Darhost

2026-05-09 10:40:57

New Linux 'Dirty Frag' Exploit Escalates to Root—No Fix Available for Most Distros

New Linux exploit 'Dirty Frag' chains two kernel vulnerabilities to give attackers root access. No patch for most distributions; blacklisting kernel modules is the temporary fix.

Critical Linux Kernel Exploit 'Dirty Frag' Gives Attackers Root Access—Patches Lag Behind

A newly discovered Linux kernel exploit, dubbed Dirty Frag, allows local users to gain unrestricted root access by chaining two separate vulnerabilities. Security researcher Hyunwoo Kim (v4bel) reported the threat to the linux-distros mailing list, but the exploit was publicly released the same day by an unnamed third party, undermining the intended five-day embargo.

Source: itsfoss.com

“The disclosure went wrong,” Kim told reporters. “We expected time for distros to prepare patches, but the exploit code is now public. Most distributions are unprotected.”

Dirty Frag is the second major privilege escalation (privesc) exploit to emerge in less than a week, following Copy Fail, which exploited an older logic flaw. The new attack modifies the in-memory (page-cache) copy of a system file while leaving the on-disk version untouched: a check against the disk contents finds nothing wrong, yet any process that reads the file through the page cache, su and PAM included, gets the tampered bytes until the page is evicted.

How Dirty Frag Works

Dirty Frag leverages two distinct flaws:

  • CVE-2026-43284 (xfrm-ESP page-cache write) – overwrites the page-cache copy of /usr/bin/su with an image that spawns a root shell; because su is setuid-root, the next execution runs the attacker's code as root.
  • CVE-2026-43500 (RxRPC page-cache write) – overwrites the page-cache copy of /etc/passwd, emptying root's password field so that PAM accepts a blank password for root.

Neither vulnerability works alone on every system. The xfrm-ESP path requires creating an unprivileged user namespace, which Ubuntu's AppArmor restriction on unprivileged user namespaces often blocks. The RxRPC path depends on the rxrpc kernel module, which most distributions do not build by default. Chained, the two cover all major distributions: whichever prerequisite a given system satisfies, one of the two paths is open.

“Ubuntu ships the rxrpc module by default, making it especially vulnerable,” noted Kim. “But the combination works across the board.”

Background

Dirty Frag belongs to a family of page-cache manipulation attacks that corrupt the in-memory (page-cache) copy of a file rather than the file on disk. Because no write ever reaches the block device, on-disk signature checks and file-write audit logs record nothing, while every process that reads the file through the page cache sees the tampered content until the page is evicted.

The previous exploit, Copy Fail, had targeted the same underlying mechanism via an older logic flaw. Dirty Frag uses new code paths, and the blacklist mitigation recommended for Copy Fail—blocking the algif_aead module—offers no protection.

What This Means

For administrators, the immediate risk is severe: any local user, or a remote attacker who has already obtained a low-privileged foothold, can run Dirty Frag to become root without writing to disk, and so without tripping the usual file-integrity alarms. Once the proof-of-concept is adapted, the exploit is trivial to weaponize.

“Organizations should treat this as a critical security incident,” said a cybersecurity analyst at a major vulnerability research firm. “Unless you are running AlmaLinux, which has released test patches, you currently have no official fix.”

Canonical, the company behind Ubuntu, has issued mitigation guidance, but as of this writing no stable kernel update is available for most distributions, including Debian, Fedora, and RHEL.

What You Can Do Now

Until official patches arrive, experts recommend blacklisting the three kernel modules involved: esp4 and esp6 (the IPsec ESP transforms behind the xfrm-ESP path) and rxrpc. The following command, run as root, writes modprobe "install" overrides so the modules can no longer be loaded on demand, unloads any that are already loaded, and drops the page cache:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

Dropping the page cache also discards tampered in-memory copies that might already be present, with two limits worth knowing: only clean, unmapped pages are dropped, so a tampered page still mapped by a running process survives, and a root shell that was already spawned is unaffected. The "install" override defeats on-demand loading (an unprivileged socket() call for an unloaded address family is enough to trigger it) but does not stop root from loading the module by hand. Blacklisting esp4 and esp6 disables kernel IPsec ESP, so hosts that run IPsec tunnels need to weigh that; rxrpc is needed only by kAFS. Restricting unprivileged user namespaces where the distribution supports it (Ubuntu's AppArmor restriction, or the upstream user.max_user_namespaces sysctl) removes the prerequisite of the xfrm-ESP path, at the cost of breaking rootless containers and browser sandboxes that rely on user namespaces. Additionally, monitor vendor channels for kernel updates and plan an immediate reboot once patches are applied.
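The script below is an added example, not part of the itsfoss article or the researcher's material: it applies the same module blacklist as the one-liner above, but checks that each override actually took effect, reports instead of hiding an rmmod failure, and after dropping the page cache verifies the two files the page says Dirty Frag targets (root's password field in /etc/passwd, and the su binary against the package database). It assumes a Linux host with modprobe/lsmod/rmmod and either dpkg or rpm; the helper functions take paths or stdin so they can be exercised without root, and the passwd lines used to try them are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the article or the researcher): apply and verify
# the Dirty Frag module blacklist, then check the files the exploit targets.
# Assumptions: Linux with modprobe/lsmod/rmmod; dpkg or rpm for verification.
# Usage: sudo sh dirtyfrag-mitigate.sh apply

# Write "install <module> /bin/false" overrides. $1 = modprobe.d directory.
# modprobe then runs /bin/false instead of loading the module, which also
# defeats kernel-triggered autoload (e.g. socket(AF_RXRPC, ...)).
# Prints the number of override lines written (3 when successful).
write_blacklist() {
    dir=${1:-/etc/modprobe.d}
    conf="$dir/dirtyfrag.conf"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$conf"
    grep -c '^install ' "$conf"
}

# Exit 0 if the passwd-format text on stdin gives root an empty password
# field (the state the page says CVE-2026-43500 produces), 1 otherwise.
# "x" in that field is normal: the hash lives in /etc/shadow.
root_password_field_empty() {
    awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print whichever of the three modules are currently loaded.
loaded_targets() {
    lsmod 2>/dev/null | awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1 }'
}

# Count modules a modprobe dry run would still load for real ("insmod ..."
# instead of "install /bin/false"); 0 means no module would be loaded.
unblocked_count() {
    n=0
    for m in esp4 esp6 rxrpc; do
        if modprobe -n -v "$m" 2>/dev/null | grep -q '^insmod '; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Verify su against the package database. Once the page cache has been
# dropped, the verifier re-reads the binary from disk.
verify_su() {
    su_path=$(command -v su) || return 1
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$su_path" 2>/dev/null | cut -d: -f1 | head -n1)
        [ -n "$pkg" ] && dpkg -V "$pkg"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V "$(rpm -qf "$su_path")"
    fi
}

apply_mitigation() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    write_blacklist /etc/modprobe.d >/dev/null
    # rmmod fails if a module is in use (e.g. an active IPsec tunnel); say so
    # rather than silencing it with 2>/dev/null.
    for m in $(loaded_targets); do
        rmmod "$m" || echo "warning: $m still loaded (in use?)" >&2
    done
    [ "$(unblocked_count)" -eq 0 ] || echo "warning: an override did not take effect" >&2
    # Only clean, unmapped pages are dropped: a tampered page mapped by a
    # running process survives, and an already-spawned root shell is unaffected.
    sync
    echo 3 > /proc/sys/vm/drop_caches
    if root_password_field_empty < /etc/passwd; then
        echo "ALERT: root has an empty password field in /etc/passwd" >&2
    fi
    verify_su
}

case "${1-}" in
    apply) apply_mitigation ;;
esac
```

Run it as `sudo sh dirtyfrag-mitigate.sh apply`; an empty root password field or a changed su binary is reported on stderr, and `dpkg -V` / `rpm -V` print nothing when the binary matches its package. Because the blacklist only stops on-demand loading, re-run the dry-run check after any kernel or initramfs update to confirm the override still applies.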

As the exploit proliferates, the window for proactive defense is closing. Kim urges users to “treat this as a zero-day—patch as soon as your distro releases a fix, and apply the module blacklist now.”