Linux Kernel Root Exploit Published: DirtyClone Attack Leaves No Trace

https://www.techtimes.com/articles/319188/20260627/linux-kernel-root-exploit-published-dirtyclone-attack-leaves-no-trace.htm

Publish Date: 2026-06-27 18:16:00

Source Domain: www.techtimes.com

A publicly documented exploit now shows any local user on an unpatched Linux system how to gain root access — and do it without leaving a single line in the kernel log or on-disk evidence for file-integrity monitors to catch. JFrog Security Research published the detailed exploit chain for DirtyClone (CVE-2026-43503) on Thursday, June 25 — the first public demonstration of a working attack against this high-severity Linux kernel flaw. The patch has been available in Linux mainline since May 21, but many distributions have not yet shipped it, leaving cloud servers, Kubernetes clusters, and CI runners broadly exposed while a clear roadmap to root access now exists in public.

How a Dropped Flag Becomes a Root Key

The vulnerability belongs to the DirtyFrag family, a growing class of Linux kernel memory corruption bugs that turn a zero-copy networking performance feature into a write primitive. The underlying design is legitimate: the Linux kernel can allow file-backed memory — the in-memory copy of an executable stored in the page cache — to serve directly as packet data without copying it. This eliminates CPU overhead on high-throughput network paths. The attack surface emerges when the metadata flag that marks this memory as shared with a file on disk gets silently dropped during a kernel operation.

In DirtyClone’s case, the vulnerable function is __pskb_copy_fclone(), which drops the SKBFL_SHARED_FRAG safety flag when cloning a packet — the same flag the original DirtyFrag mitigation introduced specifically to protect file-backed page-cache memory from being overwritten. The flag’s loss is triggered by the Linux netfilter TEE target, a packet-duplication mechanism used in traffic mirroring and intrusion detection setups. When the TEE target internally duplicates a packet via nf_dup_ipv4, the resulting clone lacks the flag that would force a safe copy-on-write before any in-place transformation.
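The following is an added illustration, not code from the article, from JFrog, or from the kernel: a deliberately simplified C model of the mechanism just described, in which a fragment flag (standing in for SKBFL_SHARED_FRAG) marks packet data that aliases a file's page cache, a clone that drops the flag is shown beside one that preserves it, and an in-place transform copies first only when the flag is present. All names, structures and sample bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model (constructed for this article, not kernel code) of how a
 * dropped shared-fragment flag turns an in-place packet transform into a write
 * to file-backed memory. */

#define FL_SHARED_FRAG 0x1   /* stands in for SKBFL_SHARED_FRAG */

typedef struct {
    uint8_t *data;            /* where the fragment's bytes currently live */
    size_t len;
    unsigned flags;           /* FL_SHARED_FRAG: data aliases a file's page cache */
    uint8_t private_buf[64];  /* packet-private storage used for copy-on-write */
} pkt_t;

/* Clone that loses the flag (models the __pskb_copy_fclone() defect). */
void clone_dropping_flag(const pkt_t *src, pkt_t *dst) {
    dst->data = src->data; dst->len = src->len; dst->flags = 0;
}

/* Clone that carries the flag across (what a correct clone must do). */
void clone_preserving_flag(const pkt_t *src, pkt_t *dst) {
    dst->data = src->data; dst->len = src->len; dst->flags = src->flags;
}

/* In-place transform: copy-on-write first if the data is shared with a file. */
void transform_in_place(pkt_t *p) {
    if (p->flags & FL_SHARED_FRAG) {
        memcpy(p->private_buf, p->data, p->len);
        p->data = p->private_buf;   /* private copy, safe to modify */
    }
    for (size_t i = 0; i < p->len; i++) p->data[i] ^= 0xFF;
}

/* Clone a page-cache-backed packet with the given clone routine, transform the
 * clone, and report whether the cached file bytes survived unmodified. */
bool page_cache_intact_after(void (*clone)(const pkt_t *, pkt_t *)) {
    uint8_t page_cache[8] = "ELFELF!";   /* constructed stand-in for cached file bytes */
    uint8_t expected[8];
    memcpy(expected, page_cache, sizeof page_cache);
    pkt_t orig = { page_cache, sizeof page_cache, FL_SHARED_FRAG, {0} };
    pkt_t dup;
    clone(&orig, &dup);
    transform_in_place(&dup);
    return memcmp(page_cache, expected, sizeof page_cache) == 0;
}
```

With the flag dropped, the transform writes straight through to the "page cache"; with the flag preserved, the copy-on-write path keeps it intact.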

The Seven-Step Attack Chain

JFrog researchers Eddy Tsalolikhin…