Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Home/CyberSecurity News/Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released
CyberSecurity News

Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Key Takeaways A critical Linux kernel local privilege escalation (LPE) vulnerability, dubbed “Dirty Frag,” has been publicly disclosed with a proof-of-concept (PoC) exploit. The flaw,...

David kimber
David kimber
May 8, 2026 5 Min Read
52 0

Key Takeaways

  • A critical Linux kernel local privilege escalation (LPE) vulnerability, dubbed “Dirty Frag,” has been publicly disclosed with a proof-of-concept (PoC) exploit.
  • The flaw, pending CVE assignment, allows attackers to gain root privileges on nearly all major Linux distributions by chaining two distinct page-cache write vulnerabilities.
  • Dirty Frag is a deterministic logic bug with a high success rate, affecting various kernel versions and distributions, including Ubuntu, RHEL, and Fedora.
  • While one patch for the ESP variant has been merged into the netdev tree, the RxRPC patch remains unmerged, and distribution-level fixes are not yet widely available.

A severe local privilege escalation (LPE) vulnerability affecting the Linux kernel, dubbed “Dirty Frag,” has been revealed, complete with a functional proof-of-concept (PoC) exploit. This critical flaw, still awaiting CVE identifiers, enables attackers to achieve full root access across a broad spectrum of popular Linux distributions. The vulnerability was publicly disclosed following an embargo breach on May 7, 2026, as detailed in an oss-security mailing list post.

Table Of Content

  • Key Takeaways
  • Understanding the Dirty Frag Vulnerability
  • xfrm-ESP Page-Cache Write
  • RxRPC Page-Cache Write
  • Affected Distributions and Kernel Versions
  • What You Should Do

Dirty Frag is a unique LPE that chains two separate page-cache write vulnerabilities: the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write. Its mechanism is similar in class to previously identified flaws like Dirty Pipe and Copy Fail (CVE-2026-31431), but it specifically targets the frag member within the kernel’s struct sk_buff, rather than struct pipe_buffer.

Understanding the Dirty Frag Vulnerability

Security researcher Hyunwoo Kim (@v4bel) discovered and reported Dirty Frag. The vulnerability leverages the zero-copy send path, where the splice() system call embeds a reference to a read-only page cache page—such as /etc/passwd or /usr/bin/su—into the frag slot of a sender-side skb (socket buffer).

The core of the exploit lies in how the receiver-side kernel then performs in-place cryptographic operations directly on this vulnerable frag. This process permanently alters the page cache in RAM. Consequently, any subsequent read operation on that file will reflect the modified, corrupted version, even though the attacker initially only possessed read access. Unlike race-condition exploits, Dirty Frag is a deterministic logic bug; it does not rely on precise timing windows, avoids kernel panics upon failure, and boasts an exceptionally high success rate.

The two components of Dirty Frag operate as follows:

xfrm-ESP Page-Cache Write

This variant is found in esp_input(), part of the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code bypasses the mandatory skb_cow_data() buffer allocation step. Instead, it proceeds directly to in-place AEAD decryption on the attacker-controlled frag. By manipulating the XFRMA_REPLAY_ESN_VAL netlink attribute, an attacker can precisely control both the location (file offset) and the 4-byte value of each store operation. This allows for overwriting arbitrary bytes within /usr/bin/su‘s page cache, enabling the injection of a static root-shell ELF across 48 chunks of 4 bytes each (totaling 192 bytes). Although an authentication failure (-EBADMSG) is returned, the page cache write has already been made persistent. This specific variant requires the ability to create a user namespace via unshare(CLONE_NEWUSER).

RxRPC Page-Cache Write

The second variant resides in rxkad_verify_packet_1(), which conducts an in-place single-block pcbc(fcrypt) decryption on the initial 8 bytes of the RxRPC payload. Since skb_to_sgvec() directly converts the splice-pinned page cache page into the Scatter-Gather List (SGL), the attacker-controlled page serves as both the source and destination. The 8-byte stored value is derived from fcrypt_decrypt(C, K), where K is a freely specified session key registered using add_key("rxrpc", ...)—an operation that requires no special privileges. Attackers can brute-force K in user space until the desired plaintext is generated, for example, transforming the password field on the first line of /etc/passwd into an empty string, thereby facilitating a PAM nullok authentication bypass.

Neither vulnerability alone provides universal coverage across all Linux environments:

  • ESP variant: Generally available on most distributions but necessitates user namespace creation, which is blocked on certain Ubuntu configurations by AppArmor policies.
  • RxRPC variant: Does not require namespace privileges, but the rxrpc.ko module is absent by default on many distributions like RHEL 10.1, though it ships and auto-loads on Ubuntu.

The ingenious chaining of these two exploits effectively eliminates these blind spots, enabling root access on virtually every major Linux distribution. The exploit first attempts the ESP path and, if unshare(CLONE_NEWUSER) fails, automatically falls back to the RxRPC path, targeting /etc/passwd.

Affected Distributions and Kernel Versions

The ESP vulnerability has been present since commit cac2661c53f3 (January 2017), and the RxRPC flaw since 2dc334f1a63a (June 2023), creating an effective exploitation window of approximately nine years. Confirmed affected distributions include:

  • Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
  • RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
  • openSUSE Tumbleweed (kernel 7.0.2-1-default)
  • CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
  • AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
  • Fedora 44 (kernel 6.19.14-300.fc44.x86_64)

A patch for the ESP variant, which uses the SKBFL_SHARED_FRAG flag to ensure splice-pinned pages always route through skb_cow_data(), was merged into the netdev tree on May 7, 2026. This final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. However, the RxRPC patch, designed to add || skb->data_len to the existing skb_cloned() gate to enforce isolation of non-linear skbs, remains unmerged upstream. As of publication, no CVE identifiers have been assigned for either flaw, primarily due to the premature embargo break by an unrelated third party on May 7, 2026.

What You Should Do

Given that distribution-level patches are not yet widely available, system administrators should take immediate action to mitigate the risk:

  • Disable Affected Kernel Modules: Temporarily disable the esp4, esp6, and rxrpc kernel modules. This can be achieved by executing the following command:
    sh -c "printf 'install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

    This command blacklists and unloads the modules, effectively disrupting IPsec and RxRPC functionality.

  • Evaluate Operational Impact: Systems heavily reliant on IPsec VPN tunnels should carefully assess the operational impact before applying the module disabling workaround. Prioritize applying distribution-backported kernel patches as soon as they become available.
  • Monitor for Official Patches: Stay vigilant for official kernel updates from your Linux distribution vendors. Apply these patches immediately upon release.
  • Review Technical Details: For a comprehensive understanding and access to the PoC exploit code, refer to the researcher’s GitHub repository.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Vercel Patches Critical Next.js, React Server Component Vulnerabilities

Next Post

Critical Spring Bugs Expose Arbitrary Files and GCP Secrets

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us