{"id":282849,"date":"2026-06-27T06:06:00","date_gmt":"2026-06-27T10:06:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/27\/dirtyclone-a-linux-privilege-escalation-that-leaves-no-trace-on-disk\/"},"modified":"2026-06-27T06:45:07","modified_gmt":"2026-06-27T10:45:07","slug":"dirtyclone-a-linux-privilege-escalation-that-leaves-no-trace-on-disk","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/27\/dirtyclone-a-linux-privilege-escalation-that-leaves-no-trace-on-disk\/","title":{"rendered":"DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk"},"content":{"rendered":"

DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk<\/a><\/p>\n

https:\/\/securityaffairs.com\/194338\/uncategorized\/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html<\/a><\/p>\n

Publish Date: 2026-06-27 06:06:00<\/a><\/p>\n

Source Domain: securityaffairs.com<\/a><\/p>\n

DirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root<\/h2>\n<\/p>\n

\t\t\t\t\t\t\t Pierluigi Paganini<\/span>
\n\t\t\t\t\t\t\t\"\"\/ June 27, 2026<\/span><\/p>\n

\t\t\t\t\t\t\"\"\/<\/p>\n

DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace. Patch now.<\/h2>\n

JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation they call DirtyClone. It\u2019s the fourth vulnerability in the DirtyFrag family, all sharing the same root failure: file-backed memory gets treated as packet data, and an in-place network operation writes where it should have copied. CVSSIf your kernel doesn\u2019t have the May 21 mainline patch, update now.<\/p>\n

\u201cThe severity of this issue is significant because it allows any unprivileged local user to gain\u00a0root access<\/strong>\u00a0(LPE) by manipulating the Linux page cache.\u201d reads the report published by JFrog. \u201cThe attack is silent, leaves no kernel logs or audit traces, and bypasses common on-disk integrity monitoring tools.\u201d<\/p>\n

\"\"<\/p>\n

The attacker loads a privileged binary like \/usr\/bin\/su into memory, wires those pages into a network packet, and forces the kernel to clone it through a loopback IPsec tunnel they control. The decryption step overwrites the binary\u2019s authentication logic with attacker-chosen bytes, and the next run of su hands over root \u2014 while the file on disk stays untouched.<\/p>\n

The exploit requires CAP_NET_ADMIN to configure the IPsec environment. On Debian and Fedora that capability is reachable by any local user through unprivileged user namespaces, which are enabled by default. <\/p>\n

\u201cThe attacker begins by creating a fresh network namespace:<\/p>\n

unshare -Urn<\/p>\n

This provides network administrative capabilities inside the namespace.\u201d continues the report. \u201cWhile capabilities are namespaced, page cache is shared at the host level, so if file-backed pages are modified through shared mappings, the effects…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

DirtyClone: A Linux Privilege Escalation That Leaves No Trace on Disk https:\/\/securityaffairs.com\/194338\/uncategorized\/dirtyclone-fourth-linux-kernel-flaw-in-six-weeks-escalates-to-root.html Publish Date: 2026-06-27…<\/p>\n","protected":false},"author":1,"featured_media":282850,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/06\/image-75.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,91,31,97,89,71,57,27],"class_list":["post-282849","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-debian","tag-exploit","tag-fedora","tag-flaw","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282849"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=282849"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282849\/revisions"}],"predecessor-version":[{"id":282851,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282849\/revisions\/282851"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/282850"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=282849"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=282849"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=282849"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}