Ethical Hacking News
A new Local Privilege Escalation (LPE) vulnerability known as Dirty Frag has been discovered in the Linux kernel, allowing an unprivileged local user to gain root across major distributions. Until patches ship, users of affected distributions should apply the module blocklist workaround described below.
Summary: the Linux kernel has been hit by a Local Privilege Escalation (LPE) vulnerability called Dirty Frag. It lets an unprivileged local user gain root across major Linux distributions, and it can be exploited regardless of whether the algif_aead module is available. The two variants, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, were introduced in January 2017 and June 2023, respectively. A working proof-of-concept (PoC) has been released. Users are advised to blocklist the esp4, esp6, and rxrpc modules until patches are available.
A vulnerability can sit undetected in the kernel for years before it is found. The Linux kernel has now been hit by a Local Privilege Escalation (LPE) vulnerability known as Dirty Frag, and the older of its two variants dates back to 2017. The flaw allows an unprivileged local user to gain root across major Linux distributions.
The discovery brings a sense of urgency, particularly for anyone running an affected distribution without a fixed kernel. As researcher Hyunwoo Kim (@v4bel) pointed out in the Dirty Frag write-up, the vulnerability can be exploited regardless of whether the algif_aead module is available. That means a system that has applied the publicly known Copy Fail mitigation (the algif_aead blocklist) is still vulnerable to Dirty Frag.
The vulnerability itself was reported by Hyunwoo Kim (@v4bel) and was subsequently confirmed by CloudLinx in an advisory of their own. It was found that "the bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to."
The xfrm-ESP Page-Cache Write variant was introduced by a source commit from January 2017, while the RxRPC Page-Cache Write variant was introduced in June 2023. The two variants share the same root cause (in-place decryption over externally-backed pages) and differ only in which subsystem performs it. In both cases the flaw is a deterministic logic bug with no timing window, so no race condition is required and exploitation is reliable.
Which variant the exploit uses depends on the environment. Where unprivileged user namespace creation is allowed, as on Ubuntu, the xfrm-ESP Page-Cache Write variant runs first; configuring xfrm state needs CAP_NET_ADMIN, which an unprivileged user can obtain inside a new user and network namespace. Where user namespace creation is blocked but the rxrpc.ko module is built, as on RHEL 10.1 and Fedora 44, the RxRPC variant works instead.
Successful exploitation allows an unprivileged local user to gain root on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. A working proof-of-concept (PoC) has been released that gains root in a single command.
To mitigate this vulnerability until patches are available, users are advised to blocklist the esp4, esp6, and rxrpc modules so they cannot be loaded, and to unload them if they are already loaded. Be aware that this disables kernel IPsec ESP (esp4/esp6) and the rxrpc transport used by the in-kernel AFS client, and that a modprobe blocklist cannot help on a kernel where these are built in rather than loadable modules. The workaround is a single command:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
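The one-liner above writes the blocklist and attempts the unload but reports nothing back. The script below is an added example, not the advisory's own command: it applies the same modprobe.d "install <module> /bin/false" convention, then checks which of the affected modules are still loaded (from lsmod output) and which are compiled into the kernel (from the standard /lib/modules/$(uname -r)/modules.builtin list), where a blocklist would be ineffective. The helper names, the DIRTYFRAG_APPLY gate and the sample lsmod text are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the advisory's own command): apply and verify the Dirty Frag
# module blocklist. Assumes the three module names from the advisory, the
# modprobe.d "install <mod> /bin/false" convention, and the usual
# /lib/modules/$(uname -r)/modules.builtin layout (kernel/.../<name>.ko lines).
MODULES="esp4 esp6 rxrpc"

# write_blocklist DIR: write one "install <mod> /bin/false" line per module into
# DIR/dirtyfrag.conf and print the path. This only stops future loads; modules
# that are already loaded must still be unloaded with rmmod.
write_blocklist() {
    conf="$1/dirtyfrag.conf"
    : > "$conf"
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# loaded_modules LSMOD_OUTPUT: print the affected modules present in the given
# `lsmod` text (first column is the module name; the first line is the header).
loaded_modules() {
    printf '%s\n' "$1" | awk -v mods="$MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# builtin_modules MODULES_BUILTIN_TEXT: print affected modules compiled into the
# kernel (listed in modules.builtin as kernel/.../<name>.ko). A modprobe.d rule
# cannot block those; only a patched kernel helps.
builtin_modules() {
    printf '%s\n' "$1" | awk -v mods="$MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        { n = split($0, p, "/"); name = p[n]; sub(/\.ko$/, "", name); if (name in w) print name }'
}

# The real run happens only on request and as root:
#   DIRTYFRAG_APPLY=1 sudo sh dirtyfrag-blocklist.sh
if [ "${DIRTYFRAG_APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    write_blocklist /etc/modprobe.d
    for m in $(loaded_modules "$(lsmod)"); do
        rmmod "$m" || echo "WARNING: $m is still loaded (in use?)" >&2
    done
    b=$(builtin_modules "$(cat "/lib/modules/$(uname -r)/modules.builtin")")
    [ -z "$b" ] || echo "WARNING: built into this kernel, cannot be blocklisted: $b" >&2
fi
```

Without the DIRTYFRAG_APPLY gate the script only defines the helpers, so it can be sourced and exercised against captured lsmod or modules.builtin text before it is run for real. A module that rmmod refuses to unload (typically because an IPsec SA or an AFS mount still references it) stays exploitable until that user is gone or the kernel is patched.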
Although Dirty Frag overlaps with Copy Fail, it does not depend on algif_aead at all, so the Copy Fail mitigation (the algif_aead blocklist) on its own leaves a system exposed. Both blocklists are needed until a fixed kernel is installed.
Users running affected distributions should install the fixed kernel as soon as their vendor publishes it. Until then, blocklisting the affected modules as shown above provides an interim layer of protection.
The Linux community has already begun working on a patch. In the meantime, anyone on an affected distribution without immediate access to a fixed kernel should apply the workaround rather than wait.
Dirty Frag is another reminder that a long-standing kernel code path can turn into a reliable local root exploit once it is found. Keeping kernels current and acting promptly on workarounds such as this one remains the practical defense.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Newfound-Menace-The-Dirty-Frag-Linux-Kernel-Vulnerability-Exposes-Root-Access-Across-Major-Distributions-ehn.shtml
https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
Published: Fri May 8 02:26:33 2026 by llama3.2 3B Q4_K_M