{"id":242136,"date":"2026-05-09T02:35:00","date_gmt":"2026-05-09T06:35:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/09\/dirty-frag-is-a-new-linux-exploit-that-grants-root-and-theres-no-proper-patch-yet\/"},"modified":"2026-05-09T04:10:09","modified_gmt":"2026-05-09T08:10:09","slug":"dirty-frag-is-a-new-linux-exploit-that-grants-root-and-theres-no-proper-patch-yet","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/09\/dirty-frag-is-a-new-linux-exploit-that-grants-root-and-theres-no-proper-patch-yet\/","title":{"rendered":"Dirty Frag is a New Linux Exploit That Grants Root, and There&#8217;s No Proper Patch Yet"},"content":{"rendered":"<p><a href=\"https:\/\/itsfoss.com\/news\/dirty-frag-linux-exploit\/\">Dirty Frag is a New Linux Exploit That Grants Root, and There&#8217;s No Proper Patch Yet<\/a><\/p>\n<p><a href=\"https:\/\/itsfoss.com\/news\/dirty-frag-linux-exploit\/\">https:\/\/itsfoss.com\/news\/dirty-frag-linux-exploit\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-09 02:35:00<\/a><\/p>\n<p>Source Domain: <a href=\"itsfoss.com\">itsfoss.com<\/a><\/p>\n<p>It has not been a week since we came across Copy Fail, the exploit that took advantage of an old logic flaw to escalate a local user to root, giving them all kinds of harmful access over a system they shouldn&#8217;t have.<\/p>\n<p>A security researcher, Hyunwoo Kim (v4bel), has reported a new Linux kernel privilege escalation threat. 
This one is called <strong>Dirty Frag<\/strong>, and its disclosure has not gone as planned.<\/p>\n<p>Hyunwoo had set a five-day embargo after submitting details to the linux-distros mailing list, but an unnamed third party published the exploit publicly the same day, and that was that.<\/p>\n<p><strong>A working exploit is now out in the open<\/strong>; most distros have no patch, and the algif_aead blacklist you may have applied for Copy Fail does nothing against this.<\/p>\n<h2 id=\"what-is-dirty-frag\">What is Dirty Frag?<\/h2>\n<p>Like Copy Fail, Dirty Frag modifies the in-memory copy of a system file without touching the version on disk. Every subsequent read of that file sees the corrupted copy, and nothing on the filesystem looks wrong.<\/p>\n<p>Dirty Frag does this through two separate flaws. The first, xfrm-ESP Page-Cache Write (CVE-2026-43284), targets \/usr\/bin\/su, replacing its in-memory copy with one that hands out a root shell.<\/p>\n<p>The second, RxRPC Page-Cache Write (CVE-2026-43500), goes after \/etc\/passwd and empties the root password field. PAM accepts the blank entry and lets a root login through.<\/p>\n<p>More importantly, <strong>they are chained because neither works on every system on its own<\/strong>. The first needs a user namespace, which some Ubuntu AppArmor setups block. The second does not have that requirement, but the rxrpc.ko module it relies on is absent from most distros&#8217; default builds.<\/p>\n<p>Ubuntu is one of the few that does ship it, though. Together, the two cover every major distro.<\/p>\n<h2 id=\"what-can-you-do\">What can you do?<\/h2>\n<p>Most distros have nothing out yet, except perhaps <strong>AlmaLinux<\/strong>, which is one step ahead of the others with patched kernels already in its testing repository. 
For everyone else, the immediate option is blacklisting the three modules&#8230;<\/p>\n<p><a href=\"https:\/\/itsfoss.com\/news\/dirty-frag-linux-exploit\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dirty Frag is a New Linux Exploit That Grants Root, and There&#8217;s No Proper Patch&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242137,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/itsfoss.com\/content\/images\/2026\/05\/dirty-frag-linux-vulnerability-banner.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[143,90,31,89,71,57,79],"class_list":["post-242136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-almalinux","tag-cve","tag-exploit","tag-flaw","tag-linux","tag-security","tag-ubuntu"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242136"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242136"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242136\/revisions"}],"predecessor-version":[{"id":242139,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242136\/revisions\/242139"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242137"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/
v2\/categories?post=242136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}