A critical, unpatched local privilege escalation (LPE) vulnerability dubbed Dirty Frag has been publicly disclosed, enabling any local attacker to obtain full root privileges on virtually all major Linux distributions, including Ubuntu, RHEL, Fedora, AlmaLinux, openSUSE, and CentOS Stream, with a single command and no race conditions required.
The researcher published a complete write-up and working proof-of-concept (PoC) exploit on May 7, 2026, after an unrelated third party broke a coordinated five-day embargo.
Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431, CVSS 7.8), both of which exploit the Linux kernel’s page cache to overwrite files to which an attacker has only read access.
While Dirty Pipe overwrites struct pipe_buffer, Dirty Frag targets the frag slot of struct sk_buff, the kernel’s socket buffer structure, by planting attacker-controlled page-cache pages through the splice() system call’s zero-copy send path.
Critically, Dirty Frag works even on systems where the Copy Fail mitigation (algif_aead module blocklist) has been applied, meaning previously hardened systems remain fully exposed.
Dirty Frag Zero-Day Vulnerability
The power of Dirty Frag lies in chaining two distinct kernel flaws that cover each other’s blind spots:
1. xfrm-ESP Page-Cache Write – Rooted in the IPsec (xfrm) subsystem’s esp_input() function, this flaw has existed since kernel commit cac2661c53f3 (January 17, 2017), nearly nine years.
When an skb is non-linear but lacks a frag_list, esp_input() skips the critical skb_cow_data() call and performs in-place AEAD decryption directly on an attacker-pinned page-cache page.
Using the XFRMA_REPLAY_ESN_VAL netlink attribute, the attacker can freely control both the 4-byte store location (file offset) and the 4-byte store value (the high-order 32 bits of the ESN sequence number). Even when AEAD authentication fails with -EBADMSG, the page-cache modification has already been committed and persists until a reboot or drop_caches.
The exploit targets /usr/bin/su, writing a 192-byte root-shell ELF in 48 chunks of 4 bytes each to fully replace the binary’s page cache with shellcode that calls setuid(0) and drops into /bin/sh.
However, this variant requires CAP_NET_ADMIN via an unprivileged user namespace (unshare(CLONE_NEWUSER | CLONE_NEWNET)), a step blocked on Ubuntu systems protected by AppArmor policy.
2. RxRPC Page-Cache Write – Introduced in kernel commit 2dc334f1a63a (June 2023), this flaw resides in the rxkad_verify_packet_1() function of the RxRPC kernel subsystem.
When performing RXKAD-level security verification, the function executes an in-place 8-byte pcbc(fcrypt) decryption directly onto a fragment that the attacker plants via splice(). Since an RxRPC session key can be registered freely via add_key("rxrpc", ...), requiring no elevated privileges at all, the attacker controls the cipher key K.
The 8-byte store value equals fcrypt_decrypt(C, K), which is determined by brute-forcing K in user-space (fcrypt runs ~18 million keys/second, resolving in milliseconds to ~1 second per chunk).
The exploit targets /etc/passwd, rewriting the password field of line 1 to empty ("::") so that pam_unix.so, with the nullok option, accepts a passwordless root login via /usr/bin/su. The trade-off: rxrpc.ko is not shipped by default on RHEL 10.1 or most non-Ubuntu distributions. On Ubuntu, however, it is loaded automatically.
The combined exploit first attempts the ESP variant. If unshare(CLONE_NEWUSER) is blocked (e.g., by Ubuntu’s AppArmor) or if esp4.ko is unavailable, it falls back automatically to the RxRPC variant. This chain ensures root access across all major distributions regardless of their individual security hardening configurations, making Dirty Frag a near-universal LPE.
Affected Kernel Versions
Dirty Frag has been confirmed on the following tested systems:
- Ubuntu 24.04.4 – kernel 6.17.0-23-generic
- RHEL 10.1 – kernel 6.12.0-124.49.1
- openSUSE Tumbleweed – kernel 7.0.2-1-default
- CentOS Stream 10 – kernel 6.12.0-224.el10
- AlmaLinux 10 – kernel 6.12.0-124.52.3
- Fedora 44 – kernel 6.19.14-300.fc44
The xfrm-ESP flaw affects Linux kernel 4.11 and later; the RxRPC flaw affects kernel 6.5 and later.
Patch and Mitigation
As of publication, no distribution-level patches exist because the embargo was broken prematurely. A kernel-level fix for the ESP variant, which uses the SKBFL_SHARED_FRAG flag to ensure attacker-pinned page-cache pages are routed through skb_cow_data(), was merged into the netdev tree on May 7, 2026, based on a shared-frag approach submitted by Kuan-Ting Chen. No upstream patch exists yet for the RxRPC variant. CloudLinux has confirmed that patched kernels and KernelCare livepatches are in active build and test.
Red Hat has rated the severity as Important. Amazon AWS has acknowledged the issue across Amazon Linux kernels. CVE-2026-43284 has been associated with the vulnerability in some vendor advisories.
Until distribution patches are released, system administrators should disable the affected kernel modules immediately with the following command:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
> /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
This prevents the vulnerable esp4, esp6, and rxrpc modules from loading. For exploit code and full technical details, see the researcher’s GitHub repository.
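A defender-side script that applies the module blocklist above and verifies the result (an added example, not the researcher's or any distribution's code; it assumes the same /etc/modprobe.d/dirtyfrag.conf path and a DIRTYFRAG_APPLY=1 guard so that merely sourcing the file has no side effects):

```shell
#!/bin/sh
# Added example (not the researcher's code): apply the esp4/esp6/rxrpc modprobe
# blocklist from the article and verify it. Assumed config path:
# /etc/modprobe.d/dirtyfrag.conf (any path may be passed for testing).
MODULES="esp4 esp6 rxrpc"

# Write one "install <module> /bin/false" line per module into $1 so that
# modprobe refuses to load it.
write_blocklist() {
    : > "$1" || return 1
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$1" || return 1
    done
}

# Return 0 only if every module has its blocklist line in $1.
check_blocklist() {
    for m in $MODULES; do
        grep -q "^install $m /bin/false" "$1" 2>/dev/null || return 1
    done
}

# Print the affected modules that are loaded according to a /proc/modules-style
# file ($1, default /proc/modules); return 1 if any is loaded, else 0.
loaded_modules() {
    rc=0
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' "${1:-/proc/modules}" 2>/dev/null; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Full mitigation (needs root): write and verify the blocklist, then unload any
# module already loaded. rmmod fails for a module in use (e.g. esp4 with an
# active IPsec SA); the blocklist still stops it from loading again after reboot.
apply_mitigation() {
    conf="${1:-/etc/modprobe.d/dirtyfrag.conf}"
    write_blocklist "$conf" && check_blocklist "$conf" || return 1
    for m in $(loaded_modules); do
        rmmod "$m" 2>/dev/null || echo "warning: $m still loaded (in use?)" >&2
    done
}

# Only act when explicitly requested, so the file can be sourced safely.
if [ "${DIRTYFRAG_APPLY:-0}" = 1 ]; then apply_mitigation; fi
```

Run it as root with DIRTYFRAG_APPLY=1 to apply the mitigation; a module that rmmod cannot unload stays resident until reboot, which is why the verification step matters.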
FAQs
Q1: Does applying the Copy Fail (algif_aead blocklist) mitigation protect against Dirty Frag?
No, Dirty Frag triggers independently of whether algif_aead is available, so systems with the Copy Fail mitigation applied remain fully vulnerable.
Q2: Does Dirty Frag require a race condition to succeed?
No, it is a deterministic logic bug with no timing dependency, meaning no race condition is needed, and the exploit succeeds reliably without crashing the kernel.
Q3: Which Linux distributions are confirmed vulnerable to Dirty Frag?
Ubuntu, RHEL, Fedora, AlmaLinux, openSUSE Tumbleweed, CentOS Stream, and Amazon Linux are all confirmed affected, covering virtually all major enterprise and consumer distributions.
Q4: What is the fastest way to mitigate Dirty Frag before patches are available?
Run the one-line modprobe blocklist command provided by the researcher to block esp4, esp6, and rxrpc modules from loading, and apply vendor kernel updates as soon as they are released.
Site: thecybrdef.com