Dirty Frag\u00a0is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, to achieve root access on virtually all major Linux distributions, with a public exploit already in the wild following an embargo break on May 7, 2026.<\/p>\n
Dirty Frag belongs to the same vulnerability class as Dirty Pipe<\/a> and Copy Fail (CVE-2026-31431)<\/a>, but targets the\u00a0 Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path where\u00a0splice()\u00a0plants a reference to a read-only page cache page, such as\u00a0 The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.<\/p>\n Every subsequent read to that file sees the corrupted version, even though the unprivileged attacker was granted only read access.<\/p>\n Unlike race-condition exploits, Dirty Frag is a\u00a0deterministic logic bug\u00a0that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.<\/p>\n xfrm-ESP Page-Cache Write\u00a0resides in\u00a0 Using the\u00a0 Authentication failure ( RxRPC Page-Cache Write\u00a0resides in\u00a0 Because\u00a0 The 8-byte store value is\u00a0 The attacker brute-forces<\/a>\u00a0 Neither vulnerability alone covers all Linux environments:<\/a><\/p>\n Chaining the two exploits closes both blind spots, achieving root on essentially every major distribution. The exploit first attempts the ESP path; if\u00a0 The ESP vulnerability has been present since commit\u00a0 The ESP variant patch using the\u00a0 The final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. The RxRPC patch, which adds\u00a0 No CVE identifiers have been assigned for either flaw as of publication, due to the premature embargo break by an unrelated third party on May 7, 2026\u00a0.<\/p>\n Since distribution-level patches are not yet available, administrators should immediately disable the affected kernel modules using the following command:<\/a><\/p>\n This blacklists and unloads the\u00a0 Systems that rely on IPsec VPN tunnels should weigh operational impact carefully before applying the workaround and prioritize applying distribution-backported kernel patches once available.<\/p>\n The complete technical write-up and PoC exploit code are available at the\u00a0researcher\u2019s GitHub repository<\/a>.<\/p>\n Cybercriminals now enter through your suppliers instead of your front door \u2013 Free Webinar<\/a><\/strong><\/p>\n The post Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges \u2013 PoC Released<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nfrag<\/code>\u00a0member of the kernel\u2019s\u00a0struct sk_buff<\/code>\u00a0rather than\u00a0struct pipe_buffer<\/code>.<\/p>\n\/etc\/passwd<\/code>\u00a0or\u00a0\/usr\/bin\/su<\/code>\u00a0\u2014 into the\u00a0frag<\/code>\u00a0slot of a sender-side\u00a0skb<\/code>.<\/p>\nDirty Frag Linux Vulnerability<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvNNkEm4n2veZNOnPpqWrX9M8GjDETaFwa7dObbN-Q4_3o4y5fJBSi5y82MGk5J8smySRKPoCCGQKQjmPomBbPIKsWpMbu1C5gWIvsMGhW4hvWJxEbHdRaFQU0VfKU-454z_jY7TaKPXy6rpLjYY5IMxIg9v0bcsP1gzOUfHVqtjONzfNrlJ50MNuZooB7\/s16000\/demo.gif?ssl=1\")
esp_input()<\/code>, the IPsec ESP receive path. When an\u00a0skb<\/code>\u00a0is non-linear but lacks a frag list, the code skips the mandatory\u00a0skb_cow_data()<\/code>\u00a0buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.<\/p>\nXFRMA_REPLAY_ESN_VAL<\/code>\u00a0netlink attribute, the attacker can control both the\u00a0location<\/em>\u00a0(file offset) and the\u00a0value<\/em>\u00a0(4 bytes) of each store operation, enabling them to overwrite arbitrary bytes of\u00a0\/usr\/bin\/su<\/code>\u2018s page cache with a static root-shell ELF 192 bytes written across 48 chunks of 4 bytes each.<\/p>\n-EBADMSG<\/code>) is returned afterward, but the page cache write has already persisted. This variant requires the ability to create a user namespace (unshare(CLONE_NEWUSER)<\/code>).<\/p>\nrxkad_verify_packet_1()<\/code>, which performs an in-place single-block\u00a0pcbc(fcrypt)<\/code>\u00a0decryption on the first 8 bytes of the RxRPC payload.<\/p>\nskb_to_sgvec()<\/code>\u00a0converts the splice-pinned page cache page directly into the SGL, the attacker-controlled page becomes both src and dst.<\/p>\nfcrypt_decrypt(C, K)<\/code>, where\u00a0K<\/code>\u00a0is a freely specifiable session key registered via\u00a0add_key(\"rxrpc\", ...)<\/code>\u00a0\u2014 an operation requiring\u00a0no privileges at all.<\/p>\nK<\/code>\u00a0in user space until the desired plaintext (e.g., turning\u00a0\/etc\/passwd<\/code>\u00a0line 1\u2019s password field into an empty string) is produced, enabling PAM\u00a0nullok<\/code>\u00a0authentication bypass.<\/p>\n\n
rxrpc.ko<\/code>\u00a0is absent on most distros like RHEL 10.1 by default \u2014 yet ships and auto-loads on Ubuntu.<\/li>\n<\/ul>\nunshare(CLONE_NEWUSER)<\/code>\u00a0fails, it automatically falls back to the RxRPC path targeting\u00a0\/etc\/passwd<\/code>.<\/p>\nAffected Distributions and Kernel Versions<\/strong><\/h2>\n
cac2661c53f3<\/code>\u00a0(January 2017), and the RxRPC flaw since\u00a02dc334f1a63a<\/code>\u00a0(June 2023), giving the chain an effective window of approximately 9 years. Confirmed affected distributions include:<\/a><\/p>\n\n
SKBFL_SHARED_FRAG<\/code>\u00a0flag to ensure splice-pinned pages always route through\u00a0skb_cow_data()<\/code>\u00a0\u2014 was merged into the netdev tree on May 7, 2026.<\/p>\n|| skb->data_len<\/code>\u00a0to the existing\u00a0skb_cloned()<\/code>\u00a0gate to force isolation of non-linear skbs, remains unmerged upstream.<\/p>\nImmediate Mitigation<\/strong><\/h2>\n
bash
sh -c \"printf 'install esp4 \/bin\/falseninstall esp6 \/bin\/falseninstall rxrpc \/bin\/falsen' > \/etc\/modprobe.d\/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>\/dev\/null; true\"<\/code><\/pre>\nesp4<\/code>,\u00a0esp6<\/code>, and\u00a0rxrpc<\/code>\u00a0modules, disrupting IPsec and RxRPC functionality as a trade-off.<\/p>\n