Devastating 'Dirty Frag' exploit leaks out, gives immediate root access on most Linux machines since 2017, no patches available, no warning given — Copy Fail-like vulnerability had its embargo broken

Published: (May 7, 2026 at 08:17 PM EDT)
Source: Tom’s Hardware

Overview

The Dirty Frag vulnerability is an instant‑root exploit that affects most Linux installations dating back to 2017. It works similarly to the earlier Copy Fail exploit and allows any local user to obtain root privileges by running a small program. No advance warning was given, and no patches are currently available. The embargo on the vulnerability appears to have been broken, suggesting that malicious actors may already be exploiting it.

Exploit demonstration

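A short command sequence applies the temporary mitigation: it writes a dirtyfrag.conf that makes modprobe run /bin/false instead of loading the vulnerable modules, then removes those modules if they are currently loaded (run as root):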

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
    > /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null || true

To test a system with the proof‑of‑concept (PoC) provided by the researchers:

git clone https://github.com/V4bel/dirtyfrag.git
cd dirtyfrag
gcc -O0 -Wall -o exp exp.c -lutil
./exp

Technical details

The exploit relies on a zero‑copy operation that splices a page‑cache descriptor into a vulnerable kernel path. The faulty code resides in the IPSec‑related modules:

  • xfrm‑ESP Page Cache Write – introduced in kernel commit cac2661c53f3 (2017) and present in most distributions.
  • RxRPC Page‑Cache Write – added in commit 2dc334f1a63a; used as a secondary chain when the primary exploit is mitigated (e.g., by Ubuntu’s AppArmor).

For an in‑depth write‑up, see the researchers’ documentation: .

Impact and mitigation

  • Affected distributions include current releases of Ubuntu (24.04, 26.04), Arch, RHEL, OpenSUSE, CentOS Stream, Fedora, AlmaLinux, and even WSL2.
  • No official patches have been released.
  • Users should monitor kernel updates and security advisories for any forthcoming fixes.
  • As a temporary mitigation, consider disabling or blacklisting the vulnerable modules (esp4, esp6, rxrpc) if they are not required for your workload.
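
To confirm that the temporary mitigation is actually in effect, the following check reports for each of esp4, esp6 and rxrpc whether it is loaded and whether a modprobe.d install rule blocks it. It is an added example, not code from the article or the researchers; the function name check_dirtyfrag_modules and its two optional path arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the module-blocking mitigation for esp4, esp6, rxrpc.
# Usage: check_dirtyfrag_modules [MODPROBE_DIR] [PROC_MODULES]
#   defaults: /etc/modprobe.d and /proc/modules (the path arguments are an
#   assumption of this example so the check can run against test fixtures).
# Prints one line per module: "<module> loaded=<yes|no> blocked=<yes|no>".
# Returns 0 only if every module is unloaded AND blocked, 1 otherwise.
check_dirtyfrag_modules() {
    conf_dir=${1:-/etc/modprobe.d}
    proc_modules=${2:-/proc/modules}
    rc=0
    for mod in esp4 esp6 rxrpc; do
        loaded=no
        blocked=no
        # /proc/modules has one loaded module per line, name in field 1.
        # Exact match, so esp4_offload is not mistaken for esp4.
        if [ -r "$proc_modules" ] &&
           awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' \
               "$proc_modules"; then
            loaded=yes
        fi
        # Count only "install <mod> /bin/false" (or /bin/true) rules.
        # A plain "blacklist <mod>" line is not counted: it only stops
        # alias-based autoloading, not an explicit modprobe of the module.
        # Commented-out rules fail the $1 == "install" comparison.
        for f in "$conf_dir"/*.conf; do
            [ -r "$f" ] || continue
            if awk -v m="$mod" '
                $1 == "install" && $2 == m &&
                ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
                END { exit !found }' "$f"; then
                blocked=yes
            fi
        done
        echo "$mod loaded=$loaded blocked=$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then
            rc=1
        fi
    done
    return $rc
}
```

The check covers loadable modules only: code compiled directly into the kernel does not appear in /proc/modules and is not affected by modprobe.d rules.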

This article summarizes publicly available information about the Dirty Frag vulnerability. No additional proprietary or unpublished details are included.
