Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges on most Linux Distributions

Staff Editor 2026-05-08
Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges on most Linux Distributions

Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges on most Linux Distributions

https://cybersecuritynews.com/dirty-frag-linux-vulnerability/

Publish Date: 2026-05-08 00:06:00

Source Domain: cybersecuritynews.com

Dirty Frag is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, to achieve root access on virtually all major Linux distributions, with a public exploit already in the wild following an embargo break on May 7, 2026.

Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431), but targets the frag member of the kernel’s struct sk_buff rather than struct pipe_buffer.

Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path where splice() plants a reference to a read-only page cache page, such as /etc/passwd or /usr/bin/su — into the frag slot of a sender-side skb.

Dirty Frag Linux Vulnerability

The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.

Every subsequent read to that file sees the corrupted version, even though the unprivileged attacker was granted only read access.

Unlike race-condition exploits, Dirty Frag is a deterministic logic bug that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.

Dirty Frag Linux Exploit

xfrm-ESP Page-Cache Write resides in esp_input(), the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code skips the mandatory skb_cow_data() buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.

Using the XFRMA_REPLAY_ESN_VAL netlink attribute, the attacker can control both the location (file offset) and the value (4 bytes) of each store operation, enabling them to overwrite arbitrary bytes of /usr/bin/su‘s page cache with a static root-shell ELF 192 bytes written across 48 chunks of 4 bytes…

Source

More Stories

XLibre Marks Its First Anniversary With Stable 25.1 Xserver Release

XLibre Marks Its First Anniversary With Stable 25.1 Xserver Release

Staff Editor 2026-06-06
AI Agent Discovery Gets Open DNS Standard: DNS-AID Launches Under Linux Foundation

AI Agent Discovery Gets Open DNS Standard: DNS-AID Launches Under Linux Foundation

Staff Editor 2026-06-06
Proton Drive just got 3x faster, and Linux users will finally get what they’ve been asking for

Proton Drive just got 3x faster, and Linux users will finally get what they’ve been asking for

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy