openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access Across Major Distros

A newly disclosed Linux kernel vulnerability, dubbed Dirty Frag, enables local privilege escalation (LPE) by chaining two page-cache write flaws (xfrm-ESP Page-Cache Write and RxRPC Page-Cache Write) to achieve root access on nearly all major Linux distributions. The exploit, publicly released on May 7, 2026, following an embargo break, relies on a deterministic logic flaw rather than a race condition, so it succeeds reliably and without kernel panics.

Discovered by security researcher Hyunwoo Kim (@v4bel), Dirty Frag abuses the kernel’s zero-copy send path: splice() inserts a reference to a read-only page-cache page (backing a file such as /etc/passwd or /usr/bin/su) into the frag slot of a sender-side sk_buff. Receiver-side cryptographic operations then modify that page cache in place, so even an unprivileged user can corrupt the underlying files.

Exploit Mechanics

  1. xfrm-ESP Variant:

    • Targets esp_input() in the IPsec ESP receive path, skipping buffer allocation checks (skb_cow_data()) for non-linear skbs.
    • Attackers use XFRMA_REPLAY_ESN_VAL to overwrite arbitrary bytes of a target file (e.g., /usr/bin/su) with a root-shell ELF. This requires creating a user namespace (unshare(CLONE_NEWUSER)), which AppArmor blocks on some Ubuntu systems.
  2. RxRPC Variant:

    • Exploits rxkad_verify_packet_1() to perform in-place decryption on the first 8 bytes of an RxRPC payload.
    • Attackers brute-force a session key to control the resulting plaintext (e.g., emptying the password field in /etc/passwd), bypassing PAM authentication. This variant does not require a user namespace but relies on the rxrpc.ko module, which is absent by default on RHEL but present on Ubuntu.

Chaining both exploits yields root access across distributions: the PoC first attempts the ESP path and falls back to RxRPC if unshare(CLONE_NEWUSER) fails.

Affected Systems

The flaws have been present for up to nine years: the ESP flaw was introduced in January 2017 (commit cac2661c53f3) and the RxRPC flaw in June 2023 (commit 2dc334f1a63a). Confirmed affected distributions include:

  • Ubuntu 24.04.4 (kernel 6.17.0-23)
  • RHEL 10.1 (kernel 6.12.0-124.49.1)
  • openSUSE Tumbleweed (kernel 7.0.2-1)
  • CentOS Stream 10, AlmaLinux 10, Fedora 44

Patches & Mitigation

  • The ESP patch, which uses SKBFL_SHARED_FRAG to enforce buffer isolation, was merged into the netdev tree on May 7, 2026.
  • The RxRPC patch remains unmerged upstream.
  • No CVEs have been assigned due to the premature embargo break.
  • Temporary mitigation involves blacklisting the affected modules (esp4, esp6, rxrpc) via:
    sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
    
    This disrupts IPsec and RxRPC functionality, so systems that rely on IPsec VPNs need careful evaluation before it is applied.
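As an added example (not the article's text and not the researcher's code), the following POSIX sh script turns the one-line mitigation above into an idempotent helper with the two checks a defender would want afterwards: whether the modprobe override is in place for every affected module, and whether any of the modules is still loaded (the override only blocks future loads; rmmod fails for a module that is in use). The function names, the DIRTYFRAG_APPLY switch and the script name dirtyfrag-mitigate.sh are this example's own assumptions; the module names and the /etc/modprobe.d/dirtyfrag.conf path come from the article.

```shell
#!/bin/sh
# Added example, not from the article or the researcher's repository: an
# idempotent form of the module blacklist above, plus checks to confirm the
# blacklist is in place and to report modules that remain loaded.
# Function and variable names are this example's own choices.

# Modules named in the article's mitigation.
AFFECTED_MODULES="esp4 esp6 rxrpc"

# write_blacklist CONF: write one "install <module> /bin/false" line per
# affected module to CONF, so modprobe refuses to load them from now on.
# In production CONF is /etc/modprobe.d/dirtyfrag.conf (as in the article);
# the path is a parameter so the function can be exercised on a temporary
# file without root. Rewriting the file makes repeated runs idempotent.
write_blacklist() {
    conf="$1"
    : > "$conf" || return 1
    for m in $AFFECTED_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$conf" || return 1
    done
}

# blacklist_complete CONF: return 0 only if CONF carries an install override
# for every affected module, 1 otherwise (a missing file counts as incomplete).
blacklist_complete() {
    conf="$1"
    [ -r "$conf" ] || return 1
    for m in $AFFECTED_MODULES; do
        grep -q "^install $m /bin/false\$" "$conf" || return 1
    done
    return 0
}

# loaded_affected MODLIST: print each affected module that appears in a
# /proc/modules-style listing (first column is the module name). Pass
# /proc/modules on a live system; a constructed listing is used in testing.
loaded_affected() {
    modlist="$1"
    for m in $AFFECTED_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modlist" 2>/dev/null; then
            echo "$m"
        fi
    done
}

# Apply on a live system only when explicitly asked (requires root):
#   DIRTYFRAG_APPLY=1 sh dirtyfrag-mitigate.sh
# The blacklist only stops future loads; rmmod fails for a module that is
# in use, so anything still loaded afterwards is reported for follow-up.
if [ "${DIRTYFRAG_APPLY:-0}" = "1" ]; then
    conf=/etc/modprobe.d/dirtyfrag.conf
    write_blacklist "$conf"
    for m in $AFFECTED_MODULES; do
        rmmod "$m" 2>/dev/null || true
    done
    if blacklist_complete "$conf"; then
        echo "blacklist written to $conf"
    else
        echo "blacklist incomplete in $conf" >&2
    fi
    still=$(loaded_affected /proc/modules)
    if [ -n "$still" ]; then
        echo "still loaded (stop their users or reboot): $still"
    fi
fi
```

Run without DIRTYFRAG_APPLY the script only defines the functions, so it can be sourced into an audit script that calls blacklist_complete /etc/modprobe.d/dirtyfrag.conf and loaded_affected /proc/modules on each host.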

The full technical write-up and PoC are available on the researcher’s GitHub repository.

Source: https://cybersecuritynews.com/dirty-frag-linux-vulnerability/

openSUSE TPRM report: https://www.rankiteo.com/company/opensuse-project

CentOS TPRM report: https://www.rankiteo.com/company/the-centos-project

AlmaLinux TPRM report: https://www.rankiteo.com/company/tuxcare

Ubuntu TPRM report: https://www.rankiteo.com/company/ubuntu-linux

Fedora TPRM report: https://www.rankiteo.com/company/fedora-project

{
"id": "tuxopefedtheubu1778214411",
"linkid": "tuxcare, opensuse-project, fedora-project, the-centos-project, ubuntu-linux",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Ubuntu',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'name': 'RHEL',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'name': 'openSUSE Tumbleweed',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'name': 'CentOS Stream',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'name': 'AlmaLinux',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'name': 'Fedora',
                        'type': 'Operating System'}],
 'attack_vector': 'Local exploitation via page-cache write flaws in Linux '
                  'kernel',
 'data_breach': {'file_types_exposed': ['/etc/passwd', '/usr/bin/su']},
 'date_publicly_disclosed': '2026-05-07',
 'description': 'A newly disclosed Linux kernel vulnerability, dubbed *Dirty '
                'Frag*, enables local privilege escalation (LPE) by chaining '
                'two page-cache write flaws (*xfrm-ESP Page-Cache Write* and '
                '*RxRPC Page-Cache Write*) to achieve root access on nearly '
                'all major Linux distributions. The exploit leverages a '
                'deterministic logic flaw rather than race conditions, '
                'ensuring a high success rate without kernel panics. The '
                'vulnerability exploits the kernel’s zero-copy send path, '
                'where `splice()` inserts a reference to a read-only page '
                'cache into the `frag` slot of a sender-side `sk_buff`, '
                'allowing receiver-side cryptographic operations to modify the '
                'page cache in-place, corrupting files even for unprivileged '
                'users.',
 'impact': {'operational_impact': 'Potential unauthorized root access, system '
                                  'compromise, and data manipulation',
            'systems_affected': 'Root access compromise on affected Linux '
                                'distributions'},
 'post_incident_analysis': {'corrective_actions': 'Patches to enforce buffer '
                                                  'isolation '
                                                  '(SKBFL_SHARED_FRAG) and '
                                                  'blacklisting vulnerable '
                                                  'modules.',
                            'root_causes': 'Deterministic logic flaws in Linux '
                                           "kernel's zero-copy send path and "
                                           'cryptographic operations, allowing '
                                           'in-place page-cache modifications '
                                           'by unprivileged users.'},
 'recommendations': 'Apply patches for ESP variant, blacklist affected modules '
                    'if patches are unavailable, and monitor for unauthorized '
                    'root access attempts.',
 'references': [{'source': "Hyunwoo Kim's GitHub repository"}],
 'response': {'containment_measures': 'Blacklisting affected modules (esp4, '
                                      'esp6, rxrpc) via modprobe',
              'remediation_measures': 'Patches merged into netdev tree for ESP '
                                      'variant; RxRPC patch pending'},
 'threat_actor': 'Hyunwoo Kim (@v4bel)',
 'title': 'Dirty Frag: New Linux Kernel LPE Vulnerability Grants Root Access '
          'Across Major Distros',
 'type': 'Local Privilege Escalation (LPE)',
 'vulnerability_exploited': ['xfrm-ESP Page-Cache Write',
                             'RxRPC Page-Cache Write']}