Dirty Frag: New Linux Kernel LPE Chain Enables High-Reliability Root Exploitation

Overview

Security researchers have disclosed a new unpatched local privilege escalation (LPE) vulnerability affecting the Linux kernel, referred to as Dirty Frag. The issue is considered a successor to the recently disclosed Copy Fail (CVE-2026-31431) and shares similarities with earlier kernel bugs such as Dirty Pipe.

Unlike traditional race-condition-based exploits, Dirty Frag is a deterministic logic flaw that does not depend on timing windows, making exploitation significantly more reliable and consistent across systems.

The vulnerability was reported to Linux kernel maintainers on April 30, 2026, but no complete patch is available for all affected components at the time of writing.

Technical Breakdown

Dirty Frag is not a single vulnerability but a chained exploitation technique combining two separate kernel issues:

  • xfrm-ESP Page-Cache Write vulnerability (IPsec subsystem)
  • RxRPC Page-Cache Write vulnerability

Together, these flaws allow attackers to manipulate page-cache-backed memory that is not exclusively owned by the kernel.

xfrm-ESP Path

The xfrm-ESP issue exists in the IPsec (xfrm) subsystem and provides a 4-byte write primitive, allowing controlled corruption of kernel page cache memory. However, exploitation typically requires user namespaces, which may be restricted by security mechanisms such as AppArmor.

RxRPC Path

The RxRPC vulnerability affects the rxrpc.ko kernel module. Unlike xfrm-ESP, it does not require user namespace creation. However, many distributions do not include or load this module by default.

Why the Chain Works

Dirty Frag combines both weaknesses to bypass environment-specific protections:

  • Systems allowing user namespaces → xfrm-ESP is usable
  • Systems blocking namespaces but loading RxRPC → RxRPC path is usable

This dual-path design allows attackers to maintain a high success rate across different Linux distributions.

Impacted Systems

According to researchers and vendor advisories, the vulnerability affects or potentially impacts:

  • Ubuntu 24.04.4
  • RHEL 10.1
  • Fedora 44
  • openSUSE Tumbleweed
  • CentOS Stream 10
  • AlmaLinux 10
  • Debian-based distributions
  • Amazon Linux
  • Rocky Linux
  • SUSE distributions

On container workloads, the issue may also enable container escape scenarios, depending on configuration.

Exploitation Details

Cloud security researchers describe the flaw as residing in:

ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path reachable via the XFRM netlink interface.

The issue occurs when socket buffers containing paged fragments are decrypted in place, even when those pages are externally referenced (e.g., via splice() or sendfile()), leading to unintended memory corruption or exposure.

This can allow:

  • Kernel memory corruption
  • Sensitive data leakage
  • Privilege escalation to root

Proof-of-Concept and Active Exploitation

A working proof-of-concept (PoC) exploit has been publicly released, reportedly capable of achieving root access with a single command execution.

Microsoft has observed limited in-the-wild exploitation, where attackers:

  • Gain initial SSH access
  • Execute an ELF binary (./update)
  • Trigger privilege escalation using su
  • Modify GLPI LDAP authentication files
  • Perform system reconnaissance and session manipulation

This suggests the vulnerability is already being integrated into real-world attack chains.

Mitigation

Until full patches are widely available, administrators are advised to mitigate exposure by disabling vulnerable kernel modules:

```bash
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"