
May 25, 2026 · 7 min read

Linux Just Got Two Local Privilege Escalation Bugs in One Week—Both AI-Discovered, and the OpenSSF's Christopher Robinson Says 30% of the Security Reports He Triages Are Duplicates From People Running the Same Scanners

Dirty Frag, Copy Fail, and Fragesia all exploit the same Linux kernel abstraction—the page cache—through subtly different code paths. All three were found by AI scanning tools. Linus Torvalds describes the new pattern with characteristic bluntness: "because you found it with AI, 100 other people also found it with AI." The maintainer queue cannot tell which bug report is novel and which is a rerun of the same model on the same source tree.


Key Takeaways

  • Three Linux kernel privilege escalation bugs—Dirty Frag, Copy Fail, and Fragesia—were disclosed within seven days, all discovered by AI scanning tools that read the same kernel source tree.
  • Christopher Robinson, head of security at the Open Source Security Foundation, estimates that roughly 30% of Linux security bug reports now arrive as duplicates because multiple AI tools find the same flaw simultaneously.
  • CloudLinux CEO Igor Seletskiy noted that the historical baseline was one or two kernel-level local privilege escalation bugs per year; the May 2026 pace is two in a single week.
  • Google's Threat Intelligence Group measured the median time from bug disclosure to active exploitation: 63 days in 2018, negative one day in 2024, and an estimated negative seven days in 2025.
  • Linus Torvalds is publicly arguing that AI-discovered bugs should be disclosed in the open rather than through private embargo coordination, on the grounds that the same model that found the bug can find it again next week regardless.

What Are Dirty Frag, Copy Fail, and Fragesia?

All three exploit the Linux page cache, the kernel abstraction that holds pages of file content in memory to avoid round trips to disk. Dirty Frag is the original. It involves the kernel handing out a page reference that survives an unexpected revocation, allowing a local user to read or modify file content the user does not own. The exploit takes the form of a small C program that triggers the race window deterministically on common hardware configurations.

Copy Fail is a closely related cryptographic code path bug. The same page cache structure is used by kernel crypto helpers when satisfying read calls against encrypted file systems. A failure in the error path lets a local user observe partial plaintext, which is enough to derive an attack against the encrypted volume.

Fragesia is the sequel that emerged a week after Dirty Frag. It targets the same page cache abstraction but in a different syscall path. The exploit yields root level access on a default Linux installation that has not yet picked up the Dirty Frag mitigation.

Greg Kroah-Hartman, the long-time stable kernel maintainer, characterized the individual findings as "very minor" in isolation—the attack model requires local code execution, which is increasingly rare in modern deployments where the boundary between privileged and unprivileged is enforced at the container or VM layer. The minor framing is a defensible read on a single bug; it is a less defensible read on a class of bugs that the next AI scanner run will surface again.

What Did the AI Tools Actually Find?

The scanners in question are large-language-model-assisted static and symbolic analysis pipelines. The Google Project Zero team has been running similar internal tools for two years; other vendors—Trail of Bits, GitHub Advanced Security, and several academic groups—have shipped versions during 2025 and 2026. The pipelines read the kernel source, identify suspect patterns in error handling, race conditions, and integer boundary checks, and synthesize a proof-of-concept exploit when a candidate looks plausible.

For the kernel maintainers, the practical effect is a flood of plausible looking bug reports that need triage. Many are real but cover the same root cause as another report. Some are reasoning errors that look like bugs and are not. A few are entirely novel and important. The 30% duplicate figure Robinson cites is a manifestation of the same model architecture being widely available and the same source code being widely scanned.

Seletskiy's framing—"we typically see one or two kernel level LPE vulnerabilities per year. Now two appear one week apart"—captures the operational headache. Production environments that historically scheduled kernel patches against an annual or semi-annual cadence may now need weekly or biweekly patch cycles, because the steady state of disclosed bugs has shifted upward in step with scanner adoption.

Why Is Mean Time to Exploit Now Negative?

Google Threat Intelligence Group's annual measurement of mean time to exploit (MTE) has tracked the gap between vulnerability disclosure and the first observed in-the-wild exploitation. The number used to be measured in weeks or months. The 2018 figure was 63 days. By 2024 the average had dropped to roughly negative one day—exploitation was being observed before the public patch. The 2025 estimate is negative seven days. Exploitation is now consistently a week ahead of disclosure for high-impact bugs.

The reason is partly that attackers run the same scanners. A research team finds Dirty Frag in May. So does a model running on an attacker's hardware in April. The asymmetry is not in the discovery; it is in what each party does with the discovery. The defender writes a coordinated disclosure note and a patch series. The attacker writes an exploit.

The negative MTE is the strongest available argument for Torvalds's position on disclosure. If the bug is going to be exploited a week before patching anyway, there is little gained from a private embargo period. Public disclosure at least lets the broader community start mitigation work earlier. The counterargument—that public disclosure speeds exploitation against the small but real population of systems an attacker did not already target—is becoming harder to defend in aggregate.

What Should Defenders Do Differently?

The practical shifts that follow from the May 2026 picture:

  • Tighten the local code execution boundary. Most of the AI-surfaced bugs in 2026 are local privilege escalation. Reducing the number of contexts in which untrusted code runs—via containerization, gVisor, Firecracker, mandatory access control—removes the prerequisite for exploitation.
  • Move SELinux and AppArmor from permissive (complain) mode to enforcing mode. The default permissive postures most distros ship with leave many of the page cache code paths reachable. Enforcing policies that log and block rather than only warn are increasingly worth the operational cost.
  • Patch on a weekly cycle for kernel CVEs. The annual cadence that worked when one or two kernel LPEs landed per year does not work when two land per week.
  • Treat AI scanner output as input, not as conclusion. The 30% duplicate rate means the same scanner findings will continue to recirculate. Internal triage that deduplicates against a maintained list of root causes—not just CVE identifiers—catches the same class of bug across multiple report waves.
  • Subscribe to the kernel security mailing list for raw early warning. Coordinated disclosure timelines have shortened. Tracking bugs at the maintainer queue level beats waiting for the downstream distribution advisory.
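As an added illustration of the root-cause deduplication the list above recommends (not tooling from the article, the OpenSSF, or the kernel project), the script below keys a queue of constructed sample reports by file, function, and bug class rather than by CVE identifier, and compares the duplicate rate each method finds. All file paths, function names, and CVE ids are placeholders.

```python
"""Root-cause deduplication for a queue of scanner-generated kernel bug reports.

Added example for this article, not the kernel project's triage tooling.
The report queue is constructed; paths, functions and CVE ids are placeholders.
"""
from collections import defaultdict

# Constructed sample queue: three reports describe one page-cache
# reference-lifetime flaw under different names, scanners and identifiers.
SAMPLE_REPORTS = [
    {"id": "R1", "cve": "CVE-PLACEHOLDER-1", "file": "mm/pagecache_example.c",
     "function": "example_get_page", "bug_class": "ref-survives-revocation",
     "summary": "page reference outlives revocation (scanner A)"},
    {"id": "R2", "cve": "CVE-PLACEHOLDER-1", "file": "mm/pagecache_example.c",
     "function": "example_get_page", "bug_class": "ref-survives-revocation",
     "summary": "stale page ref after truncate, local priv-esc (scanner B)"},
    {"id": "R3", "cve": None, "file": "mm/pagecache_example.c",
     "function": "example_get_page", "bug_class": "ref-survives-revocation",
     "summary": "same window reached via a different syscall (scanner C)"},
    {"id": "R4", "cve": "CVE-PLACEHOLDER-2", "file": "crypto/example_read.c",
     "function": "example_decrypt_read", "bug_class": "error-path-info-leak",
     "summary": "partial plaintext observable on error path"},
    {"id": "R5", "cve": "CVE-PLACEHOLDER-3", "file": "fs/example_ioctl.c",
     "function": "example_ioctl", "bug_class": "integer-boundary",
     "summary": "candidate from scanner D, pending confirmation"},
]

def root_cause_key(report):
    """Where and how the code breaks; two reports that share this key are one
    root cause even if one lacks a CVE or arrived via a different syscall path."""
    return (report["file"], report["function"], report["bug_class"])

def dedupe(reports):
    """Cluster report ids by root cause, preserving arrival order."""
    clusters = defaultdict(list)
    for r in reports:
        clusters[root_cause_key(r)].append(r["id"])
    return dict(clusters)

def duplicate_rate(reports):
    """Fraction of reports that add no new root cause to the queue."""
    if not reports:
        return 0.0
    return (len(reports) - len(dedupe(reports))) / len(reports)

def cve_only_duplicate_rate(reports):
    """The weaker check: dedupe on CVE id alone. Reports without a CVE each
    look novel, so duplicates of an already-known root cause are undercounted."""
    seen, dups = set(), 0
    for r in reports:
        if r["cve"] is None:
            continue
        dups += r["cve"] in seen
        seen.add(r["cve"])
    return dups / len(reports) if reports else 0.0
```

On this queue, root-cause keying flags 2 of 5 reports as duplicates, while CVE-only keying flags just 1, missing the report that reached the same flaw without an identifier.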

The longer arc, echoed in the Verizon 2026 DBIR finding that exploited vulnerabilities now account for 31% of breaches, is that the defender side of the AI-assisted security economy needs to scale at the same pace as the attacker side. Both are running the same scanners. The question is which side is faster at acting on the output. The May 2026 numbers—negative MTE, 30% duplicate rate, two LPEs in a week—say defenders are losing that race at the moment. The next twelve months will decide whether the gap closes.
