New Linux 'Dirty Frag' zero-day gives root on all major distros

Published: May 8, 2026 at 03:45 AM EDT

Source: Bleeping Computer

Overview

A new Linux zero‑day vulnerability, Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. Security researcher Hyunwoo Kim disclosed the flaw on May 7 2026 and published a proof‑of‑concept (PoC) exploit. The vulnerability was introduced roughly nine years ago in the Linux kernel’s algif_aead cryptographic algorithm interface.

Technical Details

Dirty Frag works by chaining two separate kernel flaws:

  • xfrm‑ESP Page‑Cache Write vulnerability
  • RxRPC Page‑Cache Write vulnerability

By exploiting both, an attacker can modify protected system files in memory without authorization and achieve privilege escalation. The exploit targets the fragment field of a kernel data structure, placing it in the same class as the earlier Dirty Pipe and Copy Fail vulnerabilities but using a different vector.

The vulnerability has not yet been assigned a CVE‑ID and affects a wide range of Linux distributions, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, none of which have received patches at the time of writing.

“As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities,” – Hyunwoo Kim.

“Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.” – Hyunwoo Kim.


Dirty Frag demo (Hyunwoo Kim)

Kim released complete documentation and a PoC exploit after an embargo on full public disclosure was broken on May 7 2026, when an unrelated third party independently published the exploit.

Mitigation

To reduce the attack surface, Linux users can disable the vulnerable esp4, esp6, and rxrpc kernel modules. Note: This will break IPsec VPNs and AFS distributed network file systems.

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

For additional mitigation steps, see the Dirty Frag GitHub repository.
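
One way to confirm that the mitigation above took effect, as an added example that is not part of the original article or the researcher's repository: the script checks that each of esp4, esp6 and rxrpc is redirected by an install line in a modprobe.d directory and is absent from a /proc/modules listing. The function names and the demo data are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the Dirty Frag module mitigation (esp4, esp6, rxrpc).
# Arguments default to the live paths; the demo at the end uses constructed data.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Succeeds if a *.conf file in directory $2 redirects module $1 to /bin/false
# (as the article's command does) or /bin/true.
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)[[:space:]]*$" \
        "$2"/*.conf
}

# Succeeds if module $1 appears in the /proc/modules-format file $2.
is_loaded() {
    grep -qs "^$1 " "$2"
}

# Prints "<module> <status>" per module and returns the number of modules
# that are loaded or not blocked (0 = mitigation fully in place).
audit_dirtyfrag() {
    conf_dir=${1:-/etc/modprobe.d}
    proc_modules=${2:-/proc/modules}
    failures=0
    for mod in $DIRTYFRAG_MODULES; do
        status=""
        is_blocked "$mod" "$conf_dir" || status="not-blocked"
        if is_loaded "$mod" "$proc_modules"; then
            status="${status:+$status,}loaded"
        fi
        [ -z "$status" ] || failures=$((failures + 1))
        echo "$mod ${status:-ok}"
    done
    return "$failures"
}

# Demo on constructed data: esp6 is blocked on disk but still loaded (rmmod
# failed or was skipped), and rxrpc was never added to the config.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$tmp/dirtyfrag.conf"
    printf 'esp6 20480 2 - Live 0x0000000000000000\n' > "$tmp/modules"
    audit_dirtyfrag "$tmp" "$tmp/modules"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "modules needing attention: $?"
```

Calling `audit_dirtyfrag` with no arguments checks /etc/modprobe.d and /proc/modules on the running host. A module reported as loaded is still in the running kernel even when the config file blocks future loads.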

Related Vulnerabilities

  • Copy Fail – another root‑privilege escalation flaw that is currently being actively exploited. It was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog in early May 2026, prompting federal agencies to apply mitigations by May 15.
  • Pack2TheRoot – a separate privilege‑escalation bug in the PackageKit daemon that was patched in April 2026.
