Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel.
Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
“Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) said in a write-up.
“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”
The vulnerability currently does not have a CVE identifier, as the embargo is said to have been broken after detailed information and an exploit for the xfrm-ESP Page-Cache Write vulnerability were published publicly by an unrelated third-party.
Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023. Interestingly, the same January 17, 2017, commit was the root cause behind another buffer overflow (CVE-2022-27666, CVSS score: 7.8) that affected various Linux distributions.
xfrm-ESP Page-Cache Write, which is rooted in the IPSec (xfrm) subsystem, provides attackers with a 4-byte store primitive like Copy Fail and overwrites a small amount in the kernel’s page cache.
However, the exploit requires the unprivileged user to create a namespace, a step that’s blocked by Ubuntu through AppArmor. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered. That’s where the second exploit, RxRPC Page-Cache Write, comes in.
“RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions,” Kim explained. “For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.”
“Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.”
CloudLinx, in an advisory of its own, said the flaw resides in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface.”
“The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to,” AlmaLinux said.
Similar advisories have been released by other Linux distributions –
Adding to the urgency is the release of a working proof-of-concept (PoC) that can be exploited to gain root in a single command. Until the patches are available, it’s advised to blocklist esp4, esp6, and rxrpc modules so they cannot be loaded –
sudo sh -c “printf ‘install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen’ > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true”
It’s worth mentioning here that Dirty Frag, despite sharing some overlaps with Copy Fail, can be exploited irrespective of whether the Linux kernel’s algif_aead module is enabled or not.
“Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available,” the researcher said. “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.”
Update
The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6. The RxRPC Page-Cache Write vulnerability has been assigned the identifier CVE-2026-43500, although no patch is available as of writing.
“On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user,” Ubuntu said. “In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host.”
In an advisory, Google-owned Wiz described Dirty Frag as a vulnerability chain that combines two page-cache write primitives in the Linux kernel: one in the xfrm-ESP (IPsec) subsystem and another in RxRPC.
“Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel, enabling corruption of sensitive files and ultimately privilege escalation,” researchers Merav Bar and Rami McCarthy said. “Unlike race-condition-based exploits, this bug class is deterministic and highly reliable, similar to previous vulnerabilities like Copy Fail and Dirty Pipe.”
“To pull off this exploit, an attacker needs two things: access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers (e.g., via splice()-related paths). However, there is a significant hurdle: the exploit usually requires high-level system permissions, such as CAP_NET_ADMIN. This means exploitation is less likely in hardened containerized environments (e.g., Kubernetes with default seccomp profiles).”
Limited In-The-Wild Exploitation Observed
Microsoft said it’s currently observing limited in-the-wild activity to achieve privilege escalation using the “su” (aka substitute user) command, which it noted “may be indicative of techniques associated with either ‘Dirty Frag’ or ‘Copy Fail.'”
“The campaign shows a sequential attack timeline where an external connection gains SSH access and spawns an interactive shell, followed by staging and execution of an ELF binary (./update) that immediately triggers a privilege escalation via ‘su,'” Microsoft added.
Upon gaining elevated access, the unknown threat actors have been found to modify a GLPI LDAP authentication file, perform reconnaissance of the GLPI directory and system configuration, and inspect an exploit artifact. This step is followed by the attackers accessing sensitive data and interacting with multiple PHP session files, including deleting and forcefully wiping some of them, likely in an attempt to disrupt active sessions and access to session contents.
“Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability,” Microsoft said. “Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments.”
About The Author
Original post here
