and RxRPC networking stacks. These are local-only attacks (not remotely exploitable), but can enable container escape in environments running untrusted workloads. A permanent kernel patch is in development. Moxa has released this advisory early with interim mitigations to allow customers to defend while awaiting the permanent fix.

What this means
What could happen
An unprivileged local user on an affected system can gain root-level control of the operating system, allowing complete compromise of the device and any processes it runs. In containerized environments, attackers could escape the container and compromise the host system.
Who's at risk
Moxa Industrial Edge Computing systems and other Moxa products running the Linux kernel are affected. This impacts manufacturing facilities relying on Moxa industrial gateways, routers, and edge controllers for data acquisition, protocol conversion, and plant network connectivity. Any facility where Moxa devices are used for process monitoring, data logging, or remote access deserves immediate attention.
How it could be exploited
An attacker with local access to the system (e.g., a low-privilege user account) can exploit the kernel vulnerabilities through user-space applications to trigger privilege escalation. The attacker can manipulate memory operations in the IPsec/RxRPC networking stack or crypto operations to overwrite kernel memory and gain root access. No network access or special credentials are required beyond an existing local account.
Prerequisites
  • Local user account on the affected system (unprivileged access sufficient)
  • Ability to execute arbitrary applications or code on the system
actively exploited (KEV) | no patch available (interim mitigations only) | local privilege escalation to root | affects all kernel versions | container escape possible in multi-tenant environments
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Linux Kernel | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HOTFIX: Apply kernel security patch immediately upon availability from Moxa; this will be a critical firmware/OS update requiring validation and scheduling in a maintenance window
  • WORKAROUND: Immediately implement interim mitigation: Restrict local login access to only authorized users through strong access controls (e.g., disable local user creation, enforce strong password policies, use centralized authentication)
  • WORKAROUND: If running containerized workloads with untrusted code, immediately isolate or disable those containers until kernel patch is available
  • HARDENING: Audit all local user accounts on affected systems and remove or disable unnecessary accounts that could be exploited to gain initial access
  • HARDENING: Implement network segmentation to limit which devices can SSH or otherwise remotely login to systems running vulnerable kernel versions
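
One way to carry out the local account audit above, as an added example that is not from Moxa or the advisory: the script lists every account whose shell allows an interactive login, together with its password state. The function names, the output format and the sample accounts are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not Moxa or OTPulse code. Prints name:uid:shell:state for
# every local account whose shell permits an interactive login.
audit_logins() {
    passwd_file="${1:-/etc/passwd}"
    shadow_file="${2:-/etc/shadow}"
    # Without read access to shadow (non-root), states are reported as unknown.
    [ -r "$shadow_file" ] || shadow_file=/dev/null
    awk -F: -v shadow="$shadow_file" '
        # Shadow records: remember the password field of each account.
        FILENAME == shadow { pw[$1] = $2; known[$1] = 1; next }
        # Skip comments and malformed passwd lines.
        /^#/ || NF < 7 { next }
        {
            # An empty shell field means the system default shell.
            shell = ($7 == "") ? "/bin/sh" : $7
            # nologin and false refuse interactive sessions.
            if (shell ~ "/(nologin|false)$") next
            if (!($1 in known))        state = "unknown"
            else if (pw[$1] == "")     state = "EMPTY"
            else if (pw[$1] ~ /^[!*]/) state = "locked"
            else                       state = "set"
            print $1 ":" $3 ":" shell ":" state
        }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample files (hypothetical accounts, not from a real device).
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
operator:x:1000:1000::/home/operator:/bin/bash
vendor:x:1001:1001::/home/vendor:/bin/sh
svc:x:1002:1002::/home/svc:
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
operator:$6$constructed$hash:19000:0:99999:7:::
vendor:!$6$constructed$hash:19000:0:99999:7:::
svc::19000:0:99999:7:::
EOF
}
```

Called with no arguments as root, `audit_logins` reads the live `/etc/passwd` and `/etc/shadow`. A `locked` password does not block SSH key logins, so review `authorized_keys` for those accounts as well.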