{"id":237668,"date":"2026-06-26T07:51:00","date_gmt":"2026-06-26T11:51:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/26\/new-dirtyclone-linux-kernel-flaw-lets-local-users-gain-root-via-cloned-packets\/"},"modified":"2026-06-26T08:30:57","modified_gmt":"2026-06-26T12:30:57","slug":"new-dirtyclone-linux-kernel-flaw-lets-local-users-gain-root-via-cloned-packets","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/26\/new-dirtyclone-linux-kernel-flaw-lets-local-users-gain-root-via-cloned-packets\/","title":{"rendered":"New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-dirtyclone-linux-kernel-flaw-lets.html\">New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-dirtyclone-linux-kernel-flaw-lets.html\">https:\/\/thehackernews.com\/2026\/06\/new-dirtyclone-linux-kernel-flaw-lets.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-26 07:51:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>Swati Khandelwal | Jun 26, 2026 | Linux \/ Vulnerability<br \/>\nDirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family.\u00a0JFrog Security Research published a working exploit walkthrough\u00a0for the flaw on June 25, the first public demonstration for this variant.<\/p>\n<p>Tracked as\u00a0CVE-2026-43503\u00a0(CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. 
The patch landed in mainline on May 21; if your kernel does not have it, update now.<\/p>\n<p>When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet&#8217;s memory as shared with a file on disk. That missing flag is the entire vulnerability.<\/p>\n<p>The attacker loads a privileged binary like \/usr\/bin\/su into memory, wires those memory pages into a network packet, and forces the kernel to clone it. The cloned packet passes through an IPsec tunnel that the attacker controls, and the decryption step overwrites the binary&#8217;s login checks with attacker-chosen bytes. The next time anyone runs su, it hands over root.<\/p>\n<p>The file on disk never changes. The modification lives only in the kernel&#8217;s in-memory copy, so file-integrity tools miss it, the attack leaves no audit trail, and a reboot restores the original binary. The attacker already has root by the time anyone might think to check.<\/p>\n<p>Exploitation requires\u00a0CAP_NET_ADMIN\u00a0to configure the loopback IPsec tunnel. On Debian and Fedora, unprivileged user namespaces are enabled by default, so a local user can obtain that capability inside a new namespace.<\/p>\n<p>Ubuntu 24.04 and later restrict namespace creation via AppArmor, blocking the default exploit path. Page cache is shared at the host level, so modifications made inside a namespace affect every process on the machine.<\/p>\n<p>The exposed systems are multi-tenant servers, CI runners, container hosts, and Kubernetes clusters where untrusted users can create namespaces. 
JFrog\u00a0confirmed the exploit\u00a0on Debian, Ubuntu, and Fedora systems with default namespace configurations.<\/p>\n<p>Fourth in a Series<\/p>\n<p>This is the fourth recent privilege escalation with the same failure mode: file-backed memory gets treated as packet data, then an in-place network operation writes where it should have copied.<\/p>\n<p>  Copy Fail\u00a0(CVE-2026-31431) came first in late April, exploiting the\u00a0algif_aead\u00a0module for a four-byte page-cache write.<br \/>\n  DirtyFrag\u00a0(CVE-2026-43284 and CVE-2026-43500) followed on May 7, chaining IPsec ESP and RxRPC paths for a full write primitive.<br \/>\n  Fragnesia\u00a0(CVE-2026-46300) appeared on May 13, bypassing the DirtyFrag patch through a flag-dropping bug in\u00a0skb_try_coalesce().<\/p>\n<p>Each fix closed one code path and left others open. DirtyClone&#8217;s demonstrated exploit centers on\u00a0__pskb_copy_fclone(), with\u00a0skb_shift()\u00a0also affected; the broader CVE fix covers additional frag-transfer helpers where the same flag could be lost.<\/p>\n<p>The underlying problem is not one bad helper function. It is a contract problem: every code path that moves skb fragments has to preserve the shared-frag bit, every time.<\/p>\n<p>The kernel&#8217;s zero-copy networking lets file-backed memory serve as packet data, and a single dropped flag anywhere in the chain turns a performance optimization into a write primitive. Each variant found a path where the contract was not honored.<\/p>\n<p>The original DirtyFrag researcher, Hyunwoo Kim, had submitted a broader\u00a0multi-site patch\u00a0covering several remaining frag-transfer helpers on May 16. The combined fix was merged on May 21 (commit\u00a048f6a5356a33), assigned CVE-2026-43503 on May 23, and shipped in Linux v7.1-rc5 on May 24.<\/p>\n<p>What to Do<\/p>\n<p>Install your distribution&#8217;s kernel update. 
The fix landed upstream in v7.1-rc5 and has been backported to stable and LTS branches.\u00a0Ubuntu,\u00a0Debian, and\u00a0SUSE\u00a0have published advisories;\u00a0Red Hat has a Bugzilla tracking entry.<\/p>\n<p>If you cannot patch today, two workarounds reduce the attack surface. Restrict unprivileged user namespaces: on Debian and Ubuntu, set\u00a0kernel.unprivileged_userns_clone=0\u00a0(other distributions use different mechanisms).<\/p>\n<p>Alternatively, blacklist the\u00a0esp4,\u00a0esp6, and\u00a0rxrpc\u00a0kernel modules, though that breaks IPsec and AFS and only works when those features are loadable modules rather than compiled into the kernel. Both are temporary controls, not fixes.<\/p>\n<p>The DirtyFrag class is probably not done. Any function that moves fragment descriptors without propagating the shared-frag flag is a potential new CVE, and auditing should cover every path that touches\u00a0skb_shinfo()->flags\u00a0during fragment transfer.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets https:\/\/thehackernews.com\/2026\/06\/new-dirtyclone-linux-kernel-flaw-lets.html 
Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":237671,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEidrcFiZh5KSQ9sYpF7Fafoy8kYny6olyD5WlY_oaAdYt0krMeOL8eNiTItqYmEmJ55wueKdZJlhIKMun7kwQR8AbbFPKTw0Nv-qJbPiaKA1n2J1rUHBV3YuRmdJHQpOTlsKctFMXoO8ogpgHC8rXls3FGamF7p7K1gxc-7dmU2va58Es1c40FV8AZFR-w\/s1600\/dirtyclone.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-237668","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237668"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=237668"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237668\/revisions"}],"predecessor-version":[{"id":237672,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/237668\/revisions\/237672"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/237671"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=237668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=237668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news
-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=237668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}