Details have come to light about a significant local privilege escalation (LPE) vulnerability affecting the Linux kernel, named Dirty Frag. This flaw has emerged as a follow-up to the Copy Fail vulnerability (CVE-2026-31431), which has been actively exploited. The issue was reported to Linux kernel maintainers on April 30, 2026.
Understanding the Dirty Frag Vulnerability
Dirty Frag is gaining attention because it can yield root privileges on a wide range of Linux distributions by exploiting the xfrm-ESP Page-Cache Write vulnerability together with the RxRPC Page-Cache Write vulnerability. Security researcher Hyunwoo Kim highlighted the deterministic nature of the bug: it does not rely on a race condition, so it succeeds reliably without causing a kernel panic.
The exploit elevates an unprivileged local user to root on distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. The vulnerabilities Dirty Frag exploits date back to code commits from January 2017 and June 2023.
Technical Mechanisms of Dirty Frag
The xfrm-ESP Page-Cache Write vulnerability lies in the IPsec (xfrm) subsystem and gives an attacker a way to overwrite the kernel page cache. Using it, however, requires creating a namespace, which Ubuntu's AppArmor policy blocks. This is where the RxRPC Page-Cache Write vulnerability becomes crucial: it does not need namespace creation, but it depends on the rxrpc.ko module being available, which is not the case on all distributions.
Kim explains that chaining the two vulnerabilities covers each one's limitations. The ESP path works where namespace creation is possible, while the RxRPC path works on systems such as Ubuntu, where namespace creation is restricted but the rxrpc.ko module is available.
Advisories and Mitigation Measures
CloudLinx has issued advisories noting that the vulnerability resides in the "ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path", reachable via the XFRM user netlink interface. The bug affects the decryption paths of esp4, esp6, and rxrpc, compromising plaintext security.
A working proof-of-concept (PoC) exists that gives an attacker root with a single command. Until patches are released, it is advised to blocklist the esp4, esp6, and rxrpc modules so they cannot be loaded. This can be done using the command:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
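The one-liner above is the article's recommended mitigation. The script below is an added example, not from the article or from CloudLinx, that does the same job in a form an administrator can audit and re-run: it generates the modprobe.d blocklist content, verifies that a config file contains every expected "install <module> /bin/false" line, and checks a /proc/modules-style listing for any of the three modules still being loaded. The config and module-list paths are parameters (an assumption made so the functions can be exercised without root); the defaults are the real system locations.

```shell
#!/bin/sh
# Added example (not the article's own command): generate, verify and check the
# modprobe.d blocklist for the esp4, esp6 and rxrpc modules.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the blocklist content: one "install <mod> /bin/false" line per module.
# modprobe then runs /bin/false instead of loading the module, so any later
# load attempt (including automatic loading on first use) fails.
dirtyfrag_conf_content() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the blocklist to the given path (default: the system modprobe.d file).
dirtyfrag_write_conf() {
    conf="${1:-/etc/modprobe.d/dirtyfrag.conf}"
    dirtyfrag_conf_content > "$conf"
}

# Return 0 if the config file carries an install line for every module,
# 1 otherwise, naming the missing entries on stderr.
dirtyfrag_verify_conf() {
    conf="${1:-/etc/modprobe.d/dirtyfrag.conf}"
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        if ! grep -qx "install $m /bin/false" "$conf" 2>/dev/null; then
            echo "missing blocklist entry for $m in $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if none of the modules appears in a /proc/modules-style listing
# (first field is the module name), 1 otherwise. A blocklist only prevents
# future loads, so a module that is already resident must still be removed.
dirtyfrag_check_loaded() {
    modlist="${1:-/proc/modules}"
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modlist"; then
            echo "module $m is currently loaded; rmmod it" >&2
            rc=1
        fi
    done
    return $rc
}
```

Typical use as root is `dirtyfrag_write_conf && rmmod esp4 esp6 rxrpc 2>/dev/null; dirtyfrag_verify_conf && dirtyfrag_check_loaded`, mirroring the article's one-liner. Two caveats apply to any modprobe.d blocklist: it has no effect on a kernel where ESP support is compiled in rather than built as a module, and the `rmmod` step can fail while the module is in use, which `dirtyfrag_check_loaded` will report.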
Future Outlook
Despite its similarities with Copy Fail, Dirty Frag can be exploited whether or not the algif_aead module is present, so the mitigations deployed for Copy Fail do not cover it. Until a fix is available, users are urged to apply the recommended module blocklist to safeguard their systems.
