Dirty Frag — New Linux Kernel LPE Successor to Copy Fail

Overview

A new local privilege escalation (LPE) vulnerability in the Linux kernel, dubbed Dirty Frag, has been disclosed. It is considered a successor to Copy Fail (CVE‑2026‑31431) and extends the same bug class as Dirty Pipe. Dirty Frag allows unprivileged local users to gain root access across major Linux distributions with a high success rate and no race conditions.

Vulnerability Details

  • Bug Class: Deterministic logic flaw in page‑cache write paths.
  • Exploits Chained:
    • xfrm‑ESP Page‑Cache Write (introduced Jan 2017).
    • RxRPC Page‑Cache Write (introduced Jun 2023).
  • Impact: Root access on most Linux distributions, including:
    • Ubuntu 24.04.4
    • RHEL 10.1
    • openSUSE Tumbleweed
    • CentOS Stream 10
    • AlmaLinux 10
    • Fedora 44
  • Exploit Reliability:
    • No race conditions required.
    • Kernel does not panic on failure.
    • Very high success rate.

Technical Insights

  • xfrm‑ESP Exploit: Provides a 4‑byte store primitive via the IPSec subsystem. Requires user namespace creation (blocked by AppArmor on Ubuntu).
  • RxRPC Exploit: Works without namespace creation but requires the rxrpc.ko module (loaded by default on Ubuntu, absent in RHEL).
  • Chaining: ESP exploit works where namespaces are allowed; RxRPC works where ESP is blocked — together they cover blind spots.
  • Root Cause: Vulnerability in ESP‑in‑UDP MSG_SPLICE_PAGES no‑COW fast path, reachable via XFRM netlink interface.

Mitigation Guidance

  • Immediate Action: Blocklist the vulnerable modules (esp4, esp6, rxrpc) until patches are released:

    sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

  • Monitor: Watch for PoC exploit attempts — a working single‑command exploit is already public.
  • Patch Readiness: Track kernel maintainer advisories for updates.
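To verify that the blocklist above actually took effect on a fleet, the following audit script is an added example (not from the original advisory): it reports which of esp4, esp6 and rxrpc are still loaded and which lack a modprobe install override. The file paths are parameters (defaulting to /proc/modules and /etc/modprobe.d) so the checks can be exercised against constructed input.

```shell
#!/bin/sh
# Added example, not part of the original advisory: audit a host for the three
# modules the advisory says to blocklist (esp4, esp6, rxrpc). Reports which are
# currently loaded and which lack a modprobe "install <mod> /bin/false" entry.
# File locations are parameters so the checks can run against constructed
# inputs; the defaults are the real system paths.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# dirtyfrag_loaded [MODULES_FILE]: print each listed module present in a
# /proc/modules-style file (the module name is the first field of each line).
dirtyfrag_loaded() {
    modules_file="${1:-/proc/modules}"
    for m in $DIRTYFRAG_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modules_file" 2>/dev/null; then
            printf '%s\n' "$m"
        fi
    done
}

# dirtyfrag_unblocked [MODPROBE_DIR]: print each listed module that has no
# "install <mod> /bin/false" (or /bin/true) line in any *.conf under the dir.
# rxrpc is absent on some distributions (RHEL, per the advisory); the blocklist
# entry is harmless there, so all three are checked uniformly.
dirtyfrag_unblocked() {
    modprobe_dir="${1:-/etc/modprobe.d}"
    for m in $DIRTYFRAG_MODULES; do
        if ! cat "$modprobe_dir"/*.conf 2>/dev/null | grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)"; then
            printf '%s\n' "$m"
        fi
    done
}

# dirtyfrag_status [MODULES_FILE] [MODPROBE_DIR]: prints "ok" (exit 0) when none
# of the modules is loaded and all are blocklisted, otherwise "exposed" (exit 1).
dirtyfrag_status() {
    if [ -z "$(dirtyfrag_loaded "$1")" ] && [ -z "$(dirtyfrag_unblocked "$2")" ]; then
        echo ok
        return 0
    fi
    echo exposed
    return 1
}
```

Calling `dirtyfrag_status` with no arguments audits the live host and needs no privileges, since /proc/modules and /etc/modprobe.d are world-readable; a non-zero exit is a convenient signal for configuration-management or monitoring jobs.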

Final Thought

Dirty Frag demonstrates how long‑standing kernel commits can resurface as high‑impact privilege escalation flaws years later. Even systems patched against Copy Fail remain vulnerable, as Dirty Frag bypasses algif_aead mitigations. For defenders, the lesson is clear: kernel subsystems like IPSec and RxRPC must be treated as critical attack surfaces, and proactive module hardening is essential until fixes arrive.
