Dirty Frag: A new Linux privilege escalation vulnerability is already in the wild

https://securityaffairs.com/191847/hacking/dirty-frag-a-new-linux-privilege-escalation-vulnerability-is-already-in-the-wild.html

Publish Date: 2026-05-08 07:19:17

Source Domain: securityaffairs.com

Summary:

Security researchers have uncovered a dangerous new privilege escalation vulnerability in the Linux kernel referred to as Dirty Frag. This vulnerability allows unprivileged local users to obtain root access on various major Linux distributions, such as Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. Unlike previous vulnerabilities in the Dirty Pipe family, Dirty Frag is not mitigated by the Copy Fail patch and remains exploitable even on systems that have applied certain blacklist mechanisms. The vulnerability is highly reliable as it does not require race conditions or precise timing and does not make the kernel panic. The exploit is constructed by chaining two separate vulnerabilities: the xfrm-ESP Page-Cache Write flaw and the RxRPC Page-Cache Write flaw. Both vulnerabilities, when combined, cover each other’s blind spots across different environments. The exploit is already publicly available, posing immediate threats to affected systems. Until official patches are released, blocking specific kernel modules is recommended to mitigate the threat.

Key Points:

  • Dirty Frag is a newly disclosed privilege escalation vulnerability in the Linux kernel enabling root access on multiple major distributions, and it is independent of previous mitigations.
  • The vulnerability exploits two separate logic flaws: xfrm-ESP and RxRPC, leveraging their combined capabilities across different Linux environments.
  • It is a highly reliable exploit as it does not require race conditions, and no kernel panic occurs on failure, yielding a very high success rate.
  • The exploit code was prematurely leaked, and no CVE identifier has been formally assigned yet.
  • To mitigate risk until patches are available, it is advised to blocklist esp4, esp6, and rxrpc kernel modules.
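
An audit of the module-blocking mitigation above, written as an added example (it is not from the article or from any vendor guidance). The function names, the `dirtyfrag.conf` file name and the sample data are assumptions constructed for illustration, and only one configuration directory is read (`/etc/modprobe.d` by default). The script distinguishes a `blacklist` line, which stops alias-based autoloading only, from an `install <module> /bin/false` rule, which also makes loading by name through modprobe fail.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc module mitigation on one host.
MODULES="esp4 esp6 rxrpc"

# module_loaded NAME [PROC_FILE]: succeeds if NAME is currently loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# module_rule NAME [CONF_DIR]: print the strongest modprobe rule for NAME.
#   install   = "install NAME /bin/false" (or /bin/true): modprobe runs
#               that command instead of loading the module
#   blacklist = "blacklist NAME" only: alias autoload is ignored, but
#               loading by name ("modprobe NAME") still works
#   none      = no rule in CONF_DIR
module_rule() {
    dir="${2:-/etc/modprobe.d}"   # assumption: only this directory is read
    { cat "$dir"/*.conf 2>/dev/null || true; } | awk -v m="$1" '
        /^[ \t]*#/ { next }
        $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { r = "install" }
        $1 == "blacklist" && $2 == m && r == "" { r = "blacklist" }
        END { print (r == "" ? "none" : r) }'
}

# audit [CONF_DIR] [PROC_FILE]: one line per module; returns 1 if any
# module is loaded or has no install rule.
audit() {
    rc=0
    for m in $MODULES; do
        rule=$(module_rule "$m" "$1")
        if module_loaded "$m" "$2"; then state=loaded; else state=absent; fi
        echo "$m rule=$rule state=$state"
        [ "$rule" = install ] && [ "$state" = absent ] || rc=1
    done
    return "$rc"
}

# demo: run audit over constructed sample data (not from a real host).
demo() {
    d=$(mktemp -d)
    # hypothetical file name; contents are constructed for this example
    printf 'install esp4 /bin/false\nblacklist esp6\n' > "$d/dirtyfrag.conf"
    printf 'rxrpc 200704 0 - Live 0x0\n' > "$d/modules"
    audit "$d" "$d/modules" && res=0 || res=1
    rm -rf "$d"
    return "$res"
}
```

On a live host, call `audit` with no arguments. A module that is already loaded stays loaded until it is removed or the host reboots, which is why the audit reports load state separately from the rule.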