Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
Publish Date: 2026-05-08 01:12:00
Source Domain: thehackernews.com
Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel.
Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
The vulnerability currently does not have a CVE identifier, as the embargo is said to have been broken after detailed information and the exploit for the xfrm-ESP Page-Cache Write vulnerability were published publicly by an unrelated third-party.
“Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) said in a write-up.
“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”
Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023. Interestingly, the same January 17, 2017, commit was the root cause behind another buffer overflow (CVE-2022-27666, CVSS score: 7.8) that affected various Linux distributions.
xfrm-ESP Page-Cache Write, which is rooted in the IPSec (xfrm) subsystem, provides attackers with a 4-byte store primitive like Copy Fail and overwrites a…
