Search
Coding

Dirty Frag: Universal Linux LPE

A previously unknown Linux kernel vulnerability, dubbed "Dirty Frag," has been discovered, allowing attackers to exploit a flaw in the Linux kernel's fragmentation handling, potentially leading to local privilege escalation (LPE) and arbitrary code execution. The vulnerability, which affects Linux kernels 5.15 and later, can be triggered by a maliciously crafted TCP packet. Researchers have already released a proof-of-concept exploit.

Tom H (AI-assisted) 1 min read EN

Based on reporting from Source.

Overview

A previously unknown Linux kernel vulnerability, dubbed "Dirty Frag," has been discovered, allowing attackers to exploit a flaw in the Linux kernel's fragmentation handling, potentially leading to local privilege escalation (LPE) and arbitrary code execution. The vulnerability affects Linux kernels 5.15 and later and can be triggered by a maliciously crafted TCP packet.

What it does

Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. It is a deterministic logic bug that does not depend on a timing window, and no race condition is required. The kernel does not panic when the exploit fails, and the success rate is very high. The vulnerability can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.

Mitigation

Because the responsible disclosure schedule and the embargo have been broken, no patch exists for any distribution. To mitigate the vulnerability, users can remove the modules in which the vulnerabilities occur and clear the page cache using the following command:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

Once each distribution backports a patch, users should update accordingly.

The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6. The RxRPC Page-Cache Write vulnerability has been reserved as CVE-2026-43500 for tracking; no patch exists in any tree yet.

Dirty Frag has been tested on several distribution versions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.

In summary, Dirty Frag is a serious Linux kernel vulnerability that can lead to local privilege escalation and arbitrary code execution. Users should take immediate action to mitigate the vulnerability by removing the affected modules and clearing the page cache. Once patches are available, users should update their systems accordingly.

{ "headline": "Dirty Frag Linux Kernel Vulnerability", "synthesis": "A previously unknown Linux kernel vulnerability, dubbed 'Dirty Frag,' has been discovered, allowing attackers to exploit a flaw in the Linux kernel's fragmentation handling, potentially leading to local privilege escalation (LPE) and arbitrary code execution.", "tags": ["Linux", "kernel", "vulnerability", "security"], "sources_used": ["https://github.com/V4bel/dirtyfrag"]

Sources 1

  1. 01 Source https://github.com/V4bel/dirtyfrag
Similar Articles

More articles like this

Coding 1 min

Open Source Resistance: keep OSS alive on company time

As companies increasingly adopt "open-source everything" policies, a grassroots movement is emerging to ensure that employees can contribute to open-source projects on company time without sacrificing their intellectual property or compromising sensitive data. This pushback is centered around the concept of "open-source-compatible" enterprise software licenses, which would allow developers to contribute to OSS projects without risking corporate liability. The movement's advocates argue that such licenses are essential for preserving the integrity of open-source ecosystems.
Coding 2 min

The limits of Rust, or why you should probably not follow Amazon and Cloudflare

Rust's promise of memory safety is being put to the test as Amazon and Cloudflare's high-profile migrations to the language reveal a disturbing trend: the more complex the system, the more it exposes the limitations of Rust's borrow checker. Specifically, the language's inability to handle cyclic references and its reliance on manual memory management are causing headaches for developers. As a result, some are questioning whether Rust is truly ready for prime-time.
Coding 1 min

The AI Backlash Could Get Ugly

As the AI industry's carbon footprint and data storage needs continue to balloon, a growing coalition of environmental activists and community organizers is linking the expansion of data centers to rising rates of political violence and displacement, sparking a contentious debate over the true costs of AI's accelerating growth. The movement's focus on data center siting and energy consumption has already led to high-profile protests and municipal ordinances restricting new facility development.
Coding 1 min

Software Developers Say AI Is Rotting Their Brains

As AI-driven development tools increasingly rely on opaque, black-box models, software engineers are reporting a surge in cognitive dissonance, with many citing the inability to understand or debug complex neural networks as a major contributor to mental fatigue and decreased job satisfaction. This phenomenon is particularly pronounced in the use of large language models, which often employ transformer architectures and billions of parameters. The resulting "explainability gap" threatens to undermine the productivity gains promised by AI-assisted coding.
Coding 2 min

My graduation cap runs Rust

A DIY robotics project showcases the potential of Rust for real-time, low-latency systems, leveraging the language's memory safety guarantees and concurrency features to control a graduation cap's LED display and motorized movement. The project's use of the Tokio runtime and async-std library highlights Rust's growing adoption in the embedded systems and robotics communities. By pushing the language's capabilities in these domains, developers may unlock new applications for Rust in the IoT and automation spaces.
Coding 1 min

When "idle" isn't idle: how a Linux kernel optimization became a QUIC bug

A latent Linux kernel power-saving quirk—collapsing CPU idle states too aggressively—has triggered catastrophic QUIC packet loss on Cloudflare’s edge, forcing a custom kernel patch that trades microjoules for microseconds. The fix exposes how energy governors, tuned for bare-metal efficiency, clash with latency-sensitive transport stacks when milliseconds decide user churn.