DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk

Staff Editor 2026-06-27
DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk

DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk

https://securityaffairs.com/194338/uncategorized/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html

Publish Date: 2026-06-27 06:06:00

Source Domain: securityaffairs.com

DirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root

Pierluigi Paganini
June 27, 2026

DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace. Patch now.

JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation they call DirtyClone. It’s the fourth vulnerability in the DirtyFrag family, all sharing the same root failure: file-backed memory gets treated as packet data, and an in-place network operation writes where it should have copied. CVSSIf your kernel doesn’t have the May 21 mainline patch, update now.

“The severity of this issue is significant because it allows any unprivileged local user to gain root access (LPE) by manipulating the Linux page cache.” reads the report published by JFrog. “The attack is silent, leaves no kernel logs or audit traces, and bypasses common on-disk integrity monitoring tools.”

The attacker loads a privileged binary like /usr/bin/su into memory, wires those pages into a network packet, and forces the kernel to clone it through a loopback IPsec tunnel they control. The decryption step overwrites the binary’s authentication logic with attacker-chosen bytes, and the next run of su hands over root — while the file on disk stays untouched.

The exploit requires CAP_NET_ADMIN to configure the IPsec environment. On Debian and Fedora that capability is reachable by any local user through unprivileged user namespaces, which are enabled by default.

“The attacker begins by creating a fresh network namespace:

unshare -Urn

This provides network administrative capabilities inside the namespace.” continues the report. “While capabilities are namespaced, page cache is shared at the host level, so if file-backed pages are modified through shared mappings, the effects…

Source

More Stories

Hacking Routers Like It’s 2008

Hacking Routers Like It’s 2008

Staff Editor 2026-06-27
Microsoft made a Linux distro, and it’s not what you’d expect

Microsoft made a Linux distro, and it’s not what you’d expect

Staff Editor 2026-06-27
Linux MD RAID5 Seeing Scalability Improvements Up To 17%

Linux MD RAID5 Seeing Scalability Improvements Up To 17%

Staff Editor 2026-06-27

Terms and Conditions - Privacy Policy