“Dirty Frag”: Linux flaws grant root access

Further vulnerabilities named “Dirty Frag” enable privilege escalation. All distributions are reportedly affected.


The privilege escalation vulnerability has not only been named “Dirty Frag” but also given its own mascot.

(Image: heise medien / Hyunwoo Kim (@v4bel))


“Dirty Frag” marks the third privilege escalation vulnerability (or rather, combination of vulnerabilities) discovered within two weeks, allowing attackers to escalate their privileges in most Linux distributions. As some parties apparently published information too early, the discoverer Hyunwoo Kim (X-handle @v4bel) felt compelled to make the vulnerabilities public now – without updates for affected Linux distributions or a CVE vulnerability entry being available.

He writes this in the GitHub project for the vulnerability combination “Dirty Frag.” There he demonstrates how the two vulnerabilities are chained; a complete deep dive discusses them in detail. Both vulnerabilities ultimately allow the page cache, i.e. the in-memory copy, of files to be manipulated even though the user only has read access to them, such as “/etc/passwd” or “/usr/bin/su.” On subsequent access, Linux serves the modified contents from RAM rather than from disk, which grants further-reaching privileges and ultimately root access. This is very reminiscent of the vulnerability known as “Copy Fail.” Kim explains that this was also the starting point for his vulnerability search. To circumvent certain restrictions in Linux distributions that would otherwise prevent an exploit, he chains the two security vulnerabilities. On systems that were secured against “Copy Fail” by blacklisting the algif_aead module, “Dirty Frag” still works.

The vulnerabilities impact xfrm-ESP and RxRPC, both of which have a page cache write vulnerability. Kim has successfully tested the vulnerabilities on several distributions, gaining root privileges: Ubuntu 24.04.4 (Kernel 6.17.0-23-generic), RHEL 10.1 (Kernel 6.12.0-124.49.1.el10_1.x86_64), openSUSE Tumbleweed (Kernel 7.0.2-1-default), CentOS Stream 10 (Kernel 6.12.0-224.el10.x86_64), AlmaLinux 10 (Kernel 6.12.0-124.52.3.el10_1.x86_64), and Fedora 44 (with Kernel 6.19.14-300.fc44.x86_64).

Since the distributions have not yet had time to release updated kernels, Kim writes, administrators can protect themselves in the meantime by blocking and unloading the affected modules. He gives the command

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
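As an added check that is not from the article or from Kim's repository: the rmmod in the command above silently ignores failures (2>/dev/null; true), so a module that could not be unloaded would go unnoticed. The following POSIX sh script verifies the interim mitigation by parsing the modprobe.d configuration for the install-to-/bin/false rules and lsmod for modules that are still loaded; the config and lsmod texts are passed in as strings so the functions can also be exercised against constructed samples.

```shell
#!/bin/sh
# Added example (not from the article or from @v4bel's repository): verify the
# interim Dirty Frag mitigation. "Mitigated" means each of esp4, esp6 and rxrpc
# has an "install <module> /bin/false" rule in modprobe.d AND is not loaded.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# blocked_in_config MODULE CONFIG_TEXT -> 0 if a non-comment line reads
# "install MODULE /bin/false" (surrounding whitespace tolerated).
blocked_in_config() {
    printf '%s\n' "$2" \
      | grep -v '^[[:space:]]*#' \
      | grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|\$)"
}

# module_loaded MODULE LSMOD_TEXT -> 0 if MODULE appears in lsmod's first column.
module_loaded() {
    printf '%s\n' "$2" \
      | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# check_mitigation CONFIG_TEXT LSMOD_TEXT
# Prints one status line per module; returns the number of findings
# (modules still loadable or still loaded), so 0 means fully mitigated.
check_mitigation() {
    cfg="$1"; lsmod_out="$2"; findings=0
    for m in $DIRTYFRAG_MODULES; do
        if blocked_in_config "$m" "$cfg"; then
            blk="blocked"
        else
            blk="LOADABLE"; findings=$((findings + 1))
        fi
        if module_loaded "$m" "$lsmod_out"; then
            ld="LOADED"; findings=$((findings + 1))
        else
            ld="not loaded"
        fi
        printf '%-6s %-9s %s\n' "$m" "$blk" "$ld"
    done
    return "$findings"
}

# Live check of the running system: /etc/modprobe.d/*.conf is where the
# article's command writes dirtyfrag.conf; lsmod lists the loaded modules.
live_check() {
    check_mitigation "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" "$(lsmod 2>/dev/null)"
}
```

Note that the install rule only prevents the modules from being auto-loaded; a module that is in use (esp4/esp6 carry IPsec ESP traffic, rxrpc is used by the kernel AFS client) will not unload, and the script reports it as LOADED.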

Kim also proposes a source code patch in the deep dive that is intended to solve the problem. It is recommended to wait for official kernel updates from the respective distribution. A patch for the ESP component was merged into the upstream netdev tree on May 7, 2026; an upstream patch for RxRPC is still pending.


This is the third notable privilege escalation vulnerability reported in the past two weeks. About two weeks ago, the vulnerability “Pack2TheRoot” (CVE-2026-41651), discovered by the Telekom Security Team, which grants root privileges in several Linux distributions, became known. At the end of last week, the “Copy Fail” security vulnerability was added, which is now even being exploited in the wild. If you think this is a Linux-specific problem, it is not. For three weeks now, the “RedSun” zero-day vulnerability has been open in Windows, without Microsoft making any move to deliver a patch for it. A total of three such vulnerabilities have accumulated there: besides “RedSun,” also “UnDefend” and “BlueHammer.” They too enable privilege escalation and are already being exploited by malicious actors.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.