Dirty Frag Linux Kernel LPE Exploit Chains Two Page-Cache Write Vulnerabilities for Reliable Root Access
A new local privilege escalation exploit named Dirty Frag chains two Linux kernel page-cache write vulnerabilities to reliably gain root access on major distributions without requiring a race condition.
A new, unpatched local privilege escalation (LPE) exploit targeting the Linux kernel has been publicly disclosed, posing a significant threat to a wide range of enterprise and consumer systems. Dubbed Dirty Frag by its discoverer, security researcher Hyunwoo Kim, the exploit chains two distinct page-cache write vulnerabilities to achieve reliable root access on major Linux distributions including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44.
Dirty Frag is described as a deterministic logic bug that does not depend on a race condition, making it highly reliable and less likely to cause kernel panics upon failure. The exploit leverages two vulnerabilities: the xfrm-ESP Page-Cache Write, introduced in a January 2017 commit, and the RxRPC Page-Cache Write, introduced in June 2023. The xfrm-ESP vulnerability resides in the IPSec (xfrm) subsystem and provides a 4-byte store primitive that overwrites a small amount of kernel page cache memory. The RxRPC vulnerability, on the other hand, does not require the privilege to create a namespace, making it effective on systems where user namespace creation is blocked, such as Ubuntu with AppArmor.
By chaining these two vulnerabilities, Dirty Frag covers the blind spots of each individual exploit. In environments where user namespace creation is allowed, the ESP exploit runs first. On Ubuntu, where user namespace creation is blocked but the rxrpc.ko module is loaded by default, the RxRPC exploit is used. This chaining ensures that the exploit works across a broad spectrum of Linux configurations.
The vulnerabilities have been assigned CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write). Patches have been committed to the mainline Linux kernel at commits f4c50a4034e6 and aa54b1d54b1d27fe0, respectively. However, as of the time of writing, these patches have not yet been backported to stable kernels, leaving many systems vulnerable. A working proof-of-concept (PoC) exploit has been released, and security researchers warn that it can be used to gain root access in a single command.
In the absence of patches, administrators are advised to blocklist the esp4, esp6, and rxrpc kernel modules to prevent them from being loaded. This can be done by creating a configuration file in /etc/modprobe.d/ and removing the modules if they are currently loaded. The specific command is: sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
Dirty Frag is the latest in a series of page-cache write vulnerabilities that have affected the Linux kernel, following Dirty Pipe and Copy Fail. Unlike Copy Fail, which required the algif_aead module to be enabled, Dirty Frag can be triggered regardless of whether that module is available. This means that even systems that have applied the publicly known Copy Fail mitigation (algif_aead blacklist) are still vulnerable to Dirty Frag.
Google-owned Wiz has analyzed the vulnerability chain, describing it as a combination of two page-cache write primitives that allow modification of page-cache-backed memory not exclusively owned by the kernel. This enables corruption of sensitive files and ultimately privilege escalation. The exploit requires access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers, such as via splice()-related paths. However, the exploit typically requires high-level privileges to create a network namespace, making it a significant threat in containerized environments where arbitrary third-party workloads may be executed.
Ubuntu has acknowledged the vulnerability, noting that on hosts that do not run container workloads, it allows a local user to elevate privileges to root. In container deployments, it may additionally facilitate container escape scenarios. The disclosure of Dirty Frag underscores the ongoing challenge of securing the Linux kernel against deterministic, race-condition-free vulnerabilities that can be reliably exploited for privilege escalation.