Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released
Key Takeaways A critical Linux kernel local privilege escalation (LPE) vulnerability, dubbed “Dirty Frag,” has been publicly disclosed with a proof-of-concept (PoC) exploit. The flaw,...
Key Takeaways
- A critical Linux kernel local privilege escalation (LPE) vulnerability, dubbed “Dirty Frag,” has been publicly disclosed with a proof-of-concept (PoC) exploit.
- The flaw, pending CVE assignment, allows attackers to gain root privileges on nearly all major Linux distributions by chaining two distinct page-cache write vulnerabilities.
- Dirty Frag is a deterministic logic bug with a high success rate, affecting various kernel versions and distributions, including Ubuntu, RHEL, and Fedora.
- While one patch for the ESP variant has been merged into the netdev tree, the RxRPC patch remains unmerged, and distribution-level fixes are not yet widely available.
A severe local privilege escalation (LPE) vulnerability affecting the Linux kernel, dubbed “Dirty Frag,” has been revealed, complete with a functional proof-of-concept (PoC) exploit. This critical flaw, still awaiting CVE identifiers, enables attackers to achieve full root access across a broad spectrum of popular Linux distributions. The vulnerability was publicly disclosed following an embargo breach on May 7, 2026, as detailed in an oss-security mailing list post.
Table Of Content
Dirty Frag is a unique LPE that chains two separate page-cache write vulnerabilities: the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write. Its mechanism is similar in class to previously identified flaws like Dirty Pipe and Copy Fail (CVE-2026-31431), but it specifically targets the frag member within the kernel’s struct sk_buff, rather than struct pipe_buffer.
Understanding the Dirty Frag Vulnerability
Security researcher Hyunwoo Kim (@v4bel) discovered and reported Dirty Frag. The vulnerability leverages the zero-copy send path, where the splice() system call embeds a reference to a read-only page cache page—such as /etc/passwd or /usr/bin/su—into the frag slot of a sender-side skb (socket buffer).
The core of the exploit lies in how the receiver-side kernel then performs in-place cryptographic operations directly on this vulnerable frag. This process permanently alters the page cache in RAM. Consequently, any subsequent read operation on that file will reflect the modified, corrupted version, even though the attacker initially only possessed read access. Unlike race-condition exploits, Dirty Frag is a deterministic logic bug; it does not rely on precise timing windows, avoids kernel panics upon failure, and boasts an exceptionally high success rate.
The two components of Dirty Frag operate as follows:
xfrm-ESP Page-Cache Write
This variant is found in esp_input(), part of the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code bypasses the mandatory skb_cow_data() buffer allocation step. Instead, it proceeds directly to in-place AEAD decryption on the attacker-controlled frag. By manipulating the XFRMA_REPLAY_ESN_VAL netlink attribute, an attacker can precisely control both the location (file offset) and the 4-byte value of each store operation. This allows for overwriting arbitrary bytes within /usr/bin/su‘s page cache, enabling the injection of a static root-shell ELF across 48 chunks of 4 bytes each (totaling 192 bytes). Although an authentication failure (-EBADMSG) is returned, the page cache write has already been made persistent. This specific variant requires the ability to create a user namespace via unshare(CLONE_NEWUSER).
RxRPC Page-Cache Write
The second variant resides in rxkad_verify_packet_1(), which conducts an in-place single-block pcbc(fcrypt) decryption on the initial 8 bytes of the RxRPC payload. Since skb_to_sgvec() directly converts the splice-pinned page cache page into the Scatter-Gather List (SGL), the attacker-controlled page serves as both the source and destination. The 8-byte stored value is derived from fcrypt_decrypt(C, K), where K is a freely specified session key registered using add_key("rxrpc", ...)—an operation that requires no special privileges. Attackers can brute-force K in user space until the desired plaintext is generated, for example, transforming the password field on the first line of /etc/passwd into an empty string, thereby facilitating a PAM nullok authentication bypass.
Neither vulnerability alone provides universal coverage across all Linux environments:
- ESP variant: Generally available on most distributions but necessitates user namespace creation, which is blocked on certain Ubuntu configurations by AppArmor policies.
- RxRPC variant: Does not require namespace privileges, but the
rxrpc.komodule is absent by default on many distributions like RHEL 10.1, though it ships and auto-loads on Ubuntu.
The ingenious chaining of these two exploits effectively eliminates these blind spots, enabling root access on virtually every major Linux distribution. The exploit first attempts the ESP path and, if unshare(CLONE_NEWUSER) fails, automatically falls back to the RxRPC path, targeting /etc/passwd.
Affected Distributions and Kernel Versions
The ESP vulnerability has been present since commit cac2661c53f3 (January 2017), and the RxRPC flaw since 2dc334f1a63a (June 2023), creating an effective exploitation window of approximately nine years. Confirmed affected distributions include:
- Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
- RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
- openSUSE Tumbleweed (kernel 7.0.2-1-default)
- CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
- AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
- Fedora 44 (kernel 6.19.14-300.fc44.x86_64)
A patch for the ESP variant, which uses the SKBFL_SHARED_FRAG flag to ensure splice-pinned pages always route through skb_cow_data(), was merged into the netdev tree on May 7, 2026. This final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. However, the RxRPC patch, designed to add || skb->data_len to the existing skb_cloned() gate to enforce isolation of non-linear skbs, remains unmerged upstream. As of publication, no CVE identifiers have been assigned for either flaw, primarily due to the premature embargo break by an unrelated third party on May 7, 2026.
What You Should Do
Given that distribution-level patches are not yet widely available, system administrators should take immediate action to mitigate the risk:
- Disable Affected Kernel Modules: Temporarily disable the
esp4,esp6, andrxrpckernel modules. This can be achieved by executing the following command:sh -c "printf 'install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"This command blacklists and unloads the modules, effectively disrupting IPsec and RxRPC functionality.
- Evaluate Operational Impact: Systems heavily reliant on IPsec VPN tunnels should carefully assess the operational impact before applying the module disabling workaround. Prioritize applying distribution-backported kernel patches as soon as they become available.
- Monitor for Official Patches: Stay vigilant for official kernel updates from your Linux distribution vendors. Apply these patches immediately upon release.
- Review Technical Details: For a comprehensive understanding and access to the PoC exploit code, refer to the researcher’s GitHub repository.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.