2 Linux kernel flaw PoCs published, enabling local privilege escalation | news

https://www.scworld.com/news/2-linux-kernel-flaw-pocs-published-enabling-local-privilege-escalation

Publish Date: 2026-06-26 19:50:00

Source Domain: www.scworld.com

Two proof-of-concept exploits for Linux kernel vulnerabilities were recently published, both of which could lead to local privilege escalation on unpatched systems.

One of the flaws, DirtyClone, tracked as CVE-2026-43503, is a variant of a class of Linux vulnerabilities known as DirtyFrag. The variant was discovered by the JFrog Security Research team, which published its PoC on Thursday. The team had previously reported the flaw to the Linux kernel maintainers, who issued a patch on May 19, 2026.

DirtyFrag, and similar flaws such as Fragnesia, abuse in-place packet decryption in networking subsystems to overwrite the page-cache copies of key read-only files, such as /usr/bin/su, in memory. The attack loads the targeted file into the page cache, crafts a network packet whose buffer is backed by those page-cache pages using splice and vmsplice, and then drives the in-place decryption steps of subsystems like XFRM/IPsec and RxRPC so that they overwrite bytes of the targeted file inside the page-cache-backed packet buffer. The exploit tricks the kernel into treating read-only page-cache memory as a writable network buffer during decryption, according to JFrog. Because the attacker controls the cryptographic inputs, the decryption output is predictable and can be steered to specific offsets, so the page-cache copy of /usr/bin/su can be modified to obtain root privileges.

The patches for DirtyFrag and its earlier variants add a metadata flag, SKBFL_SHARED_FRAG, to spliced UDP packets to mark packets that reference page-cache memory, and trigger a safe copy-on-write (COW) on flagged packets before in-place decryption, JFrog explained. This keeps modifications made to those packets during decryption from reaching the corresponding page-cache pages of the file.

DirtyClone circumvents this fix by configuring an IPsec processing tunnel with a netfilter rule that uses a TEE target to duplicate UDP packets via __pskb_copy_fclone(). JFrog found that this function does not preserve the SKBFL_SHARED_FRAG flag during…
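A page-cache overwrite of this kind changes what the kernel serves from memory while the bytes on disk stay intact, so one practical check on a suspect host is to compare the two views of a file. The script below is an added example, not code from the article or from JFrog's PoC; it reads a file once through the page cache and once with O_DIRECT (which bypasses the cache) and reports whether the SHA-256 sums agree. The function and return-code convention are this example's own choices, and the list of setuid targets in check_setuid_targets is an assumption about likely targets, with /usr/bin/su being the one the article names.

```shell
#!/bin/sh
# Added example, not code from the article or from JFrog's PoC.
# Compares what the page cache returns for a file with what is on disk.
# DirtyFrag-style bugs overwrite only the cached pages, so while a tampered
# page is resident the two views differ; after eviction or a reboot they
# agree again, so this finds live tampering, not historical tampering.
# Exit status: 0 = views match, 1 = mismatch (investigate), 2 = O_DIRECT
# unsupported on this filesystem (tmpfs, some network filesystems),
# 3 = file unreadable or no temp space.

pagecache_mismatch() {
    f="$1"
    [ -r "$f" ] || return 3
    tmp=$(mktemp) || return 3
    # Normal read: served from the page cache (populating it if needed).
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    # iflag=direct opens with O_DIRECT, so the bytes come from the block
    # device, not from cached pages. bs must be a multiple of the logical
    # sector size; 4096 is safe on every common disk. dd fails on
    # filesystems without O_DIRECT support, which we report as 2.
    if ! dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    direct=$(sha256sum < "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"
    [ "$cached" = "$direct" ]
}

# Run the comparison over the setuid binaries a page-cache overwrite is most
# likely to target (assumed list; /usr/bin/su is the one named in the report).
# Returns 1 if any file shows a mismatch, 0 otherwise.
check_setuid_targets() {
    overall=0
    for f in /usr/bin/su /usr/bin/sudo /usr/bin/passwd; do
        [ -e "$f" ] || continue
        rc=0
        pagecache_mismatch "$f" || rc=$?
        case $rc in
            0) echo "ok         $f" ;;
            1) echo "MISMATCH   $f  (page cache differs from disk)"; overall=1 ;;
            2) echo "skipped    $f  (direct I/O unsupported)" ;;
            *) echo "unreadable $f" ;;
        esac
    done
    return $overall
}

# Usage: . ./pagecache_check.sh && check_setuid_targets
```

Run it as root so every target is readable, and treat a mismatch as an incident indicator rather than proof on its own: a binary that was legitimately updated moments earlier can briefly differ too, so confirm with the package manager's verification (dpkg --verify or rpm -V, both of which read through the page cache) before acting. Do not run `echo 3 > /proc/sys/vm/drop_caches` first; that discards exactly the evidence this check looks for.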
