
Rocky Linux launches security repository and fixes critical kernel vulnerabilities like "CopyFail" and "Dirty Frag"

Rocky Linux just went through an intense week on the security front. Between May 11 and 14, the project released patches for two serious privilege escalation vulnerabilities in the Linux kernel, CopyFail and Dirty Frag, and, as a structural response to this type of situation, launched a new optional security repository. For those who use Rocky as a workstation base or audiovisual production server, it is worth understanding what happened and what changes in practice.

CopyFail (CVE-2026-31431): a failure present since 2017

CopyFail was disclosed on April 29 by researchers from Xint Code (Theori) and is registered as CVE-2026-31431. The flaw is present in virtually every mainstream Linux kernel built since 2017.

The problem lies in the algif_aead kernel module, the AEAD socket interface of the kernel crypto API for user space (AF_ALG). A logic flaw in authencesn, chained through AF_ALG and the splice() system call, allows an unprivileged local user to perform a controlled 4-byte write into the page cache. By corrupting the in-memory copy of a setuid binary such as /usr/bin/su, without touching anything on disk, an attacker can escalate to root in seconds.

What makes CopyFail particularly worrying is its reliability. The 732-byte Python proof-of-concept does not depend on race conditions, does not require distribution-specific adjustments and does not require special privileges. The same script works without modification on different distros. File integrity tools detect nothing because nothing on disk is changed. It is a silent, portable vector: exactly the kind of problem you can't ignore in environments with multiple users or shared nodes.

Patches are available for Rocky Linux 8.10, 9.7 and 10.1. To apply them, just run sudo dnf --refresh update 'kernel*' followed by a reboot. An important note: on Rocky Linux, algif_aead is compiled directly into the kernel image (CONFIG_CRYPTO_USER_API_AEAD=y), not built as a loadable module. The guidance that circulated on other channels about disabling the module via rmmod does not apply here; updating the kernel is the correct fix.
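The two checks implied above, as an added example that is not from the original article or the Rocky Linux project: confirm from the kernel config that algif_aead is built in, and detect an updated kernel that is installed but not yet booted. The function names are hypothetical, and the script assumes the running kernel's config is at /boot/config-$(uname -r) and that kernels are installed as the kernel-core package.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not a Rocky Linux tool.

# aead_build_mode CONFIG_FILE
# Prints how CONFIG_CRYPTO_USER_API_AEAD (algif_aead) is built:
#   builtin | module | disabled | unknown
aead_build_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    line=$(grep -E '^(# )?CONFIG_CRYPTO_USER_API_AEAD[= ]' "$1" | head -n 1)
    case $line in
        CONFIG_CRYPTO_USER_API_AEAD=y) echo builtin ;;
        CONFIG_CRYPTO_USER_API_AEAD=m) echo module ;;
        "# CONFIG_CRYPTO_USER_API_AEAD is not set") echo disabled ;;
        *) echo unknown ;;
    esac
}

# reboot_pending RUNNING NEWEST
# Succeeds when a kernel other than the running one was installed last.
# An empty NEWEST (could not be determined) counts as "not pending".
reboot_pending() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# report_host: run both checks against the live system.
report_host() {
    running=$(uname -r)
    mode=$(aead_build_mode "/boot/config-$running")
    newest=""
    # Assumption: the most recently installed kernel-core is the updated one.
    if command -v rpm >/dev/null 2>&1 && rpm -q kernel-core >/dev/null 2>&1; then
        newest=$(rpm -q kernel-core \
            --qf '%{INSTALLTIME} %{VERSION}-%{RELEASE}.%{ARCH}\n' |
            sort -rn | head -n 1 | cut -d' ' -f2)
    fi
    echo "running kernel: $running (algif_aead: $mode)"
    if [ "$mode" = builtin ]; then
        echo "algif_aead is built into the image: rmmod cannot remove it"
    fi
    if reboot_pending "$running" "$newest"; then
        echo "reboot pending: $newest is installed but not running"
    fi
}

report_host
```

The script cannot tell whether the running kernel already contains the fix, because that depends on the fixed package versions published by the project; it only reports the build mode and a pending reboot.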

Dirty Frag: the second trigger

Practically in parallel, Dirty Frag emerged: another local privilege escalation vulnerability in the kernel, also with a public exploit available before upstream fixes were widely distributed. Like CopyFail, Dirty Frag stands out for the reliability of exploitation: security researchers characterized the attack as highly deterministic, which means that any attacker with local access has a direct path to elevated privileges.

Environments that should treat this with special urgency include systems with multiple users and shell access, container workloads and CI infrastructure, HPC clusters and university systems, as well as any multi-tenant environment where local access is shared or easily obtained. Single-user workstations with controlled physical access are at lower risk, but updating is still recommended.

The security repository: a deliberate exception

The project's response to these two incidents goes beyond one-off patches. Rocky Linux has launched an optional security repository designed for a specific, narrow scenario: a significant vulnerability is public, the exploit code exists, and upstream fixes are not yet available. That's the criterion. It is not a general-purpose fast-track channel and does not replace the normal Rocky Linux release process.

This represents a significant change in posture. Rocky Linux was built on a commitment to stay in sync with upstream Enterprise Linux: no surprises, no forks, no deviations. This stability is exactly what makes organizations trust the project with their production workloads. But stability has a gap: when a serious vulnerability is publicly disclosed before the upstream fixes are widely available, administrators are left waiting, sometimes for days, while the exploit code is already circulating.

The repository is disabled by default, and that is intentional. The standard Rocky Linux experience remains exactly what it has always been: predictable, stable and fully compatible with upstream. Administrators who want access to accelerated fixes can enable the repository when needed.

The packages in this repository are explicitly versioned to be replaced by the next upstream release. When Red Hat, for example, publishes its fix, it will automatically replace Rocky's package. That is intentional: the project wants users to return to upstream-aligned packages as soon as possible.

To enable it for a one-off update: sudo dnf --enablerepo=security update. To enable it permanently, just configure it via DNF like any other repository.

What that means for those who use Rocky in audiovisual production

Rocky Linux occupies a specific place in the Linux audiovisual ecosystem: it is the platform with official Blackmagic support for DaVinci Resolve and one of Blender's main testing environments. This position means that many installations run on machines with shared local access: stations in color rooms, rendering servers on internal networks, VFX pipeline nodes. This is exactly the environment profile where local privilege escalation vulnerabilities have real impact.

The combination of two public exploits with high execution reliability, appearing within a window of days, justifies updating immediately. The new security repository, in turn, is a positive sign of project maturity: a structural solution that does not abandon the commitment to upstream compatibility, but recognizes that there are times when waiting has a cost.
