Dirty Frag is a New Linux Exploit That Grants Root, and There’s No Proper Patch Yet
It has been less than a week since we came across Copy Fail, the exploit that took advantage of an old logic flaw to escalate a local user to root, giving them all kinds of harmful access to a system that they shouldn’t have.
A security researcher, Hyunwoo Kim (v4bel), has reported a new Linux kernel privilege escalation threat. This one is called Dirty Frag, and its disclosure has not gone as planned.
Hyunwoo had set a five-day embargo after submitting details to the linux-distros mailing list, but an unnamed third party published the exploit publicly the same day, and that was that.
A working exploit is now out in the open; most distros have no patch, and the algif_aead blacklist you may have applied for Copy Fail does nothing against this.
What is Dirty Frag?
Like Copy Fail, Dirty Frag modifies the in-memory copy of a system file without touching the version on disk. Every subsequent read of that file sees the corrupted copy, and nothing on the filesystem looks wrong.
Dirty Frag does this through two separate flaws. The first, xfrm-ESP Page-Cache Write (CVE-2026-43284), targets /usr/bin/su, replacing its in-memory copy with one that hands out a root shell.
The second, RxRPC Page-Cache Write (CVE-2026-43500), goes after /etc/passwd and empties the root password field. PAM accepts the blank entry and lets a root login through.
More importantly, they are chained because neither works on every system alone. The first needs a user namespace, which some Ubuntu AppArmor setups block. The second does not have that requirement, but the rxrpc.ko module it relies on is absent from most distros’ default builds.
Ubuntu is one of the few that does ship it, though. Together, the two cover every major distro.
What can you do?
Most distros have nothing out yet, with the possible exception of AlmaLinux, which is one step ahead of the others with patched kernels already in its testing repository. For everyone else, the immediate option is blacklisting the three modules involved:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
Doing so also clears the page cache, getting rid of any tampering that may have already happened. Hyunwoo also recommends updating the kernel and rebooting as soon as your distro has a patch out.
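To verify that the blacklist took effect, this added example (not part of the original article or the researcher's advisory) checks a modprobe configuration directory for the `install <module> /bin/false` overrides and a `/proc/modules`-format file for modules that are still loaded. The function names and the default of checking only `/etc/modprobe.d` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag module mitigation on a host.
# Usage: sh audit.sh [CONF_DIR] [MODULES_FILE]   (script name is hypothetical)

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"   # the three modules the article says to block

# is_blocked MODULE CONF_DIR
# Succeeds if a *.conf file in CONF_DIR carries "install MODULE /bin/false"
# (/bin/true is accepted too, since it disables loading the same way).
is_blocked() {
    for conf in "$2"/*.conf; do
        [ -f "$conf" ] || continue
        if awk -v m="$1" '
            $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { hit = 1 }
            END { exit !hit }' "$conf"; then
            return 0
        fi
    done
    return 1
}

# is_loaded MODULE MODULES_FILE
# MODULES_FILE uses the /proc/modules layout: module name in the first field.
is_loaded() {
    [ -r "$2" ] || return 1
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# audit CONF_DIR MODULES_FILE
# Prints one status line per module; returns 1 if any module is still
# loadable (no override found) or is currently resident in the kernel.
audit() {
    rc=0
    for mod in $DIRTYFRAG_MODULES; do
        blocked=no; loaded=no
        if is_blocked "$mod" "$1"; then blocked=yes; fi
        if is_loaded "$mod" "$2"; then loaded=yes; fi
        echo "$mod blocked=$blocked loaded=$loaded"
        if [ "$blocked" = no ] || [ "$loaded" = yes ]; then rc=1; fi
    done
    return "$rc"
}

audit "${1:-/etc/modprobe.d}" "${2:-/proc/modules}" || echo "mitigation incomplete"
```

A non-zero result from `audit` means at least one of the three modules is still loadable or resident. The check only covers loadable modules, since an `install` override cannot affect code built into the kernel.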
Update: Canonical has some mitigation guidelines for Ubuntu users.
