Dirty Frag Linux Vulnerability Allows Root Privileges Access
Dirty Frag, a newly disclosed and CVE-pending Linux kernel local privilege escalation (LPE) vulnerability, enables attackers to achieve root access across virtually all major Linux distributions....
Dirty Frag, a newly disclosed and CVE-pending Linux kernel local privilege escalation (LPE) vulnerability, enables attackers to achieve root access across virtually all major Linux distributions. This critical flaw operates by chaining two separate page-cache write vulnerabilities: the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write. A public exploit for Dirty Frag is already in the wild, surfacing after an embargo break on May 7, 2026, as detailed in an oss-security mailing list post.
Table Of Content
Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431), but targets the frag member of the kernel’s struct sk_buff rather than struct pipe_buffer.
Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path where splice() plants a reference to a read-only page cache page, such as /etc/passwd or /usr/bin/su — into the frag slot of a sender-side skb.
Dirty Frag Linux Vulnerability
The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.
Every subsequent read to that file sees the corrupted version, even though the unprivileged attacker was granted only read access.
Unlike race-condition exploits, Dirty Frag is a deterministic logic bug that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.
xfrm-ESP Page-Cache Write resides in esp_input(), the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code skips the mandatory skb_cow_data() buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.
Using the XFRMA_REPLAY_ESN_VAL netlink attribute, the attacker can control both the location (file offset) and the value (4 bytes) of each store operation, enabling them to overwrite arbitrary bytes of /usr/bin/su‘s page cache with a static root-shell ELF 192 bytes written across 48 chunks of 4 bytes each.
Authentication failure (-EBADMSG) is returned afterward, but the page cache write has already persisted. This variant requires the ability to create a user namespace (unshare(CLONE_NEWUSER)).
RxRPC Page-Cache Write resides in rxkad_verify_packet_1(), which performs an in-place single-block pcbc(fcrypt) decryption on the first 8 bytes of the RxRPC payload.
Because skb_to_sgvec() converts the splice-pinned page cache page directly into the SGL, the attacker-controlled page becomes both src and dst.
The 8-byte store value is fcrypt_decrypt(C, K), where K is a freely specifiable session key registered via add_key("rxrpc", ...) — an operation requiring no privileges at all.
The attacker brute-forces K in user space until the desired plaintext (e.g., turning /etc/passwd line 1’s password field into an empty string) is produced, enabling PAM nullok authentication bypass.
Neither vulnerability alone covers all Linux environments:
- ESP variant: Available on most distros but requires user namespace creation — blocked on some Ubuntu configurations via AppArmor policy.
- RxRPC variant: No namespace privilege required, but
rxrpc.kois absent on most distros like RHEL 10.1 by default — yet ships and auto-loads on Ubuntu.
Chaining the two exploits closes both blind spots, achieving root on essentially every major distribution. The exploit first attempts the ESP path; if unshare(CLONE_NEWUSER) fails, it automatically falls back to the RxRPC path targeting /etc/passwd.
Affected Distributions and Kernel Versions
The ESP vulnerability has been present since commit cac2661c53f3 (January 2017), and the RxRPC flaw since 2dc334f1a63a (June 2023), giving the chain an effective window of approximately 9 years. Confirmed affected distributions include:
- Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
- RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
- openSUSE Tumbleweed (kernel 7.0.2-1-default)
- CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
- AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
- Fedora 44 (kernel 6.19.14-300.fc44.x86_64)
The ESP variant patch using the SKBFL_SHARED_FRAG flag to ensure splice-pinned pages always route through skb_cow_data() — was merged into the netdev tree on May 7, 2026.
The final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. The RxRPC patch, which adds || skb->data_len to the existing skb_cloned() gate to force isolation of non-linear skbs, remains unmerged upstream.
No CVE identifiers have been assigned for either flaw as of publication, due to the premature embargo break by an unrelated third party on May 7, 2026 .
Immediate Mitigation
Since distribution-level patches are not yet available, administrators should immediately disable the affected kernel modules using the following command:
bashsh -c "printf 'install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
This blacklists and unloads the esp4, esp6, and rxrpc modules, disrupting IPsec and RxRPC functionality as a trade-off.
Systems that rely on IPsec VPN tunnels should weigh operational impact carefully before applying the workaround and prioritize applying distribution-backported kernel patches once available.
The complete technical write-up and PoC exploit code are available at the researcher’s GitHub repository.
No Comment! Be the first one.