Critical Linux "Dirty Frag" Vulnerability Grants Root Access Across Major Distributions
A newly disclosed Linux vulnerability, dubbed Dirty Frag, allows attackers to escalate privileges to root on nearly all major distributions, with a public proof-of-concept (PoC) exploit already circulating. The flaw, part of the same class as Dirty Pipe and Copy Fail (CVE-2026-31431), targets the frag member of the kernel’s struct sk_buff, enabling stable exploitation without race conditions.
The attack leverages the zero-copy send path, where splice() inserts a reference to a read-only page cache page (e.g., /etc/passwd or /usr/bin/su) into the frag slot of a sender-side socket buffer (skb). Unlike previous vulnerabilities, Dirty Frag does not rely on timing-based conditions, making it highly reliable for achieving root access.
Immediate mitigation steps include blacklisting the esp4, esp6, and rxrpc kernel modules and clearing page caches (echo 3 > /proc/sys/vm/drop_caches) to purge potentially compromised binaries from memory. While upstream patches are pending, organizations are advised to apply these workarounds to reduce exposure.
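An audit of the module workaround described above, as an added example that is not part of the original article or any vendor tooling. It assumes the standard modprobe.d syntax and a /proc/modules-style list, and it separates a plain "blacklist" line (which only stops alias-based autoloading) from an "install <module> /bin/false" override, a stronger form the article does not mention.

```shell
#!/bin/sh
# Added example: audit the esp4 / esp6 / rxrpc workaround on one host.
# Assumed inputs: a /proc/modules-style file and a modprobe.d-style directory.

# is_loaded NAME MODULES_FILE -> exit 0 if NAME is currently loaded
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# config_state NAME CONF_DIR -> prints one of:
#   blocked         "install NAME /bin/false" (or /bin/true): modprobe cannot load it
#   blacklist-only  "blacklist NAME": alias autoload is suppressed, but an
#                   explicit "modprobe NAME" still loads the module
#   unprotected     no matching directive
# Commented-out directives never match because their first field starts with "#".
config_state() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { blocked = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print blocked ? "blocked" : (bl ? "blacklist-only" : "unprotected") }'
}

# audit MODULES_FILE CONF_DIR -> one status line per module;
# returns 1 if any module is loaded or is not fully blocked
audit() {
    rc=0
    for mod in esp4 esp6 rxrpc; do
        if is_loaded "$mod" "$1"; then loaded=yes; else loaded=no; fi
        state=$(config_state "$mod" "$2")
        echo "$mod loaded=$loaded config=$state"
        [ "$loaded" = no ] && [ "$state" = blocked ] || rc=1
    done
    return $rc
}

# Live check against the usual default paths: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit /proc/modules /etc/modprobe.d
    exit $?
fi
```

A module that is already loaded stays loaded after a configuration change, so a "loaded=yes" line still needs the module removed or the host rebooted.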
The vulnerability affects a broad range of Linux systems, underscoring the urgency of addressing kernel-level flaws in enterprise and cloud environments. The public availability of the PoC increases the risk of widespread exploitation.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7458402813727936530
Linux TPRM report: https://www.rankiteo.com/company/linux-kernel-foundation
"id": "lin1778224373",
"linkid": "linux-kernel-foundation",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprise/Cloud Environments'}],
 'attack_vector': 'Local',
 'data_breach': {'file_types_exposed': ['/etc/passwd', '/usr/bin/su']},
 'description': 'A newly disclosed Linux vulnerability, dubbed *Dirty Frag*, '
                'allows attackers to escalate privileges to root on nearly all '
                'major distributions, with a public proof-of-concept (PoC) '
                'exploit already circulating. The flaw targets the `frag` '
                'member of the kernel’s `struct sk_buff`, enabling stable '
                'exploitation without race conditions. The attack leverages '
                'the zero-copy send path, where `splice()` inserts a reference '
                'to a read-only page cache page into the `frag` slot of a '
                'sender-side socket buffer (skb). Unlike previous '
                'vulnerabilities, *Dirty Frag* does not rely on timing-based '
                'conditions, making it highly reliable for achieving root '
                'access.',
 'impact': {'operational_impact': 'Potential unauthorized root access',
            'systems_affected': 'Linux systems across major distributions'},
 'post_incident_analysis': {'corrective_actions': 'Patch kernel, enforce '
                                                  'module blacklisting, and '
                                                  'clear page caches.',
                            'root_causes': 'Kernel-level flaw in `struct '
                                           'sk_buff` (`frag` member) enabling '
                                           'privilege escalation via zero-copy '
                                           'send path.'},
 'recommendations': 'Apply immediate mitigation steps (blacklist kernel '
                    'modules, clear page caches) and monitor for upstream '
                    'patches.',
 'response': {'containment_measures': 'Blacklisting `esp4`, `esp6`, and '
                                      '`rxrpc` kernel modules; clearing page '
                                      'caches (`echo 3 > '
                                      '/proc/sys/vm/drop_caches`)',
              'remediation_measures': 'Apply upstream patches (pending)'},
 'title': "Critical Linux 'Dirty Frag' Vulnerability Grants Root Access Across "
          'Major Distributions',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'Dirty Frag (CVE-2026-31431)'}