SUMMARY

CVE-2026-31431, CVE-2026-43284, CVE-2026-43500: Copy Fail and Dirty Frag Vulnerabilities in Linux Kernel

This advisory addresses the Linux kernel vulnerabilities known as "Copy Fail" (CVE-2026-31431) and "Dirty Frag" (CVE-2026-43284 and CVE-2026-43500). Publicly available research indicates these vulnerabilities may allow an unprivileged local user to achieve local privilege escalation on affected systems. Remote exploitation is not possible with these vulnerabilities. The published exploit shows that in non-containerized deployments, a local user can gain root privileges. In containerized environments that execute arbitrary or untrusted third-party workloads, these vulnerabilities could potentially be leveraged to facilitate container escape and host compromise scenarios.

CVE-2026-31431

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This change primarily undoes commit 72548b093ee3, with the exception of how associated data is copied. As the source and destination stem from different mappings, there’s no advantage to in-place operations in algif_aead. Remove complexity added for in-place operation and copy the AD directly.

CVE-2026-43284, CVE-2026-43500

Two related vulnerabilities, collectively referred to as "Dirty Frag," exist in the IPsec (ESP) and RxRPC networking stacks of the Linux kernel. An unprivileged local attacker can exploit these vulnerabilities to deterministically overwrite the kernel Page Cache, enabling Local Privilege Escalation (LPE) to full root-level control.

Given the high severity of these issues, users should apply the solutions immediately to reduce security risks.

 

The Identified Vulnerability Type and Potential Impact

CVE ID | VULNERABILITY TYPE | IMPACT
CVE-2026-31431 | CWE-669: Incorrect Resource Transfer Between Spheres | Local Privilege Escalation (root)
CVE-2026-43284 | CWE-123: Write-what-where Condition | Local Privilege Escalation (root)
CVE-2026-43500 | CWE-787: Out-of-bounds Write | Local Privilege Escalation (root)

Vulnerability Scoring Details

CVE ID | BASE SCORE | VECTOR | SEVERITY | UNAUTHENTICATED REMOTE EXPLOIT
CVE-2026-31431 | CVSS 3.1: 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | High | No
CVE-2026-43284 | CVSS 3.1: 8.8 | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | High | No
CVE-2026-43500 | CVSS 3.1: 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | High | No

AFFECTED PRODUCTS AND SOLUTIONS

Solutions

The table below lists all affected product series. Users should follow the solutions below to remediate affected systems.

PRODUCT SERIES

AFFECTED VERSIONS

SOLUTIONS

UC Series

  • UC-1200A Series

  • UC-2200A Series

  • UC-3400A Series

  • UC-4400A Series

  • UC-8600A Series

  • UC-8200 Series

Moxa Industrial Linux (MIL)

  • MIL3 v1.4 and earlier, and MIL4 v1.0

  • MIL3 v1.4 and earlier, and MIL4 v1.0

  • MIL3 v1.2 and earlier, and MIL4 v1.0

  • MIL3 v1.3 and earlier, and MIL4 v1.0

  • MIL4 v1.1 and earlier

  • MIL3 v1.5 and earlier

Please refer to Update Instructions - For MIL-based Products as the primary remediation step

For additional support, please contact Moxa Technical Support

V Series

  • V1200 Series

  • V3200 Series

  • V3400 Series

Moxa Industrial Linux (MIL)

  • MIL3 v1.2.0 and earlier

  • MIL3 v1.1 and earlier

  • MIL3 v1.1 and earlier

VM Series

  • VM-1220 Series

Moxa Industrial Linux (MIL)

  • MIL3 v1.1.0 and earlier

IoThinx Series

  • ioThinx 4530 Series

Moxa Industrial Linux (MIL)

  • MIL3 v2.1 and earlier

AIG Series

  • AIG-302 Series

  • AIG-502 Series

Firmware

  • v1.4.0 and earlier

  • v1.0.0

BXP Series

  • BXP-A100 Series

  • BXP-A101 Series

  • BXP-C100 Series

Debian ordered via CTOS

  • Debian 11 V1.0

  • Debian 12 V1.0

 

Please refer to Update Instructions - For Debian-based Products as the primary remediation step

For upstream security information, please refer to Debian Security Advisories.

DRP Series

  • DRP-A100 Series

  • DRP-C100 Series

Debian ordered via CTOS

  • Debian 11 V1.0

RKP Series

  • RKP-A110 Series

  • RKP-C110 Series

  • RKP-C220 Series

Debian ordered via CTOS

  • Debian 11 V1.0

  • Debian 12 V1.0

 

 

MXsecurity Series

Software v2.3.1 and earlier

Software v2.3.3 or later

 

Update Instructions

Affected products run either Moxa Industrial Linux (MIL) or Debian Linux. Each OS type requires a different update procedure. Before proceeding, confirm your device's OS type from the Affected Products table, then follow the corresponding section below.

The following packages are available to remediate affected systems.

PRODUCT SERIES

PACKAGE NAME with VERSION

UC-1200A Series

MIL3.4.1 and before

  • linux-image-5.10.0-cip-rt-moxa-am64x=5.10.234-cip57-rt25-moxa9-1+deb11u6

  • sparklan-qca9377-driver-5.10.0-cip-rt-moxa-am64x=5.10.234-cip57-rt25-moxa9-1+deb11u6

MIL4.0.0

  • linux-image-6.12.0-cip-moxa-am64x=6.12.39-cip5-moxa13-1+deb13

UC-2200A Series

MIL3.4.1 and before

  • linux-image-5.10.0-cip-rt-moxa-am64x=5.10.234-cip57-rt25-moxa9-1+deb11u6

  • sparklan-qca9377-driver-5.10.0-cip-rt-moxa-am64x=5.10.234-cip57-rt25-moxa9-1+deb11u6

MIL4.0.0

  • linux-image-6.12.0-cip-moxa-am64x=6.12.39-cip5-moxa13-1+deb13

UC-3400A Series

MIL3.4.1 and before

  • linux-image-5.10.0-cip-rt-moxa-am62x=5.10.234-cip57-rt25-moxa9-1+deb11u6

  • ublox-m2-maya-w271-driver-5.10.0-cip-rt-moxa=5.10.234-cip57-rt25-moxa9-1+deb11u6

MIL4.0.0

  • linux-image-6.12.0-cip-moxa-am62x=6.12.39-cip5-moxa13-1+deb13

  • ublox-m2-maya-w271-driver-6.12.0-cip-moxa=6.12.39-cip5-moxa13-1+deb13

UC-4400A Series

MIL3.4.1 and before

  • linux-image-5.10.0-cip-rt-moxa-imx8mp=5.10.234-cip57-rt25-moxa9-1+deb11u6

  • emwicon-wmx7205-driver=5.10.234-cip57-rt25-moxa9-1+deb11u6

MIL4.0.0

  • linux-image-6.12.0-cip-moxa-imx8mp=6.12.39-cip5-moxa13-1+deb13

UC-8200 Series

MIL3.4.1 and before

  • linux-image-5.10.0-cip-rt-moxa-imx7d=5.10.234-cip57-rt25-moxa9-1+deb11u7

UC-8600 Series

MIL4 v1.0

  • linux-image-6.12.0-cip-moxa-j7200=6.12.39-cip5-moxa13-1+deb13

V1200 Series

MIL3

  • linux-image-5.10.0-cip-rt-moxa-imx8mp=5.10.234-cip57-rt25-moxa9-1+deb11u6

  • emwicon-wmx7205-driver=5.10.234-cip57-rt25-moxa9-1+deb11u6

V3200 Series

MIL3

  • linux-image-5.10.0-cip-rt-moxa-tigerlake=5.10.234-cip57-rt25-moxa24-1+deb11

  • wmx7205-5.10.0-moxa-tigerlake=5.10.234-cip57-rt25-moxa24-1-tigerlake+deb11

V3400 Series

MIL3

  • linux-image-5.10.0-cip-rt-moxa-tigerlake=5.10.234-cip57-rt25-moxa24-1+deb11

  • wmx7205-5.10.0-moxa-tigerlake=5.10.234-cip57-rt25-moxa24-1-tigerlake+deb11

VM-1220

MIL3

  • linux-image-5.10.0-cip-rt-moxa-am64x=5.10.214-cip46-rt19-moxa12-1+deb11u2

ioThinx 4533

MIL3

  • linux-image-5.10.0-cip-rt-moxa-imx7d-rt=5.10.194-cip39-rt16-moxa27-1+deb11

AIG-302 Series

MIL3

  • linux-image-5.10.0-cip-rt-moxa-imx7d=5.10.234-cip57-rt25-moxa9-1+deb11u7

AIG-502 Series

MIL3

  • linux-image-5.10.0-amd64-moxa-kabylake=5.10.251-5-moxa+deb11
  • moxa-it87-wdt-driver-amd64=5.2+1.5.0-1+deb11u2
  • moxa-it87-serial-driver-amd64=1.4.1+u2+deb11u2
  • moxa-it87-gpio-driver-amd64=5.2+1.5.0-1+deb11u2
  • insyde-phy-alloc-driver-amd64=5.10+8+deb11u3
  • moxa-mxu11x0-driver-amd64=5.10+5.1+deb11u3
  • moxa-mxuport-driver-amd64=5.10+5.1+deb11u3
  • moxa-intel-spi-driver-amd64=1.1.0+deb11u2

 

For MIL-based Products

MIL-based products receive security updates through the Moxa apt server.

Select the procedure that matches your network environment:

  • Online: your device has direct access to the Moxa apt server.
  • Offline: your device operates in an air-gapped or restricted network.

Online update procedures

sudo apt update

sudo apt install <package_name with version>

 

Offline update procedures

This procedure is intended for systems operating in air-gapped environments.

Prerequisites

  • An internet-connected staging machine of the same product model and MIL system version as the target system.

Offline Phase 1 - Download on Staging Machine

sudo apt update

mkdir /tmp/cve-update && cd /tmp/cve-update

apt download <package_name with version>

  • Transfer the downloaded .deb files to the target system via an authorized secure medium (e.g., approved USB drive) per your enterprise security policy.

Offline Phase 2 - Install on Target System

  • Back up critical configuration files or take a system snapshot.

  • Navigate to the directory containing the transferred .deb files and install:

cd /path/to/deb-files/

sudo dpkg -i *.deb

  • Note: If dependency errors occur, ensure all required dependency packages are included.

 

Post-Update Verification
  • After the security updates are installed, the system must be rebooted. Once it has rebooted, perform a version check to confirm the update was successful.

  • Run the following command for each package listed under your product series in the Packages List above:

dpkg-query -W <package_name>
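
A stricter form of this check, added here as an example and not part of Moxa's own tooling: it compares `dpkg-query -W` output against the name=version pins from the package list and reports every package that is missing or at a different version. The pins file, the saved-output argument and the verify_pins function name are assumptions of this example.

```shell
#!/bin/sh
# Added example: check installed packages against the advisory's pins.
# verify_pins PINS [INSTALLED]
#   PINS      file of name=version lines, as in the package list above
#   INSTALLED saved `dpkg-query -W` output (name<TAB>version); when omitted,
#             dpkg-query is run on the live system
# Prints one status line per pin; returns 0 only if every pin matches exactly.
verify_pins() {
    pins="$1"; inst="${2:-}"; tmp=""
    if [ -z "$inst" ]; then
        tmp=$(mktemp) || return 2
        inst="$tmp"
        dpkg-query -W > "$inst" 2>/dev/null
    fi
    awk -F'\t' '
        FILENAME == ARGV[1] {            # installed list
            sub(/:.*/, "", $1)           # drop an architecture qualifier
            have[$1] = $2
            next
        }
        { gsub(/^[ \t]+|[ \t]+$/, "") }  # trim the pin line
        /^(#|$)/ { next }                # skip comments and blank lines
        {
            n = index($0, "=")
            if (n == 0) { print "BADPIN   " $0; bad++; next }
            name = substr($0, 1, n - 1); want = substr($0, n + 1)
            if (!(name in have) || have[name] == "") {
                # an empty version means removed with config files left behind
                print "MISSING  " name; bad++
            } else if (have[name] != want) {
                print "MISMATCH " name " installed=" have[name] " expected=" want; bad++
            } else {
                print "OK       " name
            }
        }
        END { exit (bad > 0) }
    ' "$inst" "$pins"
    rc=$?
    if [ -n "$tmp" ]; then rm -f "$tmp"; fi
    return "$rc"
}

# Usage: sh verify_pins.sh --check pins.txt
case "${1:-}" in --check) verify_pins "$2" ;; esac
```

The exact-match comparison is deliberate: it confirms the pinned version itself is installed, which a bare `dpkg-query -W` listing leaves to the reader's eye.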

 

Post-Update Cleanup

If you previously applied the interim mitigations, check Mitigation Removal to remove them after the update has been successfully applied and verified.

 

For Debian-based Products

The BXP, DRP, and RKP Series run Debian Linux. Security updates are applied through the Debian security repository and the Moxa x86 SDK.

Select the procedure that matches your network environment:

  • Online: your device has direct access to the Debian security repository.
  • Offline: your device operates in an air-gapped or restricted network.

Prerequisites

Download the x86 SDK from the Resources tab on the product page on the Moxa website.

Update Procedures
  • Step 1 - Add the Debian security repository

    • Online: run on the target system. Offline: run on the staging machine.
    • Debian 11 (Bullseye):

      echo "deb http://security.debian.org/debian-security bullseye-security main contrib non-free" | sudo tee -a /etc/apt/sources.list

    • Debian 12 (Bookworm):

      echo "deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware" | sudo tee -a /etc/apt/sources.list

  • Step 2 - Update the package index and upgrade the kernel

    • Online

      • sudo apt-get update

        sudo apt-get install --only-upgrade linux-image-amd64 -y

    • Offline
      • Download on staging machine
      • sudo apt-get update

        mkdir /tmp/cve-update && cd /tmp/cve-update

        sudo apt-get download linux-image-amd64

      • Transfer the downloaded .deb files to the target system via an authorized secure medium. Then on the target system, back up critical configuration files and install:
      • cd /path/to/deb-files/

        sudo dpkg -i *.deb

      • Note: If dependency errors occur, ensure all required dependency packages are included.
  • Step 3 - Reinstall the x86 SDK

    • Reinstall the x86 SDK to rebuild the kernel modules against the updated kernel.

    • unzip <downloaded_sdk>.zip

      cd Moxa_x86_Linux_SDK_<ver>_Build_<build_date>

      ./install.sh -y

  • Step 4 - Reboot the system

    • reboot

  • Step 5 - Cleanup
    • If you previously applied the interim mitigations, check Mitigation Removal to remove them after the update has been successfully applied and verified.

 

Mitigations

 

Interim Mitigation — Module Blacklisting

When updates cannot be deployed immediately, the following mitigation can be applied. This procedure disables the vulnerable kernel modules and effectively closes the known attack vectors for CVE-2026-31431, CVE-2026-43284, and CVE-2026-43500 on affected systems.

IMPORTANT: Before applying this mitigation, read the Functional Impact Analysis section below. Disabling IPsec modules (esp4/esp6) will interrupt all VPN tunnels. Do not apply this mitigation blindly on systems that depend on IPsec for network connectivity. Additionally, Step 3 (flushing the page cache) may cause a brief I/O performance degradation as cached data must be reloaded from the disk. It is recommended to execute this step during a scheduled maintenance window on I/O-intensive systems.

 

Step 1: Mitigate CVE-2026-31431 (algif_aead module)

For AIG-302 and UC-8200 Series:

algif_aead is compiled as a built-in kernel module in this firmware and cannot be removed at runtime via modprobe or blacklisting. The only mitigation is to block its initialization at boot using the initcall_blacklist kernel parameter.

⚠️ These commands modify bootloader environment variables directly. A mistake may render the device unbootable and require manual recovery via serial console. Physical access is required before proceeding.

$ sudo fw_setenv bootargs 'console=ttymxc0,115200n8 root=/dev/mmcblk2p2 rootfstype=ext4 rw rootwait fsck.mode=force fsck.repair=yes noinitrd console=ttymxc0,115200 pci=nomsi initcall_blacklist=algif_aead_init'

$ sudo fw_setenv bootcmd 'mmc rescan;load mmc 2:1 ${loadaddr} working/imx7d-moxa.itb;bootm ${loadaddr}'

$ sudo fw_setenv boot_process 2

⚠️ Before rebooting, verify the changes

$ sudo fw_printenv bootargs

$ sudo fw_printenv bootcmd

$ sudo fw_printenv boot_process

Confirm the output matches the values set above, then reboot the device for the changes to take effect.

Once the firmware update with the official fix is applied, revert the boot configuration:

$ sudo fw_setenv boot_process 0

$ sudo fw_setenv bootargs

$ sudo fw_setenv bootcmd

 

For All Other Products:

Create blacklist configuration, unload module, and verify:

$ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-algif.conf

$ sudo rmmod algif_aead 2>/dev/null || true

$ lsmod | grep algif_aead

No output indicates the module is not loaded.

 

Step 2: Mitigate CVE-2026-43284 (esp4/esp6 modules - IPsec)

Determining If IPsec Is in Use

Check if your system has the esp4/esp6 modules loaded:

$ lsmod | grep -E 'esp4|esp6'

 

If no output is returned, IPsec is not running and you can safely use the blocklist method. If the modules appear in the output, verify whether IPsec is configured by checking:

$ ip xfrm state

$ ip xfrm policy

If either command shows active entries, IPsec is in use. Choose the appropriate method below based on your IPsec requirements.

 

Blocklist Method

Warning: This method disables IPsec. Only use if your system does not require IPsec connectivity.

$ echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-ipsec.conf

$ echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/moxa-cve-2026-ipsec.conf

$ sudo rmmod esp4 esp6 2>/dev/null; true

 

User Namespace Restriction Method

This approach maintains IPsec functionality by restricting unprivileged user namespaces instead of disabling the esp4/esp6 modules.

Warning: Rootless containers, browser sandboxing features, and Flatpak will be affected. Root containers and regular applications continue to function normally.

$ echo "user.max_user_namespaces=0" | sudo tee /etc/sysctl.d/moxa-dirtyfrag.conf

$ sudo sysctl --system

 

Step 3: Mitigate CVE-2026-43500 (rxrpc module)

The rxrpc module provides RxRPC protocol support for AFS (Andrew File System). Most industrial deployments do not use AFS. Disable the module using:

$ echo "install rxrpc /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-rxrpc.conf

$ sudo rmmod rxrpc 2>/dev/null; true

$ lsmod | grep rxrpc

No output indicates the module is successfully disabled.

 

Step 4: Verification

Confirm that all targeted modules are no longer loaded:

$ lsmod | grep -E 'algif_aead|esp4|esp6|rxrpc'

No output confirms successful mitigation. If any modules remain loaded, they are in active use by running connections. Schedule a system reboot during your next maintenance window to complete the mitigation.

 

Step 5: Drop Page Cache (Optional)

⚠️ Note: This causes a temporary increase in disk I/O as the cache repopulates. On file servers or database servers, expect a brief period of reduced read performance.

$ sync

$ echo 3 | sudo tee /proc/sys/vm/drop_caches
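
The lsmod check in Step 4 only lists loadable modules that are loaded right now: it does not show a built-in algif_aead (AIG-302, UC-8200), and it does not show whether an install rule is in place to stop a module from being loaded again later. The audit below is an added example, not part of Moxa's procedure, that checks those cases and the user namespace alternative from Step 2; the function names and the optional ROOT prefix (for running against a copied file tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the interim mitigations from this advisory.
# ROOT is a hypothetical path prefix for testing; empty means the live system.

# 0 if a modprobe.d file carries "install MODULE /bin/false"
rule_present() {
    d="${2:-}/etc/modprobe.d"
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false" "$d"/*.conf
}

# 0 if MODULE is listed in /proc/modules, the file lsmod reads
module_loaded() { grep -qs "^$1 " "${2:-}/proc/modules"; }

# 0 if MODULE is compiled into the kernel (never shown by lsmod)
module_builtin() {
    kv="${3:-$(uname -r)}"
    grep -qs "/$1\.ko" "${2:-}/lib/modules/$kv/modules.builtin"
}

# 0 if the kernel was booted with initcall_blacklist containing FUNC
initcall_blocked() {
    grep -Eqs "(^|[[:space:]])initcall_blacklist=([^[:space:]]*,)?$1(,|[[:space:]]|\$)" \
        "${2:-}/proc/cmdline"
}

# 0 if unprivileged user namespaces are disabled (user.max_user_namespaces=0)
userns_restricted() {
    [ "$(cat "${1:-}/proc/sys/user/max_user_namespaces" 2>/dev/null)" = "0" ]
}

# audit_module MODULE INITCALL [ROOT] [KVER]: one status line, 0 when mitigated
audit_module() {
    m="$1"; init="$2"; root="${3:-}"
    if module_builtin "$m" "$root" "${4:-}"; then
        if [ -n "$init" ] && initcall_blocked "$init" "$root"; then
            echo "OK      $m is built-in, $init blocked at boot"; return 0
        fi
        echo "EXPOSED $m is built-in, modprobe rules and rmmod have no effect"; return 1
    fi
    if module_loaded "$m" "$root"; then
        echo "EXPOSED $m is still loaded"; return 1
    fi
    if rule_present "$m" "$root"; then
        echo "OK      $m not loaded, install rule present"; return 0
    fi
    echo "EXPOSED $m not loaded, but no install rule stops a later load"; return 1
}

# audit_all [ROOT] [KVER]: 0 only when every module in the advisory is covered
audit_all() {
    ar="${1:-}"; ak="${2:-}"; bad=0
    audit_module algif_aead algif_aead_init "$ar" "$ak" || bad=1
    audit_module rxrpc "" "$ar" "$ak" || bad=1
    for e in esp4 esp6; do
        audit_module "$e" "" "$ar" "$ak" && continue
        userns_restricted "$ar" || { bad=1; continue; }
        echo "OK      $e covered by user.max_user_namespaces=0"
    done
    return "$bad"
}

# Run against the live system with: sh audit.sh --audit
case "${1:-}" in --audit) audit_all ;; esac
```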

 

 

Functional Impact Analysis — Read Before Applying

  • algif_aead: Minimal impact. Affects only custom applications using the Linux userspace crypto socket API. Standard industrial applications are not affected.

  • esp4 / esp6 (IPsec):

    • Blocklist Method: High impact. Disabling these modules will immediately terminate all IPsec/VPN tunnels and prevent them from restarting. Do not use this method on devices where IPsec is required for network communications or OT/IT segregation.

    • User Namespace Restriction Method: Preserves IPsec functionality but affects rootless containers (Docker/Podman), sandboxed browsers, and Flatpak applications. Privileged containers and standard applications are not affected.

  • rxrpc: Minimal expected impact. RxRPC is a specialized Linux networking protocol and is not used by standard Moxa industrial applications or typical default deployments. Disabling the rxrpc module is not expected to affect normal device operation. Customers running customized applications, third-party packages, or non-standard integrations should confirm that RxRPC is not required in their environment before applying this mitigation.

 

General Security Recommendations

To safeguard devices and networks, we recommend implementing the following recommendations to mitigate potential risks:

  1. Restrict network access.

    • Use firewalls or access control lists (ACLs) to limit communication to trusted IP addresses and networks.

    • Segregate operational networks from other networks (e.g., enterprise networks) using VLANs or physical separation.

  2. Minimize exposure.

    • Avoid exposing devices directly to the Internet.

    • Disable unused network services and ports to reduce the attack surface.

  3. Enhance device authentication and access control.

    • Implement multi-factor authentication (MFA) for accessing critical systems.

    • Use role-based access control (RBAC) to enforce the principle of least privilege.

  4. Regularly update firmware and software.

    • Keep devices updated with the latest firmware versions and security patches.

    • Establish a regular patch management schedule to address newly identified vulnerabilities.

  5. Secure remote access.

    • Use encrypted communication protocols (e.g., VPN, SSH) for remote access.

    • Restrict remote access to authorized personnel only and enforce strong authentication mechanisms.

  6. Implement anomaly detection techniques.

    • Monitor network traffic and device behavior for unusual or unauthorized activities.

    • Use tools or techniques that can identify anomalies and provide alerts for potential threats.

  7. Implement logging and monitoring.

    • Enable event logging and maintain audit trails on devices.

    • Regularly review logs for anomalies and unauthorized access attempts.

  8. Conduct regular security assessments.

    • Perform vulnerability assessments to identify potential risks.

    • Regularly review device configurations to ensure compliance with security policies.

 

 

Products Confirmed Not Affected

Only products listed in the Affected Products and Solutions section of this advisory are confirmed to be affected by these vulnerabilities. The products confirmed not affected are listed below.

  • UC Series: UC-2100 Series, UC-3100 Series, UC-5100 Series, UC-8100 Series, UC-8100A-ME-T Series, UC-8100-ME-T Series, UC-8200 Series (MIL1), UC-8410A Series, UC-8540 Series

  • V Series: V2201 Series, V2403C Series, V2406C Series

  • AIG Series: AIG-101 Series, AIG-301 Series, AIG-501 Series

  • All other Industrial Computing products, such as the DA Series, MC Series, and Panel PCs.

 

Revision History

VERSION | DESCRIPTION | RELEASE DATE
1.0 | First release | May 26, 2026
1.1 | Add Solutions for MXsecurity Series | June 18, 2026
1.2 | Solutions section: Update description in Solutions section. Update Solutions for all of the affected products. Update Instructions section: Add Update Instructions section. Mitigation section: Update description in Interim Mitigation — Module Blacklisting section. Add Mitigation Removal section. Solutions for CTOS section: Remove Solutions for CTOS section. | June 26, 2026

Relevant Products

AIG-302 Series · AIG-502 Series · BXP-A100 Series · BXP-A101 Series · BXP-C100 Series · DRP-A100 Series · DRP-C100 Series · ioThinx 4530 Series · MXsecurity Series · RKP-A110 Series · RKP-C110 Series · RKP-C220 Series · UC-1200A Series · UC-2200A Series · UC-3400A Series · UC-4400A Series · UC-8200 Series · UC-8600A Series · V1200 Series · V3200 Series · V3400 Series
