Overview
A previously unknown Linux kernel vulnerability, dubbed "Dirty Frag," has been discovered, allowing attackers to exploit a flaw in the Linux kernel's fragmentation handling, potentially leading to local privilege escalation (LPE) and arbitrary code execution. The vulnerability affects Linux kernels 5.15 and later and can be triggered by a maliciously crafted TCP packet.
What it does
Dirty Frag extends the bug class to which Dirty Pipe and Copy Fail belong. It is a deterministic logic bug: it does not depend on a timing window, and no race condition is required. The kernel does not panic when the exploit fails, and the success rate is very high. An exploit can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.
Mitigation
Because the responsible disclosure schedule and the embargo have been broken, no patch exists for any distribution. To mitigate the vulnerability, users can block and remove the modules in which the vulnerabilities occur and clear the page cache by running the following command as root:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
Once each distribution backports a patch, users should update accordingly.
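The mitigation one-liner above writes a modprobe.d blacklist, unloads the modules and drops the page cache, but it gives no feedback on whether the modules actually unloaded (rmmod fails silently when a module is in use, for example by an active IPsec tunnel or a kafs mount). The following script is an added example, not part of the original advisory or the dirtyfrag repository: it reproduces the same three steps as shell functions and adds a check that parses a /proc/modules listing and reports which of esp4, esp6 and rxrpc are still loaded. The module names come from the page; the function names, the --demo switch and the sample /proc/modules lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the advisory or the dirtyfrag project.
# Module names esp4, esp6, rxrpc are taken from the page's mitigation;
# the helpers and the sample data below are assumptions for illustration.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the modprobe.d content that maps each affected module to /bin/false,
# so later modprobe or autoload attempts fail instead of loading the module.
dirtyfrag_modprobe_conf() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Given a file in /proc/modules format (first field is the module name),
# print the affected modules that appear in it, one per line.
# Returns 0 if none of them are loaded, 1 if at least one still is.
dirtyfrag_loaded_modules() {
    modules_file="${1:-/proc/modules}"
    found=0
    for m in $DIRTYFRAG_MODULES; do
        if awk -v name="$m" '$1 == name { hit=1 } END { exit !hit }' "$modules_file"; then
            echo "$m"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Apply the advisory's mitigation (must run as root): write the blacklist,
# unload the modules, drop the page cache, then report anything still loaded.
dirtyfrag_apply() {
    dirtyfrag_modprobe_conf > /etc/modprobe.d/dirtyfrag.conf
    rmmod $DIRTYFRAG_MODULES 2>/dev/null
    echo 3 > /proc/sys/vm/drop_caches
    if dirtyfrag_loaded_modules /proc/modules; then
        echo "dirtyfrag: none of the affected modules are loaded"
    else
        echo "dirtyfrag: the modules listed above are still loaded (in use?); check lsmod, IPsec and AFS users" >&2
        return 1
    fi
}

# Offline demo against a constructed /proc/modules sample (not a real listing).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
esp4 24576 0 - Live 0x0000000000000000
xfrm_user 53248 1 - Live 0x0000000000000000
rxrpc 12345 1 kafs, Live 0x0000000000000000
ext4 1048576 2 - Live 0x0000000000000000
EOF
    dirtyfrag_loaded_modules "$tmp" || echo "dirtyfrag: affected modules still loaded"
    rm -f "$tmp"
fi
```

Run it with --demo to see the check against the constructed sample, or source it and call dirtyfrag_apply as root on an affected host; a non-zero return from dirtyfrag_apply means a module refused to unload and the host is not yet mitigated.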
The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6. The RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.
Dirty Frag has been tested on several distribution versions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
In summary, Dirty Frag is a serious Linux kernel vulnerability that can lead to local privilege escalation and arbitrary code execution. Users should take immediate action to mitigate the vulnerability by removing the affected modules and clearing the page cache. Once patches are available, users should update their systems accordingly.