One week after Copy Fail, another Linux kernel vulnerability has been publicly disclosed. The exploit, called "Dirty Frag", chains two kernel bugs to give any unprivileged user with shell access full root on your server.

The embargo was broken early, so there is no official patch yet, no CVE number, and a working exploit is already public.

Dirty Frag targets three kernel modules: esp4, esp6, and rxrpc. Ubuntu is particularly exposed because rxrpc loads automatically on Ubuntu, while most other distributions do not ship it by default. The Copy Fail fix from last week does not protect against this. Dirty Frag is a completely different attack path and requires its own fix.

What We Decided

Unlike Copy Fail, we did not push this mitigation automatically through the RunCloud agent. This fix disables three kernel modules and could impact servers running IPsec VPN tunnels or AFS. We did not want to risk breaking production servers without the owner's knowledge.

The fix needs to be applied manually. It takes one command and under a minute.

How to Apply the Fix

Before applying, run the pre-check commands to confirm the modules are not actively in use. Full pre-check steps and the one-command fix are in the community post linked below.

The mitigation blocks all three modules from loading, unloads them immediately, and survives reboots. NGINX, PHP, MySQL, SSH, and SSL are unaffected. The only services impacted are IPsec VPN tunnels using ESP mode and AFS.

If anything breaks after applying, the fix is fully reversible with three commands to restore the modules.

Permanent Patch

No official Ubuntu kernel patch is available yet. The embargo broke early, and Ubuntu has not had time to ship one. We are watching their tracker and will update the community thread as soon as a patch lands. Once it does, apply the kernel update, reboot, and remove the mitigation file.

Full Details and Next Steps

For pre-check commands, the full fix, verification steps, and reversal instructions, see our full write-up on our community forum.

The File Manager now supports three new capabilities, including file uploads, one of the most-requested features from the community.

• File uploads: Upload files directly from your browser
• Bulk actions: Select multiple files and folders to change permissions, move, rename, zip, unzip, or delete in one go.
• Move: Relocate files and folders to any directory within your web application.

Note: These features require agent version 2.17.0 or above. Files tracked by Git are protected and will not be modified or deleted, and uploading files currently has a limit of 100MB per file. 

Read the documentation →

A critical Linux kernel vulnerability, CVE-2026-31431 ("Copy Fail"), was publicly disclosed on April 29, 2026. The vulnerability has been present in the Linux kernel since 2017 and affects all major distributions, including Ubuntu 24.04, 22.04, and 20.04. It allows any local user with shell access to escalate privileges to root without requiring special tools or conditions.

What We Did

We deployed an interim mitigation to all reachable servers via the RunCloud agent. It blocks the vulnerable kernel module from loading and closes the attack surface without requiring a reboot. It has been tested against Nginx, PHP, MySQL, SSH, and SSL with no impact on normal operation.

Servers that were offline, had the agent stopped, or had firewall rules blocking agent communication at the time of deployment were not reached automatically.

Permanent Patch

Ubuntu has not released an official patched kernel at the time of writing. Once available, it will appear as a kernel update in your RunCloud dashboard. After applying the update and rebooting, the interim mitigation can be safely removed. Servers that were automatically patched by RunCloud will have the interim fix cleaned up on our end once the official kernel update is confirmed to have been applied.

Track Ubuntu's release here: https://ubuntu.com/security/CVE-2026-31431

Recommended: Keep Security Updates Turned On

Navigate to your Server Settings and confirm that Enable Security Updates is turned on. While enabled by default, confirm that it is enabled on your servers to ensure critical kernel and security patches are automatically applied.

Full Details & Next Steps

For verification steps and instructions on how to manually apply the interim fix, see our full write-up on our community forum.

This release includes a comprehensive set of upstream security patches addressing multiple vulnerabilities across core NGINX modules, improving overall stability and hardening key request-handling paths. 

