Key Takeaways
- A new local privilege escalation (LPE) flaw, dubbed Dirty Frag, chains two page‑cache write primitives in the Linux kernel to gain root without a race condition.
- The underlying bugs are the xfrm‑ESP Page‑Cache Write (introduced Jan 2017) and the RxRPC Page‑Cache Write (introduced Jun 2023).
- Exploitation works on most major distributions (Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, Fedora 44) despite namespace‑creation restrictions on Ubuntu.
- A working proof‑of‑concept (PoC) can achieve root with a single command; until patches arrive, administrators should blocklist the
esp4,esp6, andrxrpckernel modules. - Dirty Frag is deterministic, does not rely on timing windows, and remains effective even when the
algif_aeadmitigation for the earlier Copy Fail (CVE‑2026‑31431) is applied.
Introduction
Security researcher Hyunwoo Kim (@v4bel) disclosed a previously unpatched local privilege escalation vulnerability affecting the Linux kernel, named Dirty Frag. The flaw builds upon the logic of the earlier Copy Fail bug (CVE‑2026‑31431) but removes the need for a race condition, making exploitation deterministic and highly reliable. Kim reported the issue to kernel maintainers on April 30, 2026, and noted that the vulnerability can chained two distinct page‑cache write primitives to obtain root on most mainstream Linux distributions.
Vulnerability Overview
Dirty Frag is classified as a deterministic logic bug that does not require a timing window or cause a kernel panic when the exploit fails. By stringing together the xfrm‑ESP Page‑Cache Write and the RxRPC Page‑Cache Write vulnerabilities, an unprivileged local user can overwrite kernel memory in a controlled fashion and escalate to root privileges. The absence of a CVE identifier stems from an embargo break after details and an exploit for the xfrm‑ESP primitive were published by an unrelated third party.
Technical Details: xfrm‑ESP Page‑Cache Write
The xfrm‑ESP primitive resides in the IPsec (xfrm) subsystem and offers a four‑byte store capability similar to Copy Fail. It overwrites a small region in the kernel’s page cache when a socket buffer carries paged fragments that are not privately owned by the kernel—such as pages attached via splice(2), sendfile(2), or MSG_SPLICE_PAGES. The vulnerability was introduced in a source‑code commit dated January 17, 2017, the same commit that later caused buffer‑overflow CVE‑2022‑27666. On distributions where AppArmor blocks unprivileged user‑namespace creation (e.g., Ubuntu), this primitive cannot be triggered because the exploit first requires a namespace to set up the necessary socket buffers.
Technical Details: RxRPC Page‑Cache Write
The second primitive, RxRPC Page‑Cache Write, targets the RxRPC subsystem and does not require the ability to create a user namespace. However, the rxrpc.ko kernel module is not included in the default builds of many enterprise distributions (e.g., RHEL 10.1). Ubuntu, by contrast, loads rxrpc.ko by default, making the RxRPC path available there. When a socket buffer with externally‑backed pages traverses the RxRPC receive path, the kernel decrypts data in‑place over those pages, exposing or corrupting plaintext that an unprivileged process still references—providing another four‑byte write primitive.
Chaining the Two Exploits
Kim explains that the two primitives complement each other’s blind spots: on systems where user namespace creation is permitted, the xfrm‑ESP exploit runs first; on Ubuntu, where namespace creation is blocked but rxrpc.ko is present, the RxRPC exploit takes over. By chaining them, an attacker can reliably achieve root regardless of the distribution’s specific security configurations. The combined attack does not depend on timing windows, resulting in a very high success rate and no kernel panic on failure.
Impact and Affected Distributions
Successful exploitation grants an unprivileged local user full root access, enabling arbitrary code execution, persistence, and complete system compromise. The researcher confirmed that the flaw works on Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. Because the underlying code dates back to 2017, virtually all recent kernels that have not received the specific patches are vulnerable, spanning a wide range of enterprise, desktop, and cloud environments.
Mitigation Recommendations
Until official patches are released, administrators can mitigate the risk by preventing the vulnerable kernel modules from loading. A recommended temporary measure is to create a modprobe configuration file that redirects module loading to /bin/false and then unload any already‑loaded instances:
bash
sudo sh -c "printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf; \
rmmod esp4 esp6 rxrpc 2>/dev/null; true"
This blocks esp4, esp6, and rxrpc, eliminating both primitives. Additionally, monitoring for unusual namespace creation or RxRPC traffic can help detect attempted exploits.
Proof‑of‑Concept and Exploitability
A working proof‑of‑concept (PoC) has been made public that achieves root with a single command, demonstrating the practicality of the attack. The PoC leverages the chained primitives to overwrite kernel pointers and spawn a root shell. Notably, Dirty Frag remains effective even when the algif_aead module—which mitigates the earlier Copy Fail bug—is disabled or blacklisted, confirming that the two vulnerabilities are independent in terms of mitigations.
Relation to Copy Fail
Dirty Frag shares conceptual similarities with Copy Fail (CVE‑2026‑31431), particularly the use of a four‑byte store primitive in the page cache. However, Dirty Frag removes the requirement for a race condition, making it deterministic and more reliable. The researcher emphasizes that existing Copy Fail mitigations do not protect against Dirty Frag, underscoring the need for distinct patches targeting the xfrm‑ESP and RxRPC pathways.
Conclusion
The emergence of Dirty Frag highlights the ongoing risk posed by subtle logic flaws in kernel subsystems that handle network‑related data paths. By combining two independently introduced page‑cache write vulnerabilities, attackers can bypass common mitigations and achieve reliable root escalation across major Linux distributions. Prompt application of vendor patches, coupled with the temporary module‑blocking strategy outlined above, is essential to protect systems until a permanent fix is integrated into the kernel mainline. Administrators should remain vigilant for further disclosures and prioritize updating affected systems as soon as patches become available.