New Linux Kernel Vulnerability "DirtyClone" Enables Root Access Without a Trace
A critical local privilege escalation flaw in the Linux kernel, dubbed DirtyClone (CVE-2026-43503), has been disclosed, allowing unprivileged users to gain full root access by exploiting the XFRM/IPsec subsystem. The vulnerability, discovered by JFrog Security Research during an audit of prior DirtyFrag fixes, carries a CVSS score of 8.8 and enables attacks without leaving logs or audit trails.
DirtyClone is part of the DirtyFrag vulnerability family, which exploits improper handling of socket buffers (skb) and shared page-cache memory. The flaw stems from the __pskb_copy_fclone() function, which drops the SKBFL_SHARED_FRAG safety flag (a mitigation introduced in earlier patches) during packet cloning. Unlike its predecessors, DirtyClone leverages the netfilter TEE target to trigger the exploit via packet duplication.
The attack involves seven steps, including mapping a privileged binary (e.g., /usr/bin/su) into the page cache, splicing it into a UDP socket buffer, and manipulating IPsec decryption to overwrite the binary's in-memory copy. The on-disk file remains unaltered, which evades file-integrity monitoring.
Affected systems include most modern Linux distributions where unprivileged user namespaces are enabled, such as Debian, Fedora, and Ubuntu (partially mitigated in 24.04+). Cloud and container environments with user namespaces are at heightened risk. The vulnerability was patched in Linux v7.1-rc5 (May 24, 2026), with a fix ensuring the SKBFL_SHARED_FRAG flag is preserved across all skb operations. No public proof-of-concept (PoC) exists, as JFrog has withheld exploit code during patch rollouts.
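A host check for the precondition named above, as an added example that is not from the article or from JFrog: it reports whether unprivileged user namespaces are available. The three sysctl files it reads are real kernel or distribution knobs, but which of them exist on a given system varies, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify unprivileged user namespace exposure on this host.

# Print a sysctl file's value, or "absent" when the kernel does not expose it.
read_knob() {
    if [ -r "$1" ]; then
        cat "$1" 2>/dev/null || echo absent
    else
        echo absent
    fi
}

# Classify from three knob values (each a number or "absent"):
#   $1 user.max_user_namespaces          0 = no user namespaces at all
#   $2 kernel.unprivileged_userns_clone  Debian/Ubuntu knob, 0 = root only
#   $3 kernel.apparmor_restrict_unprivileged_userns  Ubuntu knob, 1 = only
#      programs whose AppArmor profile allows it may use them unprivileged
classify_userns() {
    if [ "$1" = "absent" ]; then
        echo unknown      # no /proc or no user namespace support: verify by hand
    elif [ "$1" = "0" ] || [ "$2" = "0" ]; then
        echo disabled
    elif [ "$3" = "1" ]; then
        echo restricted
    else
        echo enabled
    fi
}

check_host() {
    classify_userns \
        "$(read_knob /proc/sys/user/max_user_namespaces)" \
        "$(read_knob /proc/sys/kernel/unprivileged_userns_clone)" \
        "$(read_knob /proc/sys/kernel/apparmor_restrict_unprivileged_userns)"
}

case "$(check_host)" in
    disabled)   echo "unprivileged user namespaces: disabled" ;;
    restricted) echo "unprivileged user namespaces: restricted by AppArmor; still patch" ;;
    enabled)    echo "unprivileged user namespaces: enabled; patch the kernel," \
                     "or set user.max_user_namespaces=0 if not required" ;;
    *)          echo "unprivileged user namespaces: could not determine" ;;
esac
# Distributions backport fixes, so the version string alone proves nothing.
echo "running kernel: $(uname -r); confirm the fix in your distribution's advisory"
```

Setting user.max_user_namespaces=0 also disables rootless containers and other software that depends on user namespaces, so inventory those dependencies before applying it fleet-wide.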
Source: https://cybersecuritynews.com/dirtyclone-linux-vulnerability/
{
  "id": "DEBTHECAN1782498459",
  "linkid": "debian, the-linux-foundation, canonical",
  "type": "Vulnerability",
  "date": "5/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"industry": "Technology", "location": "Global", "name": "Debian", "type": "Operating System"},
    {"industry": "Technology", "location": "Global", "name": "Fedora", "type": "Operating System"},
    {"industry": "Technology", "location": "Global", "name": "Ubuntu", "type": "Operating System"}
  ],
  "attack_vector": "Local",
  "date_publicly_disclosed": "2026-05-24",
  "date_resolved": "2026-05-24",
  "description": "A critical local privilege escalation flaw in the Linux kernel, dubbed DirtyClone (CVE-2026-43503), has been disclosed, allowing unprivileged users to gain full root access by exploiting the XFRM/IPsec subsystem. The vulnerability enables attacks without leaving logs or audit trails and stems from improper handling of socket buffers (skb) and shared page-cache memory in the __pskb_copy_fclone() function.",
  "impact": {
    "operational_impact": "Full root access compromise, potential for undetected system takeover",
    "systems_affected": "Linux systems with unprivileged user namespaces enabled"
  },
  "investigation_status": "Patched",
  "lessons_learned": "Importance of thorough auditing of kernel subsystems and proper handling of shared memory flags in security-critical functions.",
  "post_incident_analysis": {
    "corrective_actions": "Preservation of SKBFL_SHARED_FRAG flag across all skb operations in Linux kernel.",
    "root_causes": "Improper handling of SKBFL_SHARED_FRAG flag in __pskb_copy_fclone() function during packet cloning."
  },
  "recommendations": "Apply Linux kernel patch v7.1-rc5 or later. Disable unprivileged user namespaces if not required. Monitor for unusual privilege escalation attempts.",
  "references": [{"source": "JFrog Security Research"}],
  "response": {
    "containment_measures": "Patch released in Linux v7.1-rc5",
    "remediation_measures": "Preservation of SKBFL_SHARED_FRAG flag in skb operations"
  },
  "title": "DirtyClone: Linux Kernel Vulnerability Enables Root Access Without a Trace",
  "type": "Local Privilege Escalation",
  "vulnerability_exploited": "DirtyClone (CVE-2026-43503)"
}