One command. Root privileges. No timing tricks needed. The latest Linux kernel vulnerability, dubbed Dirty Frag, hands unprivileged local users full control across Ubuntu, Red Hat Enterprise Linux, Fedora and more. Security researcher Hyunwoo Kim laid it bare this week after an embargo collapsed.
From Copy Fail to Dirty Frag
Just seven days after the Copy Fail flaw rattled administrators, Dirty Frag surfaced. Phoronix first highlighted the early disclosure, noting the absence of patches or assigned CVEs at the moment of release. The bug lives in decryption fast paths for esp4, esp6 and rxrpc. When socket buffers carry paged fragments not privately owned by the kernel — think pages from splice or sendfile — the receive path decrypts straight into them. An unprivileged process that still holds a reference ends up with a write primitive into the page cache.
Kim, posting as @v4bel on X, chained two distinct issues. One stems from xfrm-ESP page-cache writes, introduced in a 2017 kernel commit. The other involves RxRPC page-cache writes, added in 2023. “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” he explained in his detailed write-up on GitHub.
The result? A deterministic logic bug. No race condition. No kernel panic on failure. Success rates stay very high. And unlike its predecessor, Dirty Frag works even on systems that blacklisted the algif_aead module to block Copy Fail. “Even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag,” Kim wrote.
Distributions tested include Ubuntu 24.04.4, where AppArmor blocks user namespace creation yet rxrpc loads by default. On RHEL 10.1 the reverse holds: namespaces remain available but rxrpc stays absent from the default build. The chain covers those gaps. Fedora, openSUSE Tumbleweed, CentOS Stream and AlmaLinux all fall in range. Kernels dating back to 2017 sit exposed.
Exploitation follows a clear path. Attackers corrupt page cache entries for sensitive files. Overwrite /etc/passwd to grant root without a password. Or replace /usr/bin/su with a custom binary that drops a root shell. Public proof-of-concept code already exists on GitHub. One variant uses XFRM state manipulation and splice to inject a 192-byte ELF. Another patches passwd via the rxrpc route, then relies on PAM’s nullok to authenticate su without credentials.
The disclosure timeline moved faster than planned. Kim reported the issues April 30. An unrelated third party then published details on one half, shattering the embargo. He consulted [email protected]. Maintainers asked him to release publicly. The oss-security mailing list post followed on May 7, complete with exploit code.
But fixes lag. Upstream patches have appeared for the ESP side. One commit from the netdev tree addresses the in-place decryption flaw. A separate rxrpc patch sits on lore.kernel.org. Yet distribution kernels remain unpatched in production at the time of writing. AlmaLinux moved quickest, pushing test kernels with backported fixes for versions 8, 9 and 10. “Patched kernels are in testing,” the company stated. Other vendors trail.
Until updates arrive, a module blacklist offers protection. Administrators run a short script that adds lines to modprobe.d, then unloads esp4, esp6 and rxrpc. The command appears in nearly every advisory: sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true". Simple. Effective for most workloads that never touch IPsec or RxRPC.
Those who suspect prior compromise can drop the page cache afterward. Echo 3 to /proc/sys/vm/drop_caches clears tainted pages. Still, the real fix lies in updated kernels. The bug class traces back to Dirty Pipe and now Copy Fail. Each time, zero-copy optimizations and page cache assumptions create openings. Kernel developers must rethink how external pages reach fast decryption paths.
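As an added defender-side example (not from the article, the advisories or Kim's write-up), the audit below checks the three things the mitigation and clean-up notes above turn on: whether esp4, esp6 or rxrpc are loaded, whether the modprobe.d blacklist covers all three, and whether /etc/passwd carries an account with an empty password field. The function names and the --audit flag are this example's own; each function takes a file path so it can be pointed at constructed sample files as well as the live system.

```shell
#!/bin/sh
# Added example (not from the article or the researcher's write-up): a
# defender-side audit of Dirty Frag mitigation state. Functions take file
# paths so they work on /proc/modules, /etc/modprobe.d/dirtyfrag.conf and
# /etc/passwd on a real host, or on constructed sample files for testing.

DF_MODULES="esp4 esp6 rxrpc"

# Print each affected module that appears in a /proc/modules style listing
# (first field is the module name), one per line. Always returns 0.
loaded_dirtyfrag_modules() {
    procmod="$1"
    for m in $DF_MODULES; do
        awk -v name="$m" '$1 == name { found = 1 } END { exit !found }' "$procmod" \
            && echo "$m"
    done
    return 0
}

# Return 0 when the modprobe.d file has an "install <mod> /bin/false" line
# for all three modules, 1 when any is missing or the file is unreadable.
blacklist_complete() {
    conf="$1"
    [ -r "$conf" ] || return 1
    for m in $DF_MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false" "$conf" || return 1
    done
    return 0
}

# Return 0 when no passwd-format entry has an empty password field (the
# tampering the article describes, which PAM nullok turns into a free su).
# Offending usernames are printed, one per line.
passwd_no_empty_passwords() {
    awk -F: '$2 == "" { print $1; bad = 1 } END { exit bad ? 1 : 0 }' "$1"
}

# Live host audit: run as "sh dirtyfrag_audit.sh --audit" on the system.
if [ "${1:-}" = "--audit" ]; then
    loaded=$(loaded_dirtyfrag_modules /proc/modules)
    [ -z "$loaded" ] || echo "affected modules still loaded: $(echo "$loaded" | tr '\n' ' ')"
    blacklist_complete /etc/modprobe.d/dirtyfrag.conf || echo "modprobe blacklist missing or incomplete"
    passwd_no_empty_passwords /etc/passwd || echo "accounts with empty password field listed above"
fi
```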
Enterprise environments feel the pressure first. Shared hosts, CI runners, container build farms — any place untrusted users gain shells. A single compromised developer account on a build server could yield root in seconds. Cloud instances with multiple tenants face the same risk. And while containers add some isolation, a kernel bug of this reach often escapes them.
Kim’s work stands out for its clarity. He mapped blind spots across distributions and built a universal chain. The ESP path needs namespace privileges but avoids certain modules. The RxRPC path skips namespaces yet depends on a module loaded on Ubuntu. Together they close gaps. “Chaining the two variants makes the blind spots cover each other, allowing root privileges to be obtained on every major distribution,” he noted.
News outlets reacted swiftly. The Hacker News detailed the successor relationship to Copy Fail and quoted Kim extensively. Red Hat published mitigation guidance for OpenShift. CloudLinux and others issued alerts. The speed of coverage reflects how seriously the industry takes these local escalations. One breach at the kernel level undoes layers of user-space hardening.
Longer term, this episode highlights ongoing tension in kernel development. Performance features such as in-place decryption and splice optimizations deliver speed. They also introduce subtle reference-counting and ownership assumptions that prove hard to verify. Review processes catch many issues. Yet bugs like this survive for years — the xfrm flaw since 2017, the rxrpc piece since 2023.
System administrators now face a familiar drill. Audit running kernels. Apply the blacklist where patches remain unavailable. Monitor vendor channels for updates. Test new kernels promptly. And treat any local shell on multi-user systems as a potential root vector until the fix lands.
Dirty Frag won’t be the last in this family. Similar patterns lurk in other networking and crypto subsystems. The question is whether the community can harden these fast paths before the next public exploit appears. For now, the immediate priority stays clear. Patch. Or block those three modules. Anything less leaves the door wide open.


WebProNews is an iEntry Publication