• Fixed WebDAV module buffer overflow
  Resolved a vulnerability in ngx_http_dav_module where specially crafted requests could cause memory corruption, potentially leading to crashes or arbitrary code execution.
• Fixed MP4 streaming module buffer overflows
  Fixed multiple vulnerabilities in ngx_http_mp4_module where malformed MP4 files or requests could trigger memory corruption and destabilize the server.
• Fixed NULL pointer dereference in authentication methods
  Corrected a flaw in CRAM-MD5 and APOP authentication that could cause NGINX to crash when handling invalid authentication data.
• Fixed injection vulnerability in mail proxy (auth_http and XCLIENT)
  Patched an issue that could allow injection of unintended commands or data during mail authentication or client identification.
• Fixed OCSP validation bypass in stream module
  Closed a gap where SSL certificate revocation checks (OCSP) could be bypassed under certain configurations, improving TLS validation.
• Fixed SSL upstream injection issue
  Resolved a vulnerability that could allow manipulation of data in SSL connections to upstream servers.

We’ve introduced two highly requested features to make managing WordPress on RunCloud more reliable and developer-friendly, without having to manually update your wp-config.php.

Note: Both features require RunCloud Agent version 2.16.9 or later.

Easily Replace WP-Cron with a Server-Side Cron Job

WP-Cron is notoriously a source of missed schedules and unnecessary overhead. So, we’ve now made it easier than ever to replace it with a real server cron job.

What this does:

• Disables the default WordPress pseudo-cron (DISABLE_WP_CRON)
• Creates a server-level cron job that runs every 5 minutes
• Improves reliability for scheduled posts, backups, and other scheduled actions
• Reduces performance overhead from cron checks on every page load

This can be configured both when creating a new WordPress web application, as shown below: 

And, in your web application settings area under WordPress > General Settings, as shown below:

Development Mode Toggle (WP Debug Made Simple)

You can now also easily enable “Development Mode” for WordPress when debugging without having to risk exposing errors to website visitors. 

What this does:

• Enables/disables WordPress debug mode via UI

• Automatically manages:

  • WP_DEBUG
  • WP_DEBUG_LOG
  • WP_DEBUG_DISPLAY (disabled for safety)
  • SCRIPT_DEBUG
• Logs errors to a secure debug.log file
• Keeps errors hidden from visitors by default

RunCloud Agent v2.16.8 (patch)

What’s New

• Fix: Fixed an issue in OLS staging caused by enabling the Redis cache.
• Fix: Resolves a cloning issue between containerized and native servers.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

If your server has not received the update after 72 hours, please contact our support team for manual assistance.

PHP Updates Now Available for NGINX

• PHP 8.5.5
• PHP 8.4.20

Note: If your server runs on OpenLiteSpeed, RunCloud does not handle PHP version updates. However, once a PHP version update becomes available for OpenLiteSpeed, it should also be automatically available on your server(s).

RunCloud Agent v2.16.4 (patch)

What’s New

• Fix: Resolved unexpected server shutdowns triggered by server disconnection events in certain conditions.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

If your server has not received the update after 72 hours, please contact our support team for manual assistance.

You can now easily schedule restarts or run them automatically when required.

The 2 new ways to manage server restarts

1) Scheduled Restart

Restart your server at a fixed time based on your preferred schedule.

2) Restart when required 

Automatically restart only when a system update requires it, and run it during your next maintenance window.

In both cases, your Schedule Type can be a simple time-based preset or a Custom Cron Expression, as shown below: 

Note: When a restart may be required, you'll see a “Restart Recommended” badge on the server overview or in the servers list. You can also temporarily dismiss this reminder.

RunCloud Agent v2.16.2+10

Fixes

• Fixed an issue preventing successful cloning of WordPress sites from native servers to containerized servers.
• Resolved a bug where Auto Healing could fail when a database lock was present.
• Fixed an issue where ModSecurity interfered with multipart uploads.

Improvements

• Improved server downtime notifications to provide more reliable alerts during provider-level outages affecting connected servers.
• Added support for backups for web applications using Atomic Deployment.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

If your server has not received the update after 72 hours, please contact our support team for manual assistance.