Dirty Frag: 10 Essential Things You Need to Know About the Latest Linux Privilege Escalation Attack
Just days after the Copy Fail vulnerability made headlines, a new and more insidious threat has emerged: Dirty Frag. Discovered by security researcher Hyunwoo Kim, this Linux kernel exploit chain grants root access by manipulating in-memory copies of critical system files. Unlike many vulnerabilities, Dirty Frag isn't a single bug—it's a sophisticated two-step attack that leverages separate flaws to cover nearly every major Linux distribution. With working exploit code already public and most distributions still lacking a proper patch, understanding Dirty Frag is crucial for system administrators and security teams. Below, we break down the 10 things you absolutely need to know.
1. What Is Dirty Frag and How Does It Work?
Dirty Frag is a local privilege escalation exploit targeting the Linux kernel. It modifies the in-memory copy of a system file without altering the version stored on disk. This means any subsequent read of that file sees the tampered copy, while filesystem integrity checks show nothing amiss. The exploit chain consists of two distinct vulnerabilities that, when combined, provide a reliable root escalation path across different Linux distributions.

2. The Connection to Copy Fail
Dirty Frag follows in the footsteps of Copy Fail, another privilege escalation exploit, which abused an old logic flaw. While both attacks escalate a local user to root, Dirty Frag uses a different mechanism: page-cache manipulation rather than a direct logic error. Importantly, the algif_aead blacklist that worked against Copy Fail provides zero protection against Dirty Frag, so existing mitigations are ineffective.
3. The Two CVEs Behind Dirty Frag
The exploit relies on two separate Common Vulnerabilities and Exposures (CVEs):
- CVE-2026-43284 (xfrm-ESP Page-Cache Write): Targets /usr/bin/su, replacing its in-memory copy with one that grants a root shell upon execution.
- CVE-2026-43500 (RxRPC Page-Cache Write): Targets /etc/passwd, emptying the root password field. PAM then accepts a blank password, allowing root login.
Both are page-cache corruption flaws, but they affect different kernel subsystems.
4. Why the Two Flaws Are Chained
Neither flaw works universally. The first requires a user namespace, which some Ubuntu AppArmor configurations block. The second does not have that requirement but depends on the rxrpc.ko kernel module, which is absent from most distributions' default builds. However, Ubuntu is one of the few that ships rxrpc.ko by default. By chaining both exploits, attackers cover all major Linux distributions—ensuring at least one method works on any target system.
5. Affected Systems and Scope
Every major Linux distribution is potentially vulnerable. Since the exploit modifies in-memory copies, it bypasses traditional file integrity monitoring. The attack requires local access (e.g., via a compromised user account or a web shell) but once executed, it grants full root privileges. The exploit has been successfully demonstrated on Ubuntu, Debian, Fedora, and others, with the only exception being systems that have already applied specific mitigations.
6. The Patch Situation: Why So Slow?
Hyunwoo Kim responsibly disclosed the flaws to the linux-distros mailing list with a five-day embargo to allow time for patches. However, an unnamed third party publicly released the exploit the same day, breaking the embargo. As a result, most distributions were caught off guard. As of now, only AlmaLinux has made patched kernels available (in its testing repository). Canonical (Ubuntu) has released mitigation guidelines but not a full patch. RHEL, SUSE, and others are still working on fixes.

7. Immediate Mitigation: Blacklisting Kernel Modules
The quickest defense is to blacklist the three kernel modules involved in the attack: esp4, esp6, and rxrpc. Run the following command as root:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This prevents the modules from loading and removes any cached tampered pages. This mitigation should be applied immediately on all systems where full patching is not yet available.
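After running the mitigation, a quick way to confirm it took effect is to check both the modprobe.d file and the currently loaded modules. The POSIX sh script below is an added example (not from the original article or from any distribution's tooling): on a real host its functions read /etc/modprobe.d/dirtyfrag.conf and /proc/modules, while the demo at the bottom runs them against constructed copies of both files.

```shell
#!/bin/sh
# Verify that the Dirty Frag module-blacklist mitigation is in place.
# Each function takes a file path, so it can be pointed at the real
# /etc/modprobe.d/dirtyfrag.conf and /proc/modules or at constructed copies.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the modprobe.d content that the mitigation command writes.
dirtyfrag_conf() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Return 0 only if every affected module has an "install <mod> /bin/false" line in $1.
conf_blacklists_all() {
    [ -r "$1" ] || return 1
    for m in $DIRTYFRAG_MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false([[:space:]]|$)" "$1" || return 1
    done
}

# Print the affected modules that appear in a /proc/modules-style file ($1).
loaded_affected_modules() {
    for m in $DIRTYFRAG_MODULES; do
        if awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' "$1"; then
            printf '%s\n' "$m"
        fi
    done
}

# Return 0 only when the config is complete and none of the modules is loaded.
dirtyfrag_mitigated() {
    conf_blacklists_all "$1" || return 1
    [ -z "$(loaded_affected_modules "$2")" ]
}

# Demo on constructed data standing in for /etc/modprobe.d/dirtyfrag.conf and /proc/modules.
demo_dir=$(mktemp -d)
dirtyfrag_conf > "$demo_dir/dirtyfrag.conf"
printf 'xfrm_user 49152 1 - Live 0x0000000000000000\nesp4 20480 0 - Live 0x0000000000000000\n' > "$demo_dir/modules"
if dirtyfrag_mitigated "$demo_dir/dirtyfrag.conf" "$demo_dir/modules"; then
    echo "mitigated"
else
    echo "NOT mitigated; still loaded: $(loaded_affected_modules "$demo_dir/modules" | tr '\n' ' ')"
fi
rm -r "$demo_dir"
```

A clean result here says nothing about pages that were tampered before the modules were unloaded, which is why the mitigation command also drops the page cache.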
8. Clearing the Page Cache
The command above includes echo 3 > /proc/sys/vm/drop_caches, which clears the page cache, dentries, and inodes. This is crucial because Dirty Frag corrupts pages in memory—once the cache is cleared, the next read of the file will load the clean version from disk. Without this step, the corrupted copy persists even after module blacklisting. Administrators should verify that the page cache is fully flushed after applying the mitigation.
9. Distribution-Specific Status
- AlmaLinux: Patched kernels are available in the testing repository—this is the only distribution with a proactive fix.
- Ubuntu: Canonical has published mitigation guidelines. Users should follow those instructions while awaiting a kernel update.
- Other distributions: RHEL, Debian, Fedora, and SUSE have not yet released patches. The blacklist mitigation is recommended for all.
10. Looking Ahead: Long-Term Recommendations
Once your distribution releases a patched kernel, update immediately and reboot. Also consider the following best practices:
- Enable user namespace restrictions via AppArmor/SELinux where possible (this mitigates the first CVE).
- Monitor for unexpected loading of the esp4, esp6, or rxrpc modules.
- Implement runtime kernel module integrity checking using tools like aide or tripwire.
- Stay informed about kernel security announcements; this exploit demonstrates that embargoes can be broken.
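One way to act on the monitoring recommendation above is to snapshot the loaded module list once the blacklist is in place, then periodically diff it and alert on esp4, esp6 or rxrpc. This POSIX sh script is an added example, not code from the article or from any distribution; the baseline path under /var/lib/dirtyfrag is this example's own convention, and the /proc/modules lines in the demo are constructed.

```shell
#!/bin/sh
# Report modules loaded since a baseline snapshot and flag the three Dirty Frag modules.
# Intended use on a host (paths are this example's own convention):
#   snapshot_modules > /var/lib/dirtyfrag/baseline     # once, after applying the blacklist
#   snapshot_modules > /tmp/modules.now                # from cron or a monitoring agent
#   report_new_modules /var/lib/dirtyfrag/baseline /tmp/modules.now
export LC_ALL=C
DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Sorted, de-duplicated module names from a /proc/modules-style file (default: /proc/modules).
snapshot_modules() {
    cut -d ' ' -f1 "${1:-/proc/modules}" | sort -u
}

# Print one line per module present in the current snapshot ($2) but absent from the
# baseline ($1): "ALERT <mod>" for esp4/esp6/rxrpc, "INFO <mod>" for anything else.
# Returns 1 if at least one ALERT was printed, 0 otherwise.
report_new_modules() {
    status=0
    for mod in $(comm -13 "$1" "$2"); do
        case " $DIRTYFRAG_MODULES " in
            *" $mod "*) printf 'ALERT %s loaded (Dirty Frag attack module)\n' "$mod"; status=1 ;;
            *)          printf 'INFO %s loaded\n' "$mod" ;;
        esac
    done
    return $status
}

# Demo on constructed /proc/modules content (stand-ins for a baseline and a later snapshot).
demo=$(mktemp -d)
printf 'xfrm_user 49152 1 - Live 0x0000000000000000\nnf_tables 262144 0 - Live 0x0000000000000000\n' \
    > "$demo/base.raw"
printf 'xfrm_user 49152 1 - Live 0x0000000000000000\nnf_tables 262144 0 - Live 0x0000000000000000\nesp4 20480 0 - Live 0x0000000000000000\nveth 32768 0 - Live 0x0000000000000000\n' \
    > "$demo/now.raw"
snapshot_modules "$demo/base.raw" > "$demo/base"
snapshot_modules "$demo/now.raw"  > "$demo/now"
report_new_modules "$demo/base" "$demo/now" || echo "exit status 1: attack module present"
rm -r "$demo"
```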
Dirty Frag is a stark reminder that even sophisticated attack chains can be mitigated with prompt, layered responses. Stay vigilant and patch early.