A concerning new Linux kernel vulnerability, dubbed “Dirty Frag,” has been disclosed, posing a local privilege escalation (LPE) risk. The unpatched flaw, reported on April 30, 2026, allows an unprivileged local user to potentially gain administrative root access on a wide range of popular Linux distributions. This discovery follows closely on the heels of another significant LPE vulnerability, Copy Fail, indicating ongoing challenges in securing the core of Linux systems.
Security researcher Hyunwoo Kim described Dirty Frag as a “successor” to Copy Fail, built by chaining two distinct page-cache write vulnerabilities: xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write. The combined exploit is noted for its high success rate and determinism; crucially, it does not depend on winning a race condition.
Understanding the Dirty Frag Linux Kernel Vulnerability
The Dirty Frag vulnerability exploits flaws within the Linux kernel’s networking subsystems. According to the researcher’s write-up, the xfrm-ESP Page-Cache Write vulnerability stems from a code commit made in January 2017 to the IPsec (xfrm) component. It provides a primitive for overwriting small amounts of data in the kernel’s page cache, comparable to the primitive used by Copy Fail.
However, exploiting xfrm-ESP Page-Cache Write typically requires the ability to create unprivileged user namespaces, which some distributions restrict by default; Ubuntu, for example, restricts it through AppArmor. This is where the second component of the Dirty Frag exploit becomes critical.
The Role of RxRPC Page-Cache Write
The RxRPC Page-Cache Write vulnerability, introduced in June 2023, does not require user namespace creation. While the rxrpc.ko module that contains it is not built on many distributions (RHEL 10.1, for example), it ships in Ubuntu’s default kernel build. This difference in default configurations is what makes the chaining in Dirty Frag work.
“Chaining the two variants makes the blind spots cover each other,” explained Kim. “In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.” Falling back from one variant to the other lets the exploit cover a broader range of Linux systems than either variant alone.
Implications and Affected Distributions
The successful exploitation of Dirty Frag could grant an attacker full root privileges. This could lead to complete system compromise, including data theft, unauthorized modifications, and the installation of persistent malware. The vulnerability has been confirmed to affect widely used distributions such as Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
CloudLinux, in its advisory, detailed that the flaw resides in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface.” AlmaLinux elaborated that the bug affects the in-place decryption fast paths of esp4, esp6, and rxrpc. When a socket buffer contains paged fragments that are not exclusively owned by the kernel, the receive path can decrypt in place over those externally backed pages, which can expose or corrupt plaintext in pages that an unprivileged process still references.
Adding to the immediate concern, a working proof-of-concept (PoC) exploit has already been released. This PoC reportedly allows for gaining root privileges with a single command, significantly lowering the barrier to entry for potential attackers. This underscores the urgency for users and administrators to address the vulnerability.
Mitigation and Future Outlook
Until official patches are released by the Linux kernel developers, a temporary mitigation has been recommended: block loading of the esp4, esp6, and rxrpc kernel modules. Two caveats apply. Blocking esp4 and esp6 disables IPsec ESP on the host, so any IPsec VPN it terminates will stop working, and rmmod fails for a module that is in use, in which case the blocklist only prevents the module from being reloaded later. A modprobe “install” line also has no effect on a module compiled into the kernel rather than built as a loadable module. The command provided to achieve this is:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
It is important to note that Dirty Frag is not stopped by the commonly recommended Copy Fail mitigation, which is to block loading of the algif_aead module. Dirty Frag can be exploited whether or not algif_aead is available, because it targets different components of the kernel’s networking stack.
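As an added example, not taken from the advisory, the researcher’s write-up or the PoC, the POSIX shell helpers below generate the module-blocklist file described above and report a host’s exposure: whether esp4, esp6 and rxrpc are loaded or merely loadable, whether Ubuntu’s AppArmor user-namespace restriction is on, and the state of algif_aead, since blocking that module (the Copy Fail mitigation) does not help here. The function names are my own, and every path is a parameter so the checks can be run against constructed fixtures instead of the live system; the sample /proc/modules lines in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not from the Dirty Frag advisory or PoC: helpers to write the
# recommended modprobe blocklist and to check a host's exposure. Function
# names are assumptions; paths are parameters so the functions can be run
# against constructed fixtures instead of the live system.

# Content of /etc/modprobe.d/dirtyfrag.conf: "install <mod> /bin/false" makes
# modprobe run /bin/false instead of inserting the module, so loads fail.
# Note: this does nothing for a module compiled into the kernel (=y).
dirtyfrag_conf() {
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n'
}

# Succeed if the modprobe.d file $1 blocks all three modules Dirty Frag uses.
conf_blocks_all() {
    for m in esp4 esp6 rxrpc; do
        grep -Eq "^install[[:space:]]+$m[[:space:]]+/bin/false" "$1" 2>/dev/null || return 1
    done
}

# Succeed if module $1 appears in a /proc/modules-style file $2.
module_loaded() {
    mod=$1; modfile=${2:-/proc/modules}
    [ -r "$modfile" ] || return 1
    grep -q "^$mod " "$modfile"
}

# Succeed if a loadable object for module $1 exists under the module tree $2
# (.ko, .ko.zst, .ko.xz, .ko.gz). A module that is neither loaded nor found
# here is either not built or built in; check /sys/module for the latter.
module_available() {
    mod=$1; tree=${2:-/lib/modules/$(uname -r)}
    [ -d "$tree" ] || return 1
    find "$tree" -name "$mod.ko*" 2>/dev/null | grep -q .
}

# One line per module: loaded, loadable or absent. algif_aead is listed
# because blocking it (the Copy Fail mitigation) does not block Dirty Frag.
# Last line: the Ubuntu sysctl that restricts unprivileged user namespaces
# (1 = restricted, so the ESP variant is blocked and rxrpc is the fallback).
exposure_report() {
    modfile=${1:-/proc/modules}; tree=${2:-/lib/modules/$(uname -r)}
    for m in esp4 esp6 rxrpc algif_aead; do
        if module_loaded "$m" "$modfile"; then state=loaded
        elif module_available "$m" "$tree"; then state=loadable
        else state=absent
        fi
        printf '%s: %s\n' "$m" "$state"
    done
    userns=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo unknown)
    printf 'kernel.apparmor_restrict_unprivileged_userns: %s\n' "$userns"
}

# Apply on a live host (needs root):
#   dirtyfrag_conf | sudo tee /etc/modprobe.d/dirtyfrag.conf >/dev/null
#   sudo rmmod esp4 esp6 rxrpc 2>/dev/null; exposure_report
# rmmod fails for a module in use (an active IPsec SA keeps esp4/esp6 busy);
# the blocklist then only prevents reloading once the module is freed.
```

Run exposure_report before and after applying the blocklist: a module that still shows as loaded after rmmod is in use and is still exploitable until it can be unloaded or the kernel is patched.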
The disclosure and PoC release of Dirty Frag highlight the ongoing battle against privilege escalation vulnerabilities in the Linux kernel. The next steps will involve the development and distribution of official patches for affected Linux distributions. Users are strongly advised to monitor for these updates and apply them as soon as they become available to secure their systems against this critical Linux kernel vulnerability.