Security researchers uncovered another serious flaw in the Linux kernel this week. It lets any local user grab root privileges on systems running distributions from Ubuntu to Red Hat. The vulnerability, called Dirty Frag, surfaced publicly on May 7, 2026, after an embargo collapsed before fixes could roll out widely.
Hyunwoo Kim, the researcher behind the discovery, described it plainly. “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” he wrote in his detailed technical explanation on GitHub. The attack builds directly on patterns seen in earlier bugs like Dirty Pipe from 2022 and the more recent Copy Fail, disclosed just days earlier.
But Dirty Frag stands out. It doesn’t rely on tricky race conditions that often crash kernels or fail unpredictably. Success rates run very high. The logic stays deterministic. And it works even on setups that already blocked Copy Fail through module blacklisting. Short. Direct. Dangerous.
The core problem sits in how the kernel handles network packet processing for certain protocols. When applications use splice to move data efficiently without extra copies, they can pin pages from the page cache into socket buffer fragments. Those pages often come from files the user can only read. Think /etc/passwd or /usr/bin/su.
Then the receiver side performs in-place decryption or authentication directly on those fragments. The kernel assumes the memory stays private. It writes anyway. That corrupts the cached version of the file in RAM. Changes stick until someone drops the caches or reboots the machine. An unprivileged process just altered protected system binaries or configuration files. No write permissions required.
Kim chains two separate primitives to make it reliable across environments. The xfrm-ESP path, tied to CVE-2026-43284, gives an attacker a precise 4-byte write gadget. It surfaces in esp4 and esp6 modules handling IPsec ESP packets with extended sequence numbers. By registering multiple security associations with carefully chosen values, the exploit overwrites small chunks of a target file’s cached page.
The RxRPC path, tracked under the reserved CVE-2026-43500, delivers an 8-byte write through weak authentication in the rxrpc module. It uses a brute-forceable key and in-place PCBC decryption. The ESP path needs user namespaces to obtain CAP_NET_ADMIN; the RxRPC path does not. Together they cover each other’s gaps. On Ubuntu, where AppArmor often restricts unshare, the RxRPC route still lands. On systems without rxrpc loaded by default, the ESP variant takes over.
Proof-of-concept code appeared almost immediately. One version overwrites the beginning of /usr/bin/su with a compact ELF that drops a root shell. Another edits /etc/passwd to insert a passwordless root-equivalent account. Either way, executing su afterward elevates the session. The entire process completes in one command for many targets.
Affected systems stretch back years. Kernels since roughly 2017 carry the xfrm-ESP bug. The RxRPC issue arrived later, around 2023. That covers Ubuntu 24.04, 22.04, 20.04, RHEL 10, Fedora, openSUSE Tumbleweed, AlmaLinux, CentOS Stream and more. The Hacker News reported the list of confirmed vulnerable releases shortly after disclosure.
Distributions scrambled. AlmaLinux moved fastest among community rebuilds. It shipped patched kernels to production repositories within hours. Administrators there can update with a simple dnf command and reboot. “The patched kernels are now rolling out to production repositories/mirrors,” the team noted in their advisory. They also published the exact blacklist command that disables the three modules: esp4, esp6 and rxrpc.
That workaround appears everywhere. A one-liner creates /etc/modprobe.d/dirtyfrag.conf with install rules that point to /bin/false, then unloads the modules if present. It breaks IPsec VPNs that rely on ESP and any RxRPC-dependent services like certain AFS setups. Trade-offs matter. Yet for servers without those needs, the step removes the attack surface today.
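The workaround described above, written out as a small POSIX shell script. This is an added example, not the AlmaLinux advisory’s command or any vendor’s script; it assumes the module names (esp4, esp6, rxrpc), the config path /etc/modprobe.d/dirtyfrag.conf and the /bin/false install rule exactly as the article reports them, and it reads /proc/modules rather than calling lsmod so the loaded-module check can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example (not from the article or any distribution advisory):
# write the modprobe.d blacklist for the three modules the article names
# and unload them if they are currently loaded.
set -u

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Write "install <module> /bin/false" rules to the given path. Taking the
# path as a parameter keeps the function usable without root; the real
# target is /etc/modprobe.d/dirtyfrag.conf.
write_blacklist_conf() {
    conf="$1"
    {
        echo "# Dirty Frag workaround: refuse to load the vulnerable modules"
        for m in $DIRTYFRAG_MODULES; do
            echo "install $m /bin/false"
        done
    } > "$conf"
}

# Print (space separated) which of the listed modules are loaded, according
# to a /proc/modules-style file (default /proc/modules).
loaded_modules() {
    modfile="${1:-/proc/modules}"
    found=""
    [ -r "$modfile" ] || { echo ""; return 0; }
    for m in $DIRTYFRAG_MODULES; do
        if grep -q "^$m " "$modfile"; then
            found="$found $m"
        fi
    done
    echo "${found# }"
}

# Unload whichever listed modules are loaded. modprobe -r fails when a module
# is in use (an active IPsec SA, an AFS mount), which is exactly the trade-off
# the article points out: those services stop working with the blacklist.
unload_modules() {
    for m in $(loaded_modules); do
        modprobe -r "$m" || echo "warning: could not unload $m (still in use?)" >&2
    done
}

# Full workaround: needs root, writes the config, unloads, then verifies.
apply_workaround() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 1
    fi
    write_blacklist_conf /etc/modprobe.d/dirtyfrag.conf
    unload_modules
    remaining="$(loaded_modules)"
    if [ -n "$remaining" ]; then
        echo "still loaded: $remaining" >&2
        return 1
    fi
    echo "blacklist written; esp4, esp6 and rxrpc are not loaded"
}

# Only act when invoked as "script apply"; sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    apply_workaround
fi
```

The verification step at the end matters: the install rule only prevents future loads, so a module that refuses to unload because an IPsec tunnel or AFS client is still using it leaves the vulnerable code resident until that service is stopped or the host reboots.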
Red Hat issued its own security bulletin and coordinates fixes through CentOS Stream. Ubuntu published guidance linking to the same module blacklist while preparing kernel updates. Cloud providers including AWS and CloudLinux warned customers and accelerated live patches where possible. Microsoft weighed in too. Its security team highlighted how the flaw expands risks after initial compromise.
“Once root access is obtained, attackers can disable security tooling, access sensitive credentials, tamper with logs, pivot laterally, and establish persistent access,” the Microsoft Security Blog explained. The company added signatures to Defender for Linux that detect exploitation attempts. It also monitors for related campaigns.
Kim reported the issues to kernel maintainers on April 30. Discussions about coordinated disclosure followed. Then an unrelated party leaked details and partial exploit code for the xfrm-ESP half. The embargo shattered. Kim released his full write-up and PoC at the request of linux-distros maintainers, as detailed in his oss-security mailing list post.
This sequence echoes recent patterns. Copy Fail, also from Kim, followed a similar path days earlier and saw active exploitation in the wild. Both belong to a broader family of page-cache corruption attacks. Dirty Pipe in 2022 used pipe buffers. Copy Fail targeted AF_ALG sockets. Dirty Frag moves the primitive to skb fragments in the network stack.
The common thread remains zero-copy optimism. Splice and sendfile deliver performance. They also hand kernel data structures references to pages that a user process chose and still controls. When crypto or verification code skips copy-on-write checks for speed, memory that should stay read-only becomes mutable. The assumption that fragments belong exclusively to the kernel breaks.
Upstream patches address the ESP side. A commit merged to netdev disables the fast path when shared fragments appear. It forces skb_cow_data for safety. The RxRPC fix remains under discussion. Kernel developers proposed additional checks for data length before trusting in-place operations.
Yet patches take time to reach every LTS branch and enterprise distribution. Some users run kernels years old. Containers and cloud instances multiply the attack surface. Shared hosts, CI runners, build farms. Any environment where untrusted code can spawn a shell suddenly looks different.
Administrators face practical choices right now. Apply the module blacklist immediately. It requires no reboot in most cases. Drop page caches afterward if compromise is suspected. That evicts tampered entries but spikes disk I/O temporarily. Then watch vendor channels for kernel updates. Test them. Schedule maintenance windows.
Longer term the episode underscores deeper questions about kernel architecture. Networking paths grew complex over decades. Fast paths multiplied. Security reviews struggle to keep pace when performance remains the priority. Similar classes of bugs keep appearing because the underlying patterns persist.
Kim himself noted the continuity. His research shows Dirty Frag works regardless of algif_aead blacklisting. Previous mitigations fall short. New ones must target the shared fragment flag more broadly across subsystems.
Enterprise teams already audit local access policies. Many disable unnecessary kernel modules by default. They restrict user namespaces in containers. Those practices gain fresh relevance. Hardening becomes urgent when a single command can produce a root shell on production servers.
Researchers continue examining related code. The same 2017 commit behind the ESP bug also contributed to an older buffer overflow, CVE-2022-27666. Patterns repeat. Attention shifts to other in-place operations in the networking stack and filesystems.
For now the priority stays containment. Update where patches exist. Blacklist where they don’t. Monitor for signs of tampering in critical files. And recognize that Linux’s strength in flexibility also creates these persistent classes of risk. The next variant may not wait long.
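A defender-side script for the two steps just named and for the page-cache drop mentioned in the containment advice above: baseline the files the article says the proof-of-concept code overwrites, re-check them, and use a cache drop to tell an in-RAM-only change from an on-disk one. This is an added example, not code from the article, the kernel project or any vendor. It assumes /etc/passwd and /usr/bin/su as the watched files (from the article), /proc/sys/vm/drop_caches as the eviction mechanism, GNU sha256sum (with shasum as a fallback), and a hypothetical baseline path /var/lib/dirtyfrag.baseline.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): integrity baseline and
# check for the files Dirty Frag PoCs are reported to overwrite, plus a
# page-cache drop to classify a mismatch. Only drop_caches needs root.
set -u

# Files the article names as targets; extend as needed (e.g. /etc/shadow).
CRITICAL_FILES="/etc/passwd /usr/bin/su"
# Hypothetical location for the recorded digests.
BASELINE_DEFAULT="/var/lib/dirtyfrag.baseline"

# Print "digest  path" lines for each argument.
sha256_list() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Check a digest list file; prints "path: OK" / "path: FAILED" per line.
sha256_check() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1"; else shasum -a 256 -c "$1"; fi
}

# Record the current digests of the given files into $1.
record_baseline() {
    out="$1"; shift
    sha256_list "$@" > "$out"
}

# Print the paths whose content (as read now, i.e. through the page cache)
# no longer matches the baseline. Missing files are reported as well.
list_mismatches() {
    sha256_check "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Return 0 when every file matches the baseline, 1 otherwise.
verify_baseline() {
    [ -z "$(list_mismatches "$1")" ]
}

# Evict clean page-cache pages. Pages altered by a Dirty-Frag-style write are
# not marked dirty, so they are discarded rather than written back to disk.
drop_caches() {
    sync
    echo 3 > /proc/sys/vm/drop_caches
}

# Check once; on mismatch drop caches and check again to classify the change.
investigate() {
    base="$1"
    first="$(list_mismatches "$base")"
    if [ -z "$first" ]; then
        echo "all files match baseline"
        return 0
    fi
    echo "MISMATCH as read through the page cache: $first"
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: cannot drop caches to classify; treat as suspected compromise"
        return 1
    fi
    drop_caches
    second="$(list_mismatches "$base")"
    if [ -z "$second" ]; then
        echo "matches again after cache drop: page-cache-only tampering (consistent with Dirty Frag); assume the host was rooted and look for persistence"
    else
        echo "still mismatched after cache drop: on-disk modification of $second"
    fi
    return 1
}

# Usage: script baseline [file]   |   script check [file]
case "${1:-}" in
    baseline) record_baseline "${2:-$BASELINE_DEFAULT}" $CRITICAL_FILES ;;
    check)    investigate "${2:-$BASELINE_DEFAULT}" ;;
esac
```

The order of operations is deliberate: checking before dropping caches is what catches a page-cache-only overwrite, because the read goes through the tampered cached copy; dropping first would silently restore clean content and hide the event. A mismatch that survives the drop means the file on disk was changed, which on an affected host usually means the attacker already used the root shell to persist. Record the baseline from a known-good state (fresh install or after a verified kernel update) and store a copy off-host, since a local root can rewrite the baseline too.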


WebProNews is an iEntry Publication