{"id":243166,"date":"2026-05-08T00:06:00","date_gmt":"2026-05-08T04:06:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/08\/dirty-frag-linux-vulnerability-let-attackers-gain-root-privileges-on-most-linux-distributions\/"},"modified":"2026-05-10T15:35:20","modified_gmt":"2026-05-10T19:35:20","slug":"dirty-frag-linux-vulnerability-let-attackers-gain-root-privileges-on-most-linux-distributions","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/08\/dirty-frag-linux-vulnerability-let-attackers-gain-root-privileges-on-most-linux-distributions\/","title":{"rendered":"Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges on most Linux Distributions"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/dirty-frag-linux-vulnerability\/\">Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges on most Linux Distributions<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/dirty-frag-linux-vulnerability\/\">https:\/\/cybersecuritynews.com\/dirty-frag-linux-vulnerability\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-08 00:06:00<\/a><\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p>Dirty Frag\u00a0is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, to achieve root access on virtually all major Linux distributions, with a public exploit already in the wild following an embargo break on May 7, 2026.<\/p>\n<p>Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431), but targets the\u00a0frag\u00a0member of the kernel\u2019s\u00a0struct sk_buff\u00a0rather than\u00a0struct pipe_buffer.<\/p>\n<p>Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path 
where\u00a0splice()\u00a0plants a reference to a read-only page cache page, such as\u00a0\/etc\/passwd\u00a0or\u00a0\/usr\/bin\/su, into the\u00a0frag\u00a0slot of a sender-side\u00a0skb.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-dirty-frag-linux-vulnerability\"><strong>Dirty Frag Linux Vulnerability<\/strong><\/h2>\n<p>The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.<\/p>\n<p>Every subsequent read of that file sees the corrupted version, even though the unprivileged attacker was granted only read access.<\/p>\n<p>Unlike race-condition exploits, Dirty Frag is a\u00a0deterministic logic bug\u00a0that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.<\/p>\n<p>Dirty Frag Linux Exploit <\/p>\n<p>xfrm-ESP Page-Cache Write\u00a0resides in\u00a0esp_input(), the IPsec ESP receive path. When an\u00a0skb\u00a0is non-linear but lacks a frag list, the code skips the mandatory\u00a0skb_cow_data()\u00a0buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.<\/p>\n<p>Using the\u00a0XFRMA_REPLAY_ESN_VAL\u00a0netlink attribute, the attacker can control both the\u00a0location\u00a0(file offset) and the\u00a0value\u00a0(4 bytes) of each store operation, enabling them to overwrite arbitrary bytes of\u00a0\/usr\/bin\/su\u2019s page cache with a static root-shell ELF, 192 bytes written across 48 chunks of 4 bytes&#8230;<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/dirty-frag-linux-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges on most Linux Distributions https:\/\/cybersecuritynews.com\/dirty-frag-linux-vulnerability\/ 
Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":243169,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/Dirty-Frag-Linux-Vulnerability.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,71,57,27],"class_list":["post-243166","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243166"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=243166"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243166\/revisions"}],"predecessor-version":[{"id":243171,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243166\/revisions\/243171"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/243169"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=243166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=243166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=243166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}