[Control Systems] Moxa security advisory (AV26-509)
Analysis Summary
# Vulnerability: Copy Fail and Dirty Frag Vulnerabilities in Linux Kernel (Moxa Products)
## CVE Details
- **CVE ID:** CVE-2026-31431, CVE-2026-43284, CVE-2026-43500
- **CVSS Score:** Not explicitly provided in the summary; Linux Kernel memory corruption and privilege escalation flaws are typically rated High (7.0 - 8.9).
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-416 (Use After Free).
## Affected Systems
- **Products:** UC-1200A/2200A/3400A/4400A/8600A/8200 Series, V1200, V3200, V3400, VM-1220, ioThinx 4530, AIG-302, AIG-502, BXP-A100, BXP-A101, DRP-A100, RKP-A110, RKP-C110.
- **Versions:**
  - V1200 Series: MIL3 v1.2.0 and prior
  - V3200/V3400/VM-1220 Series: MIL3 v1.1 and prior
  - ioThinx 4530 Series: MIL3 v2.1 and prior
  - AIG-302 Series: v1.4.0 and prior
  - AIG-502 Series: v1.0.0
  - BXP-A100, DRP-A100, RKP-A110: Debian 11 V1.0
  - BXP-A101, RKP-C110: Debian 12 V1.0
- **Configurations:** Systems running affected Linux Kernel versions integrated into Moxa industrial hardware.
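
One way to triage an asset inventory against the version list above, as an added example (not Moxa's or the advisory's code). The inventory rows and status labels are constructed, the UC series names are expanded from the shorthand in the product list, and series for which this page gives no version range are routed to the vendor advisory instead of being guessed.

```python
import re
from itertools import zip_longest

# series -> (version named in the list above, True if listed as "and prior");
# for BXP/DRP/RKP the version is that of the Debian 11/12 image.
AFFECTED = {
    "V1200": ("1.2.0", True), "ioThinx 4530": ("2.1", True),
    "AIG-302": ("1.4.0", True), "AIG-502": ("1.0.0", False),
    **{s: ("1.1", True) for s in ("V3200", "V3400", "VM-1220")},
    **{s: ("1.0", False) for s in ("BXP-A100", "DRP-A100", "RKP-A110", "BXP-A101", "RKP-C110")},
}
# Listed as affected, but this page gives no version range for them.
NO_RANGE = {"UC-1200A", "UC-2200A", "UC-3400A", "UC-4400A", "UC-8600A", "UC-8200"}

def parse_version(text):
    """'v1.2.0' or 'V1.0' -> (1, 2, 0); ValueError on anything else."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def compare(a, b):
    """Order two version tuples, zero-padding the shorter (1.1 == 1.1.0)."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def triage(series, installed):
    if series in NO_RANGE:
        return "check-vendor-advisory"
    if series not in AFFECTED:
        return "not-listed"
    limit, and_prior = AFFECTED[series]
    order = compare(parse_version(installed), parse_version(limit))
    return "affected" if order == 0 or (and_prior and order < 0) else "outside-listed-range"

# Constructed inventory (hypothetical hosts), not data from the advisory.
INVENTORY = [
    ("gw-01", "V1200", "v1.1.9"), ("io-02", "ioThinx 4530", "2.1.0"),
    ("aig-03", "AIG-502", "1.0.1"), ("uc-04", "UC-8200", "3.0"),
    ("hmi-05", "V3400", "v1.10"),
]

def report(rows=INVENTORY):
    return {host: triage(series, ver) for host, series, ver in rows}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

A device reported as `outside-listed-range` is only outside the ranges quoted on this page; confirm the fixed firmware version against the vendor advisory before closing the finding.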
## Vulnerability Description
The vulnerabilities, colloquially referred to as "Copy Fail" and "Dirty Frag," reside within the Linux Kernel's memory management and networking stack. They involve flaws in how the kernel handles fragmented packets and memory copying operations. These flaws can lead to memory corruption, potential local privilege escalation (LPE), or denial of service (DoS).
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild in this advisory; however, Linux Kernel vulnerabilities of this type often have PoCs available in the security research community.
- **Complexity:** Medium (Requires specific local or network-defined conditions).
- **Attack Vector:** Network / Local (Depending on the specific CVE and kernel subsystem targeted).
## Impact
- **Confidentiality:** High (Potential memory exposure/access).
- **Integrity:** High (Potential for unauthorized modification via privilege escalation).
- **Availability:** High (System crashes or kernel panics leading to DoS).
## Remediation
### Patches
Users are advised to update to the latest firmware versions provided by Moxa for their specific product series. These updates include the patched Linux Kernel versions addressing the identified CVEs.
- Detailed firmware updates are available via the Moxa Support portal.
### Workarounds
- Enforce strict access control lists (ACLs) to limit network exposure.
- Minimize local user access to critical industrial controllers.
- Disable unnecessary network services and protocols that may process fragmented packets.
## Detection
- **Indicators of Compromise:** Unusual system reboots, kernel panic logs in `dmesg`, or unauthorized privilege changes.
- **Detection methods and tools:** Use vulnerability scanners (such as Nessus or OpenVAS) updated with the latest CVE signatures, and monitor system logs for memory allocation errors.
## References
- Vendor advisory: hxxps://www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-263140-cve-2026-31431,-cve-2026-43284,-cve-2026-43500-copy-fail-and-dirty-frag-vulnerabilities-in-linux-kernel
- Moxa Security Advisories: hxxps://www[.]moxa[.]com/en/support/product-support/security-advisory
- Canadian Centre for Cyber Security (AV26-509): hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-moxa-security-advisory-av26-509