AWS Security Digest · Week 20 of 2026 · May 12-17, 2026 · 2 items

    DirtyFrag Hits Half of AWS

    AWS publishes bulletin 2026-030-AWS, a single rolling document for the Copy.fail / DirtyFrag Linux kernel privilege-escalation class. If you run Amazon Linux, Bottlerocket, ECS, EKS, EMR, Fargate, or SageMaker, this is the bulletin you bookmark. Security Agent meanwhile learns to read whole repositories.

    In this issue: 1 critical, 1 high

    Highlights

    2 items
    $ tail -f /var/log/aws-security.log
    high · Feature Launch

    Security Agent Now Reads Whole Repos

    A new AWS Security Agent capability performs deep, context-aware analysis of an entire codebase instead of matching against known vulnerability patterns.

    It reasons about application architecture, trust boundaries, and data flows to surface systemic vulnerabilities that pattern matchers miss, then emits remediation suggestions tied to specific file and line locations.

    Available in preview at no additional charge for existing Security Agent customers, in all Regions where Security Agent runs.

    Security Agent
    critical · CVE

    DirtyFrag Master Bulletin Lands

    AWS consolidated three Linux kernel privilege-escalation CVEs into one rolling master bulletin: CVE-2026-46300 ("Fragnesia"), CVE-2026-43284 ("DirtyFrag"), and CVE-2026-31431 ("copy.fail 2").

    The vulnerable code paths span the espintcp, xfrm_user, esp4, esp6, and algif_aead kernel modules.

    Important caveat: Amazon Linux and Bottlerocket do not provide the espintcp / IPsec module path triggering CVE-2026-46300, so they are not affected by that specific CVE. SageMaker notebooks created or restarted after May 20, 2026 will include the patched kernel automatically.

    This is the bulletin to bookmark. AWS is updating it continuously as patches land per service.

    Affected
    • Amazon Linux (4.14, 5.4, 5.10, 5.15, 6.1, 6.12, 6.18)
    • Bottlerocket
    • ECS · EKS · EMR · Fargate
    • AWS Deep Learning AMIs
    • SageMaker (Notebooks, HyperPod, inference, Studio, Canvas, training jobs)
    Amazon Linux · Bottlerocket · ECS · EKS · Fargate · SageMaker · EMR

    Key Takeaway

    1 item
    $ cat WEEKLY_SUMMARY.md

    Copy.fail / DirtyFrag is the patch story of the month. Most teams will be safe-by-default if they use managed AMIs and let auto-patching run, but anyone running custom AMIs, pinned kernel versions, or long-lived SageMaker notebooks needs an explicit plan. Bookmark 2026-030-AWS: that is the single source of truth, and AWS is updating it as the patches land per service.
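The "explicit plan" above starts with knowing which hosts expose the module paths the bulletin names and which notebooks predate the patched kernel. The following triage helper is an added example, not part of the digest and not AWS tooling: it works offline on text already collected from a host (for example `/proc/modules` and a `find /lib/modules` listing captured with SSM Run Command), applies the bulletin's two stated facts (the five module names, and the Amazon Linux / Bottlerocket exclusion for CVE-2026-46300), and checks a SageMaker notebook's last start date against the May 20, 2026 cutoff. The distro identifiers, the `now / next / scheduled` ordering, and the strict reading of "after May 20" are this example's own assumptions; the sample captures are constructed.

```python
"""Offline triage helper for the kernel CVEs in AWS bulletin 2026-030-AWS.

Added example; not AWS tooling. It only parses text already collected from
a host, so nothing here talks to the kernel or to AWS APIs.
"""
from datetime import date
from typing import Iterable

# Kernel modules the bulletin names as carrying the vulnerable code paths.
BULLETIN_MODULES = frozenset({"espintcp", "xfrm_user", "esp4", "esp6", "algif_aead"})

# Per the bulletin, these distros lack the espintcp / IPsec path that triggers
# CVE-2026-46300. The distro identifiers are this example's own convention.
NO_ESPINTCP_PATH = frozenset({"amazon-linux", "bottlerocket"})

# Bulletin: SageMaker notebooks created or restarted after this date get the
# patched kernel automatically. Read strictly ("after"), an assumption here.
SAGEMAKER_PATCH_DATE = date(2026, 5, 20)


def loaded_bulletin_modules(proc_modules_text: str) -> set[str]:
    """Bulletin modules currently loaded, parsed from /proc/modules text.

    Each /proc/modules line starts with the module name, followed by size,
    refcount, dependents, state and load address.
    """
    found = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in BULLETIN_MODULES:
            found.add(fields[0])
    return found


def available_bulletin_modules(module_paths: Iterable[str]) -> set[str]:
    """Bulletin modules shipped on disk, from paths such as
    /lib/modules/<release>/kernel/net/ipv4/esp4.ko.xz.

    A module that is not loaded now can still be autoloaded later, so on-disk
    availability is the exposure that matters until the kernel is patched.
    """
    found = set()
    for path in module_paths:
        name = path.rsplit("/", 1)[-1].split(".ko", 1)[0]
        if name in BULLETIN_MODULES:
            found.add(name)
    return found


def triage_host(distro: str, proc_modules_text: str,
                module_paths: Iterable[str]) -> dict:
    """One record per host: which CVEs the bulletin puts in scope and how
    urgently to schedule the kernel update.

    Only CVE-2026-46300 is tied by the bulletin to a specific module path, so
    the other two CVEs are always reported as in scope. The priority is an
    ordering aid for the rollout, not a reason to skip any host.
    """
    loaded = loaded_bulletin_modules(proc_modules_text)
    available = available_bulletin_modules(module_paths)
    cves = {"CVE-2026-43284", "CVE-2026-31431"}
    if distro not in NO_ESPINTCP_PATH:
        cves.add("CVE-2026-46300")
    priority = "now" if loaded else ("next" if available else "scheduled")
    return {
        "distro": distro,
        "loaded_modules": sorted(loaded),
        "available_modules": sorted(available),
        "cves_in_scope": sorted(cves),
        "priority": priority,
    }


def needs_notebook_restart(last_started_iso: str) -> bool:
    """True when a SageMaker notebook was last started on or before the
    cutoff and therefore still runs the pre-patch kernel per the bulletin."""
    return date.fromisoformat(last_started_iso) <= SAGEMAKER_PATCH_DATE


# Constructed sample capture from an Amazon Linux host: two bulletin modules
# loaded, a third shipped on disk but not loaded. The release string is a
# placeholder, not a real Amazon Linux kernel version.
SAMPLE_PROC_MODULES = """\
xfrm_user 45056 1 - Live 0xffffffffc0a10000
esp4 32768 0 - Live 0xffffffffc09f0000
xfs 1765376 2 - Live 0xffffffffc0400000
nvme 49152 3 - Live 0xffffffffc0300000
"""
SAMPLE_MODULE_PATHS = [
    "/lib/modules/6.1.0-example/kernel/net/ipv4/esp4.ko.xz",
    "/lib/modules/6.1.0-example/kernel/net/xfrm/xfrm_user.ko.xz",
    "/lib/modules/6.1.0-example/kernel/crypto/algif_aead.ko.xz",
    "/lib/modules/6.1.0-example/kernel/fs/xfs/xfs.ko.xz",
]

if __name__ == "__main__":
    print(triage_host("amazon-linux", SAMPLE_PROC_MODULES, SAMPLE_MODULE_PATHS))
    print("notebook started 2026-05-20 needs restart:",
          needs_notebook_restart("2026-05-20"))
```

Run it once per fleet capture and sort by `priority`: hosts with a bulletin module loaded go first, hosts that merely ship the module go next, and the rest follow on the normal patch cadence. Because the bulletin is rolling, re-run the triage after each AWS update rather than treating one pass as final.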

    Filed Under
    DirtyFrag · Copy.fail · Fragnesia · CVE-2026-46300 · CVE-2026-43284 · CVE-2026-31431 · Linux Kernel · Amazon Linux · Bottlerocket · SageMaker · Security Agent

    Need Custom Security Briefings?

    These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.