## Azure Kubernetes Service Under Scrutiny as Three Linux Kernel Privilege Escalation Flaws Surface in Weeks
Three Linux kernel local privilege escalation vulnerabilities targeting auto-loadable modules were disclosed in rapid succession between late April and mid-May 2026, raising concerns about container escape risks in Azure Kubernetes Service environments. The flaws share a common attack vector: kernel modules that can be triggered by unprivileged processes, including workloads running inside containers, potentially granting root access to the host system.

The first vulnerability, labeled "Copy Fail" (CVE-2026-31431), was disclosed on April 29, 2026, and exploits the `algif_aead` module responsible for hardware-accelerated authenticated encryption. Rated 7.8 on the CVSS scale, this high-severity flaw could allow an unprivileged process to escalate to root privileges by triggering the vulnerable module. Just over a week later, on May 8, researchers disclosed "DirtyFrag" (CVE-2026-43284, CVE-2026-43500), affecting the `esp4`, `esp6`, and `rxrpc` modules. Days after that, on May 13, the "Fragnesia" vulnerability (CVE-2026-46300) emerged, targeting the same `esp4` and `esp6` modules. All three vulnerability families have been mitigated through kernel module blacklisting.

The clustering of disclosures within a two-week window signals intensified scrutiny of kernel module autoloading behavior, particularly in containerized environments where namespace isolation does not prevent module loading. Azure has applied mitigations to AKS deployments, but security teams managing Kubernetes clusters are advised to verify that vulnerable modules remain blacklisted and to monitor for any attempt to trigger autoloading from untrusted workloads. The incidents underscore the persistent attack surface introduced by kernel modules that respond to requests from userspace without sufficient privilege checks.
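
One way to run the verification described above on a node, as an added example that is not from the original report or from Azure: it checks the four modules named in the article against modprobe configuration and the loaded-module list. It assumes the mitigation is expressed as `blacklist` or `install <module> /bin/false` lines in `/etc/modprobe.d`; the function names are hypothetical, and `audit_modules` with no arguments audits the live node.

```shell
#!/bin/sh
# Modules the article names as mitigated by blacklisting.
MODULES="algif_aead esp4 esp6 rxrpc"

# module_block_status MODULE [CONF_DIR] -> install-override | blacklist | none
# Scans one modprobe.d directory (assumed default: /etc/modprobe.d).
module_block_status() {
    mod=$(printf '%s' "$1" | tr '-' '_')   # modprobe treats '-' and '_' alike
    dir=${2:-/etc/modprobe.d}
    status=none
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments, then look for directives naming this module.
        result=$(sed 's/#.*//' "$f" | awk -v m="$mod" '
            { name = $2; gsub(/-/, "_", name) }
            $1 == "install" && name == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { i = 1 }
            $1 == "blacklist" && name == m { b = 1 }
            END { if (i) print "install-override"; else if (b) print "blacklist"; else print "none" }')
        if [ "$result" = install-override ]; then
            status=install-override
        elif [ "$result" = blacklist ] && [ "$status" = none ]; then
            status=blacklist
        fi
    done
    printf '%s\n' "$status"
}

# module_is_loaded MODULE [MODULES_FILE] -> exit 0 if the module is already resident
module_is_loaded() {
    mod=$(printf '%s' "$1" | tr '-' '_')
    awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# audit_modules [CONF_DIR] [MODULES_FILE]
# Prints one line per module; returns non-zero if any module is unblocked
# or already loaded (a config entry does not unload a resident module).
audit_modules() {
    rc=0
    for m in $MODULES; do
        s=$(module_block_status "$m" "$1")
        if module_is_loaded "$m" "$2"; then l=loaded; else l=not-loaded; fi
        printf '%-12s %-17s %s\n' "$m" "$s" "$l"
        [ "$s" != none ] && [ "$l" = not-loaded ] || rc=1
    done
    return $rc
}
```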

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: linux-kernel, privilege-escalation, container-security, azure-kubernetes-service, cve
- **Credibility**: unverified
- **Published**: 2026-05-13 19:48:25
- **ID**: 82725
- **URL**: https://whisperx.ai/en/intel/82725