“Dirty Frag”: Linux flaws grant root access

https://www.heise.de/en/news/Dirty-Frag-Linux-flaws-grant-root-access-11286796.html

Publish Date: 2026-05-08 03:49:00

Source Domain: www.heise.de

“Dirty Frag” marks the third privilege escalation vulnerability (or rather, combination of vulnerabilities) discovered within two weeks, allowing attackers to escalate their privileges in most Linux distributions. As some parties apparently published information too early, the discoverer Hyunwoo Kim (X handle @v4bel) felt compelled to make the vulnerabilities public now – without updates for affected Linux distributions or a CVE entry being available.

He writes this in the GitHub project for the vulnerability combination “Dirty Frag.” There he demonstrates a chaining of two vulnerabilities. A complete deep dive discusses them in detail. These are vulnerabilities that ultimately manipulate the page cache of files in memory to which users only have read access, such as “/etc/passwd” or “/usr/bin/su.” On subsequent access, Linux uses the modified entries from RAM, which grant further-reaching privileges and ultimately root access. This is very reminiscent of the vulnerability known as “Copy Fail.” Kim explains that this was also the starting point for his vulnerability search. To circumvent certain restrictions in Linux distributions that would prevent an exploit, he also chains two security vulnerabilities. On systems that were secured against “Copy Fail” by blacklisting the algif_aead module, “Dirty Frag” still works.

The vulnerabilities impact xfrm-ESP and RxRPC, both of which have a page cache write vulnerability. Kim has successfully tested the vulnerabilities on several distributions, gaining root privileges: Ubuntu 24.04.4 (Kernel 6.17.0-23-generic), RHEL 10.1 (Kernel 6.12.0-124.49.1.el10_1.x86_64), openSUSE Tumbleweed (Kernel 7.0.2-1-default), CentOS Stream 10 (Kernel 6.12.0-224.el10.x86_64), AlmaLinux 10 (Kernel 6.12.0-124.52.3.el10_1.x86_64), and Fedora 44 (with Kernel 6.19.14-300.fc44.x86_64).

Since the distributions have not yet had time to release…
