New Linux Kernel Flaw Gives Attackers Root Access on Multiple Distributions

The Dirty Frag vulnerability exploits two separate kernel page cache write flaws to provide reliable root access without requiring race conditions or causing system crashes.

CSBadmin

The Vulnerability and Its Impact

A newly discovered local privilege escalation vulnerability in the Linux kernel, named Dirty Frag, allows unprivileged local users to gain full root access on a wide range of Linux distributions. The flaw affects Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. Security researcher Hyunwoo Kim identified the vulnerability and reported it to kernel maintainers on April 30, 2026.

Dirty Frag is considered a successor to another recently disclosed Linux kernel flaw known as Copy Fail, which has already been exploited in real-world attacks. The vulnerability combines two distinct page cache write issues: one in the IPsec subsystem (xfrm ESP) and another in the RxRPC subsystem.

How the Exploit Works

Dirty Frag is a deterministic logic bug that does not rely on race conditions, which makes it highly reliable. The xfrm ESP page cache write vulnerability, introduced in a January 2017 kernel commit, provides attackers with a controlled 4-byte write primitive in the kernel’s page cache. The RxRPC page cache write vulnerability, introduced in June 2023, completes the exploit chain.

The attack requires the unprivileged user to create a namespace as part of the exploitation process. However, once the conditions are met, the exploit succeeds at a very high rate and does not cause kernel panics even when exploitation attempts fail. The same underlying kernel commit from January 2017 was also responsible for a previously patched buffer overflow vulnerability that affected multiple Linux distributions.
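For defenders triaging hosts, the two preconditions named above (namespace creation by an unprivileged user, and the xfrm ESP and RxRPC subsystems) can be inventoried with a short script. This is an added example, not code from the article or the researcher; it assumes "namespace" means an unprivileged user namespace and that the subsystems correspond to the `esp4`, `esp6` and `rxrpc` kernel modules.

```python
"""Inventory the Dirty Frag preconditions named in the article on a Linux host."""
from pathlib import Path

# Assumption: the namespace requirement refers to unprivileged user namespaces.
# Each predicate returns True when the sysctl value restricts them.
USERNS_SYSCTLS = {
    "user/max_user_namespaces": lambda v: v == 0,          # 0 = none allowed
    "kernel/unprivileged_userns_clone": lambda v: v == 0,  # Debian/Ubuntu knob
    "kernel/apparmor_restrict_unprivileged_userns": lambda v: v == 1,  # Ubuntu
}
# Assumption: module names for xfrm ESP (IPv4/IPv6) and RxRPC.
MODULES = {"esp4", "esp6", "rxrpc"}


def userns_restrictions(sysctls):
    """Return the sysctls whose current value restricts unprivileged userns."""
    return sorted(k for k, restricts in USERNS_SYSCTLS.items()
                  if k in sysctls and restricts(sysctls[k]))


def loaded_subsystems(proc_modules_text):
    """Return which of MODULES are listed in /proc/modules content.

    Built-in or not-yet-autoloaded code does not appear there, so an empty
    result is not proof that the subsystems are absent.
    """
    names = {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}
    return sorted(MODULES & names)


def assess(sysctls, proc_modules_text):
    restrictions = userns_restrictions(sysctls)
    return {"userns_restricted_by": restrictions,
            "userns_unrestricted": not restrictions,
            "modules_loaded": loaded_subsystems(proc_modules_text)}


def read_host(proc=Path("/proc")):
    """Collect live values; sysctls that do not exist on this kernel are skipped."""
    sysctls = {}
    for key in USERNS_SYSCTLS:
        f = proc / "sys" / key
        if f.is_file():
            sysctls[key] = int(f.read_text().strip())
    mods = proc / "modules"
    return sysctls, (mods.read_text() if mods.is_file() else "")


if __name__ == "__main__":
    print(assess(*read_host()))
```

The output is an exposure inventory only; whether a given kernel is fixed depends on the distribution's patched package version, which the article does not list.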

Source: The Hacker News
