
Details have emerged about a new unpatched local privilege elevation (LPE) vulnerability affecting the Linux kernel.
The vulnerability, known as Dirty Frag, is said to be a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw in the Linux kernel that has since been exploited in the wild. Dirty Frag was reported to the Linux kernel maintainers on April 30, 2026.
"Dirty Frag is a class of vulnerabilities that achieve root privileges on most Linux distributions by chaining together the xfrm-ESP page cache write vulnerability and the RxRPC page cache write vulnerability," security researcher Hyunwoo Kim (@v4bel) wrote.
“Dirty Frag is an extension of the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not rely on timing windows, there is no need for race conditions, the kernel does not panic if the exploit fails, and the success rate is very high.”
Successful exploitation of the flaw could allow an unprivileged local user to gain root privileges on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
According to the researcher, the xfrm-ESP page cache write vulnerability was introduced by a source code commit made in January 2017, and the RxRPC page cache write vulnerability by a commit made in June 2023. Interestingly, the same January 17, 2017 commit was also the root cause of an earlier buffer overflow (CVE-2022-27666, CVSS score: 7.8) that affected Linux distributions.
The xfrm-ESP page cache write is rooted in the IPsec (xfrm) subsystem and, like Copy Fail, gives an attacker a 4-byte store primitive with which a small amount of data in the kernel's page cache can be overwritten.
However, this exploit requires the unprivileged user to be able to create a user namespace, a step that Ubuntu blocks via AppArmor. In such an environment the xfrm-ESP page cache write cannot be triggered, which is where the second bug, the RxRPC page cache write, comes into play.
“RxRPC Page-Cache Write does not require permission to create namespaces, but the rxrpc.ko module itself is not included in most distributions,” Kim explained. “For example, the default build of RHEL 10.1 does not ship with rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.”
“By chaining the two variants together, the blind spots are covered by each other. In environments where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.”
CloudLinux said in its own advisory that the flaw lies in the "ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path" and is reachable via the XFRM userspace netlink interface.
"This bug exists in the in-place decryption fast path for esp4, esp6, and rxrpc. For paged fragments where the socket buffer is not privately owned by the kernel (for example, pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receiving path decrypts directly on those externally backed pages, exposing or corrupting the plaintext that an unprivileged process still holds a reference to," AlmaLinux said.
Adding to the urgency is the release of a working proof-of-concept (PoC) exploit that gains root with a single command. Until a patch is available, the recommendation is to blocklist the esp4, esp6, and rxrpc modules so that they cannot be loaded:
sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
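The one-liner above writes the blocklist and unloads the modules, but it gives no feedback on whether the mitigation actually took hold (for example, a conf file that was never written, or a module that could not be unloaded because it was in use). The following POSIX shell script is an added example, not code from the article or from the researcher, that audits a host for exactly that: for each of the three modules named above it checks that an "install <module> /bin/false" directive is present under modprobe.d and that the module is not currently loaded. The modprobe.d directory and the /proc/modules file are parameters, so the checks can also be run against constructed inputs; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the Dirty Frag interim mitigation (module blocklist).
# Not part of the article; function and variable names are this script's own.
# Usage:  sh dirtyfrag_audit.sh --audit [MODPROBE_DIR] [MODULES_FILE]
#         (defaults: /etc/modprobe.d and /proc/modules)

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Print the modprobe.d fragment the advisory recommends, one line per module.
dirtyfrag_conf() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# is_blocklisted MOD [DIR]: succeed if some *.conf under DIR carries an
# "install MOD /bin/false" directive. Comment lines are ignored and the
# match is anchored so that e.g. "esp4" does not match "esp4_offload".
is_blocklisted() {
    mod=$1; dir=${2:-/etc/modprobe.d}
    [ -d "$dir" ] || return 1
    cat "$dir"/*.conf 2>/dev/null \
      | grep -v '^[[:space:]]*#' \
      | grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/false([[:space:]]|\$)"
}

# is_loaded MOD [FILE]: succeed if MOD is the first field of a line in FILE
# (/proc/modules format). Only the first field counts, so a module that
# merely appears in another module's dependency list is not reported.
is_loaded() {
    mod=$1; file=${2:-/proc/modules}
    [ -r "$file" ] || return 1
    awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$file"
}

# dirtyfrag_audit [DIR] [FILE]: print one status line per module and return
# 0 only if every module is both blocklisted and currently unloaded.
dirtyfrag_audit() {
    dir=${1:-/etc/modprobe.d}; file=${2:-/proc/modules}
    rc=0
    for m in $DIRTYFRAG_MODULES; do
        if is_blocklisted "$m" "$dir"; then b=blocklisted; else b=NOT-blocklisted; rc=1; fi
        if is_loaded "$m" "$file"; then l=LOADED; rc=1; else l=unloaded; fi
        printf '%-6s %-16s %s\n' "$m" "$b" "$l"
    done
    return $rc
}

# Run the audit only when invoked explicitly, so the file can also be sourced.
case "${1:-}" in
    --audit) dirtyfrag_audit "${2:-}" "${3:-}" ;;
esac
```

A non-zero exit status from `--audit` means at least one of the three modules is either missing from the blocklist or still loaded; the per-module lines say which. Reading /proc/modules needs no privileges, so the audit can be run as an ordinary user after the mitigation has been applied, or scheduled by a configuration-management check.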
It is worth noting that, although Dirty Frag overlaps with Copy Fail, it can be exploited regardless of whether the Linux kernel's algif_aead module is enabled.
"Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available," the researchers said. "In other words, Linux is still vulnerable to Dirty Frag even on systems with the publicly known Copy Fail mitigation (algif_aead blacklist) in place."