- A new, unpatched Linux kernel vulnerability dubbed Dirty Frag enables local privilege escalation to root.
- The flaw chains two Page-Cache Write bugs and has a high success rate, affecting major distributions like Ubuntu and RHEL.
- A working proof-of-concept exploit is available, and mitigation involves blocking specific kernel modules until patches are released.
On May 8, 2026, security researcher Hyunwoo Kim disclosed a serious new local privilege escalation vulnerability in the Linux kernel, reported to maintainers just days earlier. Dubbed Dirty Frag, the flaw threatens most Linux distributions by allowing a local user to gain full root access.
This vulnerability is described as a successor to the actively exploited Copy Fail bug. “Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong,” the researcher explained in a technical write-up.
It works by chaining the xfrm-ESP and RxRPC Page-Cache Write vulnerabilities. Consequently, the exploit does not depend on a timing race and has a very high success rate without causing kernel panic.
Successful exploitation impacts systems including Ubuntu 24.04.4, RHEL 10.1, and Fedora 44. The xfrm-ESP bug was introduced in a January 2017 commit, while the RxRPC bug came from a June 2023 commit.
However, the xfrm-ESP exploit requires creating a namespace, which Ubuntu blocks via AppArmor. Meanwhile, the RxRPC module is not included in distributions like RHEL but is loaded by default on Ubuntu.
By chaining the two, the blind spots cover each other across different environments. AlmaLinux said the bug decrypts directly over externally-backed pages, exposing or corrupting plaintext.
Adding urgency, a working proof-of-concept can gain root in a single command. Consequently, a mitigation involves blocking the esp4, esp6, and rxrpc modules until official patches are available.
It is worth noting that Dirty Frag works regardless of the algif_aead module’s status. Therefore, systems with the Copy Fail mitigation are still vulnerable to this new attack.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
