New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html
Publish Date: 2026-06-26 07:51:00
Source Domain: thehackernews.com
DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant.
Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in mainline on May 21; if your kernel does not have it, update now.
When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet’s memory as shared with a file on disk. That missing flag is the entire vulnerability.
The attacker loads a privileged binary like /usr/bin/su into memory, wires those memory pages into a network packet, and forces the kernel to clone it. The cloned packet passes through an IPsec tunnel that the attacker controls, and the decryption step overwrites the binary’s login checks with attacker-chosen bytes. The next time anyone runs su, it hands over root.
The file on disk never changes. The modification lives only in the kernel’s in-memory copy, so file-integrity tools miss it, the attack leaves no audit trail, and a reboot restores the original binary. The attacker already has root by the time anyone might think to check.
Exploitation requires CAP_NET_ADMIN to configure the loopback IPsec tunnel. On Debian and Fedora, unprivileged user namespaces are enabled by default, so a local user can obtain that capability inside a new namespace.
Ubuntu 24.04 and later restrict namespace creation via AppArmor, which blocks the default exploit path. The page cache is shared at the host level, so a modification made inside a namespace affects every process on the machine.
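One way to check the precondition described above on a host, that is, whether an unprivileged local user can create a user namespace at all. This is an added example, not code from the article or from JFrog; the three sysctl keys are real upstream and distro knobs, and the verdict labels are my own.

```shell
#!/bin/sh
# Added exposure check (not from the article or JFrog). Reports whether this
# host lets an unprivileged user create a user namespace, the step the article
# names for obtaining CAP_NET_ADMIN locally. Which knobs exist varies:
#   kernel/unprivileged_userns_clone              Debian-family patch, 0 = off
#   user/max_user_namespaces                      upstream, 0 = off
#   kernel/apparmor_restrict_unprivileged_userns  Ubuntu 23.10+, 1 = restricted

# Print the value of a /proc/sys key, or "absent" if the kernel lacks it.
sysctl_or_absent() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo absent
    fi
}

# Verdict from the knobs alone. Echoes one of: restricted, exposed, unknown.
userns_exposure() {
    clone=$(sysctl_or_absent kernel/unprivileged_userns_clone)
    maxns=$(sysctl_or_absent user/max_user_namespaces)
    aa=$(sysctl_or_absent kernel/apparmor_restrict_unprivileged_userns)

    if [ "$clone" = 0 ] || [ "$maxns" = 0 ] || [ "$aa" = 1 ]; then
        echo restricted
    elif [ "$maxns" = absent ]; then
        # No recognisable /proc/sys layout (non-Linux, or CONFIG_USER_NS off).
        echo unknown
    else
        echo exposed
    fi
}

# Empirical confirmation: as a non-root user, try to open a user namespace.
# Skipped for root, whose unshare succeeds regardless of the knobs above.
userns_probe() {
    if [ "$(id -u)" = 0 ] || ! command -v unshare >/dev/null 2>&1; then
        echo skipped
    elif unshare -Ur true 2>/dev/null; then
        echo allowed
    else
        echo denied
    fi
}

main() {
    echo "sysctl verdict: $(userns_exposure)"
    echo "unshare probe:  $(userns_probe)"
}
main
```

A "restricted" verdict only removes the namespace route described here; it is not a substitute for the kernel patch.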
The exposed systems are multi-tenant servers, CI runners, container hosts, and Kubernetes clusters where untrusted users can create namespaces. JFrog confirmed the exploit on Debian, Ubuntu, and Fedora systems…